Analysis Date: 2014-06-15 06:49:37
MD5: c08a70786243c0eb4dfae8673cb4b514
SHA1: 6dcf7fe7b0c762ef3dd1cf71d8a975f7a3fc580d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 0b8fe6acc15bf5e9fd53e6b08627085c sha1: d1fd9f483f2feb6ae1984c02c8f132b4d2f8026b size: 114688
Section: .rdata md5: 39014251d82bfec4cbf198fc0c97587c sha1: def297e3e4ab6903fe4c303ec36690acfaed3634 size: 1536
Section: .data md5: e9c90d96db19cd706e0e11f5c809448c sha1: 08b102c75118b373816d10d3510bf7e0cdc24b89 size: 65024
Section: .reloc md5: 84a20230bc8cd241f8c01d54d2bf7534 sha1: 38d885690f026d0c15141fd5e90205c5966bc9b0 size: 1024
Timestamp: 2005-11-07 11:10:48
PEhash: 1725aebdbc870c1f0dd463856efb61710b99a791
IMPhash: 06808ccd3181c6d2f093b2a5b8bbd0e7
AV 360 Safe: Gen:Variant.Kazy.38552
AV Ad-Aware: Gen:Variant.Kazy.38552
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.M.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1273
AV Dr. Web: BackDoor.Gbot.69
AV Emsisoft: Gen:Variant.Kazy.38552
AV Eset (nod32): Win32/Kryptik.TEV
AV Fortinet: W32/Jorik_Gbot.EBE!tr
AV Frisk (f-prot): W32/Goolbot.M.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.38552
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Win32.SuspectCrc
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.r
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.38552
AV Norman: winpe/Kryptik.AKG
AV Rising: no_virus
AV Sophos: Mal/Agent-AEO
AV Symantec: no_virus
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Trojan.Jorik.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: freshmediaportal.com
Winsock DNS: 127.0.0.1
Winsock DNS: onlinedatingsecretfriends.com
Winsock DNS: fastblogportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: zonedg.com (Type: A) ➝ 208.73.210.215
DNS: zonedg.com (Type: A) ➝ 208.73.211.175
DNS: zonedg.com (Type: A) ➝ 208.73.211.168
DNS: zonedg.com (Type: A) ➝ 208.73.211.165
DNS: zonedg.com (Type: A) ➝ 208.73.210.218
DNS: onlinedatingsecretfriends.com (Type: A)
DNS: freshmediaportal.com (Type: A)
DNS: fastblogportal.com (Type: A)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 208.73.210.215:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.210.215:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.215:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.210.215:80

