Analysis Date: 2014-10-10 10:20:42
MD5: 01bc615b8fbc9327b7714084eb137011
SHA1: 19daa6e4fddfc3cec0f66ca4fa7ea66b22cd4d9b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 723b7e90835b200684486c0f666c84b9 sha1: 06704fccc4d60660bb4ba2b2083126aed6328e59 size: 32428
Section .bss: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .data: md5: 5c78d317cfcc4a24c3b7e884ca6e8f74 sha1: 28c187aca0e561eefbf9f300db6bddb5dea6afc6 size: 12752
Section .idata: md5: 708cff90e55fcc1f43ce49fc7ad6f7f4 sha1: 89a85982966309a3b25c380e28dc1c55f1060eed size: 3748
Section .aciof: md5: 756830eb98c539578cbc49cda02b803f sha1: 275ceffa871a3fc59abe27c7aee6f85c24b1fb7f size: 512
Timestamp: 2024-04-18 19:06:08
Packer: AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER
PEhash: 88def7a9528d308081c9e8220e735b0afc65fba9
IMPhash: a64e048b98d051ae6e6b6334f77c95d3
AV 360 Safe: GenPack:Generic.Malware.SYd!g.49851E96
AV Ad-Aware: GenPack:Generic.Malware.SYd!g.49851E96
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Berbew.F
AV Avira (antivir): TR/Crypt.XDR.Gen
AV CA (E-Trust Ino): Win32/Webber.W
AV CAT (quickheal): Worm.Dorkbot.A
AV ClamAV: Trojan.Crypted-32
AV Dr. Web: BackDoor.HangUp.51712
AV Emsisoft: GenPack:Generic.Malware.SYd!g.49851E96
AV Eset (nod32): Win32/Spy.Qukart.K
AV Fortinet: W32/Qukart.A!tr.bdr
AV Frisk (f-prot): W32/Berbew.F
AV F-Secure: GenPack:Generic.Malware.SYd!g.49851E96
AV Grisoft (avg): I-Worm/Nuwar.N
AV Ikarus: Trojan-Spy.Win32.Qukart
AV K7: Backdoor ( 04c515c41 )
AV Kaspersky: Trojan.Win32.Generic:Trojan-Proxy.Win32.Qukart.gen
AV MalwareBytes: Backdoor.Agent.RDKGen
AV Mcafee: BackDoor-AXJ.gen
AV Microsoft Security Essentials: Backdoor:Win32/Berbew.DR
AV MicroWorld (escan): GenPack:Generic.Malware.SYd!g.49851E96
AV Norman: win32:winpe/Berbew.VS
AV Rising: no_virus
AV Sophos: Troj/Padodor-I
AV Symantec: Backdoor.Berbew.F
AV Trend Micro: BKDR_BERBEW.F
AV VirusBlokAda (vba32): TrojanSpy.Qukart
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger ➝ {79FEACFF-FFCE-815E-A900-316290B5B738}
Registry: HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ ➝ C:\WINDOWS\system32\Hcegpgah.dll
Creates File: C:\WINDOWS\system32\Hcegpgah.dll
Creates File: C:\WINDOWS\system32\Beqdbg32.exe
Creates Process: C:\WINDOWS\system32\Beqdbg32.exe

Process
↳ C:\WINDOWS\system32\Beqdbg32.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hdabpoja.htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\surf.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ipoieojn.htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ehgheeeh.htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ehgheeeh.htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\ipoieojn.htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\hdabpoja.htm
Creates Process: C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\hdabpoja.htm
Creates Process: C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\ipoieojn.htm
Creates Process: C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\ehgheeeh.htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: KingKarton_10

Process
↳ C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\hdabpoja.htm

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\ipoieojn.htm

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Local Settings\Temp\ehgheeeh.htm

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:



Strings