Analysis Date: 2015-01-17 01:00:05
MD5: 17653022576b45a6ac90815a659bc9cb
SHA1: 2db8765e94ebf7fcc35d22ea374dd3238d9101f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: bbb9592dfeab5f6c19243e0bf5404a3d sha1: 6bb9eb8e64b605153d397d021ef6ab1e096c709d size: 97792
Section: .rdata md5: 88236b2141169de746306ad57f14643b sha1: fe2f3e1c52f9b9b3f15df57f68c91122485d4b71 size: 1024
Section: .data md5: bafe55b1773299eb2cf071389724b4af sha1: 41f6dba2af5863bc6b44b5f23206cc7ffbff0ef5 size: 23040
Section: .rsrc md5: 6e630787db1919eb65a90cef0ac7b785 sha1: 2b78f5f497f72e33ece83519681c0208949758e8 size: 1024
Timestamp: 2005-09-30 12:44:37
Version: PrivateBuild: 1102
PEhash: 454510451da4dd330e7eeef18ca32ecabfde149f
IMPhash: 0be9fe659962311bca7a0a4c46bea1d1
AV: 360 Safe: no_virus
AV: Ad-Aware: Trojan.Generic.KD.80396
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): Trojan.Generic.KD.80396
AV: Authentium: W32/Goolbot.C.gen!Eldorado
AV: Avira (antivir): TR/Crypt.XPACK.Gen
AV: BullGuard: Trojan.Generic.KD.80396
AV: CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Diple-19
AV: Dr. Web: Trojan.MulDrop1.56159
AV: Emsisoft: Trojan.Generic.KD.80396
AV: Eset (nod32): Win32/Cycbot.AA
AV: Fortinet: W32/Krypt.NHL!tr
AV: Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV: F-Secure: Trojan-Downloader:W32/Renos.GTC
AV: Grisoft (avg): Agent.5.BJ
AV: Ikarus: Packed.Win32.Krap
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Backdoor.Win32.Gbot.bs
AV: MalwareBytes: Spyware.Passwords.XGen
AV: Mcafee: BackDoor-EXI.gen.e
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Trojan.Generic.KD.80396
AV: Rising: Trojan.Win32.Cybot.a
AV: Sophos: Troj/FakeAV-CDG
AV: Symantec: Backdoor.Cycbot!gen2
AV: Trend Micro: BKDR_CYCBOT.SME
AV: VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: pcdocpro.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: pcdocpro.com
Type: A
209.59.161.20
DNS: www.google.com
Type: A
173.194.37.81
DNS: www.google.com
Type: A
173.194.37.82
DNS: www.google.com
Type: A
173.194.37.83
DNS: www.google.com
Type: A
173.194.37.84
DNS: www.google.com
Type: A
173.194.37.80
DNS: zoneck.com
Type: A
208.79.234.132
DNS: zonejm.com
Type: A
23.239.15.54
DNS: motherboardstest.com
Type: A
204.11.56.45
DNS: dolbyaudiodevice.com
Type: A
DNS: xibudific.cn
Type: A
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://pcdocpro.com/images/logo-2.jpg?tq=gP4aKydo3y29h8GGdHmghFVgBEzxJ44%2FJ7lUwS7BcyrAxDPXpjX%2FquGGe9ey%2FsYnxhZLVJinblHRXGiIYUIf1V8eosjlgg4SRfBlPDCibUw38NofSjhGoDguIbrRTd%2FIRAFrFHD6EFP7IhKlBXK9r%2FY%2FlSc%2FBqVQYJOlgdN2ACNliJuiK4sMnROZoYf3RPizOECbHNIf0TQ9zN%2BeYOt6ECoD50dBsUO6c4KUjgc9L%2BCLi2hgRi2RpZQH%2Fx9l6CCqqtPabdxYrNKXYL%2Bxd7wX%2FetrjUmqigkOfs3zYNv48HPo9U%2FalhBVtam4MnCZN3dtk8roC2%2Fln17H4ZLhRdTTcUl2iy46iNWOglUAAiHmTe18xjKOI2MZzURtP7wVKs168wZF7ZxEqKlPR5krz0WubiSk5MSyscj5gkh9ahjH
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNQK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1031 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1032 ➝ 209.59.161.20:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1034 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1035 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1037 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1038 ➝ 208.79.234.132:80

Raw Pcap

Strings