MZ@ !L!This program cannot be run in DOS mode. $ij-- ~- ~- ~8~, ~:~, ~9~! ~<~< ~- ~ ~=~, ~/~> ~>~, ~;~, ~Rich- ~PEdlCR"  |"p`]p @d8@|p.textz| `.data@.pdata @@.idata @@.rsrc@@.reloc@@BH\$Hl$H|$ATAVAWH 3MLH\$@Hl$HH|$PH A_A^A\ÐH\$Ht$WH IHLNjHH\$0Ht$8H _̐HHX L@PHHVWAVH@Lމ\$ ;wu9Åu 3ۉ\$ B;L Mt<;DƉL$pAы؉D$ 3ۉ\$ s$hL$`wL$pI؉D$ 3ۉ\$ s$hL$`=L$pI[؉D$ 3ۉ\$ s$hL$`;u~E33I"$hL$`\$ E33I $hL$`\$ HrHt$E33I$hL$`\$ tuxL$pI؉D$ 3ۉ\$ s$hL$`HHt:=t1L$pIЋ؉D$ 3ۉ\$ s$h;DH$xH@A^_^ÐHыH0Hcك f |t =D t =kE t =TF t ==G t =&H t =I t =J t =K t =ʁL t =M h Q H0[ÐH; {uHfuH~DkeH%0HxH;t3H=uA}t"H-RHt`H=>LLHH;r3H9tHHH #HL;uL;tLHLHHHHE0H߁$3"eH%0HxH;t)3H=ut E[H=L%wI;suHHtHI;roHH s4u HHH9't!H 1tMƺI3u̐`H()HzHkHuH 3H(ÐH H3H HH [H%̐HL$HH yHzHD$HE3HT$PHL$HHD$@H|$@tBHD$8HD$XHD$0HD$`HD$(HgyHD$ LL$@LD$HHT$P3k#HyHH0zHyHHyHzHxH$Hy_x YxcxHkH [xHHkH CxHxHHkH (xH}HHkH wHLhHkH }HLhH SHĈÐH\$WH HtH HH\$0H _p%%LcAHH pHt}HIUA4HHLHAHHHA3HAA HA(AIщD$(HUHD$ :H>HbnHj3#du=oot3_oH`oH\$PHl$XHt$`H@_ÐDisableDialogAPINS_DisableDialogAPI::InitializeHooksMultiDialogBoxParamWH HH@FHK0FHK FHKFHH [F̐HH3HD$XLZHD$0HD$PDIHD$(L$PHL$ HWHD$Xru9D$Pv HH3HHÐDontShimDWSoftware\Microsoft\Windows\Windows Error Reporting\DebugH\$Hl$Ht$H|$ AVH@HIHL5RLMIAHEH)HD$0L$(HyRHD$ y3ۃuCHu!L5k3;HmHu9H<<HkHu҉3du9lulu@uvHlLHHD$(H/RNAHD$ ф3Bu6HtHQLSH<A\$(HD$ H;lH\$PHl$XHt$`H|$hH@A^DWmigrationNS_DWmigration::InitializeHooksMultiH$HHEH$HcH3Hp3ۉ\$Pd]3DC`HMH\$X3HD$`HD$hLHM1;f]`HHMσVHM`p=:EhHU`HL$pBHUHM@BHHHL$pDH\$(HE`HD$ ALSPHU3tHELPHL$pGHHL$pCHL$pGHAPH ԃHD$XHD$HHEHD$@H\$8H\$0D$(D$ E3E3HT$p3HL$XHt)YHT$PHL$XYHL$X΃H\$XHL$`Ht H\$`L$P"HMHpH3 H$HĀ]Ð-c\dwwin.exe __COMPAT_LAYERHHJpgAHXAVWAVHHDŽ$HXaH3H$IEHHL$xT$HDD$@H\$pHrpHHL$Pm@HNHL$`[@HL$`GHHL$`BH$HL$`ĂHLNHMHu9HHD$ DOGOHL$`]@HL$PR@HHD$ ALAIpHGHMHL$P@LD$PA@HcHxHL$`?HL$P?3HD$PHD$0H\$(HeHD$ AZLMHLAIHL$`?HL$P?W)H|$xt$HDt$@H\$pLEƋHHHgPH$H3HA^_^[Ð{2D9E65B5-E6FE-4239-9F33-D0C67819F0F1}gpmc.mscError: CString error while applying FCS shim. GPMC.msc not found. GPMC.msc foundError: FCS could not convert lpProductBuf from "%s" to "%S". Converted string length is greater than the maximum buff size.HJP=HJ`=HT$UH@HH4HD$ AgLKHJAI}HH@]ÐError: CString error while applying FCS shim.H HJH}u H [HeHH [H`H̐H\$Hl$Ht$WH@HIHH-JLOHAHEHIHD$0L$(HIHD$ |HH-Zc<3HHfdHL JLLLI0HHAL HLI8HA3HAA HA(HAHAPHAXL H#ILI@AD$(HdIHD$ 4|:H"3HbH@3#du=ct3cHcH\$PHl$XHt$`H@_ÐNS_FCS::InitializeHooksMultiMsiEnumRelatedProductsWMsiQueryProductStateWH8E3HBAWH=EEGEx M9H8AHtfDH8ÐH\$WH HbI؋Pt/)u*C#CCCTCXC\H\$0H _ÐH\$Hl$Ht$WH@HAFIHH-GHL2HEHHD$0L$(HwGAIHD$ xzHH-`0HHaHt}HIGAHHHLHAHHHA3HAA HA(AID$(HGHD$ y:H0HJ`Hj3#du=?at3/aH0aH\$PHl$XHt$`H@_ÐOfficeMetricsLieNS_OfficeMetricsLie::InitializeHooksMultiSystemParametersInfoAH(H`PH3ɃDH(ÐH(Hu`P3ɃDH(ÐH\$Hl$Ht$WH@HAAIHH-EHL^HEH;HD$0L$(H{EAIHD$ |xHH-^.HH_HL )LLLI0H$HAL )HLI8HA3HAA HA(HAHAPHAXL HLI@AFD$(HDAIHD$ w:H.H^HA3#du= _t3^H^H\$PHl$XHt$`H@_ÐSierraWirelessHideCDROMNS_SierraWirelessHideCDROM::InitializeHooksMultiKernel32.DLLGetDriveTypeWGetDriveTypeAH\$Ht$WH H6^HPHt H H\$0Ht$8H _ÐH\$Hl$Ht$ AVH@ADLHIHSvHH|$PH|$pLDAHH|$ Ћ؅xfH3HD$097vVH-LD$0HvDE33D$ uLHBAHl$ uHD$0;7rH|$PH\$XHl$`Ht$hH@A^ø@̐COMHook_IEnumWbemClassObject_NextIEnumWbemClassObject::Next hooked NS_Sql2005::COMHook_IEnumWbemClassObject_NextH\$Hl$Ht$H|$ AVH0EHL HIH@tLHHD$hLEHD$(HD$`HHHD$ AҋHHH Htuf;uCtHA20H HtuAf;u;Ct2HA8LH@HD$ tcH\$@Hl$HH|$XHt$PH0A^ÐCOMHook_IWbemClassObject_GetOSProductSuiteDisabling WEB SKU in OSProductSuiteNS_Sql2005::COMHook_IWbemClassObject_GetSuiteMaskDisabling WEB SKU in SuiteMaskH\$Hl$Ht$ AVHPILLHIHrLHH$H|$`H$H|$@HD$8H$HD$0$LΉD$(H$LIHHD$ Aҋ؅xJH@E3L3D$ IrHrLH?A]HD$ .rH|$`H\$hHl$pHt$xHPA^ø@̐COMHook_IWbemLocator_ConnectServerIWbemLocator::ConnectServer hooked IID_IWbemServicesNS_Sql2005::COMHook_IWbemLocator_ConnectServerH\$Hl$Ht$ AVH0ALLHIH3qHH|$@H|$`LDIHH|$ Ћ؅xJH?E3L3D$ pH{LH=AHD$ pH|$@H\$HHl$PHt$XH0A^ø@̐COMHook_IWbemServices_CreateInstanceEnumIWbemServices::CreateInstanceEnum hookedNS_Sql2005::COMHook_IWbemServices_CreateInstanceEnumHl$Ht$ WATAWH`IHL HALoLHH$H$H$HD$8H$L$L$DLLt$0HIH\$(HD$ AԋM3+H =HoH3LL$@H.=E3HH|$(H|$ P f|$@HL$HH[=oHLL$@H<E3HH|$(H|$ P f|$@HL$HH =nuuILL$@H<HE3H|$(H|$ P xOf|$@uG|$Hu@LII~ u.ID$HfD$@HLL$@H<E3|$ P(HLH:A=HD$  nL$H$̸@L\$`Ik0Is8IA_A\_ÐCOMHook_IWbemServices_ExecMethodSYSTEM\CurrentControlSet\Services\IISAdminIWbemServices::ExecMethodNS_Sql2005::COMHook_IWbemServices_ExecMethodLSHICHZRHD$P3H\$XA[3DC`IKH\$`3HD$hHD$pHL$P37HQHL$P.HT$P9ZHDHD$`HD$HH$HD$@H\$8H\$0D$(\$ E3E33PmL1H 9HHD$ AKlHL$`lH$HL$`m$LH8uHHD$ AKk!D$(HHD$ AkHL$` mHL$hmH8HD$ AjkHL$P+H[Ðsystem32\inetsrv\appcmd.exe set config "Default Web Site/ReportServer" /section:handlers /accessPolicy:Read,Script[LoadPerfCounterTextStringsW] Createprocess on appcmd.exe successfulNS_Sql2005::GrantReportServerPermissions[LoadPerfCounterTextStringsW] appcmd.exe exited successfully[LoadPerfCounterTextStringsW] appcmd.exe exit with a failed dwReturnCode 0x%x[LoadPerfCounterTextStringsW] appcmd.exe failedHJP(HT$UHPHHHP]ÐHHDŽ$HHL$x(HL$xyHiHHL$xH+HyHhHH+D$xHHMHD$P3H\$X$3DC`H$H\$`3HD$hHD$pHL$P/7HHL$P)HT$P9ZHDHD$`HD$HH$HD$@H\$8H\$0D$(\$ E3E33hLHk4HDHD$ A~KxgHL$`RhH$ HL$`Oi$ LIH4uHOHD$ AK#g!D$(HnHD$ AgHL$`mhHL$hbhHHD$ AfHL$P|&HL$xq&H[ÐQ188769rsctr.iniSystem32\iisreset.exe[LoadPerfCounterTextStringsW] Createprocess on IISReset.exe successfullNS_Sql2005::IISReset[LoadPerfCounterTextStringsW] IISReset.exe exited successfully[LoadPerfCounterTextStringsW] IISReset.exe exit with a failed dwReturnCode 0x%x[LoadPerfCounterTextStringsW] IISReset.exe failHJx$HJP$HT$UHPHHJHP]ÐH\$Hl$Ht$WH@HIHH-1L;HAGHEH1HD$0L$(H1HD$ dHH-JHHKHH3HHHAHYHA3HAA HA(H cH IHLHAHD$ c/H IHdLU2HAHD$ cH IHL 2HAHD$ cH QIHL1H\AHD$ ScH IHL1H'AHD$ ct_LH/D$(H0AQHD$ b:HH8IHQ3#du=Jt3 JHJH\$PHl$XHt$`H@_ÐNS_Sql2005::InitializeHooksMultiLOADPERF.DLLLoadPerfCounterTextStringsWWBEMPROX.DLLsMK.$E:K.$H\$Ht$UWATAVAWHH`IE3HJHEIHLLMH/AE3HAL}8D|$ fDeP(H[HEHLMH/E3HfDeD|$ P(L|$8HE8Lv/HD$0H*E3IH\$(L|$ օ$HM8LMHa/HE3L|$(L|$ P f}}HM8HPHLMHEHH.E3HL}8fDeD|$ P(L|$8HE8L.HD$0H{E3IH\$(L|$ օuHM8LMH.HE3L|$(L|$ P Kf}@}6HM8HPHALMHEHH'.E3HL}8fDeD|$ P(L|$8HE8L.HD$0HE3IH\$(L|$ օHM8LMH.HE3L|$(L|$ P f}}HM8HPHLMHEHHx-E3HL}8fDeD|$ P(L|$8HE8Li-HD$0HE3IH\$(L|$ օHM8LMHT-HE3L|$(L|$ P f}}HELMH,HEHE3HfDeD|$ P(L|$8HE8HD$0L,H|E3IH\$(L|$ օvHM8LMH,HE3L|$(L|$ P Lf}A}7HLMH9,HEHE3HfDeD|$ P(L|$8HE8HD$0L",HE3IH\$(L|$ օHM8LMH,HE3L|$(L|$ P f}}HCLMH+HEHE3HfDeD|$ P(L|$8HE8HD$0L+H:E3IH\$(L|$ օx8HM8LMHu+HE3L|$(L|$ P xf}u 9EDHM8Ht HPL}8LHLMH*E3HfDeHED|$ AR(LH+LMH*E3HfDeHED|$ AR(L\$`I[0Is@IA_A^A\_]Ðsoftware\microsoft\inetstp\componentsASPNETStdRegProvMetabaseWMICompatibilityWindowsAuthenticationStaticContentDefaultDocumentHttpRedirectSystem\CurrentControlSet\Services\IISADMINH Hً UAt \HH [Ð .At3H%`\ÐH\$Ht$WH HHtx @tm \HtbHHf<^uHøHHuDHt?HO\HHt.LHHxHH\$0Ht$8H _H!\HBAHH\$0Ht$8H _H`̐H0HD$ H\$@Ht$HHHLVHYHHt,HL$PHH׋؋ @t39[@H\$@Ht$HH0_COMHook_ISqlManager_GetProviderHJPH0HD$ H\$@Ht$HHHLZHXHHt,HL$PHH׋؋ Z?t3Z@H\$@Ht$HH0_ÐCOMHook_ISqlManager_GetSnapinDescriptionHJPH0HD$ H\$@Ht$HHHLVH!XHHt,HL$PKHH׋؋ >t3Y@H\$@Ht$HH0_COMHook_ISqlManager_GetSnapinVersionHJPH\$Hl$Ht$WH@HIHH-q$LCHAHEHHD$0L$(HG$HD$ GWuIHu%H-= H>Ht7HHi=Hu3ۉ3du=E>u9>:uI[H&>3LHD$(H#HZKAHD$ V3"H=3H lHH r3HHH HXHHH fX HX()VH <HDKL`HiHD$ VH ;HHHLHAH+HHA3HAA HA(AIljD$(H^ HD$ 3S:H! Hr9Hj3#du=?:t3/:H0:H\$PHl$XHt$`H@_ÐSql2005Sp1ExtractorNS_Sql2005Sp1Extractor::InitializeHooksMultikernel32CreateDirectoryAH\$Hl$Ht$WH =:IIHu9Hz9LLHՋH\$0Hl$8Ht$@H _H`̐H\$Hl$Ht$WH@HIHH-LHAHEHgHD$0L$(HHD$ QuIHu%H-7H8Ht7H`H7Hu3ɉ 3du=8u8JuFHn83LHD$( HOHOAHD$ P3vujH,8H HH HHH XHH3HHH HH(Ht L$(HL^H7AHD$ yPH7H\$PHl$XHt$`H@_ÐSql2005SetupComputerNameNS_Sql2005SetupComputerName::InitializeHooksMultiMsiGetPropertyWHXH/H3H$@uMHL$ 3A舻HL$ D$ ]Qt$$:u3H$@H3}HXøH$@H3`HXÐHP3ҋHL$ DB0LL$pHT$ A30Qu?HL$pHt5LD$hP,Qu#LD$hH$M@8QHL$hPHP[ÐComputerNameH\$Hl$Ht$H|$ AVH@HALIHL5uIL4HEHIHD$0L$(HQAIHD$ RN3ۃuCHu!L543H_5Hu9HH^4Hu҉3du9)5u5u>usH 5DNMLHD$(H HNHD$ M3Au5HtAPHL@HYAI\$(HD$ nMH4H\$PHl$XHt$`H|$hH@A^ÐNS_TerminateZTEFileAutExe::InitializeHooksMultiH8%4tA*HyLAIHHD$ LMHtCHT$@HD$@0|$@H~H@f82uBN3zNHt.NH8Ð[ApiName] Mitigation SuccessNS_TerminateZTEFileAutExe::NotifyFnLHxH,H3HD$`HMKHlICHAICH3ICHSICICICICICMHL$`H3蔯HxÐ>(ShimLib) Mitigation SuccessApiNameUnknownH\$Ht$WHPMHLHۼDL pEHHLDH \HLL$@HDH\$8HL$0H?LHAH|$(HD$ JH\$`HHt$hHP_Ð")("%S%s%s%s ShimLib::GetHookAPIsShimLibɃgwHLBHcAfAfId/e%fheeeeeLD$SH LD$@0'HHtLD$@3H4HH [ÐMtIHHHt3MtIeH %`LHI0H%IHu3HH€<u H HHtVtQJLD$0H|$@jHHt$H\$8H\$0HLHbKH\$89HH|$@H ^3H ^ÐHL$SH0HD$ HH-H3HKH-HCHKH-HC HK(H-HC0HK8H-HC@HKHHZHH0[HJ@HJ@HHJ@H HJ@H0HJ@H@sLISUVWATAUAVAWHpICI[ILDŽ$E3AH,ICM{D$MfE98HIHt$0L|$(HHHD$ ALnHAO GeH %`AWAHI0GHH$HHHEf>"u8D$H^H\$@ftLf"tHHfu5A*Ht$@ft f tf tHHfuHD'fD?HD$PHD$(HL$ AL|HT$@3'GDEt/AsH$GtuAAG=v3fD'f;tK$tAHHƄ$H$E38HH+\$@HAH$EsEuFHHtHHEHFHf;t*f tf t Hf?uD'H^3fHHL$XHH+HB(HT$XfD'IMf H^II M<$AVEtIADEuI $L;t'IH+HY+؍CLcMIEI$XD$2uEuIVIN@3DHHfH\$0X;LHCLcHV M9HHΉX;HH\$0Ht$8H _ÐH\$WH H33T:t)HˋbH7:H;s3HH\$0@H _ÐH\$WH H>33T:t)HˋH7:H;s3HH\$0@H _ÐH HH HHH;t$ H H ^HHCHH [ÐHH;t *ÐH\$WH HuHHHf>\!>>\dT p!%%4@[@!@[@ 0H  PH  0  P d4 p Pd 4Rpd 4Rp؈d 4Rp dT42p+@0`d 4  p  202`!t0gPg܃!4Pgbg!Pgbg!0gPg܃ R0h" "4 p `P  t 2!  d4 qtq\!d qtq\!d qtq\42pd T42p4 Rp!d0tHtȄ!d0tHtȄ!0tHtȄ4 rp8  d 2p!40vOv !0vOv %dQ4PL PT`!4yyt!yyt!4yyt! t4yyt!t4yyt"0X.d.p.+t,,,-" 11.../m/x//////0:0K0t02@24(2X"pxGC/CBCDD Ġ( Gh"h(JJ0GGGUGGNIYIdIK|(Kh" VTVVV" WWFWPW"HP `XWX X" h$h4hDhThggggghh" Hnhhhm"`h u8uxuuuu2-+] f.?AVCStringError@CString@ShimLib@@}}}}}}}}}}pp0 ,`Tp m̀LLbd  ghbd7899@ 9@ h 9h !9!%,&@'@@'(P(4)4))d8*+l+..02M2222<4P44́4@5@56P677<7<78P<9999ԁ9T:T:r::*< =Q=$Q==8=>L>>\>X?pX?v?@[@[@$B$B?BCDЂ G0G0GoIK(K(KMP0NSLUtUUTVTVV0W|WHW8X`pXZPx[[[=]P]^x^_P0```9a`ablcćcddneăffԃ0gPg܃Pgbgbgggg gggh,hh$m<(nnohohooo