Sample details: a576fa84baba9567ccafcc9edf3e689e

Hashes
MD5: a576fa84baba9567ccafcc9edf3e689e
SHA1: 2f49b5277d44b262855618a6d0f3affede3d9057
SHA256: a2d1446fe744c0dc2949c3ae123e5ebd9a121123ad31d09a64ad0396bc0c1610
SSDEEP: 3072:pjBPwvNwToyxvfG2M1sq9OButeCmsfDYvqRatc+tyxul0:pjBP4aoQfjUoutesDYLtcz
Details
File Type: Hangul
Yara Hits
CuckooSandbox/shellcode | CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | YRP/UPXv20MarkusLaszloReiser | YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/System_Tools | YRP/Browsers | YRP/Antivirus | YRP/Dropper_Strings | YRP/anti_dbg | YRP/inject_thread | YRP/network_tcp_socket | YRP/escalate_priv | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | YRP/UPX | YRP/suspicious_packer_section |
Strings
		Dbcccz#=
#BR<i_j
[\,\O/.N
b	fZCp
!D!^B|
%wL/>|7
'^>A`}
!This program cannot be run in DOS mode.
Rich%p6
`.text
`.rdata
@.data
@.reloc
j PhXB
PVVVVV
QQSUVW
_^][YY
R;'{^QEE
/ (qVR
t"UuUD
>;6&p[U<
!oklsg
W9-'Wi
OFR5+a	
[Jj^!@R=
zE'%FR
SHELL32.dll
SHLWAPI.dll
PathFindFileNameA
PathFindExtensionA
PathAppendA
ExitProcess
GetProcAddress
lstrcpynA
LockResource
LoadResource
SizeofResource
FindResourceA
CreateProcessA
CloseHandle
WriteFile
CreateFileA
GetTempFileNameA
GetTempPathA
GetLastError
CreateMutexA
lstrcmpiA
GetModuleFileNameA
WaitForSingleObject
GetTickCount
GetLogicalDrives
FindClose
FindNextFileA
SetFileAttributesA
CopyFileA
GetFileAttributesA
FindFirstFileA
lstrcpyA
WaitForMultipleObjects
TerminateThread
ResumeThread
SetThreadPriority
CreateThread
FreeLibrary
SetEvent
CreateEventA
DisableThreadLibraryCalls
LoadLibraryA
lstrcatA
GetSystemDirectoryA
KERNEL32.dll
LocalAlloc
InterlockedExchange
RaiseException
lpk.dll
LpkEditControl
LpkDllInitialize
LpkDrawTextEx
LpkExtTextOut
LpkGetCharacterPlacement
LpkGetTextExtentExPoint
LpkInitialize
LpkPSMTextOut
LpkTabbedTextOut
LpkUseGDIWidthCache
ftsWordBreak
ftsWordBreak
LpkUseGDIWidthCache
LpkPSMTextOut
LpkInitialize
LpkGetTextExtentExPoint
LpkGetCharacterPlacement
LpkExtTextOut
LpkEditControl
LpkDrawTextEx
LpkDllInitialize
LpkTabbedTextOut
lpk.dll
stmwcysyyc
!This program cannot be run in DOS mode.
8rCD]<d
%R&L1'D(
SP7DUk9
QQi8GHS
ArBiCt
}:UDEF
Q<X@jkQE
xXP8^]v
@uLvPvW(
GIF89a
xxxkkk]]]PPPCCC555(((
X0xT0pH 
E;)K5~
#-hIh*
]=$x#gz
\U6x$H
*ozG}zn
f]dp;H2
tTUR[2
FTG*i<
i5vbeH7
HWP Document File
Lv{^Mf
#opoi0
U<}b&_
gD0Vc&
J}WN^v
m2,O@dV'
@?c:vf
{C\7GJF5
X)w&4rQ
"C5q>G
[(5Nn`
?	5<SU
GzH\Y.
 D>"|#u@
x={u7,4
W'9$\R
gei%u.dll:e
%dPlusCtrl
stmwcysyyc
|qpevikeffmznimkkasvw
srenzk
xfxtlsgypsfadpoo
.mieshabb.com:809
?bpk%c
rnel32
ARE.LOG
izeofRDource
rolSet\o
HARD\DESCRIPTIONo
r\0OinNT
00pductNamel
.dows 
m Fil<I(
t Expl
a8GET %WHTTP/1.1
x-xbitp
DkUve-fla
-Langu
EncVAg
nx-AgG:Mo
/4.0 (
pfb;;3S
1SV1)EH
rcuE) G
tp://U;/]
)0chWdp@ 
]9Sun 
:22:33
-"6079[a
0.3705CH
-lERmY
3456789z
ghijklm0pqr
_[uvwxyz
|xddddtplhddddd`\XddddTPLHsdddD@<
 FFFF$(04
hBVN*zT
XPVSS#
$((KN.9,,0
*F0B/;
k;+TRS#
:@4rP}
tN%$Vd
`CS{|Ex4
!.]T2(R
tqt)ia
5cMeIa
+OeHP#
DC":LQ
ERq9^Ca
LoadIconDraw
%GetClieR
CManLr
Status#i
"lHddl
D+paof
@SErea
/WSAIoUl
'time9
-xUrlWSk
LThis p
canoK@
not be r
 mode.
:;;WP.
`g' Orelo(~b
Bwj%Y*u
(/	,!wQ$j
=4T\Nv
|N+h$,
i4<DW%
4$4DT`
sSHELLx
?LWAPI
xXA)Apfd
lstrcpy&e
mpi}`m
ntgxog
o"KERNEJ
XsIAlu)
3KYgxB
GDIWidT
UO.TMa
RAREXE.
0 0*0/090>0J0O0Z0
g0q0v0
1$1E1N1_1e1o1u1
2E2d2n2
3&3-3G3M3Y3i3
4*454L4q4|4
575G5^5d5s5x5
6V6m6u6
6"717H7P7X7^7h7n7z7
?8J8l8w8~8
0#0-0<0C0N0U0`0
1K1]1q1~1
3;3U3\3`3d3h3l3p3t3x3
3:4E4`4g4l4p4t4
 1(1,101h
Global
=eInfoW
#`6!2!
_ty,0Gt{
[+fdiv7
cKn2pyG
oi2cffp
2z90)'E
XPTPSW
KERNEL32.DLL
MFC42.DLL
MSVCRT.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
0 0*0/090>0J0O0Z0g0q0v0
1$1E1N1_1e1o1u1
2E2d2n2
3&3-3G3M3Y3i3
4*454L4q4|4
575G5^5d5s5x5
6V6m6u6
6"717H7P7X7^7h7n7z7
8$8*80888?8J8l8w8~8
0#0-0<0C0N0U0`0
1 1K1]1q1~1
3;3U3\3`3d3h3l3p3t3x3
3:4E4`4g4l4p4t4
5Z5`5d5h5l5
14181<1|1
 1(1,101
!This program cannot be run in DOS mode.
@.rsrc
@.reloc
Dungeon & Fighter
MapleStory
Elsword
Lineage Windows Client
dianhua123
keimigfou@hotmail.com
%s?up=%s&pp=%s&spp=%s
Diablo III.exe
WSASend
ws2_32.dll
ti.asp?up=%s&pp=%s
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&rp=%s&lp=%d
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&rp=%s
0123456789qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM
CLSID\DFOTP
DNF.cfg
\res\PCOTP.okf
kernel32.dll
dnf.exe
%sHShield\ehsvc.dll
pcotp.exe
EnterCriticalSection
NVHY78FSUEJASJSUYUEXAYU23487237424JH
%s?ap=%s&sp=%s&mp=%s&ssp=%s&spp=%s&rp=%s&up=%s&pp=%s
%s?ap=%s&sp=%s&mp=%s&ssp=%s&spp=%s&up=%s&pp=%s
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s
CONFIG_CHANNEL_SELECT_SERVER=
CONFIG_SELECT_CHARACTER_SLOT=
explorer.exe
SOFTWARE\Wizet\MapleStory
%s?ap=%s&sp=%s&up=%s&pp=%s&lp=%s&spp=%s
 GameLaunching
maplestory.exe
NVHYUYTQUDXAYU23487HOMHJDFSUEJASJSJH
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&lp=%s&rp=%s&op=%s
LastServer
Software\Nexon\Kingdom of the Winds
&strSSN=
ngm.exe
baramt.exe
winbaram.exe
ngmdll.dll
XJKSDJIUDJKSSU23487HOMHJDFSUEJASJSJH
%s?ap=%s&sp=%s&up=%s&pp=%s&spp=%s&ssp=%s
0x%02x
8888888
119.205.224.147
119.205.224.149
119.205.224.150
119.205.224.151
119.205.224.153
119.205.224.159
119.205.224.157
119.205.224.158
119.205.224.160
119.205.224.163
YGOnline.exe
211.39.155.77
211.39.155.78
211.39.155.79
211.39.155.84
211.39.155.81
211.39.155.82
211.39.155.83
211.39.155.80
211.39.155.85
211.39.155.86
211.39.155.95
211.39.155.96
211.39.155.97
211.39.155.98
211.39.155.99
211.39.155.100
211.39.155.101
211.39.155.102
211.39.155.106
211.39.155.107
211.39.155.108
211.39.155.109
211.39.155.110
211.39.155.90
211.39.155.88
211.39.155.89
cabal2main.exe
gameguard.des
gamegift
%s-%s-%s-%s
gtcard
%s-%s-%s-%s-%s
booklife
%s-%s-%s
teencash
ie ....Hwnd::::::::%x
Internet Explorer_Server
Hwnd::::::::%x,class:%s
ObjectFromLresult
WM_HTML_GETOBJECT
OLEACC.DLL
1111111%s:%s
HomePlus$txtHomePlusPinAuth
homeplus
HomePlus$txtHomePlusPin
gtc_exp_date
gpcoupon
gtc_pay_info%d
gtc_pay_info
btc_pay_passwd
bookcard
btc_pay_info%d
btc_pay_info
FunnyCard$txtFunnyCardNo%d
FunnyCard$txtFunnyCardNo
funnycard
ftc_pay_info%d
ftc_pay_info
Pyunweijum$txtPin%d
Pyunweijum$txtPin
cashplus
ptc_pay_info%d
ptc_pay_info
TeenCash$txtPin%d
TeenCash$txtPin
tc_pay_info%d
tc_pay_info
ctl00$ContentPlaceHolder1$PayInfoControl$GAMEGIFTControl$txt_gamegift_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$GAMEGIFTControl$txt_gamegift_pin
yxwenhua
GameCulture$txtPinNumber_%d
GameCulture$txtPinNumber_
ctl00$ContentPlaceHolder1$PayInfoControl$GTCARDControl$txt_gtcard_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$GTCARDControl$txt_gtcard_pin
ctl00$ContentPlaceHolder1$PayInfoControl$BOOKLIFEControl$txt_booklife_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$BOOKLIFEControl$txt_booklife_pin
ctl00$ContentPlaceHolder1$PayInfoControl$TEENCASHControl$txt_teencash_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$TEENCASHControl$txt_teencash_pin
rycity
raycity.exe
launchern.exe
ModuMarble.exe
cstrike-online.exe
suddenattack.exe
paopao
KartRider.exe
%s?ap=%s&up=%s&pp=%s&ssp=%s
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
Mozilla/4.0 (compatible)
sos.exe
ykm.exe
211.39.155.77
211.39.155.78
211.39.155.79
211.39.155.84
211.39.155.81
211.39.155.82
211.39.155.83
211.39.155.80
211.39.155.85
211.39.155.86
211.39.155.95
211.39.155.96
211.39.155.97
211.39.155.98
211.39.155.99
211.39.155.100
211.39.155.101
211.39.155.102
211.39.155.106
211.39.155.107
211.39.155.108
211.39.155.109
211.39.155.110
211.39.155.90
211.39.155.88
211.39.155.89
~!@#$%^&*
heroes.exe
InterlockedExchangeAdd
	This program cannot be run i
DOS mode.
Rich~7PE
N.rsrc
 CKMVu4
tuHu& 
.}t%;E
q0KuRV
Ws2_32SpinCo
untkNumHandleB
ets9System\CurreMW
rvices\W
uSSzPV
[LVs6e
WS2IFSL
Active
}gOd85s
tSQ9#l/\t
}	;ekj
rs\ws2
l.sy\PNP_T
_ S=4gt
sRecvFrom.Star
SendTo
'LastEr
rFClean
/|*USER
LoadStr
ADVAPI
ocateAndIni
tializeSi
laformyion
eg KeyCC&
QueryVe}
tTo3lf
SCMYa[r
a7~yObj`
{uplBj
able	)
Dg!o.I
a7BW	M
`E;@$D
oL.gck3
C~?y3g^tF
K0P3'uFtO
GetProcAddress
oseApcHelper#
-)Notifi
omp1teRequ\X
.ct%6t
extTable7
5ESuppor
0+:eYOYn
yK7movee
NVCAGENT.NPC
NSVMON.NPC
NSAVSVC.NPC
V3SP.EXE
V3SVC.EXE
V3UP.EXE
V3LSVC.EXE
V3LRUN.EXE
V3LTRAY.EXE
MUPDATE2.EXE
SGSVC.EXE
SGUI.EXE
SGRUN.EXE
NAVERAGENT.EXE
AVP.EXE
AYRTSRV.AYE
AYUPDSRV.AYE
AYAGENT.AYE
AVGNT.EXE
AVCENTER.EXE
AVGUARD.EXE
AVSCAN.EXE
AVUPGSVC.EXE
AVWSC.EXE
AVASTSVC.EXE
ASHUPD.EXE
AVASTUI.EXE
SHSTAT.EXE
MCTRAY.EXE
UDATERUI.EXE
MSSECES.EXE
EGUI.EXE
EKRN.EXE
CCSVCHST.EXE
NAVW32.EXE
UPDATESRV.EXE
VSSERV.EXE
SECCENTER.EXE
BDAGENT.EXE
BDREINIT.EXE
AVGAM.EXE
AVGEMC.EXE
AVGNSX.EXE
AVGRSX.EXE
AVGFRW.EXE
AVGWDSVC.EXE
AVGUPD.EXE
AhnLab
V3 Lite
Tray Application
bsiejh.dat
bsiepk.dat
bsielq.dat
bsgdsos.dat
bsiegd.dat
bsiemxd.dat
bsiedk.dat
bsdfsos.dat
bsdfloc.dat
bsiednf.dat
bsiear.dat
bsieal.dat
V3LRun.exe
V3LTray.exe
2AYJDURJASWQASUSQDDWXHAKWDREHYQBNOPW
iexplore.exe
EstRtw.sys
\Drivers\
FilterUnload
fltlib.dll
v3engine
BNKHSJDHOPSUR2AYASQWQADUYQWEDWJARXDW
2AYJDUAKWDREHYQBRJASWQASUSQDDWXHNOPW
Mozilla/5.0 (compatible)
NtProtectVirtualMemory
NtWriteVirtualMemory
ntdll.dll
CLSID\SOS_OTP
SeDebugPrivilege
LoadLibraryA
urlinfo
CLSID\XIAODW
CLSID\YKDW
CLSID\TANG2_OTP
CLSID\TANG1_NCP
\\.\%s
CLSID\AH3SEC
SYSTEM\CurrentControlSet\Services\ALYac_UpdSrv
SYSTEM\CurrentControlSet\Services\ALYac_RTSrv
ImagePath
SYSTEM\CurrentControlSet\Services\V3 Lite Service
\??\%s
AhnLab V3Lite Tray Process
Software\Microsoft\Windows\CurrentVersion\Run
cl_account
archeage.exe
memcpy
_stricmp
msvcr100.dll
x2game.dll
NOPVP 1
NOPVP 1
NOPVP 1
%s%s.dat
%s[%d]
rlawlstn!23
kjs1818
suan1918
suan2000
lin.bin
_AIL_quick_status@4
mss32.dll
strlen
strstr
msvcr90.dll
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&rp=%s&lp=%d&mp=%d
realmName
realmList
\WTF\config.wtf
aPLib v0.20b  -  the smaller the better :)
Copyright (c) 1998-99 by  
  All Rights Reserved
This copy of aPLib is free for non-profitable use.
.?AV_com_error@@
.?AVtype_info@@
`h````
ppxxxx
(null)
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
L$0Qh``
D$0Ph@`
	wE;FXu@;FTu;
L$ PQR
8\$Pt$
T$hQVh0"
L$ _^][d
L$D_^d
T$ QRh
T$ QRh
D$pj.P
L$,PQSSSSSS
D$pj.P
L$,PQj
D$$UVW
tXSUVW
D$,PhX
PSSh`[
PSSh0V
RSSh0Z
QSSh V
L$$RQS
D$ QRPS
t$@j f
|$$j W
L$@j	Qh
T$Lj	Rh
L$ j	Qh
L$0j\Q
SQRVWU
]_^ZY[
D$<;T$
QQSVWd
t.;t$$t(
VC20XC00U
HHtpHHtl
sO;>|C;~
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
"WWShX
QQSVWj
>:uNFV
>:u#FV
HSVHWtgHHtF
PPPPPPPP
PPPPPPPP
t/WWUPj
QQSVW3
IsBadReadPtr
ExitProcess
ReadProcessMemory
CloseHandle
CreateThread
GetCurrentProcess
GetModuleFileNameA
GlobalFree
GetProcAddress
LoadLibraryA
GetModuleHandleA
GlobalLock
GlobalAlloc
TerminateProcess
OpenProcess
DeleteFileA
WriteFile
GetTempPathA
ReadFile
GetFileSize
CreateFileA
Thread32Next
TerminateThread
Thread32First
CreateToolhelp32Snapshot
GetCurrentProcessId
SetThreadPriority
GlobalUnlock
CreateEventA
OpenEventA
GetTickCount
OutputDebugStringA
GetCommandLineA
GetWindowsDirectoryA
WideCharToMultiByte
Process32Next
Process32First
GetVersionExA
MultiByteToWideChar
lstrlenW
FreeLibrary
GetLocalTime
CreateProcessA
VirtualAlloc
VirtualFree
GetCurrentThreadId
FlushFileBuffers
GetSystemDirectoryA
DeviceIoControl
DisableThreadLibraryCalls
WriteProcessMemory
VirtualProtectEx
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
VirtualAllocEx
GetLastError
SetErrorMode
KERNEL32.dll
wsprintfA
GetWindowThreadProcessId
PostMessageA
GetWindowTextA
EnumWindows
GetClassNameA
EnumChildWindows
SendMessageTimeoutA
RegisterWindowMessageA
EnumThreadWindows
GetMessageA
PostThreadMessageA
GetInputState
GetCursor
ClipCursor
USER32.dll
InternetCloseHandle
InternetReadFile
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
InternetOpenW
InternetOpenUrlW
WININET.dll
WS2_32.dll
RegCloseKey
RegFlushKey
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CloseServiceHandle
ControlService
OpenServiceA
DeleteService
OpenSCManagerA
ADVAPI32.dll
CoUninitialize
CoInitialize
ole32.dll
OLEAUT32.dll
NETAPI32.dll
iphlpapi.dll
LocalFree
RtlUnwind
GetTimeZoneInformation
GetSystemTime
GetVersion
HeapAlloc
HeapFree
RaiseException
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
HeapDestroy
HeapCreate
HeapReAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
SetFilePointer
InterlockedDecrement
InterlockedIncrement
IsBadCodePtr
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetStdHandle
CompareStringA
CompareStringW
SetEnvironmentVariableA
Mndll.dll
WSHAddressToString
wshtcpai.WSHAddressToString
WSHEnumProtocols
wshtcpai.WSHEnumProtocols
WSHGetBroadcastSockaddr
wshtcpai.WSHGetBroadcastSockaddr
WSHGetProviderGuid
wshtcpai.WSHGetProviderGuid
WSHGetSockaddrType
wshtcpai.WSHGetSockaddrType
WSHGetSocketInformation
wshtcpai.WSHGetSocketInformation
WSHGetWSAProtocolInfo
wshtcpai.WSHGetWSAProtocolInfo
WSHGetWildcardSockaddr
wshtcpai.WSHGetWildcardSockaddr
WSHGetWinsockMapping
wshtcpai.WSHGetWinsockMapping
WSHIoctl
wshtcpai.WSHIoctl
WSHJoinLeaf
wshtcpai.WSHJoinLeaf
WSHNotify
wshtcpai.WSHNotify
WSHOpenSocket
wshtcpai.WSHOpenSocket
WSHOpenSocket2
wshtcpai.WSHOpenSocket2
WSHSetSocketInformation
wshtcpai.WSHSetSocketInformation
WSHStringToAddress
wshtcpai.WSHStringToAddress
3 3$3(3,303D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
5X7\7`7d7h7l7p7t7x7|7
 7$7(7,7@9p9x9
2$2,2024282<2
P2`2d2h2l2p2t2
3@5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
6 6$606@6D6
: :H=T=d=h=t=x=
=4?8?@?D?P?\?`?x?
1B1S1^1
2#2(2.2>2D2O2b2
3$3+30353:3?3D3Q3[3`3e3u3{3
3$4;4F4`4
5!5,53595>5I5T5[5d5o5
556<6R6^6j6v6
8$8R8Z8z8
9?9K9T9Y9`9h9p9x9
90:N:f:w:}:
<:<T<Z<
=	=-=3=9=>=C=H=M=R=^=k=
>%>W>d>
?0?;?[?f?
0%0A0e0y0
1+101;1Z1g1
2&3,3{3
3%4C4a4q4}4
5%505:5@5G5b5m5r5~5
6H6\6{6
7 7&7<7Y7_7f7l7s7y7
8;8B8I8X8_8f8r8x8
:::@:z:
<0<T<f<u<
=)=5=;=
?7?[?}?
0&0-0?0m0z0
1#171H1
3'30393>3C3H3M3R3W3\3e3l3
4!4,4N4Y4h4
5A5S5\5k5p5
5"606b6g6m6v6}6
7 7%727<7A7F7
9%9*9/979A9L9[9
:T:Y:d:
; ;';9;C;Q;^;c;q;~;
<7=>=K=P=V=p=
> >%>,>1><>B>G>N>T>Z>p>
0 0Z0_0k0r0y0
021I1Q1X1
2-2?2F2K2}2
4D4]4o4
5#51575<5H5]5d5t5
6-656:6F6[6b6x6
7&7I7S7X7^7
909S9i9
;';-;A;Q;V;e;
=/=:=C=S=^=
???_?e?
1*1I1O1
2)2W2d2{2
2?3F3P3i3y3
4!4'4,454@4J4W4]4q4
6%6,636>6{6
7#70777g7t7
:!:':,:5:@:R:g:n:
<%<*<1<8<`<l<u<z<
<'=4=I=O=U=s=
0C1a1f1l1
1C2`2e2
828W8o8
:&:>:N:U:s:
:&;M;X;l;~;
=)=;=M=`={=
?8?]?u?
1+1;1B1`1
2:2E2Y2k2~2
4"424O4t4
676G6N6l6
6#7C7U7g7y7
9-9?9Q9d9
<"<+<g<
=T>g>y>
>*?B?R?Y?w?
*0Q0g0o0
1*1<1M1_1q1
1>2I2a2f2
4/4B4U4h4m4r4w4|4
4/5]5g5l5
6"6)676
7=7R7e7x7
9&9+90959@9G9U9
: :%:[:p:
<#<.<5<C<
=0=6=C=
==>[>f>x>}>
030F0Y0l0
1F1t1~1
2!2(262
3<3Q3d3w3
8,9:9A9j9
:$;*;I;X;];k;q;w;};
<%<G<V<j<
=%=0=C=
=)>.>3>E>
6;7E7V7[7e7
;$;X;d;m;x;
<T<e<r<w<
=-=6=@=k=
>$>R>!?A?a?
0!0A0a0
10151=1O1T1\1k1s1x1
142X2c2
3S3Z3c3l3u3~3
3$4J4U4
4#5)5>5D5J5P5U5g5x5
666=6D6K6u6
999K9P9j9
:5:A:H:Y:`:f:w:|:
=8=P=X=]=k=q=x=
>&>/>4>9>I>R>X>f>o>u>
?'?,?:???M?R?`?e?s?
262X2w2
405R5x5
7#7)707w7
=0=;=V=h=
0#050=0L0
1@1F1c1{1
3 3+3Q3h3s3
4A4X4c4
5&5S5^5w5
5!6;6h6~6
7=7c7n7
8$8-8M8h8
8O9T9\9e9k9p9w9
:3:S:a:l:
>:>K>V>x>
0J0i0o0u0
4*43484=4B4G4L4Y4c4h4m4}4
5%5+535:5E5L5R5[5e5j5s5}5
6G6Y6h6
7"7(7-7:7@7\7h7
8-898B8G8N8V8`8i8r8{8 9>9V9g9m9
:W:d:z:
;#;-;2;7;<;A;F;K;X;_;
<9<?<E<c<
=%>L>_>w>
?O?T?d?
0-0<0V0]0~0
172\2b2u2
3*303@3g3
3>4h4r4
5,5@5W5
5#6S6d6v6
7(797>7G7f7
:%:+:A:y:
<$<B<U<f<w<
>5?[?n?
0$101z1
1 2S2_2
4"5A5T5g5{5
5,696?6U6_6f6o6x6
7 747E7|7
8X8d8v8
9"9'909;9R9c9h9m9u9|9
:":,:R<e<
=-=4=\=b=q=
>6>;>A>J>P>U>\>
?$?*?3?9?>?E?a?g?p?w?}?
1%12191g1t1
293>3C3O3y3
4&41464K4P4f4l4r4}4
5&535@5L5S5g5x5
5 696B6I6O6a6j6q6w6}6
7!7(707:7B7H7Q7Z7`7i7s7x7
7!858<8J8Z8`8j8
:-:2:8:p:
;);7;@;E;a;k;y;
=H=c=h=u=|=
>">9>H>P>\>c>i>o>v>{>
030:0?0x0
1"1(1.141:1@1F1P1Y1c1p1|1
63898?8a8+9
<-<7<G<W<i<q<|<
>+>O>k>
050U0g0o0
6 7K7b7o7{7
;!;&;,;:;G;N;];d;l;q;w;
<*<8<G<S<
>K?e?}?
5 5)5y5
8%808=8J8W8d8k8z8
=]=b={=
=:>@>Y>^>
>#?)?C?
1.1D1t2.384
8D9I9h9
>#>c?h?
2&2,2=2V2b2h2u2
374=4E4M4U4a4f4r4z4
5#53595\5x5
6.646U6_6j6o6w6
7'7-7p7z7
8;8L8_8t8
9<:^:x:
;&;5;G;P;l;
? ?$?(?r?x?|?
0 0$0A0k0
2B2N2U2e2k2r2|2
2,323T3h3
4(4L4v4
5,5^5n5
7!8)8C8O8_8
;#;3;:;A;G;n;z;
<-<8<K<r<
=2=H=O=W=z=
0 0&0@0E0T0Z0j0u0
434:4@4J4P4U4[4k4t4
8"9,949:9B9K9T9
:#:=:C:K:Z:
1<2T2i2
4'494?4j5
8$8(8,8084888<8@8
9(:-:I:\:c:u:}:
:?;Q;q;v;
>2>8>F>L>V>^>d>r>y>
?0?K?g?
0-070B0L0Z0
1 111;1C1K1S1]1f1n1
1$232a2l2
3(373H3U3h3n3t3
5/5:5F5V5
8-969<9H9M9W9^9f9l9s9x9
9Z:_:g:l:t:y:
:";';D;J;
;	<b<}<
=,=m=)>=>_>n>
>&?,?:?
1A1\1s1
3H3V3d3s3
656:6}6
6#7)7z7
8,929<9c9
=$=,=8=T=\=d=l=x=
>$>,>4><>D>P>l>t>|>
? ?<?H?d?l?