Hostile Data — The Mydoom Worm

The header as received

This came in from a Spanish ISP address block. The worm tries to appear as if the mail is coming from your organization's staff:

From postmaster@ecn.purdue.edu  Thu Oct  7 04:18:35
Received: from smtp.ecn.purdue.edu (smtp.ecn.purdue.edu [128.46.154.20])
	by rvl3.ecn.purdue.edu (8.12.11/8.12.11) with ESMTP id i979IZuG021314
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT)
	for <cromwe11@rvl3.ecn.purdue.edu>; Thu, 7 Oct 04:18:35 -0500 (EST)
Received: from ecn.purdue.edu (217.Red-213-96-61.pooles.rima-tde.net [213.96.61.217])
	by smtp.ecn.purdue.edu (8.13.1/8.13.1) with ESMTP id i979IJKP002546
	for <cromwe11@ecn.purdue.edu>; Thu, 7 Oct 04:18:22 -0500 (EST)
Message-Id: <10070918.i979IJKP002546@smtp.ecn.purdue.edu>
From: "Mail Administrator" <postmaster@ecn.purdue.edu>
To: cromwe11@ecn.purdue.edu
Subject: Mail System Error - Returned Mail
Date: Thu, 7 Oct 11:18:32 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0008_0E863536.C234E7D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Status: R
Content-Length: 40712
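
The mismatch in the header above can be checked mechanically: the hop recorded by the site's own relay shows a HELO name inside the local domain but a reverse-DNS name outside it. The following is an added example, not part of the original page; the function names are hypothetical and the regular expression assumes sendmail-style Received: lines like those shown.

```python
import re

# Sendmail-style hop:
#   from <HELO name> (<reverse-DNS name> [<peer IP>]) by <recording host>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]*)\s*"
    r"\[(?P<ip>[0-9.]+)\][^)]*\)\s+by\s+(?P<by>\S+)"
)

# The two Received: headers and the From: header shown above.
SAMPLE_HEADERS = """\
Received: from smtp.ecn.purdue.edu (smtp.ecn.purdue.edu [128.46.154.20])
\tby rvl3.ecn.purdue.edu (8.12.11/8.12.11) with ESMTP id i979IZuG021314
\tfor <cromwe11@rvl3.ecn.purdue.edu>; Thu, 7 Oct 04:18:35 -0500 (EST)
Received: from ecn.purdue.edu (217.Red-213-96-61.pooles.rima-tde.net [213.96.61.217])
\tby smtp.ecn.purdue.edu (8.13.1/8.13.1) with ESMTP id i979IJKP002546
\tfor <cromwe11@ecn.purdue.edu>; Thu, 7 Oct 04:18:22 -0500 (EST)
From: "Mail Administrator" <postmaster@ecn.purdue.edu>
"""


def parse_hops(raw_headers):
    """Return one dict per parsable Received: header, newest first."""
    # Unfold continuation lines (those starting with whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = HOP_RE.search(line)
            if match:
                hops.append(match.groupdict())
    return hops


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)


def forged_local_hops(raw_headers, local_domain):
    """Hops where the peer claimed a local name but connected from outside.

    Only hops recorded by a host in local_domain are considered, because
    anything below the first local relay was supplied by the sender.
    An empty reverse-DNS field also counts as "outside".
    """
    return [
        hop for hop in parse_hops(raw_headers)
        if in_domain(hop["by"], local_domain)
        and in_domain(hop["helo"], local_domain)
        and not in_domain(hop["rdns"], local_domain)
    ]


if __name__ == "__main__":
    for hop in forged_local_hops(SAMPLE_HEADERS, "purdue.edu"):
        print("HELO %(helo)s but peer is %(rdns)s [%(ip)s]" % hop)
```
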

The clumsy message content

It is foolish to allow your mail interface to render HTML. Among other things, spammers use HTML rendering to create "web bugs" that report back to them if you read their message, guaranteeing you will get far more spam. Read safely as plain text, the message appears precisely as below:

Dear user of ecn.purdue.edu, Mail server administrator of ecn.purdue.edu would like to let you know that:

Your account has been used to send a large amount of unsolicited commercial e-mail during this week.
Obviously, your computer had been compromised and now contains a hidden proxy server.

We recommend you to follow instructions in the attachment in order to keep your computer safe.

Sincerely yours,
The ecn.purdue.edu team.

The attachment

This was followed by an attached zip file named instruction.zip, letter.zip, or text.zip. The Mydoom.I variant named it attachment.zip.

When you unzip any of these, you get a file with the same base name, followed by either .txt or .htm, followed by 188 space characters, followed by either .com, .exe, or .scr. In other words, the file instruction.zip contains a file whose name is "instruction.htm", followed by 188 spaces, followed by .exe.

The resulting files seem to have identical sizes: 28864 bytes for files carried by Mydoom.M and 22020 bytes for files carried by Mydoom.I, but contents and thus SHA-1 hash vary with file name.
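
A mail gateway or triage script can flag this naming trick without unpacking anything, by reading only the member names in the zip directory. The following is an added example, not part of the original page; the function names and the extension list are assumptions, and the sample archive is constructed with harmless placeholder bytes.

```python
import io
import re
import zipfile

# Extensions Windows will execute; the page names .com, .exe and .scr,
# the others are added here as an assumption.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# <stem><decoy extension><run of whitespace><real extension>
PADDED_NAME_RE = re.compile(
    r"^(?P<stem>.*?)(?P<decoy>\.[^.\s]+)(?P<pad>\s{2,})(?P<real>\.[^.\s]+)$",
    re.DOTALL,
)


def padded_executables(zip_bytes):
    """List members whose executable extension is pushed out of view by
    whitespace placed after a harmless-looking decoy extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Check the last path component only.
            base = info.filename.rsplit("/", 1)[-1]
            match = PADDED_NAME_RE.match(base)
            if match and match.group("real").lower() in EXECUTABLE_EXTS:
                findings.append({
                    "shown_as": match.group("stem") + match.group("decoy"),
                    "pad_len": len(match.group("pad")),
                    "real_ext": match.group("real").lower(),
                })
    return findings


def build_sample_zip():
    """Constructed sample: placeholder bytes stored under the naming
    pattern described above, next to an ordinary member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("instruction.htm" + " " * 188 + ".exe",
                         b"placeholder, not a program")
        archive.writestr("readme.txt", b"benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in padded_executables(build_sample_zip()):
        print("%(shown_as)s hides %(real_ext)s behind %(pad_len)d spaces" % hit)
```
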

The executable contents

GNU utilities such as file, strings, and hexdump are useful for getting some limited idea about what this malicious code might do. The file utility reports that these executables are each:
PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
The following is partial output for running
  hexdump -C "account-report.htm*.exe"
under Linux or BSD. The interesting stuff appears, among many other places:

00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 d8 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000d0  00 00 00 00 00 00 00 00  50 45 00 00 4c 01 03 00  |........PE..L...|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 e0 00 0f 01  |................|
000000f0  0b 01 07 00 00 60 00 00  00 10 00 00 00 80 00 00  |.....`..........|
00000100  00 ed 00 00 00 90 00 00  00 f0 00 00 00 00 50 00  |..............P.|
00000110  00 10 00 00 00 02 00 00  04 00 00 00 00 00 00 00  |................|
00000120  04 00 00 00 00 00 00 00  00 00 01 00 00 10 00 00  |................|
00000130  00 00 00 00 02 00 00 00  00 00 10 00 00 10 00 00  |................|
00000140  00 00 10 00 00 10 00 00  00 00 00 00 10 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  14 f5 00 00 30 01 00 00  |............0...|
00000160  00 f0 00 00 14 05 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001d0  55 50 58 30 00 00 00 00  00 80 00 00 00 10 00 00  |UPX0............|
000001e0  00 00 00 00 00 04 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 80 00 00 e0  55 50 58 31 00 00 00 00  |........UPX1....|
00000200  00 60 00 00 00 90 00 00  00 60 00 00 00 04 00 00  |.`.......`......|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 e0  |............@...|
00000220  2e 72 73 72 63 00 00 00  00 10 00 00 00 f0 00 00  |.rsrc...........|
00000230  00 08 00 00 00 64 00 00  00 00 00 00 00 00 00 00  |.....d..........|
00000240  00 00 00 00 40 00 00 c0  00 00 00 00 00 00 00 00  |....@...........|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000003d0  00 00 00 00 00 00 00 00  00 00 00 31 2e 32 34 00  |...........1.24.|
000003e0  55 50 58 21 0c 09 02 09  19 fb 87 48 91 a6 71 b5  |UPX!.......H..q.|
000003f0  12 c6 00 00 fb 5c 00 00  00 9e 00 00 26 01 00 77  |.....\......&..w|
00000400  ff 87 a8 90 00 6b 65 72  6e 65 6c 33 32 2e 64 ff  |.....kernel32.d.|
00000410  9b e7 df 6c 6c 35 72 6f  6f 74 5c 49 45 46 72 61  |...ll5root\IEFra|
00000420  6d 65 00 41 54 56 fe ff  fc 48 5f 4e 6f 74 65 72  |me.ATV...H_Noter|
00000430  63 74 72 6c 5f 72 65 6e  77 6e 64 0f ff b7 ff ff  |ctrl_renwnd.....|
00000440  7c 79 5f ee cf b9 dd de  67 3b 84 15 80 d4 00 1e  ||y_.....g;......|
00000450  38 09 b2 9f fb 15 00 8d  06 18 78 b6 ff ff ff 0f  |8.........x.....|
00000460  40 40 03 00 1d 2b f4 41  81 4f cd fc ff d7 25 6b  |@@...+.A.O....%k|
00000470  08 00 01 40 3c 8f 53 01  36 40 ff 6e ff df 54 f1  |...@<.S.6@.n..T.|
00000480  fd a7 33 bb bd 9a 41 14  04 57 85 0e 06 40 5d 10  |..3...A..W...@].|
00000490  00 18 04 2f b7 db dd 40  08 1f 00 2d 0a 03 79 28  |.../...@...-..y(|
000004a0  07 a4 2c 8a dc 02 97 bf  fc e5 00 be 0e 2f 1b 00  |..,........../..|
000004b0  00 bf 06 a7 38 04 00 85  2f 05 13 b7 b7 ff f2 01  |....8.../.......|
000004c0  00 15 5d 8e 5f ce 0b 44  65 63 00 a3 76 00 4f 9f  |..]._..Dec..v.O.|
000004d0  00 53 dd be fb db 65 70  5e 75 67 00 4a 75 6c 03  |.S....ep^ug.Jul.|
000004e0  6e 00 4d 61 79 0f 70 72  6b 97 ed cd 07 03 46 65  |n.May.prk.....Fe|
000004f0  62 13 61 53 61 27 dd 73  b7 ed 7f 69 00 54 68 75  |b.aSa'.s...i.Thu|
00000500  00 57 65 64 07 75 de 4d  6f 17 2f b2 8f 6d bf 25  |.Wed.u.Mo./..m.%|
00000510  73 2c 20 25 75 02 73 05  2e 32 75 3a 04 f3 c2 7b  |s, %u.s..2u:...{|
00000520  5b 0e 63 06 03 3d 49 6e  74 6f ad b5 ed 74 47 02  |[.c..=Into...tG.|
00000530  43 3a 08 7a 48 53 74 61  fb 13 fe 08 28 64 6e 73  |C:.zHSta....(dns|
00000540  61 70 69 55 69 70 68 6c  70 0d 0b db b2 25 1b 44  |apiUiphlp....%.D|
00000550  51 6e 72 39 41 35 fc ad  6b 0b 3b 4e 02 77 6f 72  |Qnr9A5..k.;N.wor|
00000560  6b 50 61 6c 73 df f6 dd  fe 1f 6d 61 69 6c 1e 2d  |kPals.....mail.-|
00000570  64 0b 73 38 6d 07 61 b6  39 37 f6 62 75 73 65 1b  |d.s8m.a.97.buse.|
00000580  73 74 17 16 70 24 bb dd  ba bb 17 63 63 6f b2 00  |st..p$.....cco..|
00000590  de 69 76 0b 79 63 1b 76  6c 2b 7c 74 69 66 69 0b  |.iv.yc.vl+|tifi.|
000005a0  2e 67 4b 6c 69 2f 9a e1  63 b7 38 72 76 4b 75 62  |.gKli/..c.8rvKub|
000005b0  6d 69 dd b6 da ad 1d db  2b 69 0f 70 70 78 10 61  |mi......+i.ppx.a|
000005c0  64 16 86 1f e1 e6 42 43  61 67 e3 74 68 65 2e 62  |d.....BCag.the.b|
000005d0  1f cf b7 dd fb 67 6f 6c  64 2d 51 49 63 61 20 66  |.....gold-QIca f|
000005e0  65 73 74 6e 95 8f d6 1c  22 22 d2 2f 66 05 63 ec  |estn....""./f.c.|
000005f0  ce 0f 4b 6f 66 74 63 69  27 bd d6 b9 ad 3f 53 67  |..Koftci'....?Sg|
00000600  af 0d 79 a1 03 85 56 68  cf b5 27 11 2b 14 82 de  |..y...Vh..'.+...|
00000610  b7 f7 bd 79 06 4b 68 28  07 62 6f 64 79 0f ad 7d  |...y.Kh(.body..}|
00000620  e5 f6 16 59 69 6e 2f 77  08 4a 3c e6 dc b1 72 07  |...Yin/w.J<...r.|
00000630  7a 69 71 0c 6a 73 66 2e  dd d6 da 33 79 4f 57 a2  |ziq.jsf....3yOW.|
00000640  2b 72 ba 72 f6 b6 43 6b  20 b8 2b 08 6e 07 bf 1d  |+r.r..Ck .+.n...|
00000650  da fb e1 6f 67 23 67 6e  75 0e 07 58 8b bd 43 e1  |...og#gnu..X..C.|
00000660  83 a9 16 07 94 eb 8e d6  7e 6f 72 1f cb 2e 63 9f  |........~or...c.|
00000670  ff de 0a 11 16 0e 7c 1e  64 cc 79 09 97 66 e7 2e  |......|.d.y..f..|
00000680  40 64 6f 6e 65 78 7c 5f  db 2d b4 7b d8 6f 18 79  |@donex|_.-.{.o.y|
00000690  61 06 ac 73 9b f9 61 6b  7e 9c 6b 47 6e 64 61 15  |a..s..ak~.kGnda.|
000006a0  74 b9 8b 15 62 71 d5 8e  07 64 6e 2e 1d 62 a5 c2  |t...bq...dn..b..|
000006b0  9f 66 c5 c7 bd 8d fc b0  be 2e e7 79 6d 61 76 e4  |.f.........ymav.|
000006c0  5f 2d 21 65 5b ec 8b 2f  07 40 57 93 20 00 90 07  |_-!e[../.@W. ...|
000006d0  ca 0a a6 28 00 29 b5 7e  9c 2a 20 02 97 18 50 40  |...(.).~.* ...P@|
000006e0  90 41 3e d3 07 70 0f 6c  68 66 40 86 64 64 60 03  |.A>..p.lhf@.dd`.|
000006f0  86 a4 19 90 5c 04 54 4c  40 86 64 48 44 3c 19 64  |....\.TL@.dHD<.d|
00000700  90 66 05 34 30 28 a4 1b  90 21 20 06 bf 18 c2 02  |.f.40(...! .....|
00000710  f6 05 1f 10 0f 00 64 db  c0 a6 02 0b 0c 01 00 66  |......d........f|
00000720  29 6c b0 12 01 00 3d 4f  55 b6 c8 1f 00 26 6e 62  |)l....=OU....&nb|
00000730  96 a5 c3 1a f6 07 3b 7c  2e 74 30 9f e9 9e 14 5f  |......;|.t0...._|
00000740  07 5f 0b 28 f7 8e 51 fa  ba 20 a5 ff 5f 61 1a 17  |._.(..Q.. .._a..|
00000750  6d 64 79 36 0f 29 2e 2e  40 0e 9c d9 b9 06 8a 27  |mdy6.)..@......'|
00000760  03 40 00 2d f9 ff ff f4  30 35 2a 2e 2a 00 55 53  |.@.-....05*.*.US|
00000770  45 52 50 52 4f 46 49 4c  45 00 3a 5c 70 36 eb 34  |ERPROFILE.:\p6.4|
00000780  d3 0d 00 2d 72 90 6e d9  a7 14 26 1e 07 08 fc 25  |...-r.n...&....%|
00000790  34 cd 20 cd 19 f4 ec 14  e4 37 c8 20 83 dc d0 c4  |4. ......7. ....|
[....]
00000d70  5b 7c 03 d6 0c ad 12 24  6c 99 63 07 07 2e 16 44  |[|.....$l.c....D|
00000d80  21 fe a2 6f c2 bb f1 52  43 50 54 14 6f 3a da 9c  |!..o...RCPT.o:..|
00000d90  ee 87 bf fd 87 7b b9 42  4f 58 20 4e 4f 1d 46 4f  |.....{.BOX NO.FO|
00000da0  55 4e 44 7c 01 0f e1 b0  84 31 5f 98 02 7c 49 e1  |UND|.....1_..|I.|
00000db0  25 2d b4 6e ce 86 64 81  7c 4e 01 fc ec 6b 82 1e  |%-.n..d.|N...k..|
00000dc0  b7 7d 6b 44 41 54 41 85  b1 be 7b 95 64 34 30 30  |.}kDATA...{.d400|
00000dd0  2d 61 71 72 01 98 f1 f6  bf 25 6d 2d 45 2d 4f 50  |-aqr.....%m-E-OP|
00000de0  45 6f 55 54 2c c6 d0 7e  30 d0 9f 2e 0d 21 41 53  |EoUT,..~0....!AS|
00000df0  ce b2 f6 da 32 36 a8 70  d0 b8 41 a1 6d 77 bf 2d  |....26.p..A.mw.-|
00000e00  52 4d 53 40 43 52 45 3c  41 d1 7c 33 15 dc 47 b3  |RMS@CRE<A.|3..G.|
00000e10  63 f9 02 19 0c 6f ff 21  ac 64 37 53 59 53 54 45  |c....o.!.d7SYSTE|
00000e20  4d 2d 46 3c 58 44 49 19  b7 da f6 53 4b 51 55 ef  |M-F<XDI....SKQU.|
00000e30  41 42 3d 73 6b 3c 64 28  d8 0b 3f 3e f7 cf 6d 62  |AB=sk<d(..?>..mb|
00000e40  85 e3 8c 6c 75 2f b1 4e  94 58 12 f1 2b 2c 08 b6  |...lu/.N.X..+,..|
00000e50  31 24 27 88 7d 31 a3 25  30 10 1b 1a ef 42 21 9e  |1$'.}1.%0....B!.|
[....]
00001150  4f 24 04 3e 27 68 a5 77  62 34 07 7a 12 7b 2f 92  |O$.>'h.wb4.z.{/.|
00001160  b9 da 19 ef 17 2d cb da  4f 82 cb 48 45 4c 00 45  |.....-..O..HEL.E|
00001170  0c 0f d2 d9 04 c3 4c 4f  eb e3 2b 20 93 f5 7a 71  |......LO..+ ..zq|
00001180  3e 53 4d 54 50 25 83 20  36 19 87 25 5c a3 5c 2a  |>SMTP%. 6..%\.\*|
00001190  2c 7a ae 6b a3 6e c2 72  0d 36 23 b7 62 c1 37 0b  |,z.k.n.r.6#.b.7.|
000011a0  41 17 d7 78 2e 25 1e 28  02 13 f7 6d 38 91 83 e7  |A..x.%.(...m8...|
000011b0  a7 2e f3 6c 6f 67 7a a3  2c 4e 74 30 42 95 2f 95  |...logz.,Nt0B./.|
000011c0  15 4a ad d8 4b 57 a8 5a  68 26 3e 16 45 55 52 4c  |.J..KW.Zh&>.EURL|
000011d0  44 c1 35 0d 1d b0 15 7a  ae 43 b0 46 d0 41 b5 d6  |D.5....z.C.F.A..|
000011e0  de 5c 03 4f 3a 2f 2f 36  9b 13 43 d3 d7 b6 54 79  |.\.O://6..C...Ty|
000011f0  71 73 4e 2f ea 61 68 ac  8b ff 42 2e a2 70 3f 6c  |qsN/.ah...B..p?l|
00001200  70 76 3d 31 26 96 3d 26  2a c0 6f fd 68 70 26 74  |pv=1&.=&*.o.hp&t|
00001210  0d 3d 77 65 62 26 23 6c  5b 0a 67 26 f1 77 71 07  |.=web&#l[.g&.wq.|
00001220  64 4f 41 db 5a 3b 77 00  3a 3e 61 8b ed 4c 5d cc  |dOA.Z;w.:>a..L].|
00001230  e8 50 2d 2f cb 53 73 3f  a7 30 db df 29 73 26 6b  |.P-/.Ss?.0..)s&k|
[....]
000015a0  9c 94 fb 08 cd b6 6f 8c  5e ab 18 80 65 fe 20 d3  |......o.^...e. .|
000015b0  34 5d 66 78 9c 52 65 67  34 cd 20 4d 69 73 65 72  |4]fx.Reg4. Miser|
000015c0  53 d3 34 35 83 72 76 2f  69 63 4e d3 34 4d 65 50  |S.45.rv/icN.4MeP|
[....]
00005db0  06 5c af 2d 68 f0 87 22  81 ac 60 2c b6 d5 0f 48  |.\.-h.."..`,...H|
00005dc0  28 10 0c 41 e7 6a b5 b6  c0 02 ce bf 3b 0d a8 4a  |(..A.j......;..J|
00005dd0  f8 2f 30 28 2f 35 27 00  f3 14 45 58 45 44 81 80  |./0(/5'...EXED..|
00005de0  c0 1a 8d 16 08 08 e4 01  00 30 0a 00 24 51 05 bf  |.........0..$Q..|
00005df0  69 26 20 a8 1c 01 46 69  6e 64 43 44 01 a0 f2 6c  |i& ...FindCD...l|
00005e00  6f 73 65 1b 44 cc de 15  d4 53 69 7a 65 17 ef 7f  |ose.D....Size...|
00005e10  fb 4c 4c 11 41 0e 4d 61  70 56 69 65 77 4f 66 0f  |.LL.A.MapViewOf.|
00005e20  6e 6f 61 6f 0e 55 6e 6d  10 2e 03 72 73 22 6e 77  |noao.Unm...rs"nw|
00005e30  c3 2f 4b 45 6e 76 10 6f  6e 76 ab 8a 8e 5d 56 22  |./KEnv.onv...]V"|
00005e40  61 62 18 39 88 b8 1d 44  0c 76 65 da ee 91 8a 98  |ab.9...D.ve.....|
00005e50  0e 7d 54 69 6d 46 2a e2  ac b5 57 1a 0b 51 43 a2  |.}TimF*...W..QC.|
00005e60  db ba f7 b1 0b 7b 70 5e  67 2d 4c c3 6e 5f 20 7e  |.....{p^g-L.n_ ~|
00005e70  4c 69 62 72 4e 79 41 21  f6 4c 50 b4 50 63 28 4b  |LibrNyA!.LP.Pc(K|
00005e80  c6 44 39 b6 fd 62 61 6c  41 6c 06 63 58 4c 61 b7  |.D9..balAl.cXLa.|
00005e90  3d ec 54 d3 2a 4d 75 03  78 28 1b 9b b5 5b 6c 17  |=.T.*Mu.x(...[l.|
00005ea0  72 63 0f 7e b0 74 10 07  fb e7 5a 56 1d 46 43 6f  |rc.~.t....ZV.FCo|
00005eb0  70 79 c5 44 65 da 87 37  6b 06 83 17 25 48 61 e7  |py.De..7k...%Ha.|
00005ec0  0b 20 dd c2 9d 45 53 63  d9 76 3b f9 6c 65 6e 54  |. ...ESc.v;.lenT|
00005ed0  df 70 50 2f 68 0d 61 0b  0a c3 57 2b 58 44 1d b3  |.pP/h.a...W+XD..|
00005ee0  b7 45 44 f1 6f ca 91 b6  50 c4 c9 70 79 4d 91 6c  |.ED.o...P..pyM.l|
00005ef0  5b 76 67 82 22 4d 13 45  78 69 42 41 f1 62 dd 68  |[vg."M.ExiBA.b.h|
00005f00  71 64 1f f1 bd 59 c0 26  ff 2f 99 8d f7 86 0d bb  |qd...Y.&./......|
00005f10  05 65 70 a1 36 42 37 e2  c2 c3 b0 33 6e 5a 9c 65  |.ep.6B7....3nZ.e|
00005f20  49 7b 11 71 a2 cb fb 17  6c 20 fc 5e 72 18 54 6f  |I{.q....l .^r.To|
00005f30  93 15 86 99 a2 b8 4c a9  0e bc 25 7b 13 62 11 0d  |......L...%{.b..|
00005f40  08 63 6b 43 85 6f 4f 44  72 01 e3 64 65 43 68 a7  |.ckC.oODr..deCh.|
00005f50  dc 5d 44 6c 34 4d 6f 42  79 74 22 12 14 27 22 9c  |.]Dl4MoByt"..'".|
00005f60  9e b9 af b5 2d 0a 63 98  36 2a 52 a0 b2 bd 27 e1  |....-.c.6*R...'.|
00005f70  54 47 50 6f 69 28 19 48  7b c1 66 ed 70 46 26 5c  |TGPoi(.H{.f.pF&\|
00005f80  bd 13 19 84 43 98 30 e8  3a 6e 45 4c b8 ac 30 69  |....C.0.:nEL..0i|
00005f90  09 69 9c 16 a4 22 26 04  3a 4d 18 33 d7 38 43 75  |.i..."&.:M.3.8Cu|
00005fa0  18 7d 19 3a 24 39 61 6f  6b a5 44 65 2c 95 84 20  |.}.:$9aok.De,.. |
00005fb0  c5 95 68 b5 c7 1e e3 9b  c0 67 1b 4b 65 79 0c 4f  |..h......g.Key.O|
00005fc0  70 eb dc a3 6b 31 0b 45  6a 0e 80 56 5b bd 00 1a  |p...k1.Ej..V[...|
00005fd0  76 75 65 0f 8b cc dc a5  84 11 29 75 6d 30 0c 4f  |vue.......)um0.O|
00005fe0  b3 cd 26 b7 3f 64 c2 f8  6d a0 a2 61 6e 87 73 65  |..&.?d..m..an.se|
00005ff0  30 8a 37 17 6b 8c 72 10  f6 07 69 73 64 bd f6 5c  |0.7.k.r...isd..\|
00006000  09 7a 19 f2 ce 10 14 a2  78 ae 5b 50 08 22 39 37  |.z......x.[P."97|
00006010  a1 2b 33 2a 61 2a 21 02  4a 0f 66 b3 54 cd 20 01  |.+3*a*!.J.f.T. .|
00006020  a1 55 5c 0f 16 b0 df 4e  42 75 66 66 41 0f 0b 4c  |.U\....NBuffA..L|
00006030  6f 77 f6 19 b6 23 77 76  49 72 94 23 77 0a 85 9b  |ow...#wvIr.#w...|
00006040  71 5a f4 cc 0c 4d 82 c2  00 a8 6d 59 b6 4d d7 b7  |qZ...M....mY.M..|
00006050  d8 62 40 ff 04 02 13 0b  65 59 96 65 34 17 12 10  |.b@.....eY.e4...|
00006060  03 ab 65 59 96 0f 09 14  73 39 bf ff 84 bc 3c 50  |..eY....s9....<P|
00006070  45 4c 01 03 e0 00 0f 01  0b 01 07 ae 7b d2 6c 13  |EL..........{.l.|
00006080  72 2a 80 32 04 10 03 82  6c 67 b1 90 35 0b 02 33  |r*.2....lg..5..3|
00006090  04 99 5b d2 cd 07 0c d0  1e 34 7b d9 1b d8 10 07  |..[......4{.....|
000060a0  06 00 c0 79 08 40 80 5b  64 78 02 18 05 46 b8 c2  |...y.@.[dx...F..|
000060b0  76 2b 64 78 01 1e 2e 2f  d8 93 a0 98 a4 70 90 eb  |v+dx.../.....p..|
000060c0  36 7f bb b0 04 23 20 0b  60 2e 64 61 74 61 98 23  |6....# .`.data.#|
000060d0  ee 42 ba c1 fb 22 27 76  40 bd cd 60 1b 85 2e e5  |.B..."'v@..`....|
000060e0  09 00 c3 c0 06 7c bf 29  7b 34 27 40 1b b0 7b 0d  |.....|.){4'@..{.|
000060f0  94 00 00 4a 41 3c 09 00  00 00 ff 00 00 00 00 00  |...JA<..........|
00006100  60 be 00 90 50 00 8d be  00 80 ff ff 57 83 cd ff  |`...P.......W...|
00006110  eb 10 90 90 90 90 90 90  8a 06 46 88 07 47 01 db  |..........F..G..|
00006120  75 07 8b 1e 83 ee fc 11  db 72 ed b8 01 00 00 00  |u........r......|
00006130  01 db 75 07 8b 1e 83 ee  fc 11 db 11 c0 01 db 73  |..u............s|
00006140  ef 75 09 8b 1e 83 ee fc  11 db 73 e4 31 c9 83 e8  |.u........s.1...|
00006150  03 72 0d c1 e0 08 8a 06  46 83 f0 ff 74 74 89 c5  |.r......F...tt..|
00006160  01 db 75 07 8b 1e 83 ee  fc 11 db 11 c9 01 db 75  |..u............u|
00006170  07 8b 1e 83 ee fc 11 db  11 c9 75 20 41 01 db 75  |..........u A..u|
00006180  07 8b 1e 83 ee fc 11 db  11 c9 01 db 73 ef 75 09  |............s.u.|
00006190  8b 1e 83 ee fc 11 db 73  e4 83 c1 02 81 fd 00 f3  |.......s........|
000061a0  ff ff 83 d1 01 8d 14 2f  83 fd fc 76 0f 8a 02 42  |......./...v...B|
000061b0  88 07 47 49 75 f7 e9 63  ff ff ff 90 8b 02 83 c2  |..GIu..c........|
000061c0  04 89 07 83 c7 04 83 e9  04 77 f1 01 cf e9 4c ff  |.........w....L.|
000061d0  ff ff 5e 89 f7 b9 01 01  00 00 8a 07 47 2c e8 3c  |..^.........G,.<|
000061e0  01 77 f7 80 3f 01 75 f2  8b 07 8a 5f 04 66 c1 e8  |.w..?.u...._.f..|
000061f0  08 c1 c0 10 86 c4 29 f8  80 eb e8 01 f0 89 07 83  |......).........|
00006200  c7 05 89 d8 e2 d9 8d be  00 c0 00 00 8b 07 09 c0  |................|
00006210  74 45 8b 5f 04 8d 84 30  14 e5 00 00 01 f3 50 83  |tE._...0......P.|
00006220  c7 08 ff 96 8c e5 00 00  95 8a 07 47 08 c0 74 dc  |...........G..t.|
00006230  89 f9 79 07 0f b7 07 47  50 47 b9 57 48 f2 ae 55  |..y....GPG.WH..U|
00006240  ff 96 90 e5 00 00 09 c0  74 07 89 03 83 c3 04 eb  |........t.......|
00006250  d8 ff 96 94 e5 00 00 61  e9 23 44 ff ff 00 00 00  |.......a.#D.....|
00006260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 02 00  |................|
00006410  03 00 00 00 20 00 00 80  0e 00 00 00 90 00 00 80  |.... ...........|
00006420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 02 00  |................|
00006430  01 00 00 00 40 00 00 80  02 00 00 00 68 00 00 80  |....@.......h...|
00006440  00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 00  |................|
00006450  09 04 00 00 58 00 00 00  d8 f0 00 00 e8 02 00 00  |....X...........|
00006460  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006470  00 00 00 00 00 00 01 00  09 04 00 00 80 00 00 00  |................|
00006480  c4 f3 00 00 28 01 00 00  00 00 00 00 00 00 00 00  |....(...........|
00006490  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00  |................|
000064a0  d0 00 00 80 a8 00 00 80  00 00 00 00 00 00 00 00  |................|
000064b0  00 00 00 00 00 00 01 00  09 04 00 00 c0 00 00 00  |................|
000064c0  f0 f4 00 00 22 00 00 00  00 00 00 00 00 00 00 00  |...."...........|
000064d0  01 00 30 00 e0 c0 00 00  28 00 00 00 20 00 00 00  |..0.....(... ...|
000064e0  40 00 00 00 01 00 04 00  00 00 00 00 80 02 00 00  |@...............|
000064f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006500  00 00 00 00 00 00 80 00  00 80 00 00 00 80 80 00  |................|
00006510  80 00 00 00 80 00 80 00  80 80 00 00 c0 c0 c0 00  |................|
00006520  80 80 80 00 00 00 ff 00  00 ff 00 00 00 ff ff 00  |................|
00006530  ff 00 00 00 ff 00 ff 00  ff ff 00 00 ff ff ff 00  |................|
00006540  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006580  00 88 88 88 88 88 88 88  88 88 88 88 88 88 80 00  |................|
00006590  00 8f ff ff ff ff ff ff  ff ff ff ff ff ff 80 00  |................|
000065a0  00 87 ff ff ff ff ff ff  ff ff ff ff ff f7 80 00  |................|
000065b0  00 8f 7f ff ff ff ff ff  ff ff ff ff ff 7f 80 00  |................|
000065c0  00 8f f7 ff ff ff ff ff  ff ff ff ff f7 ff 80 00  |................|
000065d0  00 8f ff 7f ff ff ff ff  ff ff ff ff 7f ff 80 00  |................|
000065e0  00 8f ff f7 ff ff ff ff  ff ff ff f7 ff ff 80 00  |................|
000065f0  00 8f ff ff 7f ff ff ff  ff ff ff 7f ff ff 80 00  |................|
00006600  00 8f ff ff f7 ff ff ff  ff ff f7 ff ff ff 80 00  |................|
00006610  00 8f ff ff 77 77 77 77  77 77 77 7f ff ff 80 00  |....wwwwwww.....|
00006620  00 8f ff f7 7f 7f 7f 7f  7f 7f 7f 77 ff ff 80 00  |...........w....|
00006630  00 8f ff 77 f7 f7 f7 f7  f7 f7 f7 f7 7f ff 80 00  |...w............|
00006640  00 8f f7 7f 7f 7f 7f 7f  7f 7f 7f 7f 77 ff 80 00  |............w...|
00006650  00 87 77 f7 f7 f7 f7 f7  f7 f7 f7 f7 f7 77 80 00  |..w..........w..|
00006660  00 8f 7f 7f 7f 7f 7f 7f  7f 7f 7f 7f 7f 7f 80 00  |................|
00006670  00 8f ff ff ff ff ff ff  ff ff ff ff ff ff 00 00  |................|
00006680  00 08 ff ff ff ff ff ff  ff ff ff ff ff f0 00 00  |................|
00006690  00 00 8f ff ff ff ff ff  ff ff ff ff ff 00 00 00  |................|
000066a0  00 00 08 ff ff ff ff ff  ff ff ff ff f0 00 00 00  |................|
000066b0  00 00 00 8f ff ff ff ff  ff ff ff ff 00 00 00 00  |................|
000066c0  00 00 00 08 ff ff ff ff  ff ff ff f0 00 00 00 00  |................|
000066d0  00 00 00 00 8f ff ff ff  ff ff ff 00 00 00 00 00  |................|
000066e0  00 00 00 00 08 ff ff ff  ff ff f0 00 00 00 00 00  |................|
000066f0  00 00 00 00 00 8f ff ff  ff ff 00 00 00 00 00 00  |................|
00006700  00 00 00 00 00 08 88 88  88 88 00 00 00 00 00 00  |................|
00006710  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006740  ff ff ff ff ff ff ff ff  ff ff ff ff c0 00 00 03  |................|
00006750  c0 00 00 03 c0 00 00 03  c0 00 00 03 c0 00 00 03  |................|
*
00006780  c0 00 00 03 c0 00 00 03  c0 00 00 03 c0 00 00 07  |................|
00006790  e0 00 00 0f f0 00 00 1f  f8 00 00 3f fc 00 00 7f  |...........?....|
000067a0  fe 00 00 ff ff 00 01 ff  ff 80 03 ff ff c0 07 ff  |................|
000067b0  ff e0 0f ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000067c0  c8 c3 00 00 28 00 00 00  10 00 00 00 20 00 00 00  |....(....... ...|
000067d0  01 00 04 00 00 00 00 00  c0 00 00 00 00 00 00 00  |................|
000067e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000067f0  00 00 80 00 00 80 00 00  00 80 80 00 80 00 00 00  |................|
00006800  80 00 80 00 80 80 00 00  c0 c0 c0 00 80 80 80 00  |................|
00006810  00 00 ff 00 00 ff 00 00  00 ff ff 00 ff 00 00 00  |................|
00006820  ff 00 ff 00 ff ff 00 00  ff ff ff 00 00 00 00 00  |................|
00006830  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006840  00 00 00 00 00 8f ff ff  ff ff ff 00 00 88 ff ff  |................|
00006850  ff ff f8 00 00 8f 8f ff  ff ff 8f 00 00 8f f8 ff  |................|
00006860  ff f8 ff 00 00 8f 8f 88  88 8f 8f 00 00 88 f7 f7  |................|
00006870  f7 f7 f8 00 00 8f 7f 7f  7f 7f 7f 00 00 08 f7 f7  |................|
00006880  f7 f7 f0 00 00 00 8f 7f  7f 7f 00 00 00 00 08 f7  |................|
00006890  f7 f0 00 00 00 00 00 88  88 80 00 00 00 00 00 00  |................|
000068a0  00 00 00 00 00 00 00 00  00 00 00 00 ff ff 00 00  |................|
000068b0  ff ff 00 00 c0 01 00 00  c0 01 00 00 c0 01 00 00  |................|
000068c0  c0 01 00 00 c0 01 00 00  c0 01 00 00 c0 01 00 00  |................|
000068d0  c0 01 00 00 e0 03 00 00  f0 07 00 00 f8 0f 00 00  |................|
000068e0  fc 1f 00 00 ff ff 00 00  ff ff 00 00 f0 c4 00 00  |................|
000068f0  00 00 01 00 02 00 20 20  10 00 01 00 04 00 e8 02  |......  ........|
00006900  00 00 01 00 10 10 10 00  01 00 04 00 28 01 00 00  |............(...|
00006910  02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006920  bc f5 00 00 8c f5 00 00  00 00 00 00 00 00 00 00  |................|
00006930  00 00 00 00 c9 f5 00 00  9c f5 00 00 00 00 00 00  |................|
00006940  00 00 00 00 00 00 00 00  d6 f5 00 00 a4 f5 00 00  |................|
00006950  00 00 00 00 00 00 00 00  00 00 00 00 e1 f5 00 00  |................|
00006960  ac f5 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00006970  ec f5 00 00 b4 f5 00 00  00 00 00 00 00 00 00 00  |................|
00006980  00 00 00 00 00 00 00 00  00 00 00 00 f6 f5 00 00  |................|
00006990  04 f6 00 00 14 f6 00 00  00 00 00 00 22 f6 00 00  |............"...|
000069a0  00 00 00 00 30 f6 00 00  00 00 00 00 38 f6 00 00  |....0.......8...|
000069b0  00 00 00 00 39 00 00 80  00 00 00 00 4b 45 52 4e  |....9.......KERN|
000069c0  45 4c 33 32 2e 44 4c 4c  00 41 44 56 41 50 49 33  |EL32.DLL.ADVAPI3|
000069d0  32 2e 64 6c 6c 00 4d 53  56 43 52 54 2e 64 6c 6c  |2.dll.MSVCRT.dll|
000069e0  00 55 53 45 52 33 32 2e  64 6c 6c 00 57 53 32 5f  |.USER32.dll.WS2_|
000069f0  33 32 2e 64 6c 6c 00 00  4c 6f 61 64 4c 69 62 72  |32.dll..LoadLibr|
00006a00  61 72 79 41 00 00 47 65  74 50 72 6f 63 41 64 64  |aryA..GetProcAdd|
00006a10  72 65 73 73 00 00 45 78  69 74 50 72 6f 63 65 73  |ress..ExitProces|
00006a20  73 00 00 00 52 65 67 43  6c 6f 73 65 4b 65 79 00  |s...RegCloseKey.|
00006a30  00 00 6d 65 6d 73 65 74  00 00 77 73 70 72 69 6e  |..memset..wsprin|
00006a40  74 66 41 00 00 00 00 00  00 00 00 00 00 00 00 00  |tfA.............|
00006a50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006c00  c1 7e d3 ea fe 29 26 12  3e 4d 41 7c 3e b2 2b 06  |.~...)&.>MA|>.+.|
00006c10  c1 dc 7d 5a 3e d9 4e a9  c1 02 ab e6 3e 1f 35 7c  |..}Z>.N.....>.5||
00006c20  83 68 fe 86 b4 bb 87 17  73 eb 1d 04 b5 6f 76 24  |.h......s....ov$|
[....]
00007090  3f 4b f8 c2 20 16 98 c1  e7 9f 42 d5 d0 76 73 98  |?K.. .....B..vs.|
000070a0  0f e1 8f 12 e0 a2 f1 bf  0f d5 2e d2 0f a4 a9 b8  |................|
000070b0  f0 38 d1 88 0f 8f 51 39  f0 9d ed b6 0f 7d 05 75  |.8....Q9.....}.u|
000070c0
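
What file reports as "UPX compressed" can be read straight from the section table that starts at offset 0x1d0 in the dump. The following is an added example, not part of the original page: it walks the MZ and PE headers and reports packing indicators per section. The function names are hypothetical, and the sample header is constructed from the field values visible in the dump above rather than taken from the worm file.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Walk MZ -> PE -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, count, _ts, _symtab, _nsyms, opt_size, _flags = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Section table follows the 20-byte COFF header and optional header.
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(count):
        name, vsize, _vaddr, raw_size, _raw_ptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "offset": table + 40 * i,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "flags": flags,
        })
    return sections


def packing_indicators(section):
    """Return the reasons a section looks like a run-time unpacker's."""
    hits = []
    if section["name"].startswith("UPX"):
        hits.append("UPX section name")
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    if (section["flags"] & wx) == wx:
        hits.append("writable and executable")
    if section["raw_size"] == 0 and section["virtual_size"] > 0:
        hits.append("empty on disk, filled in memory at run time")
    return hits


def build_sample_header():
    """Constructed sample: headers only, using the values in the dump."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0xD8)).ljust(0xD8, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x010F)
    optional = struct.pack("<H", 0x010B).ljust(0xE0, b"\0")
    rows = [  # name, VirtualSize, VirtualAddress, RawSize, RawPtr, flags
        (b"UPX0", 0x8000, 0x1000, 0x0000, 0x0400, 0xE0000080),
        (b"UPX1", 0x6000, 0x9000, 0x6000, 0x0400, 0xE0000040),
        (b".rsrc", 0x1000, 0xF000, 0x0800, 0x6400, 0xC0000040),
    ]
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
        for n, vs, va, rs, rp, fl in rows)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for sec in parse_sections(build_sample_header()):
        print("0x%04x %-6s %s" % (sec["offset"], sec["name"],
                                  "; ".join(packing_indicators(sec)) or "-"))
```
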