Analysis Date: 2014-08-16 20:50:03
MD5: 22e92f77d2ac9f7dd94908113aae63f3
SHA1: dc21b740da7388efb9003024ca68e2d55b56bcfb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 37b69cc053bc3bda9ebdf9e2c38d650c sha1: 8102870e56170e72a123b07ddfd543eb32bfecb1 size: 8192
Section.rdata md5: 790ab1a0645fc3a1d361b707b343550b sha1: 7a00afeaeab2b3e7f36851cda1ee606f17e5e1b3 size: 4096
Section.data md5: 4d066a204db2cdb9337e8080cae4b599 sha1: 598f14863ff2e971a837e25d641447e4017e5a10 size: 4096
Section.idata md5: 737f714f462f57c4ef48866c346d0c65 sha1: 54defb955c01726981eda8a5262cd736d64c4916 size: 4096
Section.rsrc md5: 58bc72e4aaa941d488d23dbd978b4b6f sha1: 7fb2282190d3b5687faee6889f19f1b1329519e9 size: 53248
Section.reloc md5: f36ab6fc557689d0264d7cce109ffd3a sha1: 5d4d8679912bcfd67a853abb00d151e264c54f4a size: 4096
Timestamp: 2014-08-06 17:15:35
Packer: Microsoft Visual C++ 5.0
PEhash: c58bd5e5cedf7db03bee3b4f43ec88baedf1fa02
IMPhash: 83ba8429d50dbdde6ddfaf87910649ca
AV: 360 Safe — Trojan.GenericKD.1801646
AV: Ad-Aware — Trojan.GenericKD.1801646
AV: Alwil (avast) — Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir) — no_virus
AV: Authentium — no_virus
AV: Avira (antivir) — TR/Crypt.Xpack.78095
AV: CA (E-Trust Ino) — no_virus
AV: CAT (quickheal) — Trojan.Sharik.r6
AV: ClamAV — no_virus
AV: Dr. Web — no_virus
AV: Emsisoft — Trojan.GenericKD.1801646
AV: Eset (nod32) — Win32/TrojanDownloader.Zurgop.BK
AV: Fortinet — W32/Sharik.AY!tr
AV: Frisk (f-prot) — W32/Trojan3.JYL (exact)
AV: F-Secure — Trojan.GenericKD.1801646
AV: Grisoft (avg) — Agent4.CAPJ
AV: Ikarus — Trojan.Win32.Sharik
AV: K7 — no_virus
AV: Kaspersky — Trojan.Win32.Sharik.thq
AV: MalwareBytes — no_virus
AV: Mcafee — Generic.tb
AV: Microsoft Security Essentials — TrojanDownloader:Win32/Dofoil.T
AV: MicroWorld (escan) — Trojan.GenericKD.1801646
AV: Norman — winpe/Troj_Generic.VIFVH
AV: Rising — no_virus
AV: Sophos — Troj/Dofoil-AY
AV: Symantec — Trojan.Smoaler
AV: Trend Micro — TROJ_DOFOIL.WYSW
AV: VirusBlokAda (vba32) — no_virus
AV: Yara APT — no_virus
AV: Zillya! — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

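Network Details:

Note: every hostname below is a well-known Microsoft, Adobe or MSN name, so neither the names nor the resolved addresses are usable block-list indicators on their own. What stands out is the shape of the traffic: a fixed MSIE 6.0 User-Agent, `Connection: close`, no other browser headers, and POST requests sent to ordinary web pages. This looks like cover or connectivity-check traffic; no other destination was recorded in this run.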

DNS: us.co1.cb3.glbdns2.microsoft.com
Type: A
131.253.40.1
DNS: www.wip4.adobe.com
Type: A
192.150.16.64
DNS: www.go.microsoft.akadns.net
Type: A
134.170.189.4
DNS: lb1.www.ms.akadns.net
Type: A
64.4.11.42
DNS: www.msn.com
Type: A
DNS: www.adobe.com
Type: A
DNS: go.microsoft.com
Type: A
DNS: www.microsoft.com
Type: A
HTTP GET: http://www.msn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 131.253.40.1:80
Flows TCP: 192.168.1.1:1032 ➝ 192.150.16.64:80
Flows TCP: 192.168.1.1:1033 ➝ 134.170.189.4:80
Flows TCP: 192.168.1.1:1034 ➝ 64.4.11.42:80
Flows TCP: 192.168.1.1:1035 ➝ 192.150.16.64:80
Flows TCP: 192.168.1.1:1036 ➝ 134.170.189.4:80
Flows TCP: 192.168.1.1:1037 ➝ 192.150.16.64:80
Flows TCP: 192.168.1.1:1038 ➝ 134.170.189.4:80

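Raw Pcap

Note: each dump below stops at or just past the end of the HTTP headers, so the POST bodies themselves are not shown. The one or two body bytes that are visible match the Content-Length value stored little-endian (for example, Content-Length 446 = 0x01BE appears as `be 01`). This suggests a binary, length-prefixed payload rather than the form-urlencoded data that the Content-Type header declares.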
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a2077   .50727)..Host: w
0x00000070 (00112)   77772e6d 736e2e63 6f6d0d0a 436f6e6e   ww.msn.com..Conn
0x00000080 (00128)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000090 (00144)   0a                                    .

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2034 34360d0a 436f6e74 656e742d   h: 446..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0abe 01         encoded......

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d343533 39362048 5454502f   nkId=45396 HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000040 (00064)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000050 (00080)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000060 (00096)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000070 (00112)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000080 (00128)   73743a20 676f2e6d 6963726f 736f6674   st: go.microsoft
0x00000090 (00144)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000a0 (00160)   3a20636c 6f73650d 0a436f6e 74656e74   : close..Content
0x000000b0 (00176)   2d4c656e 6774683a 20333030 0d0a436f   -Length: 300..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a0d   rm-urlencoded...
0x000000f0 (00240)   0a2c01                                .,.

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20323833   tent-Length: 283
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a1b01                       d......

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2031 38390d0a 436f6e74 656e742d   h: 189..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0abd            encoded.....

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203233 380d0a43   t-Length: 238..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0aee                                ...

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2034 31360d0a 436f6e74 656e742d   h: 416..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0aa0 01         encoded......

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d343533 39362048 5454502f   nkId=45396 HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000040 (00064)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000050 (00080)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000060 (00096)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000070 (00112)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000080 (00128)   73743a20 676f2e6d 6963726f 736f6674   st: go.microsoft
0x00000090 (00144)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000a0 (00160)   3a20636c 6f73650d 0a436f6e 74656e74   : close..Content
0x000000b0 (00176)   2d4c656e 6774683a 20333336 0d0a436f   -Length: 336..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a0d   rm-urlencoded...
0x000000f0 (00240)   0a5001                                .P.


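Strings

Note: the list mixes PE section names and import names with unrelated embedded data: Photoshop metadata and fragments of a Google account page that name "Aegis Crypter" and aegiscrypter@gmail.com. Together with Avira's TR/Crypt.Xpack verdict, this suggests the file was wrapped by a crypter, in which case the imports and strings here probably describe the outer stub rather than the payload.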
    
00:00:00
10:10:10
     12
  2004
 (C) 2009
kernel32.dll
Time
 Time
Time 1.0 
 Time(&A)...
u =H
0"1)1/151H1M1R1]1
<$<*<0<6<<<B<H<N<T<Z<`<f<l<r<x<~<
080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
0L0V0b0l0
0og!R(
@0vX[OMqe
141L1d1|1
1%~,Os
1vn5wD.E
2014:07:28 09:35:42
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
=$=+=2===D=J=U=Z=d=q=
2\m3Fy
3?2-f>G
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
37p'H7
?3EJ# 
4$4(484T4`4|4
;";(;.;4;:;@;F;L;R;X;^;d;j;p;v;|;
!"/4me
5 5<5H5d5l5t5|5
5(5Z5|5
\5NMp"
6"6'6-6
.6<767
757V7{b0
796L6[
@7C7t7
7'd7d_]s4
7]^(el
'7GWgw
7N7HE]
7&)q{T
'?8|@Y
9)9:9K9\9v9
9>:J:n:t:z:
a^5P@!
_adjust_fdiv
Adobe_CM
Adobe Photoshop CS4 Windows
AppendMenuW
aria-haspopup\x3d"true"\x3e\x3cdiv class\x3d"gb_Da gb_g"\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_va"\x3e\x3cdiv 
aria-haspopup\x3d"true"\x3e\x3cdiv class\x3d"gb_eb gb_g"\x3e\x3cdiv class\x3d"gb_gb gb_g"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv 
^b3C(31
>:?B?T?t?
ByHD	A
class\x3d"gb_8"\x3e\x3cdiv class\x3d"gb_9"\x3eAegis Crypter\x3c/div\x3e\x3cdiv class\x3d"gb_aa"\x3eaegiscrypter@g mailPAD
class\x3d"gb_Ca"\x3e\x3ca class\x3d"gb_q gb_g" href\x3d"https://plus.google.com/u/0/stream/all?hl\x3dzh-CN" title\x3d"\u5206\u4eab" 
class\x3d"gb_fb"\x3e\u5206\u4eab\x3c/div\x3e\x3c/a\x3e\x3cdiv class\x3d"gb_M"\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_L"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv 
class\x3d"gb_g" style\x3d"background-position:-69px -138px"\x3e\x3c/span\x3e\x3cspan 
class\x3d"gb_h"\x3e\u76f8\u518c\x3c/span\x3e\x3c/a\x3e\x3c/li\x3e\x3c/ul\x3e\x3ca class\x3d"gb_v gb_kb" href\x3d"http://www.google.com/intl/zh-CN/options/" 
class\x3d"gb_r" aria-hidden\x3d"true" aria-live\x3d"assertive"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_db gb_Ea gb_j"\x3e\x3cdiv 
class\x3d"gb_r" aria-hidden\x3d"true"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_da gb_Ea gb_Fb gb_j"\x3e\x3cdiv class\x3d"gb_Ca gb_ea gb_Fb 
class\x3d"gb_R"\x3e\x3ca class\x3d"gb_S gb_rb" href\x3d"https://plus.google.com/u/0/me?tab\x3dmX" target\x3d"_blank"\x3e\x3cimg class\x3d"gb_U" 
class\x3d"gb_V"\x3e\u66f4\u6362\u7167\u7247\x3c/span\x3e\x3c/a\x3e\x3cdiv class\x3d"gb_T"\x3e\x3cdiv class\x3d"gb_W"\x3eAegis Crypter\x3c/div\x3e\x3cdiv 
class\x3d"gb_xa"\x3e\x3c/div\x3e\x3c/div\x3e\x3c/a\x3e\x3cdiv class\x3d"gb_M"\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_L"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv 
class\x3d"gb_X"\x3eaegiscrypter@gmail.com\x3c/div\x3e\x3cdiv class\x3d"gb_Q"\x3e\x3ca href\x3d"https://www.google.com/settings" 
CloseHandle
_controlfp
Cp:;S.
CreateFileW
CreateSolidBrush
__CxxFrameHandler
C\Yu9h
@.data
d*dt]	4sdi]
dEU6te
dIIY#p
__dllonexit
DrawIcon
$E}6g?G
|e[d;}
EnableWindow
_except_handler3
&FnQT\]A_
:FS@-*
gb_j"\x3e\x3ca class\x3d"gb_q gb_O gb_j identityWidgetIcon" href\x3d"https://plus.google.com/u/0/me?tab\x3dmX" title\x3d"Aegis Crypter  
GDI32.dll
`G`\]e
GetClientRect
GetFileSize
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetSystemMenu
GetSystemMetrics
guidedhelpid\x3d"gbniphid"\x3e\x3cdiv class\x3d"gb_Ca"\x3e\x3ca class\x3d"gb_q" href\x3d"https://plus.google.com/u/0/notifications/all?hl\x3dzh-CN" 
g=&[-Y
hGi/l)
h~i'l?
HrCg@b	g 
href\x3d"https://plus.google.com/u/0/photos?tab\x3dmq" target\x3d"_blank" rel\x3d"noreferrer" data-pid\x3d"31" data-ved\x3d"0CBIQwS4oDw"\x3e\x3cspan 
href\x3d"/mail/u/0/" target\x3d"_blank" rel\x3d"noreferrer"\x3e\x3cimg class\x3d"gb_7" 
\h@UTk/0P
>hxy{9
.idata
 ifR27
_initterm
IsIconic
iv class\x3d"gb_M"\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_L"\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_r" aria-hidden\x3d"true"\x3e\x3cdiv 
?JbQlqiu
JPWS~N"
j]REd.M
kernel32.dll
KERNEL32.dll
>+>K>Q>^>e>j>
LoadIconW
LoadLibraryA
localtime
M/fc([
MFC42u.DLL
MSVCRT.dll
$mwmMK
n1Y!kw"
#n8L4m
Oi$$2w
_onexit
<oPgX4
O&S;X9
(\p1Y<;
??PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
__p__commode
__p__fmode
QQSUVW
q~	rY3
qt;e`NPpu
r8pT2%
`.rdata
ReadFile
.reloc
SendMessageW
__set_app_type
SetTimer
__setusermatherr
src\x3d"//lh5.googleusercontent.com/-XawuveI7Jvc/AAAAAAAAAAI/AAAAAAAAAAA/ycPIOTWEgPI/s48-c/photo.jpg" alt\x3d"Aegis Crypter"\x3e\x3cdiv 
src\x3d"//lh5.googleusercontent.com/-XawuveI7Jvc/AAAAAAAAAAI/AAAAAAAAAAA/ycPIOTWEgPI/s96-c/photo.jpg" alt\x3d"Aegis Crypter"\x3e\x3cspan 
style\x3d"background-image:url(\'//lh5.googleusercontent.com/-XawuveI7Jvc/AAAAAAAAAAI/AAAAAAAAAAA/ycPIOTWEgPI/s32-c/photo.jpg\')"\x3e\x3c/span\x3e\x3c/a\x3e\x3cd
SU#&?V
target\x3d"_blank"\x3e\u5e10\u6237\x3c/a\x3e\x26ndash;\x3ca href\x3d"http://www.google.com/intl/zh-CN/policies/" 
target\x3d"_blank"\x3e\u6765\u81ea Google \u7684\u66f4\u591a\u5e94\u7528\x3c/a\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_Ba gb_Ea gb_j" 
target\x3d"_blank"\x3e\u67e5\u770b\u4e2a\u4eba\u8d44\u6599\x3c/a\x3e\x3c/div\x3e\x3c/div\x3e\x3cdiv class\x3d"gb_3 gb_jb"\x3e\x3ca class\x3d"gb_4 gb_5" 
target\x3d"_blank"\x3e\u9690\u79c1\u6743\x3c/a\x3e\x3c/div\x3e\x3ca class\x3d"gb_mb gbp1 gb_E" href\x3d"https://plus.google.com/u/0/me?tab\x3dmX" 
!This program cannot be run in DOS mode.
 tH.J{bn
tS|6:N\
{U%?M#
USER32.dll
uvV8Z)
V1=3~kX
>V#!Lsg
v!Ny_8
_wcmdln
__wgetmainargs
	WS!N1
x1(5^j|r
\x26#10;(aegiscrypter@gmail.com)" aria-haspopup\x3d"true" guidedhelpid\x3d"gbacsw"\x3e\x3cspan class\x3d"gb_J" 
\x3d"gb_h"\x3e\u8d22\u7ecf\x3c/span\x3e\x3c/a\x3e\x3c/li\x3e\x3cli class\x3d"gb_a"\x3e\x3ca class\x3d"gb_e" id\x3d"gb31" 
_XcptFilter
*;Xh,D
x[M!k|
y|{eX=
yS5"3.
_^][YY
ZO7UZ/