Analysis Date: 2015-01-31 12:58:27
MD5: 05a8a4930494231d597c814224c2bdfc
SHA1: 4d73b3c8b622b66607b854db92a84f3b78e59f7e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 318c70f6add35466abf06234987aa450 sha1: abd5c52816928836a714d9e096a96365e7d91f2f size: 253952
Section .rdata md5: 549ec042f0a0bfa176a9d6b855aaccdb sha1: 0ca30f7409e1263be13d46f8a520ce0b35b0b9ba size: 24576
Section .data md5: 9f12e9fa5479d5cf3e994bf9bf050afc sha1: 65fab446516379ca632629d44e08ecfa4463e290 size: 4096
Section .rsrc md5: b38e7a8ccd8a6733b81f9d325d969179 sha1: 868aabea430f98ed7486ea8eb16cb3ce2b082d67 size: 12288
Section .text md5: 7a322137e925627f2545eadcc3a1be8c sha1: 2c473ff6a61f3fd3d6a40fb41b730d1472fc3efb size: 8192
Timestamp: 2010-05-19 02:12:04
PEhash: 7652fcefcb1b94343125e3b646b208cd1ea42f8c
IMPhash: 2a40d236161d1e3bf1babc3ffff430ee
AV 360 Safe: Virus.Win32.Banito.Y
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Unruy-W [Trj]
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: BackDoor.Bandito.1851
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Trojan.Win32.Agent
AV K7: Trojan-Downloader ( 00132cab1 )
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Virus:Win32/Tufik.D
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.mdmp
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.hdmp
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\Program Files\NetMeeting\cb32.exe
Creates File: C:\Program Files\Internet Explorer\iedw.exe
Creates File: C:\Program Files\Outlook Express\wabmig.exe
Creates File: C:\Program Files\Outlook Express\wab.exe
Creates File: C:\Program Files\NetMeeting\wb32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Outlook Express\msimn.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\Messenger\msmsgs.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe
Creates File: C:\Program Files\NetMeeting\conf.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Outlook Express\setup50.exe
Creates File: C:\Program Files\Movie Maker\moviemk.exe
Creates File: C:\Program Files\Outlook Express\oemig50.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates Mutex: open
Winsock DNS: 8.5.1.46
Winsock URL: http://8.5.1.46/csrsa.exe

Network Details:

DNS: 85773.com
Type: A
8.5.1.46
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.46:80

Raw Pcap
0x00000000 (00000)   47455420 2f637372 73612e65 78652048   GET /csrsa.exe H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20382e35 2e312e34 360d0a43   ost: 8.5.1.46..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a                  Alive....

Strings
B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:
B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:
B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:B:.
................. !"#$89'()*+,-../01234567
|
..
...
@
`@
XX.XXX.

!1Aa
#+3;CScs
"+^ +]
								
??1type_info@@UAE@XZ
	4uA8T
7jsj%j\js
9O$tKSV
~(9~$u
_acmdln
_adjust_fdiv
A[Richo
.?AVtype_info@@
buffer error
_controlfp
CreateDirectoryW
C,u	^]
__CxxFrameHandler
_CxxThrowException
D$0jBP
D$0jmP
D$0jsP
D$0jwP
D$0UjrjuSjpjajCUSjaUjrjCjpja
D$4_^][
D$4jcP
D$4j_P
D$4jsP
D$(8D*
D$8jDP
D$8jIP
D$8jlU
D$8jmji
D$8jrP
D$8jRP
D$8jsP
D$8jSP
D$8jWP
@.data
data error
D$DjcP
D$DjCP
D$DjDP
D$DjFP
D$djGP
D$DjgP
D$DjGP
D$djMP
D$DjOP
D$DjRP
D$djWP
 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly 
DeleteFileW
D$HjCP
D$HjDP
D$hjEP
D$HjFjH
D$hjGP
D$HjGP
D$hjLP
D$HjPP
D$HjSP
D$(jajNUjljijFUjljujdjojMSU
D$(jAjS
D$(jbP
D$`jCP
D$<jCP
D$@jCP
D$`jEP
D$<jFP
D$`jGP
D$<jGP
D$|jGP
D$@jGP
D$\jGP
D$,jhP
D$|jIP
D$,jnP
D$@jOP
D$$jpP
D$`jPP
D$$jrjp
D$(jrP
D$@jRP
D$,jsP
D$(jsP
D$`jSP
D$,jSP
D$<jWP
D$@jWP
D$ljAP
D$ljDP
D$LjDP
D$LjEP
D$LjFP
D$ljGP
D$LjgP
D$LjGP
D$ljLP
D$LjRP
D$LjSP
__dllonexit
D$pjCP
D$PjCP
D$PjFP
D$PjGP
D$PjPP
D$PjSP
D$PjwjojdjnjijWSU
D$pjWP
D$$SUV
D$tjcP
D$TjDP
D$TjGP
D$TjTP
D$TjWP
D$(]UjNj2j3jsjsUjcjojrjPP
DVhQPj
D$xjcP
D$xjCP
D$XjCP
D$xjGP
D$XjGP
D$Xjijd
D$XjOP
D$XjRP
D$XjSP
D$XjTP
D$ XPjljaPSPjnPjnjUjo
ewh/?y
_except_handler3
F 9F$uR3
Fdf+Fh
(f@f;F
file error
FindClose
FindNextFileA
Fxf9F|u
GetComputerNameW
GetCurrentDirectoryA
__getmainargs
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetWindowTextA
G|jija
G`jnji
G@jojl
G(jpju
G jPSjnUjrjrjujCSU
Gljija
GPjAjhSjajPjpjmUjTSU
Gtjijr
G\UjsjojljCjdjnji
H*0"ZOW
header crc mismatch
HtRHtDHHt
HtyHtZHt;Ht
IiGM>nw
incompatible version
incorrect data check
incorrect header check
incorrect length check
 inflate 1.2.2 Copyright 1995-2004 Mark Adler 
_initterm
insufficient memory
invalid bit length repeat
invalid block type
invalid code lengths set
invalid distance code
invalid distances set
invalid distance too far back
invalid literal/length code
invalid literal/lengths set
invalid stored block lengths
invalid window size
jAjCjDUSja
jajcjiSjijrjCUjvjaU
jAjgjnjojLjwjojdjnjijW
jAjnjojiSjajmjrjojfjnjIUjmjujljojV
jAjnjojiSjajrUjpjOUjlji
jAjnjojiSjpjijrjcjsUjDjrUjvjijrjDSUjG
jajnSjsjojhSU
jAjsjsUjcjojrjPUSja
jAjsUSjujbjijrSSjAUjljijF
jAjwjojdjn
jAjwjojdjnjijW
jAjxjEjyUjKjnUjpjOjg
jAjxjEUjm
jAjyjrjoSjcUjrjijDjmUSjsjyjS
jAjyjrjoSjcUjrjijDjsjwjojdjnjijW
jAjyjrjoSjcUjrjijDUSjaUjr
jAjyUjKjojfjnjIjyjrUjujQ
jASjnUjvjEjn
jASjnUjvjEUSja
jASjxUjTjwjojdjnjijW
jAUjgjajsjsUjM
jAUjgjajsjsUjMjd
jAUjgjajsjsUjMjdjaUjrjhjTS
jAUjgjajsjsUjMS
jAUjljijFSjsjrjijFjd
jAUjljijFSjxUjNjd
jAUjljijFUSja
jAUjljijFUSU
jAUjmjajNjh
jAUjmjajNjhSjajPSjrjojhjS
jAUjmjajNUjljijFUjljujdjojM
jAUjujljajVjmjujnjE
jAUjujljajVUjgUjljijv
jAUSjujcUjxjEjljl
jCjDUjljbjiSjajpjmjojCUSja
jCjDUSU
jcjojrjPjnUjp
jcjojsSU
jcjrjsjr
jdjaUjrjhjTUjdjojCSjijxjE
jdjaUjrjhjTUSja
jdjaUjrjhjTUSjajnjijm
jdjIjsjsUjcjojr
jdjIjsjsUjcjojrjPjdjaUjrjhjT
jdjijujGUSjaUjr
jDj.j2j3j_j2jS
jfSjnji
jijrjPjpjujkjojo
jijWjdjnji
j>jajrjejmjajC
j*j.j*j\js
j>jnjejejrjcjSjtjnji
jLjLjDj.j2j3
jLjLjDj.j2j3jEjL
jLjLjDj.j2j3jIjPjA
jLjLjDj.j2j3jLjEjNjRjE
jLjLjDj.j2j3jPjAjC
jLjLjDj.j2j3jR
jLjLjDj.jIjP
jLjLjDj.jMjM
jLjLjDj.jSjUjLjPjIjD
jLjLjDj.jTjRjCjV
jlSjcjojI
jmjojrjfjv
jnjoji
jnjojiSjcUjSjl
jnjojiSjcUjSjljajcjiSjijrjCjrU
jnjojiSjcUjSjljajcjiSjijrjCUSU
jnjSj2j3jpjlUjhjljojojTUSjaUjr
jnjwjojdS
jnjwjojdSjujhjSjsjujljp
jnUjkjojTjsjsUjcjojrjPjn
jojpjmjojCjpjojtjkjs
jojpjsjijDjpjijd
joSjdjnU
jpjajmSjijBUjljbjiSjajpjmjojCUSjaUjr
jpjmjbj.j}j6YQj1QjBj1j7Qj2j9j2j3jDj-XPjEjAj7jAPj4j8jfj4PjEjBjCj1PQj5jFj4j2j7jFjE
jpjmjbj.j}jAj5jCXPPj6j2j6j9Pj2j4ZRPj-YQj1j5j8j9Qj8jej7RQjFRj2j0QRjDj8j7jAPjBjF
jpjmjc
jpjujnjaUjljC
jpjuSjrjaSjS
jrjajhjCUjdjijWjojTUSjyjBjiS
jrjhjc
jrjhjcjrjr
jrjojrjrjESjsjajL
jrjojrjrjESjsjajLSUjG
jrjpjujr
jrjwjljr
jrUSjnjijojPUjljijF
jsjcjijrSUjMjmUSjsjyjS
jsj%j\js
jsj%js
jsjrUjdjojcjnjEUjgjajmjISUjGjp
jsjsUjcjojrjPSjnUjrjrjujC
jsjsUjcjojrjPUjdjojCSjijxjE
jsjsUjcjojrjPUSjajnjijm
jsjuSjaSjSjnjojiSUjljpjmjojCjdUjuUjujQ
jsjuSjaSjSjnjojiSUjljpjmjojCjdUjuUjujQS
jsSjcUjjjbjOUjljpjiSjljujMjrjojFS
jsSjijBjIjD
jsUjgUjljijvjijrjPjnUjkjojTSjsju
jsUjljujdjojMjsjsUjcjojrjPjm
jwjojdjnji
jwjojdjnjijW
jwjojdjnjijWjpjoSjkjsUjD
jwjojdjnjijWjyjojrS
jxjEjsjwjojdjnjijWS
jyjpjc
jyjTUjvjijrjDSU
jyUjKUjsjojljCjgU
KERNEL32.dll
l!;b	F
L\Hf9t\H
[-&LMb#{'
LoadLibraryA
L$\t8;
malloc
memcpy
MessageBoxA
MFC42.DLL
mj>zjZ
MSVCRT.dll
need dictionary
Npf+F\
ntvLoadLibraryA
_onexit
OpenEventA
OpenEventW
OpenFileMappingA
OpenMutexA
OpenSemaphoreW
OpenThread
OZw3(?
__p__commode
PDSj}j2j2j5XPj6jEj9j8j1j0jAjCZRjFj-YQj4j3j0jAQj1jaPj4QPRj9RQRjBj3j9j3jBPP
__p__fmode
PhSj}j4
PTSjs_
PTSjsj%js
PTWjsj%js
PulseEvent
_purecall
PVh0]C
PVVVVh
Qj6QjFjCj0jEjFj1jCj1j-XPj8jFj3jBPjdj0j4j4Pj7j7j1QPjBj3Qj3jDj8jBjA
Qkkbal
QQ.exe
`.rdata
ReadFile
Recycler
ReleaseSemaphore
RemoveDirectoryA
ResumeThread
S$_^]3
__set_app_type
SetComputerNameA
SetConsoleTitleA
SetCurrentDirectoryA
SetEndOfFile
SetEnvironmentVariableA
SetEvent
SetFileAttributesW
SetFilePointer
SetHandleCount
__setusermatherr
SetWindowTextA
shell32
SjajPjgjnjojLSU
SjcUjjjbjOSjcU
SjcUjjjbjOUjljgjnjijSjrjojFS
SjcUjjjbjOUSU
SjcUjn
SjejgjejljijvjijrjPjnjwjojdjtjujhjSjejSP
Sjejxjej.WWjmWP
Sje^VjxVWjsj%P
SjfWjijhjtjtW
Sj}j2j5j2j8jEj6jEjFj1j5j7jBj-_WjFXPjCj9jBWj6jbj5j4WjDj0j9jEWj5PPPjEj7j8j7
Sj}j9j9j1j7j8j3XPj2Pj6j2jFj2Wj6j1jCj9WPjej1j4WPj4j0jFWjDjFj0j4Pj7PjA
Sj\j:jc
SjkjajbWjsj%P
Sjljljdj.jvjnjiWjyWP
SjnjujojCjkjcjijT
SjnUjvjE
SjnUjvjEjljljijKU
SjnUjvjESU
SjnUjvjESUjSU
SjnVjp
Sjojhjsjpja
Sjojijdjujtjsj jljajujsji
Sjpjmjtj.j}j3j1j9j5jDj1j8jBj0XPjEjFjFj-YQjBj6ZRj3j9QjfRj2j4QRPjDj9QRPPPj3PPj5
Sjpjmjtj.j}j3j1j9j5jDj1j8jBj0YQjEjFjFj-XPjBj6ZRj3j9PjfRj2j4PRQjDj9PRQQQj3QQj5
Sjpjmjtj.j}jEj2j7j9jA^Vj7j2Vj4XPj8j1jFj-ZRjFj9PVRjdj8jaPRj1j5jBYQPRQQQj6VPj9jC
Sjpjmjtj.j}jEj2j7j9jAZRj7j2Rj4YQj8j1jFj-XPjFj9QRPjdj8jaQPj1j5jBQPjBjBjBj6RQj9jC
SjpjmVjtWjsj%P
SjrjaSjSjsjujljpjijd
SjrWjdjnjijbWjx
SjsjrjijFj2j3jsjsUjc
Sjtjajdj.j}jCXPj2YQj7QPQjEPj1jDj5j1Vj0j1PjAVjejdjcWVj8WjEjEVjAj9jFPWQjFjF
Sjtjajdj.j}jCXPj2YQj7QPQjEPj1jDj5j1Wj0j1PjAWjejdjcj4Wj8j4jEjEWjAj9jFPj4QjFjF
Sjtjajdj.j}jFjFj0ZRjBjBj3j4YQjCjBj6j3j5j-XPj1j8Rj9PRjcj5QPjAj8j6jCPj9Qj3jDj1QRjA
SjujbjijrSSjAUjljijFSU
SjxjojfWjrjijf
SleepEx
stream end
stream error
SUjkjcjojsUjs
SUjsjr
SuspendThread
SVj0j6j3
SVjgjnjajwjgjnjajwjijlja
SVjgjnjijsjijr
SVjpjijzjnjijw
SVjrjajrjnjijw
SVjrjojtjcjojdjqjq
SVjrWjdjnjujhjt
SVjrWjgjnWjsjsWjmVWjvjijlj jsjwjojdjnjijw
SVjrWjrjojljpjxWj jtWjnjrWjtjnji
SVjrWjvjrWjsj jljqjsj jtjfjojsjojrjcjijm
SVjsjsWjrjpjxWj jkjojojljtjujo
SVjsjwjojdjnjijwV
SVWjcjijfjfjoj jtjfjojsjojrjcjijm
SVWjmjajgVjkjnjijljljajbjojljg
SVWVj\js
SWjxWj.jmjijijlja
SystemTimeToFileTime
;T$0sP;t$4sJ
.text 
@.text 
!This program cannot be run in DOS mode.
tJHt'H
TlsAlloc
too many length or distance symbols
toupper
ts9_ tn9_$ti
UjgjajmjIUjs
UjjjbjOSU
UjljdjnjajHUjs
UjljdjnjajHUSjajcjijl
UjljijFjd
UjljijFjmjojrjFUjgjajmjIjdjajojLjp
UjljijFjojTUjgjajmjIUjvjajSjp
UjljijFUS
Ujmjajnjk
UjmjajnjyjbSjsjojh
UjpjijPUSja
UjzjijljajiSjijn
UjzjijSjsjrUjdjojcjnjEUjgjajmjISUjGjp
UjzjijSUjljijF
unknown compression method
unknown header flags set
URLDownloadToFileA
Urlmon
user32
USER32.dll
vCloseHandle
vCreateFileA
vCreateFileMappingA
vCreateMutexA
vCreateThread
vFindClose
vFindFirstFileA
vFindNextFileA
vGetDriveTypeA
vGetFileSize
vGetLastError
vGetLocalTime
vGetLogicalDriveStringsA
vGetTempPathA
vGlobalAlloc
vGlobalFree
VjnjojcjIj jyjajrjTj jCjNjVjnji
VjpjmWjtVP
vlstrcatA
vlstrcmpA
vlstrcpyA
vlstrlenA
vMapViewOfFile
vSetEndOfFile
vSetFilePointer
vShellExecuteA
vshlwapi
vSleep
vStrStrIA
vUnmapViewOfFile
vWriteFile
VWSjnjejp
V_:X1:
W(9W$u
wgethostbyname
WINDOW
winet_ntoa
Wjejxjej.
Wjgjejpjjj/jejgjajm
Wj}j2j9Y
Wj*j.j*j\js
Wj*j.j*j\jsj%P
Wj.j.P
Wj>jtjnjejn
WjnjejpjoP
Wjsj%j\js
Wjtjajdj.j}jFjFj0ZRjBjBj3j4YQjCjBj6j3j5j-XPj1j8Rj9PRjcj5QPjAj8j6jCPj9Qj3jDj1QRjA
Wj%Wj%P
w+OQvr
WriteFileEx
wRtlMoveMemory
|$ WUSV
WVhb$C
WVj\js
WVjYjAjLjPjSjI
wWs2_32
wWSAStartup
_XcptFilter
XPjPjnPjiSUjljpjmPjCPjIUSjaUjr
XPPjDj.j2j3PPjEjH
XPSjcUjSjljajcPSPjrjCUjzPjljaPSPjn
YQj3XPj6j1jCj8j5jDj9j6jBj7WjFjFjBjAWjfj6QQWj2j8Qj9WjAPjFPPjDPj8
YSj}j4_Wj3XPj6j1jCj8j5jDj9j6jBj7j-^VjFjFjBjAVjfj6WWVj2j8Wj9VjAPjFPPjDPj8
YSj}j9j9j1j7j8j3XPj2Pj6j2jFj2j-YQj6j1jCj9QPjej1j4QPj4j0jFQjDjFj0j4Pj7PjA
YSjpjojtjkjsje
YSjsj%j\jsj%P
YSSSSS
)\ZEo^m/