Sample details: ad1934d9cbc3deb0d74eaba81849fb06 (MD5)

Hashes
MD5: ad1934d9cbc3deb0d74eaba81849fb06
SHA1: df1d05055a5a17882c39f038153b45c3ff420fa8
SHA256: 9fea3783287a32a1ae1a062ab3da93e4226688cf4930abd59d42221f6f2427fe
SSDEEP: 12288:7irK9T+gH/fWdgwmhSwomPVIO91D5/KNy/cI:7i29TFWdrmh95Vb15wy/cI
Details
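File Type: MS-DOS (as reported by the file-type identifier; the YRP/IsPE32, YRP/IsWindowsGUI and YRP/HasModified_DOS_Message hits below indicate a PE32 Windows GUI executable, so the MS-DOS label presumably reflects the MZ/DOS stub rather than a true DOS program)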
Added: 2018-03-06 20:13:57
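YARA Hits (static pattern matches against the file; each hit is a heuristic indicator for triage, not confirmed runtime behaviour)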
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasModified_DOS_Message | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/DebuggerCheck__QueryInfo | YRP/ThreadControl__Context | YRP/SEH__vectored | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/inject_thread | YRP/network_http | YRP/network_tcp_socket | YRP/network_dns | YRP/network_dga | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API |
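Strings (raw printable strings extracted from the file; import names and embedded text are mixed with meaningless byte runs, likely from packed or encoded data, and a string's presence does not by itself show that the related code path executes)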
		`.data
.idata
@.reloc
tkSSSSS
PSSSSSSh 
t<j"Yf
t:jDZ2
PVVVVVV
QPPPPh
QPPPPh
QPPPPh
QPPPPh0
dVWj@3
WVVh02
SVWj?3
SRUVWAQARASATAUAVAW
A_A^A]A\A[AZAY_^]Z[
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
ComSpec
\\.\NtSecureSys
SeShutdownPrivilege
kernel32
IsWow64Process
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
*EUDC*
ZwQuerySystemInformation
ntdll.dll
svchost.exe
SystemDefaultEUDCFont
EUDC\%d
ObReferenceObjectByHandle
ZwDuplicateToken
ObOpenObjectByPointer
PsReferencePrimaryToken
PsInitialSystemProcess
ObfReferenceObject
IoGetCurrentProcess
KeDelayExecutionThread
WinExec
GetModuleFileNameA
GetTickCount
GetSystemDirectoryA
CloseHandle
GetLastError
GetCurrentProcess
GetExitCodeThread
WaitForSingleObject
CreateThread
ExitProcess
CreateProcessA
DeviceIoControl
GetCurrentProcessId
CreateFileA
GetProcAddress
GetModuleHandleA
GetVersionExA
GlobalFindAtomA
CreateEventA
GlobalAddAtomA
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetACP
KERNEL32.dll
SendInput
ExitWindowsEx
USER32.dll
EnableEUDC
GDI32.dll
StartServiceA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
FreeSid
EqualSid
GetTokenInformation
OpenProcessToken
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueA
RegCloseKey
RegFlushKey
RegSetValueExA
RegDeleteValueA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
_unlink
fclose
fwrite
sprintf
malloc
getenv
_stricmp
realloc
memset
longjmp
_snprintf
_setjmp3
msvcrt.dll
_initterm
_adjust_fdiv
'060<0H0d0r0y0
1$131Y1_1q1
2<2]2n2}2
3)333\3w3
4*4A4P4m4
515:5U5w5
586>6X6^6x6~6
7K7Q7d7
738;8@8F8M8R8`8g8
9-979H9U9Z9`9g9l9
;(;/;?;e;
;?<F<T<a<g<
=*=R=\=h=r=}=
>*>0>7>G>M>T>e>k>q>w>
?$?2?^?m?u?
2<2V2\2b2p2x2
								
Qkkbal
[-&LMb#{'
w+OQvr
)\ZEo^m/
H*0"ZOW
l!;b	F
mj>zjZ
IiGM>nw
ewh/?y
OZw3(?
V_:X1:
Invalid parameter passed to C runtime function.
```hhh
xppwpp
X<~O\/z$X
FzdXZ~O\?z
X$~O\NznX
zoXT~k\	
%z8X'~ \
gt?zqXX~
_lBz)X
?zqXX~
S`;z$X
-z	X3~
XP~m\Q
VaR|/AK
 gaJ1g
C{K\!)
v:a2vm
vD0KvgaK
ao1,ao
asty+Ktg-K
/)op*)
ghIvg]K(g
gaKG7a
+-KM`A
/*fvgiKa
8JaK}/
faKXaaK
EK#|aK
gf/1g8K
/ZKfg_
)a>vga
:a_v+)
vgA?e+LK
VaKDg`
aKUg)9
gaHIgE
~6K18aK
/ga}vgf
6=a=1ga
aK`>`fv/
Tt/1[t
A1U)?t
Mv+N?v
K1_GKvg
F K1g~e
/KpC2K
YoKpg`
*/aKff
CaK+/`
%/E?ZCa
./a?i3SK
gaKOVgK
J:?tg9K
`ovguK
gEkr/e
1g)gtg
aK5ga>
m?)[tga
=gaKs5
vCa<cg
IaQ</EK
+alI/VK
a\(gaK
aKvfao
g`K7qE_
G)KngB
g=vvga
ga<v<aK
aKvga:
1gao1r
XrVvG)
)t;gaK
&)Gc/)kv
gaopYa
t3Kt/)
8`g)oH
gyKvgw
)o'gKKvC
>mT@ga
gtK1f>K
`n_pg)
PKvgq.
t)KC?a
KZ2)+QgEK
gaM?CEKG
vgZKgC)
v1JK~g
g?Kx/^
gaKtg-K
aDwga?
>aK5/`K
tZ);0ga
g-?~ggK
t/a{H%a
*kpgrK
G1f?Jv/)i
/E4JeaK
aKsgaK
/~obg)
E{1g#o
g5?=CaI
`sv@aK
v2akd7'
Kv*a{v$
Kv#)Wt
S/abvg
gaH1X)wcgQ
gQKKga
/aKpFfK
~_aKtg
m'K1oa
v\aKtga
@/ap-g)
gEK>ga
lgaKWgaK1
cAQgaK
g)o1g-
/aKh/aK
%$MaKv
>aKvgRK
aY#z)K
9/-KD/a
g);k7-
KagaL^0a
:KKC)o
g-T/gaK
/a7*gaKv
Ca&GgaJ
gaTaga
gaipga
a.K/)K
aKz/)A
,5gaK7gLK
t]a?#/a
/aJ4gs
gaJ;gno
*)K&g-
gSY}f)Kdg
,fJJR+aK
g^K9gaK
aK-/	K
)KqgaK
q+a/vf`
K1cEKti`
Kpm)K1
)K~2)S
`K1gaKbc
EKpg0?
bA@@f-
aKvg^K~G
Ktqaopg+
KogaVv
gEKRga
K-gaMCOEK
nvaKvgh
)m8ra?1f
y-aK1/
tfaetg
aktg-Z
HaKd'a
641gaK1
aK1.ao
pWKvg)K
m^K~/`
Cn8f4v
aLvg)K
vgp#vkaW
Rga:v/)
ig!Kvm
)Tvga!
CkKvfn
EKJgao
|K1g&(
aUvg"KvfV
GE1pgaK
eaK]/=
aK*g6vtg-
3)KFgs
3~O0Kp
a#.ga:
")8GCa
/%JUg5
8K)RaK
gZ`1g`K
GaKpg&K1
g%KNgE
g_KvME ~g
/-K1'p
CGawvg
]vg`Kv
aSvgaI
paK]")4
ZaKe4a
af1/al
/)o1@E; CR
wKRgaK
K~gaF~
<K_gaK
f=CnKvg
:gWKvga
ga9vHYKB
g;k1ga
mKvgLo
YgaK\_
faNItaKt"
	faDK.c
	faDJ.g
	faDK.n
	faDK.i
	faDK'`
	faDK'`
	faDK.f
	faDK.b
	faDK.g
	faDK.l
	faDK.b
	faDKg
	faDJ.d
	faDK.g
	faDK.i
	faDK.l
	faDK.i
\gaKv"iDKg
!Cv*iDK.j
v*iDJ.l
v"mDK'e
	faDK.h
=/D9-(
N]DaKvj!
	faDK'c
	faDK'`
	faDJ.l
	faDK.i
	faDK'`
	faDK.d
}gaK\_
!Iv*iDK.d
v*iDK.i
	faDK.h
	faDJg
	faDK.f
	faDJ.e
	faDK'b
	faDK.e
v3dLngaH
	faDK.i
	faDK.f
	faDJg
	faDK.k
	faDJ.f
	faDK'k
	faDK'b
	faDJg
	faDK.f
	faDKg
	faDJ.f
	faDK.h
	faDK.l
faDK.c
igaK\_
faDK.d
faDK'`
Kv*iDK.c
v*iDJ.e
faDK.h
faN%FaKt"
faDK.f
faDK.o
faN-BaKt"
faNEOaKt"
faDJ.e
faNEMaKt"
faDK.i
faDK.r
faDK.i
faDK.h
faDK'c
faDJ'm
faDJ.p
faDK.p
faDK.d
]faIXfa
AfaK@fao{faIvfa#rfa%ifa
gaKMga+
gaK=ga
gaK-ga
u\#;1\
>R@Z2I
9S\h;e}-\
2"arz4
*D]"1xh
2a_szy-2z>
QzS-z2
oNjl\-
oVk{gy;
V;&5Cz
F;A);s.[
z\k&z4
F6W s2
hz{asz
r3$;s2Yf
$5On;z
z("&}=
IlwzU=
P'I\g;
?-_2\V
_}\b;I
j;7x-9O
-6z2>b3
;"#F]zS
zi/gI]f;
!r&\3;
sOz6Cm
Nz24~o
;2&6;>~
V\+4z(f
sA}Y;u
z?v;z*
&6\+,oMl;
u>=4T>
4zYz-6
-$Y"K\
tz*-s>9y
}*;IC 
6xo7;zV
cAAIYZ1g
w95*;u
7;z*t;HoyszI 
\A`{\K
BY;B3+w
x<;_\-G
wzOC;+
#;	Dw;6
2	a'A2
{Q;328
\/Wo\s
;w\k\^
IWwJg6
\O	zI;Kz
z\{U{6
	zoxY !
n)_z\-
TB'\-;>1
	;zd6:'
	u;^c/
*2wzw"	3
WzV7;x~
##z\6z^
"U#h)u^
Xz3z[-;;\++
	PY;yIr
z}~J;\
/Z>Sas
G2I/0J
;z\6-+
wI\8)H
3_N4zY`a
L=R ;z
!z\5;Id
;zdYs2
(Nsob-
o7-:z^
&vz3Y>
2x0 \f
i\a;[rc
40/~D2I
G>p;A(
.]g^;4
s"\-Tz
~q\/Fz
s5Hz;*
6LPI@;7
S+9?\_
%3\/fz
Q4Y;b5
.L5-;5*
z\w{oF
AMP:^Q
zz6Y;9F
\*2CoJ;zp
;?\6,l-Y
:z\*:z\-
+w^lY.
xF;z\M(u
xF;z\%
x6;z\Y.v
Y _z\O
xF;z\%
x&;z\/32
Iz\'G^p
xF;z\%
^p-6:-
xv;z\/32
Q8Kz\Y.za
q,Kz\U4
xn;z\/
;z\M(u
QxUz\-
;z\M(u
;zS+9{\
;zaJ:z\
-w^$Y.
x&;z\Y.
Yh\z\-6
+w^<NnQ\
xF;z\Y.
x~;z\%
;zaZ;z\
^t-6B8
x&;z\/32
x&;z\/32
x~;z\M(u
xv;z\/32
xv;z\/32
;?oo~I
:z\*:z\-
+w^<Y.:p
:z\M(u
x>;z\-6
:z\/32
Y(az\OW
+w^tY.
YTcz\O}
:z\M(u
Q0cz\Y.
+w^|Y.
$z\Y.>C
xf;z\%
xZ;z\-6
+w^tY.
xf;z\M(u
xf;z\M(u
;z\/32
xF;z\Y.
I8#z\U4
x&:z\%
x^;z\Y.
xV;z\/32
x&:z\%
x&;z\-6
Y<|z\-
xN;z\/32
x&:z\%
x&;z\-6
;z\/32
z\Y.NM
^|p:{\
x&;z\Y.2L
;2YN{z\
;2Y~~z\
x2;z\E
]uC";z\
]uC";z\
Ou:-?p
]uC";z\
]uC";z\
#6Serj
g{6Ser
]uC";z\
]uC";z\
]uC";z\
]uC";z\
;2Se*2Sejr
;(!x>z\
;!YlUz\
;-.6Uz\
;!&' z\
;-ml_z\
;z1 kz\
;2Bh>z\
;7qn6z\
;??w9z\
;6ppRz\
;%sT.z\
;dCCzz\
;%19Xz\
;gZIPz\
;KPUez\
;ONsEz\
;59aQz\
;"e]az\
Hz\V?*/
Hz\n871
Oz\n919
m$:^l$:Z^
0123456789
abcdefghijklmnopqrstuvwxyz
^_`abcdefghijklmnopqrstuvwxyz
?i"&?ipQ~X"
?ic6?i
>e?u?%?/?$?
6"D2L2T2\2d2l2t2|2
3$3,343<3
eK4d4l4t4|4
5$5,545<5D5L5T5\
;8<8D8L8T8\8d8l8t8|8NN
fGDhv>
9$9,94
^23T:\:d:l:t:|:
;$;,;4;<;D;L;
}<t<|<
5$=,=4=<=D=L=T=\=d=l
?D?L?T?\?d?l?t?|?
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
DJ[MH5E
+v{0N%E
Authorization
Basic 
Accept-Language: 
aeiouy
bcdfghjklmnpqrstvwxz
http://www.google.com/
http://www.bing.com/
DELETE
CONNECT
OPTIONS
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
script
t~fb``{c|
RPK]WN
xPXPDY
m@BYOE\
cIGJFJNF
%Lhdkakmg
w{ysnrl`
{{{pzn|
soep|h
<?6:2t
2)74;_
50,-(3*
76l`nz!
uij+1zqp
LOAPh|tOWEExszwg
]^PIl|EkhaAisIggshvj`
JIGJ{kYo`|b
~pLYwoy}ua
3-%-)#b=
nUwAOCUIYK
$=-= (8
jWTQuBJAxNY\K\Xl
LqrwSdlg^h
UhknJ}u~GqfctcgWuM
c^]X|KCHqGPUBUQaCm
4-=-08(
wgMh{maVjomjhP
=>	1$#2#%
6-)+=;
:0$2h_^r%
OIN@AW
wab"	pdo/w(9&
xL\^Y_]
&<:>8!;
.4260)3
"u?+,'r:*}M)x%
siokmtn
zPP\XTg
Q|}mwt
}tJQ|pa{,]bnqlx
%. 3/6)%2/;f,//
d[_TXAF
xUWL^]IO
_vypr^xy`vcbUxxyoh|`aa#HobimGc`w_HKb
sWTCSDG
{z}7]ajiynm?Rdajtlci|z
Mvtmiho%Osx{k|
sNDWSDTBtdCH^B]@VEnd][RXOJ
}BFMAX_
xGCHD]Z
)~Olkf
ep%hfmd8#9n
Z5t{rx/62c
Mxnewc*73f..
fpoajc?$
I31o_NOD]CT
kGYwxq
JehY^KMUnq\Z[ST\@EE
fzycLBwpiowkaZ
reogfp
iGCUDSYXgDV\NYI
kn'-&<Glg0'95Le`! '*U~y26;[ps$3-aJM
^U\ZLEWIpvucot@mshmquK~nIGrdgypw^p}OYXDXQi@KUsFPKU\[
aDKLI}O[H
omi}NX[rU\]AM
CAEFet`jIn{mLvq~j
zYKz\^ZOY@bETBc@BJFBLlBX@GSISYt
G`{CbuaFunz
}Ko{wp
,-19:#jjy298
`a}oESTP
aOIAgGRC]G]XBEG
ufbuesEUryoslqgt_Uljci~{WIx~}k_DeWGG^YWdiOS
GetProcAddress
LoadLibraryA
FCICreate
FCIAddFile
FCIFlushCabinet
FCIDestroy
tm9_ th9_$tc
GD)_p)_l
Nlf+Np
Vlf+Vd
N09F0u
O@;H s
O@;H(s
Oh;O\sR
Gh9Ghr
V0WQPRV
N0WPRQV
Np;Ntt
@PAQBR
wkPSQR
Genuu8
ntelu0
ineIu(
0SSSSS
0SSSSS
URPQQhd=C
t h@PF
v	N+D$
UQPXY]Y[
/_^][YY
ItKIt)IIt
9w v>SU
l$ +T$ 
u1< uN
T$(9t$
;D$ u%P
L$$9D$H
Kt<Kt"Kt	Kt3Kt
D$8+D$,
$VWQPh
L$%9D$
t$ Ph,
D$8j2P
;\$ wVr
tx;\$$wrr
;|$ sj3
u$f9]9u
QSUVWj
QSVWj$[S
QQVWjd
\$ WUSj
\$$WVUPS
\$$WVU
t$4WQUS
D$ _^][YY
^f90u	j
_^][YY
< t:<	|
SUVWj 
L$0[j	
s?j\_f9
l$ j\_
j [j	B^
Cj ];\$
T$ Rj j
9D$ vp
@;t$ r
PH_^][
T$HRSP
\$,9\7
0t"Huqj@
<0r	<9w
<0r	<9w
=ERCPt
HHtEHHus
uW;_ttR
;AXw8R
QQSUVW
D$ ;D$
X_^][YY
QX+Q\u
A\;AXr	j
P8\$0t	j
T$$9T$(
j Yf9L]
G ;F t
G$;F$t
G(;F(u
G,;F,u
;=nSERt
;=oYPEt'=}EATt =kASVu
;=hTATt
SUVWj~3
l$ PUUh
QQSUVW2
_^][YY
D$8 t 9\$Pul
QQSUVW
_^][YY
]f9l$8u%j
f9t$ u
D$HPQQ
D$jf9l$hu
9D$ u>
9D$@~kU
l$0PQQ
@f9l$hj
]f9l$hu
L$0u^3
D$PPWV
D$ PQQ
w$E;o |
L$$;O 
D$$;G 
w$E;o |
D$$;G }U
D$$;G |
D$(PVV
D$(PVV
9w<t	;_h
tV;_ls
<KvD<M
<KvF<Mw{
l$,;D$(
D$0;\$(s
D$$@PV
}X;_ls+
D$$;D$
D$0K;\$(s
T$ ;T$
L$ ;L$
L$ @PV
T$ ;T$
L$ ;L$
L$ @PV
T$0;Wdu
 !""""""##$%&'())))))**+,-./JJJJJJJJ00J1234555676789:;<:;<JJJJJ=>?@ABCDEFG
xB9T$@t3;
;L$0vH
9|$<tZ
9l$(tK
4SUVW3
L$$QPWV
<SVj83
t$ PVh
8\$ t	
ZWSSSSP
t#SSWU
SSSh_eD
_^][YY
D$ ;D$$r
_^][YY
f9D$dua
j?_f9y
:u f9A
D$<jBP
L$,CSV
9\$ u	
t$T;T$ }
D$\Phu
T$(jvY
D$(VPj
t$ WPSQU
jaXjAZ
j0Yj	Zf;
SSSSSS
D$,PSSSS
D$(PWQS
;D$ sW
PQQh$`
HHt*Ht
L$`VWQ
T$pSSR
tXHtWHt'Ht&Huf
9;rsWRV
>DAVEu>h
=DAVEu"
D$8_^][
<	w%fkN
Ct7Ht.
Ot2Ht)HHt
	tLHt&Ht
:u9j	X
t+Ht#+
BY;L$ u
_^][YY
tS9|$$t8j
PSUVW3
t$$WWU
L$,+L$Pj
D$0+D$TR
_^][YY
D$hPUUU
D$hPUUj
SUVWj8
D$`PQj
;HXt	j
It5It(Iu7
tDHt:Ht
f9D9 v
L$ ;\$
8SUVWj83
D$Gf9n
QSUVkt$
f9G4tJf9F4u
F4f;G4t
t$f9Q u
SUVWj83
O _^][
FPHt%j
FPHHu!j
Ht>HuNj
_^][YY
tSUVWj
D$<PQQj
D$ PWV
GGj<ZRP
D$$QQP
D$,PSS
QQSVjX
j8h8)F
9|$$t&U
s49>t)
T$$!l$$
t99>~.
QSUVW3
SUVWh@7F
SVWh@7F
\$$Pj 
Ht\HtQHHt1
_^][YY
l$ 9\$
SUVWjV
T$4SUVW
f#D$<f;D$<t
t$8USV
D$ PUS
L$,;GH
|$h!|Lj
D$$j!PW
9~Hv73
<0|-<9
X_^][YY
j8hH)F
C9XPtF3
SVQQj	
t.Ht$HHt
D$D_^[
D$tPQ3
SUj [j	]j
PSSSVS
lUVWjd
D$89L$8
tlWj#Y
j$hX)F
%t'<&t
9l$ u>
|$$PQR
|$0Pj@UV
f9C t1j
f9C4tDj
t$$QQW
t$$QQW
9ERCPt
39l$ v!
D$`CSP
tW9w0u"VVj
tuHtlHt*Ht
L$ QPW
tMHt?Ht
u68D$ Qj
t$$Wu\
tC9l$,u=Uj
T$,_^]
}t9_PtP;wPuK
T$(_^][
D$ SUVWP
9t$$r(w
9T$ r 
tv9t$,r(w
9T$(r 
tB9t$4r%w
j,hh)F
VVVVVV
D$4_^][
t-HHt!HHt
D$ j`P
D$ PUh
w$QSUU
|SUVWjy
D$\j P
f9CLt%8C
t f9CJt
D$<j:UP
f;D$Ru
f;D$Tt>G
D$,?*P
QQSUVW
t	j\Xf
_^][YY
tNHt$HuD9w
D$$SUV
CE;l$ }
u79^$u
QQSUVW
_^][YY
QVVVVVVSW
t*Ht Ht
^[_]YY
_jzZjaY
K4;MTtW
D$(Pjd
D$(GET
D$DPj"VWQ
D$0Pj-W
D$@Pj"SWQ
t$PUSV
D$lj$P
_^][YY
t^HtFHuj
D$@PWQ
8\$(tB
u!SSWj
D$$;E4t
t$DSSR
t#;o4u
t$4SVj
t3;_<u
ttHu3j(
D$4PWQ
tFSSWj
D$ SPW
QQSUWj
u$;ATu
T$(9p,u
D$4PWU
LdrGetDllHandle
NtQueryInformationProcess
NtTerminateProcess
NtCreateFile
LdrLoadDll
ntdll.dll
VirtualFree
LoadLibraryA
GetProcAddress
VirtualAlloc
SetLastError
GetModuleHandleW
InitializeCriticalSection
GetLastError
DeleteCriticalSection
WaitForSingleObject
CreateFileW
QueryPerformanceCounter
SetEvent
GetTickCount
CreateEventW
CloseHandle
lstrcmpA
lstrlenA
lstrlenW
FreeLibrary
LoadLibraryW
TerminateThread
LocalFree
CreateThread
GetSystemTime
LeaveCriticalSection
EnterCriticalSection
lstrcpyA
GetCommandLineW
GetHandleInformation
WaitForMultipleObjects
lstrcpyW
TryEnterCriticalSection
TlsGetValue
TlsSetValue
WriteFile
FlushFileBuffers
GetComputerNameW
GetVersionExW
GetVolumeNameForVolumeMountPointW
WideCharToMultiByte
GetCurrentThread
SetThreadPriority
VirtualProtect
GetThreadContext
SetThreadContext
VirtualFreeEx
GetProcessId
ResetEvent
CreateMutexW
OpenMutexW
ReleaseMutex
FindFirstFileW
FindClose
FindNextFileW
MultiByteToWideChar
GetNativeSystemInfo
GetDriveTypeW
GetSystemDefaultUILanguage
GetLogicalDrives
GetProcessTimes
GetModuleFileNameW
lstrcmpW
GlobalMemoryStatusEx
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
GetVolumeInformationW
IsBadReadPtr
TlsAlloc
TlsFree
HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap
HeapDestroy
HeapCreate
VirtualAllocEx
WriteProcessMemory
SetEndOfFile
SetFilePointerEx
CreateDirectoryW
SetFileTime
GetFileAttributesW
ReadFile
GetTempPathW
GetFileSizeEx
GetFileTime
DeleteFileW
GetFileInformationByHandle
SetFileAttributesW
GetCurrentProcess
DuplicateHandle
ResumeThread
ExitProcess
GetSystemTimeAsFileTime
WTSGetActiveConsoleSessionId
lstrcmpiW
GetCurrentProcessId
MapViewOfFile
UnmapViewOfFile
CreateProcessW
CreateFileMappingW
lstrcatW
ExpandEnvironmentStringsW
GetExitCodeThread
SystemTimeToFileTime
GetTimeZoneInformation
GetLocalTime
FileTimeToLocalFileTime
FlushInstructionCache
GetThreadPriority
MoveFileExW
GetPrivateProfileStringW
GetPrivateProfileIntW
lstrcmpiA
VirtualQuery
GetEnvironmentVariableW
OpenProcess
Thread32First
Thread32Next
CreateToolhelp32Snapshot
GetCurrentThreadId
CreateRemoteThread
Process32FirstW
Process32NextW
SetErrorMode
GetLongPathNameW
OpenEventW
UnregisterWait
RegisterWaitForSingleObject
DosDateTimeToFileTime
RemoveDirectoryW
GlobalLock
GlobalUnlock
FileTimeToDosDateTime
GetTempFileNameW
lstrcpynA
KERNEL32.dll
CharLowerA
CharLowerW
CharUpperW
GetSystemMetrics
GetLastInputInfo
DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
GetCursorPos
GetIconInfo
DrawIcon
LoadCursorW
ExitWindowsEx
GetClipboardData
PostQuitMessage
ToUnicode
GetKeyboardState
USER32.dll
CryptExportKey
CryptVerifySignatureW
CryptGetKeyParam
CryptImportKey
CryptGenKey
CryptDestroyKey
CryptDestroyHash
RegCreateKeyExW
RegCloseKey
CryptAcquireContextW
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
RegSetValueExW
EqualSid
CryptGetHashParam
CryptReleaseContext
CryptCreateHash
CryptHashData
OpenProcessToken
GetSidSubAuthority
OpenThreadToken
GetTokenInformation
CreateProcessAsUserW
LookupPrivilegeValueW
AdjustTokenPrivileges
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
GetLengthSid
IsWellKnownSid
ConvertSidToStringSidW
InitiateSystemShutdownExW
CryptDeriveKey
CryptSetKeyParam
CryptEncrypt
CryptDecrypt
ADVAPI32.dll
PathRemoveExtensionW
PathFindFileNameW
wvnsprintfW
PathRenameExtensionW
PathRemoveBackslashW
PathRemoveFileSpecW
PathAddBackslashW
PathQuoteSpacesW
PathGetDriveNumberW
UrlUnescapeA
StrCmpNIA
StrCmpNIW
PathFindExtensionW
StrCmpNW
PathIsURLW
PathUnquoteSpacesW
PathIsDirectoryW
StrRChrA
StrCmpIW
StrChrW
StrCmpW
StrCmpNA
StrChrA
PathSkipRootW
PathMatchSpecW
StrStrIW
SHLWAPI.dll
CommandLineToArgvW
SHGetFolderPathW
ShellExecuteW
SHELL32.dll
GetUserNameExW
DeleteSecurityContext
DecryptMessage
EncryptMessage
Secur32.dll
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CLSIDFromString
StringFromGUID2
CreateStreamOnHGlobal
CoTaskMemFree
CoSetProxyBlanket
ole32.dll
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
CreateDCW
GetDeviceCaps
DeleteDC
BitBlt
GDI32.dll
freeaddrinfo
getaddrinfo
WSAStringToAddressW
WSAAddressToStringA
WSACreateEvent
WSAEventSelect
WSAEnumNetworkEvents
WSAAddressToStringW
WSAIoctl
WSACloseEvent
WSAGetOverlappedResult
GetAddrInfoW
WSASend
WSARecv
FreeAddrInfoW
WS2_32.dll
CryptUnprotectData
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle
InternetQueryOptionA
WININET.dll
OLEAUT32.dll
NetUserGetInfo
NetApiBufferFree
NetUserEnum
NETAPI32.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
USERENV.dll
GetAdaptersAddresses
IPHLPAPI.DLL
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
VERSION.dll
GdiplusShutdown
GdipSaveImageToStream
GdipFree
GdipAlloc
GdipGetImageEncodersSize
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipCloneImage
GdiplusStartup
gdiplus.dll
_errno
memcpy
memmove
memcmp
memchr
_purecall
strcmp
memset
strtoul
_vsnwprintf
_vsnprintf
msvcrt.dll
RtlUnwind
SetFilePointer
OutputDebugStringA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
_except_handler3
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6|6
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
:$:,:4:<:D:L:T:\:d:l:p:t:x:|:
<h<l<p<t<x<|<
=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>x>|>
0 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1
0L1P1T1X1\1`1d1h1l1p1t1x1
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2
4 4$4(4,4044484<4D4H4L4P4T4X4\4`4d4(6,6
7(8<8F8X8d8u8
1=3I5c7q7
:\<`<d<h<l<p<t<x<|<
:&:-:4:;:B:
<C?U?g?y?
`3e3&6[6b6n6z6
7*777Q7^7j7v7
8 8,898c8u8
1^3e3o3|3
6@7L7r7]8
1)1.141?1F1
:B;M;\;
=%>9>c>
?O?i?z?
1,1E1a1
8a9h9q9
:0=;=`=~=
3P4m4z4
6/666M6i6t6W7~7D8
<Q<Z<a<j<q<z<
=q>-?<?l?w?
90:f:|:
;4;f;|;
909<9C9c:
8*9C9H9
39538"9
4Z5c5j5p5~5
6.6E6X6a6g6o6~6
9+;D;M;
<F<\<j<z<
4'414J4y4
6 7%7p7x7
8#8A8H8y;
<g<p<w<}<
=8>N>b>
0M1b1p1
6(71787k7
0&0E0L0
7 8E8i8
8'949e9
<6=F=z=
> >J>g>
1/2L2J5_5
5$7S7p7
8i95:v:d;
0 0<0_0
3\5e5m6t6
9G:H;$=
8!8?9F9
Z1$2~2
7.7M7Q7U7Y7]7a7e7i7m7q7u7y7}7
8!8%8)8-8185898=8A8E8I8M8Q8U8Y8]8a8e8i8m8q8u8
9!9%9)9-9195999=9A9E9I9M9Q9U9Y9]9a9e9i9m9q9u9y9}9
4'4M4|4
5-6U6|6
868O8b8}8
585L5V5x5
7$7*7U7_7n7
494P4Z4
6)6?6U6p6
667H7e7
9/9I9P9
2#222@2
596R6a6h6m6w6
;2<k<~<
=S=r=@>S>0?C?i?
142S2p2
>!>*>.>3>:>M>^>
>/>4>>>C>J>P>b>h>{>
?0?6?\?
3@3D3H3L3P3T3X3\3`3d3h3l3O4Y7
44686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7
;5;@;O;
= =*=1=:=>=C=J=^=
0,0O0k0
2$282T2[2
2*3N3e3v3
324L4Y4c4k4r4
4;5S5Y5j5
656A6N6x6
1T2b2n2
3:3]3m3
494[4q4
30U0^0d0
1!1B1U1
202R2W2_2c2k2
4"464A4L4[4
5+5/555<5_5z5
5 6X6}6
6H7Q7^7l7v7
9'9;9L9U9g9x9
;T;g;q;{;
;*<6<D<j<
=1=R=j=
4d5m5t5y5
5>6I6c6z6
;-;N;c<
3,4O4\4
5	5*595[5
6 6,696
<(<X<`<p<v<~<
3P4c5}5
9m:3;B;
272Y3m3t3z3
3m4%5/545
;";o;f?
0:1C1J1O1Y1b1f1k1r1{1
5Q6Z6a6f6r6v6~6
7$858P8
939\9z9
;#;O;d;
;#<+<?<S<g<{<
0?0I0r0
3,3G3g3~3
404<4T4d4p4w4|4
565N5\5
8)8I8X8
919M9n9
1(222:3M3
7(7M7W7
819A9{9
<B<M<Z<q<y<
<'=5=K=U=
>/>:>G>^>d>k>
1(161;1F1X1_1q1x1
1+2I2[2e2k2s2}2
3"3+383E3
4&4,444b4q4v4
5+5C5I5f5l5
808=8O8\8f8p8
8*9F9r9
9E:L:i:p:
:.;=;M;z;
< <:<G<N<m<r<
=3=8=e=
>T>`>g>
0 1*1l1-2a2
3(3?3E3S3f3~3
3!4N4}4
;";/;C;U;`;
7[8e8}8
0E1R1[1
:!:*:1:7:E:L:P:W:g:s:y:
;&;4;>;L;V;c;i;z;
='=,=A=J=R=[=i=p=t={=
3i3=4a4g416@6o8x8
9%9.959>9G9^9~9
?&?5?L?R?
364?4F4L4Z4a4e4l4|4
5;5C5]5b5~5
696?6Y6w6
7"7*7/777<7D7I7
8 82888D8L8
9,989@9H9O9W9`9g9l9v9
:+:0:B:G:Y:^:p:u:
;(;-;;;@;N;S;a;f;t;y;
<3<@<H<P<w<
?.?Q?e?
0%080S0p0
3 3@3U3Z3t3
929;9B9U9\9
;*;/;4;9;>;C;H;M;R;Z;
;.<3<8<?<
>!>(>9>l>
8.9Q9t9
1,2+4@4
5)5=5Q5e5y5
7?8h8n8t8z8
9 9,909<9@9L9P9\9`9l9p9|9
0,0P3T3
>(cmhJn
5uUM>`