;;MyDoom.AX strings output (repackaged MyDoom.M)
;;comments added by infectionvectors.com preceded by ";;"
;;2005


File pos   Mem pos      ID   Text
========   =======      ==   ====

00000104   00500104      0   0.ELO
0000012C   0050012C      0   1.ELO
00001178   00501178      0   kernel32.dll
00001194   00501194      0   IEFrame
0000119C   0050119C      0   ATH_Note
000011A8   005011A8      0   rctrl_renwnd32
0000128C   0050128C      0   %s, %u %s %u %.2u:%.2u:%.2u %c%.2u%.2u

;;call for DNS API DLL/check connectivity 

000012B4   005012B4      0   InternetGetConnectedState
000012D0   005012D0      0   dnsapi.dll

;;ip helper API DLL call

000012DC   005012DC      0   iphlpapi.dll
000012EC   005012EC      0   DnsQuery_A
000012F8   005012F8      0   GetNetworkParams

;;strings for the "do not mail to" list

0000130C   0050130C      0   mailer-d
00001320   00501320      0   abuse
00001328   00501328      0   master
00001330   00501330      0   sample
00001338   00501338      0   accoun
00001340   00501340      0   privacycertific
00001358   00501358      0   listserv
00001364   00501364      0   submit
0000136C   0050136C      0   ntivi
00001374   00501374      0   support
0000137C   0050137C      0   admin
0000138C   0050138C      0   the.bat
00001394   00501394      0   gold-certs
000013A4   005013A4      0   feste
000013D0   005013D0      0   rating
000013E8   005013E8      0   someone
000013F0   005013F0      0   anyone
000013F8   005013F8      0   nothing
00001400   00501400      0   nobody
00001408   00501408      0   noone
00001418   00501418      0   winrar
00001420   00501420      0   winzip
00001428   00501428      0   rarsoft
00001430   00501430      0   sf.net
00001438   00501438      0   sourceforge
00001444   00501444      0   ripe.
0000144C   0050144C      0   arin.
00001454   00501454      0   google
00001464   00501464      0   gmail
0000146C   0050146C      0   seclist
00001474   00501474      0   secur
00001484   00501484      0   foo.com
0000148C   0050148C      0   trend
00001494   00501494      0   update
0000149C   0050149C      0   uslis
000014A4   005014A4      0   domain
000014AC   005014AC      0   example
000014B4   005014B4      0   sophos
000014BC   005014BC      0   yahoo
000014C4   005014C4      0   spersk
000014CC   005014CC      0   panda
000014D4   005014D4      0   hotmail
000014E4   005014E4      0   msdn.
000014EC   005014EC      0   microsoft
000014F8   005014F8      0   sarc.

;;parsing constructs for email addresses

00001514   00501514      0   _-!.@
00001520   00501520      0                                   
00001810   00501810      0   &nbsp
00001818   00501818      0   &nbsp;
00001820   00501820      0   .dot.
00001828   00501828      0   _dot_
00001834   00501834      0   (dot)
0000187C   0050187C      0   USERPROFILE
00001890   00501890      0   yahoo.com

;;email message body construction

000019D8   005019D8      0   Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}
00001A87   00501A87      0   {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
00001B6E   00501B6E      0   {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.
00001C2B   00501C2B      0   {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.
00001CCB   00501CCB      0   {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
00001D10   00501D10      0   {$T {user |technical |}support team.|The $T {support |}team.}
00001D50   00501D50      0   {The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}:
00001DB1   00501DB1      0   Your message {was not|could not be} delivered because the destination {computer|server} was
00001E0E   00501E0E      0   {not |un}reachable within the allowed queue period. The amount of time
00001E56   00501E56      0   a message is queued before it is returned depends on local configura-
00001E9D   00501E9D      0   tion parameters.
00001EB1   00501EB1      0   Most likely there is a network problem that prevented delivery, but
00001EF6   00501EF6      0   it is also possible that the computer is turned off, or does not
00001F38   00501F38      0   have a mail system running right now.
00001F61   00501F61      0   Your message {was not|could not be} delivered within $D days:
00001FA0   00501FA0      0   {{{Mail s|S}erver}|Host} $i is not responding.
00001FD2   00501FD2      0   The following recipients {did|could} not receive this message:
0000201A   0050201A      0   Please reply to postmaster@{$F|$T}
0000203E   0050203E      0   if you feel this message to be in error.
00002068   00502068      0   The original message was received at $w{
00002092   00502092      0   | }from {$F [$i]|{$i|[$i]}}
000020B1   005020B1      0   ----- The following addresses had permanent fatal errors -----
000020F1   005020F1      0   {<$t>|$t}
000020FE   005020FE      0   {----- Transcript of {the ||}session follows -----
00002132   00502132      0   ... while talking to {host |{mail |}server ||||}{$T.|$i}:
0000216D   0050216D      0   {>>> MAIL F{rom|ROM}:$f
00002186   00502186      0   <<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
00002218   00502218      0   554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
000022E5   005022E5      0   Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
00002323   00502323      0   <<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
00002387   00502387      0   {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
000023C7   005023C7      0   |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
000023FF   005023FF      0   |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
0000243F   0050243F      0   |}<<< 400}|}
0000244C   0050244C      0   The original message was included as attachment
0000247C   0050247C      0   {{The|Your} m|M}essage could not be delivered

;;subject lines

000024AC   005024AC      0   hello
000024B8   005024B8      0   error
000024C0   005024C0      0   status
000024D0   005024D0      0   report
000024D8   005024D8      0   delivery failed
000024E8   005024E8      0   Message could not be delivered
00002508   00502508      0   Mail System Error - Returned Mail
0000252C   0050252C      0   Delivery reports about your e-mail
00002550   00502550      0   Returned mail: see transcript for details
0000257C   0050257C      0   Returned mail: Data format error

;;attachment filenames

000025BC   005025BC      0   readme
000025C4   005025C4      0   instruction
000025D0   005025D0      0   transcript
000025E4   005025E4      0   letter
000025FC   005025FC      0   attachment
00002608   00502608      0   document
00002614   00502614      0   message
00002620   00502620      0   postmaster
0000262C   0050262C      0   MAILER-DAEMON
0000263C   0050263C      0   noreply

;;"From:" field (if not spoofed from harvested addresses)

00002648   00502648      0   "Postmaster"
00002658   00502658      0   "Mail Administrator"
00002670   00502670      0   "Automatic Email Delivery Software"
00002694   00502694      0   "Post Office"
000026A4   005026A4      0   "The Post Office"
000026B8   005026B8      0   "Bounced mail"
000026C8   005026C8      0   "Returned mail"
000026D8   005026D8      0   "MAILER-DAEMON"
000026E8   005026E8      0   "Mail Delivery Subsystem"

;;extension construction

00002704   00502704      0   %s.%s
00002718   00502718      0   %s.zip
0000274C   0050274C      0   %d.%d.%d.%d

;;SMTP header construction strings

00002758   00502758      0   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
000027A0   005027A0      0   X-Priority: 3
000027AF   005027AF      0   X-MSMail-Priority: Normal
000027CA   005027CA      0   X-Mailer: Microsoft Outlook Express 6.00.2600.0000
000027FE   005027FE      0   X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
0000283C   0050283C      0   Content-Type: multipart/mixed;
0000285C   0050285C      0   	boundary="%s"
00002872   00502872      0   MIME-Version: 1.0
00002888   00502888      0   Date: 
00002890   00502890      0   Subject: %s
000028A0   005028A0      0   To: %s
000028AC   005028AC      0   From: %s
000028B8   005028B8      0   ----=_%s_%.3u_%.4u_%.8X.%.8X
000028D8   005028D8      0   NextPart
000028E8   005028E8      0   --%s--
000028FE   005028FE      0   Content-Type: application/octet-stream;
00002927   00502927      0   	name="%s"
00002933   00502933      0   Content-Transfer-Encoding: base64
00002956   00502956      0   Content-Disposition: %s;
00002970   00502970      0   	filename="%s"
00002984   00502984      0   inline
0000299E   0050299E      0   Content-Type: text/plain;
000029B9   005029B9      0   	charset=us-ascii
000029CC   005029CC      0   Content-Transfer-Encoding: 7bit
000029F0   005029F0      0   This is a multi-part message in MIME format.
00002A3C   00502A3C      0   RC%sO:<%s>
00002A54   00502A54      0   MA%sROM:<%s>
00002A6C   00502A6C      0   %sO %s
00002A7C   00502A7C      0   E%s %s
00002A98   00502A98      0   %s %s

;;used in drop/infection routines (note name for dropped Trojan, "zincite," saved as "services.exe")

00002AA8   00502AA8      0   Server
00002AB0   00502AB0      0   Software\Microsoft\%s %s Manager\%ss
00002AD8   00502AD8      0   Internet
00002AE4   00502AE4      0   Account
00002AF0   00502AF0      0   mail.
00002AF8   00502AF8      0   smtp.
00002B08   00502B08      0   zincite
00002B18   00502B18      0   services

;;email address/target retreival via Internet search engines, where domain of harvested addresses used to seed request

00002B24   00502B24      0   urlmon.dll
00002B30   00502B30      0   URLDownloadToCacheFileA
00002B48   00502B48      0   http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
00002B90   00502B90      0   &nbq=%d
00002B98   00502B98      0   http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
00002BD0   00502BD0      0   &n=%d
00002BD8   00502BD8      0   http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
00002C24   00502C24      0   &num=%d
00002C2C   00502C2C      0   http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
00002C68   00502C68      0   %s+%s

;;address parsing

00002C74   00502C74      0   contact+
00002C80   00502C80      0   reply
00002C88   00502C88      0   mailto
00003446   00503446      0   SVWt1
0000370F   0050370F      0   uef9u
000039BC   005039BC      0   >F@Ju
00003C23   00503C23      0   |$8PU
00003C29   00503C29      0   D$<UPU
00003E6A   00503E6A      0   UQUUj
00003F7E   00503F7E      0   tXj5f
000040B6   005040B6      0   <<@t?
00004524   00504524      0   t <@t
00004819   00504819      0   @uR@j
000048AC   005048AC      0   Wt+9X
000049E7   005049E7      0   @uJV@j
00004AE2   00504AE2      0   QQSUVW3
00004BA1   00504BA1      0   QPVh7JP
00004F54   00504F54      0   WSSSj
000051E4   005051E4      0   ttx<au
000051F2   005051F2      0   ptj<su
00005200   00505200      0   tt\<au
0000520E   0050520E      0   btN<du
00005271   00505271      0   9N w3
000061C7   005061C7      0   "h,'P
00006355   00506355      0   Dt9HHt-
0000640B   0050640B      0   BBRhL'P
00006550   00506550      0   < rA<=t=<+t9<
00006566   00506566      0   t-<@t)
000067C2   005067C2      0   QSUVW
00006869   00506869      0   YYhp(P
00006BE7   00506BE7      0   t><:t9<
00006BF3   00506BF3      0   t1<	u
00006BFF   00506BFF      0   < u	8
00006F26   00506F26      0   Phx*P
000072B9   005072B9      0   tBHt8Ht.H
00007711   00507711      0   PSSSj
0000784C   0050784C      0   Rh,,P
00007894   00507894      0   Wh$,P
0000916B   0050916B      0   ABAAAEAAA
00009179   00509179      0   AAAAAAA
00009181   00509181      0   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
000091B7   005091B7      0   )(2a13.&3 ,a" //.5a#$a34/a(/a
000091D7   005091D7      0   a,.%$oLLKeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0000922D   0050922D      0   @BAAAAAAAAAAAAA
0000923D   0050923D      0   AN@J@FAAaAAAQAAA
0000924E   0050924E      0   AA1&AAA
00009256   00509256      0   AAA1AAAA
0000925F   0050925F      0   AAQAAACAAEAAAAAAAEAAAAAAAA
0000927A   0050927A      0   AAAQAAAAAACAAAAAQAAQAAAAQAAQAAAAAAQAAAAAAAAAAAA1AAE@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
00009323   00509323      0   qAAAAA
0000932A   0050932A      0   AAAQAAAAAAAEAAAAAAAAAAAAAA
0000934B   0050934B      0   pAAAAAaAAA
00009356   00509356      0   AAA[AAAEAAAAAAAAAAAAAA
00009373   00509373      0   sAAAAAQAAA1AAACAAA_AAAAAAAAAAAAAA
00009398   00509398      0   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAposuA
0000955A   0050955A      0   AA"VAAAiAAg@AL
000095FD   005095FD      0   *$3/$-rso%--
0000960E   0050960E      0   cd2cFdoy9od"@A
00009621   00509621      0   8o-.&;(/"(5$A9
0000974D   0050974D      0   FMPWDHOUEJQ
0000975C   0050975C      0   VGKNTA@CBBEC@DP/
0000976E   0050976E      0   DDGF6n@$5
00009784   00509784      0   ./I"O%
000097FE   005097FE      0   Pne5a
0000980E   0050980E      0   5UEn5N
00009823   00509823      0   |ah+$+9B
0000982F   0050982F      0   B#%F!
00009897   00509897      0   1C%xD=
000098B4   005098B4      0   B 6Y>
000098EA   005098EA      0   P[eI>N
00009916   00509916      0   =VK>D
0000996E   0050996E      0   M{<Q+P
00009A4A   00509A4A      0   ?IMNG
00009AB4   00509AB4      0   _Mxq?QQ.
00009ADF   00509ADF      0   <Ew2r
00009B0C   00509B0C      0   s4~-@
00009B56   00509B56      0   2MISY
00009B88   00509B88      0   D	GM'/
00009BD8   00509BD8      0   _? xxI
00009C28   00509C28      0   _uq#?a
00009C4F   00509C4F      0   0@T/4
00009C75   00509C75      0   1NjIX
00009C86   00509C86      0   )KEa4
00009CCA   00509CCA      0   Sn2|R
00009CD1   00509CD1      0   1la)%P
00009CE8   00509CE8      0   3PRPw
00009E13   00509E13      0   |AE0P
00009F63   00509F63      0   O2XU@4n
00009F7C   00509F7C      0   YAII1
0000A00A   0050A00A      0   <VhEL_JM
0000A058   0050A058      0   )Pq"\1>
0000A06C   0050A06C      0   )w]SC
0000A09D   0050A09D      0   \:I3K
0000A0AE   0050A0AE      0    ]$Qr
0000A1EF   0050A1EF      0   ,Pa?RI
0000A220   0050A220      0   xSY<gSvQf=
0000A234   0050A234      0   &*"(O
0000A287   0050A287      0   *P;9u;
0000A31D   0050A31D      0   C%l Y
0000A45E   0050A45E      0   IzN[b
0000A470   0050A470      0   )&!	C=
0000A51B   0050A51B      0   nUDYl
0000A54D   0050A54D      0   D2Zy)
0000A5EB   0050A5EB      0   7Qs=K
0000A632   0050A632      0   UABQ.@b
0000A67D   0050A67D      0   GD96S
0000A753   0050A753      0   Qy-ln
0000A810   0050A810      0   .	3B+9
0000A88B   0050A88B      0   DKWN'DW
0000A9A7   0050A9A7      0   aEPEMpj
0000A9CC   0050A9CC      0   	k}GE
0000AAE7   0050AAE7      0   j.7<s
0000AB29   0050AB29      0   AAkaJ
0000AB3C   0050AB3C      0   (-$XA
0000AB65   0050AB65      0   .4L-25
0000AB6F   0050AB6F      0   3W/V$,1
0000AB86   0050AB86      0   --."c
0000AB90   0050AB90      0   3I$22U
0000AB97   0050AB97      0   T2$	 /%
0000ABDC   0050ABDC      0   (#3 38s
0000AC03   0050AC03      0   $VN.y(W
0000AC2F   0050AC2F      0   62131'	
0000AC3D   0050AC3D      0   OCBQRu
0000AC47   0050AC47      0   xEVH@
0000AC50   0050AC50      0   SLC2I
0000AC60   0050AC60      0   AN@J@FO
0000AC74   0050AC74      0   EQZErF
0000AC7F   0050AC7F      0   M{iQF
0000AC86   0050AC86      0   dZGB-n
0000ACA5   0050ACA5      0   EbaJ!o% 5 4J
0000ACC2   0050ACC2      0   @AAAAAAa
0000ACCB   0050ACCB      0   AAAAAAAAAAAAA!
0000AD04   0050AD04      0   @AAA@
0000ADEF   0050ADEF      0   qA!AA@
0000AE1A   0050AE1A      0   )!AAH
0000AE2B   0050AE2B      0   -!AA 
0000AE35   0050AE35      0   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0000AF75   0050AF75      0   1AA%1AAAAAAAAAAAAAA
0000AF89   0050AF89      0   1AA51AAAAAAAAAAAAAA
0000AF9D   0050AF9D      0   1AA=1AAAAAAAAAAAAAA
0000AFB5   0050AFB5      0   1AAAAAAAAAAAAAAAAAAAAAA
0000AFD5   0050AFD5      0   1AAAAAA
0000AFDD   0050AFDD      0   1AAAAAA
0000AFE5   0050AFE5      0   1AAAAAAIAA
0000B007   0050B007      0   rso%--A
0000B012   0050B012      0   rso%--A
0000B01D   0050B01D      0   rso%--AAA
0000B02B   0050B02B      0   (#3 38
0000B03C   0050B03C      0   %%3$22AA
0000B049   0050B049      0   3."$22AAA
0000B05B   0050B05B      0   $8AAA6213(/5'
0000B069   0050B069      0   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0000C601   0050C601      0   qVj0Yd
0000C644   0050C644      0   ;|$(u
0000C687   0050C687      0   onQhurlmT

;;retreival of "Nemog" Trojan from Internet

0000C6C0   0050C6C0      0   http://www.aoprojecteden.org/site/modules/articles/modulelogo.png

;;calls to Windows modules

0000DB30   0050DB30      0   KERNEL32.DLL
0000DB3E   0050DB3E      0   FindClose
0000DB49   0050DB49      0   GetFileSize
0000DB56   0050DB56      0   FindNextFileA
0000DB65   0050DB65      0   MapViewOfFile
0000DB74   0050DB74      0   UnmapViewOfFile
0000DB85   0050DB85      0   FindFirstFileA
0000DB95   0050DB95      0   GetEnvironmentVariableA
0000DBAE   0050DBAE      0   GetDriveTypeA
0000DBBD   0050DBBD      0   GetSystemTime
0000DBCC   0050DBCC      0   WriteFile
0000DBD7   0050DBD7      0   CreateFileMappingA
0000DBEB   0050DBEB      0   LoadLibraryA
0000DBF9   0050DBF9      0   CreateProcessA
0000DC09   0050DC09      0   GlobalAlloc
0000DC16   0050DC16      0   GetLastError
0000DC24   0050DC24      0   CreateMutexA
0000DC32   0050DC32      0   lstrcatA
0000DC3C   0050DC3C      0   GetFileAttributesA
0000DC50   0050DC50      0   CopyFileA
0000DC5B   0050DC5B      0   DeleteFileA
0000DC68   0050DC68      0   CloseHandle
0000DC75   0050DC75      0   CreateFileA
0000DC82   0050DC82      0   SetFileAttributesA
0000DC96   0050DC96      0   lstrlenA
0000DCA0   0050DCA0      0   GetTempPathA
0000DCAE   0050DCAE      0   GetWindowsDirectoryA
0000DCC4   0050DCC4      0   lstrcpyA
0000DCCE   0050DCCE      0   GetModuleFileNameA
0000DCE2   0050DCE2      0   ExitThread
0000DCEE   0050DCEE      0   GetProcAddress
0000DCFE   0050DCFE      0   GetModuleHandleA
0000DD10   0050DD10      0   Sleep
0000DD17   0050DD17      0   CreateThread
0000DD25   0050DD25      0   ExitProcess
0000DD32   0050DD32      0   GetTimeZoneInformation
0000DD4A   0050DD4A      0   FileTimeToSystemTime
0000DD60   0050DD60      0   FileTimeToLocalFileTime
0000DD79   0050DD79      0   GetLocalTime
0000DD87   0050DD87      0   GetTickCount
0000DD95   0050DD95      0   WideCharToMultiByte
0000DDAA   0050DDAA      0   InterlockedIncrement
0000DDC0   0050DDC0      0   ReadFile
0000DDCA   0050DDCA      0   SetFilePointer
0000DDDA   0050DDDA      0   HeapFree
0000DDE4   0050DDE4      0   GetProcessHeap
0000DDF4   0050DDF4      0   HeapAlloc
0000DDFF   0050DDFF      0   lstrcpynA
0000DE0A   0050DE0A      0   lstrcmpA
0000DE14   0050DE14      0   lstrcmpiA
0000DE1F   0050DE1F      0   SetThreadPriority
0000DE32   0050DE32      0   GetCurrentThread
0000DE44   0050DE44      0   GlobalFree
0000DE50   0050DE50      0   InterlockedDecrement
0000DE66   0050DE66      0   GetTempFileNameA
0000DE7F   0050DE7F      0   ADVAPI32.dll
0000DE8D   0050DE8D      0   RegCloseKey
0000DE9A   0050DE9A      0   RegOpenKeyExA
0000DEA9   0050DEA9      0   RegSetValueExA
0000DEB9   0050DEB9      0   RegQueryValueExA
0000DECB   0050DECB      0   RegEnumKeyA
0000DED8   0050DED8      0   RegCreateKeyExA
0000DEF0   0050DEF0      0   MSVCRT.dll
0000DEFC   0050DEFC      0   memset
0000DF04   0050DF04      0   tolower
0000DF0D   0050DF0D      0   memcpy
0000DF15   0050DF15      0   isdigit
0000DF1E   0050DF1E      0   strchr
0000DF26   0050DF26      0   isalnum
0000DF2F   0050DF2F      0   isspace
0000DF38   0050DF38      0   malloc
0000DF40   0050DF40      0   strstr
0000DF4F   0050DF4F      0   USER32.dll
0000DF5B   0050DF5B      0   CharUpperBuffA
0000DF6B   0050DF6B      0   CharUpperA
0000DF77   0050DF77      0   CharLowerA
0000DF83   0050DF83      0   wvsprintfA
0000DF8F   0050DF8F      0   wsprintfA
0000DF9A   0050DF9A      0   FindWindowA
0000DFA7   0050DFA7      0   PostMessageA
0000DFBC   0050DFBC      0   WS2_32.dll
0000E02A   0050E02A      0   qVj0Yd
0000E070   0050E070      0   ;|$(u
0000E0AF   0050E0AF      0   QhurlmT
0000E0E0   0050E0E0      0   tGp:/
0000E123   0050E123      0   KERN0L32.uD
0000E133   0050E133      0   indClose
0000E151   0050E151      0   MapV_
0000E16C   0050E16C      0   Env"o
0000E1E3   0050E1E3      0   GCo+py
0000E201   0050E201      0   &ndET
0000E223   0050E223      0   ModuTl\N(am
0000E27D   0050E27D      0   Hk>$u
0000E286   0050E286      0   d{eHh
0000E2B1   0050E2B1      0   F) cH4pF{N
0000E2D7   0050E2D7      0   I_*yN?Cu
0000E303   0050E303      0   g3(<K*y
0000E503   0050E503      0   0G;N|
0000E541   0050E541      0   (}=2l
0000E6AD   0050E6AD      0   MXfcE
0000E87D   0050E87D      0   0$C(W
0000E88F   0050E88F      0   ][Rj}/
0000EADE   0050EADE      0   +|>DN
0000EBE7   0050EBE7      0   gTo'k
0000ED1E   0050ED1E      0   #qS_ cd
0000ED83   0050ED83      0   IqFHb
0000EE1F   0050EE1F      0   3];t?
0000EEF2   0050EEF2      0   n]kyb
0000EFD2   0050EFD2      0   MD4o9
0000F1C3   0050F1C3      0   V?+Av@|
0000F33A   0050F33A      0   ..'q]
0000F437   0050F437      0   ORW@o
0000F53A   0050F53A      0   xrz>j\
0000F94F   0050F94F      0   FDV5B
0000FB11   0050FB11      0   P\Bwp
0000FB2A   0050FB2A      0   s&@zd
0000FBE4   0050FBE4      0   .M%2s
0000FC3B   0050FC3B      0   CEG+6
0000FE21   0050FE21      0   <$[,*
0000FE5E   0050FE5E      0   TRfx_
000100B4   005100B4      0   '_j<I
000100FC   005100FC      0   zNaTm
00010144   00510144      0   W].c5
000102FF   005102FF      0   Kfu($x
0001036B   0051036B      0   :z*DI
000104B1   005104B1      0   8	:	6S
0001059F   0051059F      0   )_jHV
00010637   00510637      0   pyLG}
00010671   00510671      0   esK_m
000107C8   005107C8      0   _xxb @[~
00010809   00510809      0   >	):?
0001086B   0051086B      0   H3g(L
00010936   00510936      0   +[wLx
00010ABE   00510ABE      0   1"8QyI&yJ*
00010BA9   00510BA9      0   h)Wj]
00010C3B   00510C3B      0   (O#dJ)j?WR'
00010C6D   00510C6D      0   >,<[G
00010CCA   00510CCA      0   \yQn2
00010D67   00510D67      0   0)wtM
00010DBE   00510DBE      0   YC?Ai
00010EDD   00510EDD      0   )ef&m1
00010EF5   00510EF5      0   ;{1~=,3
00010F86   00510F86      0   8S{kA
00010FB9   00510FB9      0   'f=2s
00010FDA   00510FDA      0   a[)LP
00011137   00511137      0   F5T3m
0001115E   0051115E      0   ezLC2
00011184   00511184      0    Pm?ny
00011316   00511316      0   0I&5$
000113D3   005113D3      0   k.@.]
0001145D   0051145D      0   jI:|M
00011551   00511551      0   	p8NR
000115D1   005115D1      0   *C\bwu2
000117B7   005117B7      0   G9j8eO
00011887   00511887      0   1Azr_
00011A06   00511A06      0   \"RHXt2
00011A7E   00511A7E      0   nw4m5[
00011BDC   00511BDC      0   a1nQu
00011D9B   00511D9B      0   r{J7_
0001207F   0051207F      0   wPDVD
0001224C   0051224C      0   mqjpV
00012310   00512310      0   JuWVhH
0001263D   0051263D      0   ~z:	1
00012643   00512643      0   T("fc
000126DC   005126DC      0   +:$$e
0001278A   0051278A      0   7>,oZ
00012848   00512848      0   Ij79\\
00012869   00512869      0   lVJ_f
000128B1   005128B1      0   E.-/(
00012B03   00512B03      0   3#./1
00012B30   00512B30      0   *%% I
00012C1F   00512C1F      0   SnShD
00012C30   00512C30      0   DHT>|
00012C4E   00512C4E      0   OT<QvH)
00012C85   00512C85      0   }	\\T
00012D02   00512D02      0   }_8Gp"P-*
00012D1F   00512D1F      0   2=4]v
00012D5E   00512D5E      0   >eXvC
00012DCD   00512DCD      0   ksSa"
00012DF7   00512DF7      0   mb~$pzb
00012E6F   00512E6F      0   KA3@V
00012EF6   00512EF6      0   EP!u)Fk-
0001306B   0051306B      0   T \D:
00013148   00513148      0   j-}Q"+wh
00013170   00513170      0   8ZbX5
00013257   00513257      0   ?M,nWn9
000132F8   005132F8      0   E!8<P
00013396   00513396      0   G/pdGP
0001348A   0051348A      0   D*e;2
000134AE   005134AE      0   JU4Hx
0001350B   0051350B      0   GZ%?j
00013522   00513522      0   jy]xw
0001355C   0051355C      0   tx30E
0001389B   0051389B      0   L_05}
000138B1   005138B1      0   d>hN7w
00013978   00513978      0   qU]iOL
00013CBF   00513CBF      0   OZr6W
00013CF6   00513CF6      0   U&@mT
00013E9F   00513E9F      0   wwwwwww
00014269   00514269      0   kernel32.dll
00014276   00514276      0   LoadLibraryA
00014283   00514283      0   GetProcAddress