Analysis Date: 2014-06-15 00:02:52
MD5: 530ffc74e4c6169ae7c095dc15e5038a
SHA1: 5de2e7c9cdce76ee17922ef17aed08778a68e589

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 0968a1ea6e6e0d165cb9de981e97832f sha1: 88303fa91c95a3f66c4728c293b5b519a8ad2e43 size: 121344
Section: .tls md5: 7e2d4065028ff6c918f0b377cc24646b sha1: 58db555b4b18b51ba83ea586f2b72386b862d113 size: 1536
Section: .data md5: 98989f0a66e7b3d9a8a92e14ee92f1ff sha1: 1dacc923e363946963025a0f2c5c4d4e43f6b59d size: 74752
Section: .reloc md5: 131f4a570782c9b810b7a756a8d14c75 sha1: 53b747c3a5a4a4aceaa2796b106c2cf78a3ea9e7 size: 1024
Timestamp: 2005-10-12 06:07:45
PEhash: df06315ed3bc7a6b9e91781ec61d6c1ebc28201c
IMPhash: 4bd89ea67f838976a8662012dc323234
AV: 360 Safe: Trojan.Generic.KDV.350676
AV: Ad-Aware: Trojan.Generic.KDV.350676
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir): TR/Crypt.XPACK.Gen
AV: CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Gbot-1041
AV: Dr. Web: BackDoor.Gbot.70
AV: Emsisoft: Trojan.Generic.KDV.350676
AV: Eset (nod32): Win32/Kryptik.SMY
AV: Fortinet: W32/Kryptik.SMY!tr.bdr
AV: Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV: F-Secure: Trojan.Generic.KDV.350676
AV: Grisoft (avg): Win32/Cryptor
AV: Ikarus: Backdoor.Win32.Cycbot
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: BackDoor-EXI.gen.n
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Trojan.Generic.KDV.350676
AV: Norman: winpe/Cycbot.EC
AV: Rising: Trojan.Win32.Generic.12950D5C
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Trojan.Gen
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): Trojan.Jorik.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: wwwmediaportal.com
Winsock DNS: calaculat.com
Winsock DNS: 127.0.0.1
Winsock DNS: hollandandbarrett.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: hollandandbarrett.com, Type: A, 213.62.84.113
DNS: zonedg.com, Type: A, 208.73.211.199
DNS: zonedg.com, Type: A, 208.73.211.196
DNS: zonedg.com, Type: A, 208.73.211.172
DNS: zonedg.com, Type: A, 208.73.211.152
DNS: zonedg.com, Type: A, 208.73.211.235
DNS: wwwmediaportal.com, Type: A
DNS: calaculat.com, Type: A
HTTP GET: http://hollandandbarrett.com/images/footer/account.jpg?v5=40&tq=gKZEtzy4bPL7v7SIjNKToI%2BNBwuAZSH6aETt7uuWaJ5dKnS8u0DkH75cKs4s2cO5kNFxfwdq3o6FRRZZBBIObNXGFPKDRnQFKA5yNVj7bz19rAQlF8DYMH%2BSckKMV83k1mV4tlnStyULC8gphubLEwYH0whRnipfNFCKmpQ4Wu%2B47Ovt%2Be4voQMu493YyhQ95npygnIz%2BubMA9n5DUCMjwCPNS1rcCSIiUw2Eq2LM6TO5Rv
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwlKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxb5ygm1C4lKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 213.62.84.113:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.199:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.199:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.199:80

Raw Pcap

Strings

080904b0
1.0.0.1
1674
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
CoTaskMemFree
CreateProcessA
CreateStdAccessibleObject
@.data
EnumResourceNamesA
GetSystemTimeAsFileTime
InterlockedExchange
KERNEL32.dll
LocalAlloc
LresultFromObject
lstrlenA
MultiByteToWideChar
OLEACC.dll
OpenJobObjectA
PathFileExistsW
ProgIDFromCLSID
RaiseException
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
SHELL32.dll
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI.dll
StringFromCLSID
StringFromIID
!This program cannot be run in DOS mode.
VirtualQueryEx
WideCharToMultiByte