Analysis Date: 2014-06-15 01:57:54
MD5: 4bee97c9ff1908bf1ed68516820ab0bd
SHA1: 42a768a477a505a1abef123ad80ae12e3ad504c6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text  md5: cf04b93878070088c4930d4e2cc1ccf6  sha1: ac6f12077b0a2470d4fcf49ccaa13e4a06aab888  size: 112128
Section: .rdata  md5: bba8c635d88621d2475c100766d6ea62  sha1: 41744e7b3edb97471387726f8540086c6f126421  size: 1024
Section: .data  md5: 8842f60da18d8ab445ef5ffd51b64c91  sha1: 374216be9e8ac42c1e8e14977dc14d58ca615025  size: 65024
Section: .reloc  md5: 6b51feb394d7011545b843e424291dda  sha1: 01c96a1d2d657097e0b60258e0523e31fcbb99c1  size: 1024
Timestamp: 2005-10-19 16:55:52
PEhash: 6e00e6c4043ce1c46d2aec84fadccba247fcc641
IMPhash: b8d689de996a2df42d9b686b862a90d0
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot.69
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SXV
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: winpe/Cycbot.EC
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: yourblogresources.com
Winsock DNS: coolmediastore.com
Winsock DNS: psfk.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: psfk.com  Type: A  72.10.50.52
DNS: zonedg.com  Type: A  208.73.211.168
DNS: zonedg.com  Type: A  208.73.211.165
DNS: zonedg.com  Type: A  208.73.210.218
DNS: zonedg.com  Type: A  208.73.210.215
DNS: zonedg.com  Type: A  208.73.211.175
DNS: yourblogresources.com  Type: A
DNS: coolmediastore.com  Type: A
HTTP GET: http://psfk.com/img/icons/facebook.png?v47=77&tq=gJ4WK%2FSUh7TFm0R8oY%2BQtMWTUj26kJH7yZJSPbqVybhqtUn5CGFATA%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 72.10.50.52:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.168:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.168:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.168:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.168:80

Raw Pcap

Strings