Analysis Date: 2014-08-02 07:54:25
MD5: 6d5233121a000e645f78dcf9cafb8630
SHA1: a65283d99f463cc07615147e2d2b3e2d9dfd1505

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: 13f691841c7203701464a033e4622b28782f4dfb
IMPhash: 74988f909711d4e13d99475604887831
AV 360 Safe: Trojan.GenericKD.1738141
AV Ad-Aware: Trojan.GenericKD.1738141
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.ABSF-5428
AV Avira (antivir): TR/Dldr.Zurgop.BK.6
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanPWS.Crypt.r4
AV ClamAV: Win.Trojan.Inject-10347
AV Dr. Web: BackDoor.Tishop.122
AV Emsisoft: Trojan.GenericKD.1738141
AV Eset (nod32): Win32/TrojanDownloader.Zurgop.BK
AV Fortinet: W32/Zurgop.BK!tr
AV Frisk (f-prot): W32/Trojan3.JAO (exact)
AV F-Secure: Trojan.GenericKD.1738141
AV Grisoft (avg): FileCryptor.CB
AV Ikarus: Trojan.Win32.Sharik
AV K7: Trojan-Downloader ( 004973061 )
AV Kaspersky: Trojan.Win32.Sharik.tan
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: RDN/Downloader.a!rs
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1738141
AV Norman: winpe/Inject.EWOQ
AV Rising: 0x56f5cca4
AV Sophos: Troj/Agent-AHSI
AV Symantec: Trojan.Smoaler
AV Trend Micro: TROJ_INJECT.YYNO
AV VirusBlokAda (vba32): Trojan.Sharik

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

DNS: us.co1.cb3.glbdns2.microsoft.com
Type: A
131.253.40.1
DNS: www.go.microsoft.akadns.net
Type: A
134.170.184.137
DNS: www.wip4.adobe.com
Type: A
192.150.16.64
DNS: lb1.www.ms.akadns.net
Type: A
65.55.57.27
DNS: www.go.microsoft.akadns.net
Type: A
64.4.11.25
DNS: www.msn.com
Type: A
DNS: go.microsoft.com
Type: A
DNS: www.adobe.com
Type: A
DNS: www.microsoft.com
Type: A
HTTP GET: http://www.msn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 131.253.40.1:80
Flows TCP: 192.168.1.1:1032 ➝ 134.170.184.137:80
Flows TCP: 192.168.1.1:1033 ➝ 192.150.16.64:80
Flows TCP: 192.168.1.1:1034 ➝ 192.150.16.64:80
Flows TCP: 192.168.1.1:1035 ➝ 65.55.57.27:80
Flows TCP: 192.168.1.1:1036 ➝ 64.4.11.25:80
Flows TCP: 192.168.1.1:1037 ➝ 64.4.11.25:80
Flows TCP: 192.168.1.1:1038 ➝ 64.4.11.25:80
Flows TCP: 192.168.1.1:1039 ➝ 64.4.11.25:80

Raw Pcap

Strings
040904B0
10, 5, 1
   2000
Aestan Software
CompanyName
FileDescription
FileVersion
Fofi Ifydeqi Uhonuwi
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
Qama Pak Leqi Helihe Heq Kyqiqeq Isowexi Fuqumod Fiqaq
Qtwkw.exe
StringFileInfo
Translation
Ubagil
VarFileInfo
VS_VERSION_INFO
AcceptSecurityContext
AcquireCredentialsHandleA
AddCredentialsW
AddIPAddress
AddPrinterW
AddSecurityPackageA
AdvancedDocumentPropertiesA
ADVANCEDSETUPDIALOG
ADVPACK.dll
AllocateAndGetIpAddrTableFromStack
An:3y;l$
BUker9
C0P0Wa
[;CI6z
CLIPFORMAT_UserUnmarshal
CloseEnhMetaFile
CloseMetaFile
CM_Create_Range_List
CM_Free_Log_Conf_Ex
CM_Get_Class_Key_Name_ExW
CM_Get_Class_NameA
CM_Get_Device_ID_List_ExW
CM_Get_Device_Interface_Alias_ExA
CM_Get_Hardware_Profile_Info_ExW
CM_Get_Next_Log_Conf_Ex
CM_Get_Sibling_Ex
CM_Request_Device_EjectW
CoCancelCall
CoCreateGuid
CoCreateInstance
CoFreeAllLibraries
CoGetCurrentProcess
CoIsHandlerConnected
CoQueryAuthenticationServices
CoQueryClientBlanket
CoReactivateObject
CoRegisterPSClsid
CreateEventW
CreateFileMappingW
CreateFontA
CreateFontIndirectExA
CreateGenericComposite
CreateILockBytesOnHGlobal
CreateIpForwardEntry
CreatePalette
CreateStdProgressIndicator
cRqCKbF
:CW;,Z
D8hEnek
`.data
DefDriverProc
DeleteFormA
DeleteIpForwardEntry
DeleteMonitorA
DeleteObject
DeletePrinterKeyA
DeletePrintProcessorW
DeviceCapabilitiesA
DeviceMode
D]jqxY_]
DoInfInstall
DPtoLP
DrvGetModuleHandle
DsAddressToSiteNamesW
DsAddSidHistoryA
DsBindW
DsBindWithCredW
DsCrackNamesW
DsCrackSpnA
DsEnumerateDomainTrustsW
DsFreeDomainControllerInfoA
DsFreePasswordCredentials
DsFreeSchemaGuidMapA
DsGetDcSiteCoverageA
DsGetSpnW
DsInheritSecurityIdentityW
DsListDomainsInSiteA
DsListDomainsInSiteW
DsListInfoForServerA
DsListInfoForServerW
DsListServersForDomainInSiteW
DsListServersInSiteW
DsListSitesA
DsListSitesW
DsMakePasswordCredentialsA
DsRemoveDsDomainA
DsRemoveDsServerA
DsReplicaDelA
DsReplicaModifyA
DsReplicaSyncA
DsReplicaUpdateRefsW
DsUnBindA
EndPath
EnumPrinterDataExW
EnumPrintersA
EnumPrintProcessorDatatypesW
ExtractFiles
F|&BvJ
 ]f=C[
FileSaveMarkNotExist
FileSaveRestoreOnINF
FindClosePrinterChangeNotification
FlashWindow
FlushPrinter
_F$o+n
FreeContextBuffer
GDI32.dll
GdiPlayJournal
GetAdapterIndex
GetArcDirection
GetBestInterface
GetCharacterPlacementA
GetCharWidthFloatA
GetCharWidthI
GetClassFile
GetComputerObjectNameW
GetCurrentProcessId
GetEnhMetaFileW
GetFriendlyIfIndex
GetIcmpStatistics
GetIfEntry
GetInterfaceInfo
GetIpAddrTable
GetIpNetTable
GetLastError
GetMiterLimit
GetObjectA
GetPolyFillMode
GetPrinterDataExA
GetPrinterDataExW
GetPrintProcessorDirectoryA
GetRasterizerCaps
GetRTTAndHopCount
GetTcpStatistics
GetTcpTable
GetUdpTable
GetVersionFromFile
GGVW_^[BJB3
GjiQbW
GK)<Z`
GlobalAddAtomW
HACCEL_UserFree
HBRUSH_UserMarshal
HICON_UserMarshal
HICON_UserSize
HMENU_UserMarshal
|`&HSs
Ia+Ctj
IF2s1$
:$(iJM5
ImportSecurityContextW
I_NetLogonControl
InitializeSecurityContextW
InitSecurityInterfaceA
InternalCreateIpNetEntry
InternalDeleteIpForwardEntry
InternalGetIpForwardTable
IPHLPAPI.dll
IpRenewAddress
I_RpcFree
I_RpcGetExtendedError
IsDBCSLeadByteEx
iSYhgJ
I_UuidCreate
JA/;[O
joyReleaseCapture
KERNEL32.dll
LaunchINFSection
LsaDeregisterLogonProcess
LsaEnumerateLogonSessions
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
LsaRegisterPolicyChangeNotification
MakeSignature
mciDriverNotify
mciSendCommandA
mHYmF3
Microsoft Visual C++ Runtime Library
midiDisconnect
midiInGetDevCapsW
midiOutCacheDrumPatches
midiOutClose
midiOutGetDevCapsA
midiStreamRestart
mixerGetDevCapsW
mmioInstallIOProcA
mmioRenameA
mmioStringToFOURCCA
mSsclfV
na\Z6/
NdrByteCountPointerMarshall
NdrByteCountPointerUnmarshall
NDRCContextBinding
NdrComplexArrayFree
NdrConformantStructMarshall
NdrCStdStubBuffer2_Release
NdrDllCanUnloadNow
NdrEncapsulatedUnionBufferSize
NdrMesTypeAlignSize2
NdrPointerMarshall
NdrRpcSsDefaultFree
NDRSContextUnmarshall2
NDRSContextUnmarshallEx
NdrSimpleStructUnmarshall
NdrUserMarshalBufferSize
NdrUserMarshalSimpleTypeConvert
NdrXmitOrRepAsMarshall
NeedReboot
NeedRebootInit
NETAPI32.dll
NetAuditClear
NetDfsManagerSendSiteInfo
NetFileEnum
NetFileGetInfo
NetGetJoinableOUs
NetGroupGetInfo
NetLocalGroupAddMembers
NetMessageNameEnum
NetRemoteComputerSupports
NetReplExportDirEnum
NetReplExportDirLock
NetReplExportDirUnlock
NetReplSetInfo
NetScheduleJobDel
NetScheduleJobEnum
NetScheduleJobGetInfo
NetServerDiskEnum
NetSessionEnum
NetUseGetInfo
NetUserSetGroups
NetValidateName
NetWkstaGetInfo
NetWkstaUserGetInfo
NetWkstaUserSetInfo
NhGetGuidFromInterfaceName
NiP6Fa
NN:(b1i
 nNdC	
NotifyRouteChange
NTDSAPI.dll
NTTimeToNTPTime
OffsetClipRgn
OffsetRgn
OLE32.dll
OleCreateLinkToFileEx
OleDestroyMenuDescriptor
OleDoAutoConvert
OleFlushClipboard
OleIsRunning
OleLoad
OleMetafilePictFromIconAndLabel
OleSetAutoConvert
OpenDriver
OpenINFEngine
PatBlt
PathToRegion
PdhCalculateCounterFromRawValue
PdhCloseLog
PdhCloseQuery
PdhCollectQueryData
PdhConnectMachineA
PDH.dll
PdhEnumObjectItemsA
PdhGetCounterInfoA
PdhGetCounterTimeBase
PdhGetDataSourceTimeRangeA
PdhGetDataSourceTimeRangeW
PdhGetDefaultPerfObjectW
PdhGetFormattedCounterArrayW
PdhLookupPerfNameByIndexA
PdhMakeCounterPathA
PdhOpenLogA
PdhOpenLogW
PdhOpenQueryA
PdhParseCounterPathW
PdhRemoveCounter
PdhSetCounterScaleFactor
PdhUpdateLogW
PdhVbIsGoodStatus
PdhVbOpenLog
PdhVbOpenQuery
PdhVbUpdateLog
PlayEnhMetaFileRecord
PlaySoundW
Polyline
P}xWY;
qbn4jU3
qbnUaR
QueryCredentialsAttributesA
QueryCredentialsAttributesW
QuerySecurityPackageInfoA
\>|R6iZ 
RASAPI32.dll
RasAutoDialSharedConnection
RasClearConnectionStatistics
RasConnectionNotificationW
RasCreatePhonebookEntryA
RasCreatePhonebookEntryW
RasEditPhonebookEntryW
RasEnumConnectionsA
RasEnumConnectionsW
RasEnumDevicesW
RasEnumEntriesA
RasFreeEapUserIdentityA
RasFreeEapUserIdentityW
RasGetAutodialAddressA
RasGetAutodialParamW
RasGetConnectStatusA
RasGetCustomAuthDataW
RasGetEapUserIdentityA
RasGetEntryDialParamsW
RasGetEntryHrasconnW
RasGetEntryPropertiesA
RasGetErrorStringW
RasQueryRedialOnLinkFailure
RasQuerySharedAutoDial
RasSetCredentialsW
RasSetCustomAuthDataW
RasSetEntryPropertiesW
.rdata
RebootCheckOnInstall
RegInstall
RegRestoreAll
RegSaveRestore
RegSaveRestoreOnINF
ResUtilAddUnknownProperties
ResUtilEnumPrivateProperties
ResUtilFindDwordProperty
ResUtilFindMultiSzProperty
ResUtilFindSzProperty
ResUtilGetDwordProperty
ResUtilGetPropertySize
ResUtilGetResourceDependency
ResUtilGetResourceDependencyByName
ResUtilGetResourceDependentIPAddressProps
ResUtilGetSzProperty
ResUtilGetSzValue
RESUTILS.dll
ResUtilSetBinaryValue
ResUtilSetDwordValue
ResUtilSetExpandSzValue
ResUtilSetMultiSzValue
ResUtilSetSzValue
ResUtilSetUnknownProperties
ResUtilStopResourceService
ResUtilVerifyPrivatePropertyList
ResUtilVerifyPropertyTable
ResUtilVerifyResourceService
ResUtilVerifyService
RHdGUp
Richh#
~rNv2o
RpcBindingInqAuthClientExA
RpcBindingInqAuthClientW
RpcCertGeneratePrincipalNameW
RpcEpRegisterNoReplaceA
RpcEpRegisterW
RpcIfIdVectorFree
RpcMgmtEnableIdleCleanup
RpcMgmtInqIfIds
RpcRevertToSelfEx
RPCRT4.dll
RpcServerInqBindings
@.rsrc
RunSetupCommand
RxNetAccessAdd
RxNetAccessDel
\s|7}%
SaslAcceptSecurityContext
SaslGetProfilePackageA
SaslIdentifyPackageA
SaslIdentifyPackageW
SaslInitializeSecurityContextA
SaslInitializeSecurityContextW
ScaleWindowExtEx
SECUR32.dll
SetArcDirection
SetBkColor
SetDIBColorTable
SetDIBits
SetFormA
SetIfEntry
SetIpForwardEntry
SetIpStatistics
SetJobA
SetMapperFlags
SetMetaFileBitsEx
SetPerUserSecValues
SetPortA
SetPrinterDataA
SetPrinterDataExW
SetTcpEntry
SetupAddToSourceListA
SETUPAPI.dll
SetupCloseFileQueue
SetupCopyErrorA
SetupCopyErrorW
SetupDecompressOrCopyFileA
SetupDiGetClassDescriptionExW
SetupDiGetDeviceInstallParamsA
SetupDiGetDeviceInterfaceDetailA
SetupDiGetHwProfileFriendlyNameExW
SetupDiGetINFClassA
SetupDiInstallClassA
SetupDiInstallDevice
SetupDiRegisterDeviceInfo
SetupDiSetSelectedDevice
SetupFindNextLine
SetupFindNextMatchLineA
SetupInstallFileA
SetupQueueRenameA
SetupQueueRenameW
SetupRemoveSectionFromDiskSpaceListA
SetupScanFileQueueW
SetWorldTransform
sfWODA
$sMCRZ
SNB_UserFree
SplDriverUnloadComplete
SpoolerDevQueryPrintW
StartDocPrinterW
tfqES[
!This program cannot be run in DOS mode.
timeBeginPeriod
TranslateInfStringEx
TranslateNameA
TranslateNameW
UnenableRouter
UnsealMessage
UNy+	U
USER32.dll
UserInstStubWrapper
UuidEqual
UuidToStringW
VW_^^VW_^A
waveInMessage
waveOutClose
waveOutGetDevCapsW
WdtpInterfacePointer_UserSize
WINMM.dll
WINSPOOL.drv
,Woa,F
WriteFmtUserTypeStg
WTSAPI32.dll
WTSDisconnectSession
WTSEnumerateServersA
WTSEnumerateServersW
WTSEnumerateSessionsW
WTSOpenServerA
WTSOpenServerW
WTSQuerySessionInformationA
WTSQuerySessionInformationW
WTSTerminateProcess
WTSVirtualChannelClose
WTSVirtualChannelPurgeInput
WTSVirtualChannelPurgeOutput
WTSWaitSystemEvent