Analysis Date: 2014-04-23 10:00:41
MD5: b455787e6bf09d1bf11e2e4f94c46b29
SHA1: 8c5e88be15c9f9c91ce73d7910220e3358dd8db6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 98159414d6bc744ebddaec70f3a241f9 sha1: 353d3c0f23cfff16bdea77c412211208c0bf343a size: 29696
Section: .rdata md5: 9f55b81f2f28451f22299414e622eb07 sha1: c6d08ade33152051b8b00ae202f349fc45370f23 size: 9216
Section: .data md5: b9f049577e45b8651c724c0d59b0c202 sha1: 9bdb69d895833948c4fe057a00582f3d66dd56ef size: 125952
Section: .rsrc md5: 5d38df2e6b01a923a929ab25999de41d sha1: 478a3d639590de85643afc076240762ad552a689 size: 4096
Timestamp: 2011-03-06 13:04:16
Version (strings self-declared in the file's version resource, not verified; the AV results below flag this sample as malicious):
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: fltMC.exe
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Filter Manager Control Program
Packer: Microsoft Visual C++ 7.0
PEhash: 7641aa298e7661dfd73a1c3e56d5dfe9e941b150
IMPhash: fd8323f7a735409a460b6babc736ccc2
AV mcafee: PWS-Zbot.gen.cy
AV avg: PSW.Generic8.BATA
AV clamav: Worm.Palevo-22464

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
(The dropped executable is appended to the Winlogon Userinit value, so it is started at logon; the copy written to the Startup folder below is a second autostart location.)
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69C0A1D45}
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\ACE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\AiodLite.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Acrofx32.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699961D45}
Creates Mutex: {37FFF8CE-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex{37FFFC62-FE56-017C-F492-53D6995A1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69D361D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D699F61D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D6968E1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D697E21D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69A261D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D697921D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D699D21D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D698F61D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D695AA1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69A1A1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69CE61D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69A721D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D6999E1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69AC21D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D699961D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D6981A1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69A5E1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D696E21D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D69C0A1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D697CA1D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D698C61D45}
Creates Mutex{37FFFC62-FE56-017C-F492-53D6980E1D45}

Process
↳ Pid 492

Process
↳ \??\C:\WINDOWS\system32\csrss.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D697CA1D45}

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Creates Mutex{37FFF72F-FE56-017C-F492-53D697E21D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\services.exe

Creates Filepipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates Mutex{37FFF72F-FE56-017C-F492-53D6980E1D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\lsass.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D6981A1D45}
Winsock DNS: 192.168.1.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D698C61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D698F61D45}

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex{37FFF72F-FE56-017C-F492-53D699F61D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D69A5E1D45}

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice
Creates File: PIPE\lsarpc
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69AC21D45}

Process
↳ C:\WINDOWS\System32\alg.exe

Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D69CE61D45}

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex{37FFF72F-FE56-017C-F492-53D696E21D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex{37FFF72F-FE56-017C-F492-53D6995A1D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex{37FFF72F-FE56-017C-F492-53D69A1A1D45}
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\System32\rundll32.exe

Creates FilePIPE\lsarpc
Creates Mutex{37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D69D361D45}

Network Details:

DNS: google.com
Type: A
62.253.3.113
DNS: google.com
Type: A
62.253.3.123
DNS: google.com
Type: A
62.253.3.84
DNS: google.com
Type: A
62.253.3.94
DNS: google.com
Type: A
62.253.3.118
DNS: google.com
Type: A
62.253.3.104
DNS: google.com
Type: A
62.253.3.108
DNS: google.com
Type: A
62.253.3.98
DNS: google.com
Type: A
62.253.3.89
DNS: google.com
Type: A
62.253.3.114
DNS: google.com
Type: A
62.253.3.119
DNS: google.com
Type: A
62.253.3.109
DNS: google.com
Type: A
62.253.3.88
DNS: google.com
Type: A
62.253.3.93
DNS: google.com
Type: A
62.253.3.99
DNS: google.com
Type: A
62.253.3.103
DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: bing.com
Type: A
204.79.197.200
DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
Flows TCP: 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1034 ➝ 62.253.3.113:80
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 204.79.197.200:80
Flows TCP: 192.168.1.1:1037 ➝ 109.74.196.143:443


Strings
\
.
 
E
...
..
%8
.. .
..__
.
..5
.'
44
040904b0
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-2111)
[[5jQ
FileDescription
FileVersion
Filter Manager Control Program
Find
Find Next
Find What:
fltMC.exe
g(pB*(G
                                 H
         (((((                  H
         h((((                  H
I*/G
InternalName
LegalCopyright
Microsoft
 Microsoft Corporation. All rights reserved.
	o82
 Operating System
ProductName
ProductVersion
>	~S
StringFileInfo
t3@4
Translation
U8OU
VarFileInfo
VS_VERSION_INFO
 Windows
0K}PG1>
"&0 LD
0+=p$p]Q
0q0"q8g%
12212113192128122571131118127122172122221313228342362124171132222138621722469212119356321112912281122221442133191227742112111322212211122231135272113621528141162267218941123272823213233321112612284521811191612133111211799233171121212211212722898111912251952193132222342132221172628119211721123528251113212121462113851222813722241712161153211533221613211151235433381113322232111211127322322122157223331738221216123182932123222122221811278221211633121121142113121112212112312173123172418254112211411212228281118222212725922127128122445178121275281922257673222262142213222212522511371281342232119132631142422363121234232291111373311111222311222333132281115213221121415251327112123813122312127222292725712823111191422782349212112328116123123371112123221865211711223211121321423521329929173119122272112122152322722525421229281521121627111151743312218212221778111191122511322212292213221328312291132116163232321321111811111121151252183522235142265351156113613341121262227112222131216124212213834312211212213112113364132272122122546421415327529227121281291123121152217135127111531122122722522272112113312333342321712121312318121711257321212112115514231622517212786222113713218221112115111112981231328211122161321113231113112211831133111283832111412412213833382111529222512332122232137111422365214422112271132225282912732222121218312335216522111321224871222111712181114211322625212184322631382131822132918351311133122117121522311119111272217173525811112212236281322188222732312352172311121217132112212141326221131323151713212291122211122189723121421922921172131122211525222112323142293281157232123226221211429745231232118823223131312146231532222321223459261111311112924251313182226313111916192212312319241112265253672212117133326111232182683229121711392123382821191221885111111113129215224211221322193938132215112612141225322226223211122279122821382337361821311212121141126121272493582112132899611212613123292219251172229232371338133582121119132157711222714111221811112212112181221112231252381221374272126221
112123121881112121521211229179224217214132122222573112211111112228312222216212922312152111219111122871234246124992142212215123117352218332153411112221226311119282182221112218122124112122312351722521522911272212311521112923111125224128711211U
\^13W-Y
1frtRr
1$!P;%b
1thN.]
_}1X(F
%2E)%e
2(@"G&
2TC'ae7
^39%2R
,[3u2v
&;4eVN
=4^=JG
}4PYw(
5"6epw
5-F7y&k(
5MR:W$
5TG_A~?
=~5x6a
6*5xKJ
/||6~E
~6/Qly
"{ 6ry
6v6R+(
6[`,vt
6x1&NV%
6>Zt;2;
:&/	7\
72K.	v
7`D5tz
]7j&,6
7o;#P 
7"uB'3G
7U\ulm
8MTjP>'#
A buffer overrun has been detected which has corrupted the program's
AddFontResourceW
ADVAPI32.dll
a~fK"h
A&)Kqz
,anc/2+
A_o_0"
A security error of unknown cause has been detected which has
"b,7Ve
\b\bOU,p%
BeginDeferWindowPos
Bf\oe165
Bf#o+R_
'Bh_=zH
B>iTh(
Bl7QZ=
BQ](C[
\bTrz?
Buffer overrun detected!
bX#DR|J
BYW<<y
B@zg! 
CallWindowProcW
C@BdkT
CheckMenuItem
ChooseColorA
ChooseColorW
ChooseFontA
ChooseFontW
CK%iE	
Cl:4.I
ClientToScreen
CloseHandle
comdlg32.dll
CompareStringW
continue execution and must now be terminated.
CorExitProcess
corrupted the program's internal state.  The program cannot safely
CreateAcceleratorTableW
CreateBitmap
CreateCompatibleBitmap
CreateCompatibleDC
CreateCursor
CreateDialogIndirectParamW
CreateFileW
CreateFontIndirectW
CreateFontW
CreateHatchBrush
CreateMenu
CreateMutexW
CreatePatternBrush
CreatePen
CreateSolidBrush
CreateWindowExW
Cs5^T~
>=D|&-,
 dah/|
@.data
DeferWindowPos
DefWindowProcW
DeleteDC
DestroyAcceleratorTable
DestroyCaret
DispatchMessageW
DOMAIN error
DPtoLP
DragDetect
DrawEdge
DrawTextExW
_:{DU0xv^
/dUs`O96
E2*|n2l
E4ci)(
E5Cv#rTh
E7EN'@
#EApTm5:
e`:Ctt
e)lbls
^e^L(h
;`e[mP
EmptyClipboard
  eMv#
EnableMenuItem
EndDialog
EndDoc
EndPage
EnumFontFamiliesExW
EtR\3}
ExitProcess
ExtTextOutW
e"<>|zx
`F82@!
F9U?1cm
f|?deK'
FillRect
FindClose
FindFirstFileW
FindResourceW
FindTextA
FindTextW
- floating point not loaded
FlushFileBuffers
fN(=_{
FrameRect
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
"F(UC 
fW08pXg02vG 6
f<#XGs-
$F/zqj
GDI32.dll
``GDwx%
GetACP
GetActiveWindow
GetClassNameW
GetCommandLineA
GetConsoleCP
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeProcess
GetFileAttributesW
GetFileTitleA
GetFileTitleW
GetFileType
GetFocus
GetKeyboardState
GetKeyState
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetLongPathNameW
GetMenu
GetMenuState
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetOpenFileNameA
GetOpenFileNameW
GetParent
GetPixel
GetProcAddress
GetProcessWindowStation
GetROP2
GetSaveFileNameA
GetSaveFileNameW
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemMetrics
GetSystemTimeAsFileTime
GetTextExtentPoint32W
GetTextExtentPointW
GetTextMetricsW
GetTickCount
GetTimeFormatA
GetTimeFormatW
GetTimeZoneInformation
GetUserObjectInformationA
GetVersionExA
GetWindowLongW
Ge	yQ%
G G"x!
GLayQ$
GlobalFree
GlobalSize
GlobalUnlock
gTW<0B
gXsbWp
h_%a1j
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
Hm93Jm
H	 _Ra>
ht:^c)?
hux>4-Sw
-	H_.]x
H{Y{=^
:&H}$z
	h,Z5C
i(E-3_
InitializeCriticalSection
inNoET
InterlockedCompareExchange
InterlockedExchange
InterlockedIncrement
internal state.  The program cannot safely continue execution and must
IsBadWritePtr
IsClipboardFormatAvailable
IsWindow
IsWindowVisible
IsZoomed
+i"tlO
jcs ?x
)J>@%D
j$ Fmt
JiP#pq
J!(p&E
~[J]!q
=jQ!$A1
-J~``[V
;\K1H`
(K"7R<
(;}kc7'
KERNEL32.dll
Kj#3c`
kJ>D~%
Kqi@J~
kSL1qDQ
kub7!B
>ku<?w.
Kv.L~1
kXj1[rG
LCMapStringA
LCMapStringW
lg^5 6
Lj'ZWVt
+lL:H+
LoadImageW
LoadLibraryA
LoadStringW
LocalAlloc
LockResource
l~S[*0
lstrcpynW
lstrcpyW
LUw 5<
L_V]uo
mByhf\
&mc!hZ
MessageBeep
MessageBoxA
MfFvDN
Microsoft Visual C++ Runtime Library
	#mJ`S_
_],mMT!
ModifyMenuW
MonitorFromWindow
mouse_event
MoveToEx
MoveWindow
mscoree.dll
MultiByteToWideChar
mVu+Hh
Nia5eC~
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
now be terminated.
n+R)Ob'
NTO}]Dl?
NV E#9
=nW|ZW
$>n$zZ
/=*o! ?
:O~4$1
.	o.6v
;{	o7\~
"\OB-T
OffsetWindowOrgEx
oI;cFOj
OL":][
oLf${}
oM;=(/
OpenClipboard
.OU.d]
!^%Ox<
:p"?=<
P1jI=-
p2PdJ?4p
)p:5"*
PageSetupDlgA
PageSetupDlgW
PatBlt
pAW!9+
PeekMessageW
Please contact the application's support team for more information.
PostMessageW
PrintDlgA
PrintDlgW
Program: 
<program name unknown>
[pSD[N
PtInRect
- pure virtual function call
#"q}|;
QAL9WFj
Q*Aq=Q
QN@/S?
QQSVW3
{qSz^EAP
QueryPerformanceCounter
QYzs&<Z
R%2e[w3n
&r*-+c
`.rdata
ReadFile
r`eAFb&
Rectangle
RedrawWindow
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegDeleteValueA
RegDeleteValueW
RegEnumKeyExA
RegEnumKeyExW
RegFlushKey
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
RegSetValueExW
ReleaseCapture
ReleaseDC
RemoveFontResourceW
ReplaceTextA
ReplaceTextW
RestoreDC
ResumeThread
r)~HF}
$$Rk8N
>RL0Vp
r_MIh0
@%,r*|o6S
RqV-E<`
RtlUnwind
?:RU;&
runtime error 
Runtime Error!
@,RW@`9
=r@)wX
SA?K/TA
SaveDC
ScrollWindow
SelectObject
>seNe4^[
SetBkColor
SetBkMode
SetBrushOrgEx
SetCapture
SetCaretPos
SetEnvironmentVariableA
SetFilePointer
SetForegroundWindow
SetHandleCount
SetMenuItemInfoW
SetParent
SetROP2
SetStdHandle
SetTextColor
SetWindowOrgEx
SetWindowPlacement
SetWindowsHookExW
SetWindowTextW
sfWDCc
ShowCaret
ShowWindow
SING error
/SK/~8
SM3XQb
sQ$Uvtu
StartDocW
StartPage
t2WWVPVSW
Tc62b$!R6a
TdND=]
TerminateProcess
TerminateThread
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
tIr4Xj<	
TKRNqp
TLOSS error
TlsAlloc
TlsFree
TranslateMessage
t!SS9]
t#SSUP
t.;t$$t(
t$<"u	3
t$$VSS
(U%ayf
uC]gf7
U c_LD
u,hAH@
u	Lrh 
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown security failure detected!
UpdateWindow
u(Qr`.
user32.dll
USER32.dll
U'_<w 
uw*<vt
v!5XbRC`A
VB3~	)
VC20XC00U
v'DpB14a
V.dvE]
~VI}}7
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualQuery
vK6ZHU
VlvP~?Fp
>v~p]+
V&pR@2
!^vP~S<+
vrV;0j5
v$UjoSQ
VWumhh
v_x1bSv
wH?yd*
WideCharToMultiByte
Wk^hA%i
WriteConsoleA
WriteFile
wsprintfW
#wtCK^d
W^u.Q~B
wW)G:3
WWWWVSW
;<wx8V
X1}#}/#
X$AL _
:x c |
xl)%`.l
\XPA9W7
#XR]dg
XsPVetse
Xt0z`a
%x_([u
X<u<Z>
y2KhDwzX
Y5Sp6?
y7\`'R
YT~i8M
#;YUh^Aj
:|}$ywdR'x
Y*wz=V
_^][YY
 Z8}Gs
zA}?^ 'Tw@
ZbDQHb
Zl!5}y
Z;[LdP
ZqFlOD
Z-(>sX
zW:V^Fv
z"*xf5