Analysis Date: 2014-06-15 03:14:54
MD5: e1bfbd525c3917fd8f1e2f0b311daa26
SHA1: 71f103256285a2445a8521a3fb1c31b799714ea4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 12df0f49cd4763f5d02aa66c12c59607 sha1: 9d656878e14ad51d1b0681a1faf90f5fd23d9f93 size: 109056
Section .rdata md5: c0d69c23804e97f546a02679b3e89cc2 sha1: 0eef1e0740f8831e5a6f5e483ea25db2fda90a42 size: 1024
Section .data md5: 3ae25523b06ffceb6de4e23bbe9b2c4e sha1: 67b62c49d1e9ca2b36d5657b3c4fbf90f893c6c9 size: 71168
Section .reloc md5: ff5870230069fcca64cd22422f86775e sha1: da2d9d31b7e09e4e94724c84778ee38e58570cd2 size: 1024
Timestamp: 2005-10-19 18:08:36
PEhash: c74ebd3c27739e284427622ae60fe75dd01621c3
IMPhash: 58a6b52a2b0664d3c9f61bb52e459ddf
AV 360 Safe: Gen:Variant.Kazy.38595
AV Ad-Aware: Gen:Variant.Kazy.38595
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.M.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-290722
AV Dr. Web: BackDoor.Gbot.73
AV Emsisoft: Gen:Variant.Kazy.38595
AV Eset (nod32): Win32/Kryptik.TEV
AV Fortinet: W32/Jorik_Gbot.EBE!tr
AV Frisk (f-prot): W32/Goolbot.M.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.38595
AV Grisoft (avg): Win32/DH.FF960030{Mw}
AV Ikarus: Virus.Win32.Cryptor
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.r
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.38595
AV Norman: winpe/Kryptik.AKG
AV Rising: no_virus
AV Sophos: Mal/Agent-AEO
AV Symantec: no_virus
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: freshmediaportal.com
Winsock DNS: resetmymemory.com
Winsock DNS: 127.0.0.1
Winsock DNS: psfk.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: psfk.com, Type: A, 72.10.50.52
DNS: zonedg.com, Type: A, 208.73.211.164
DNS: zonedg.com, Type: A, 208.73.211.249
DNS: zonedg.com, Type: A, 208.73.211.236
DNS: zonedg.com, Type: A, 208.73.211.182
DNS: zonedg.com, Type: A, 208.73.211.177
DNS: resetmymemory.com, Type: A, 192.155.89.148
DNS: fastblogportal.com, Type: A
DNS: freshmediaportal.com, Type: A
HTTP GET: http://psfk.com/img/icons/twitter.png?v50=41&tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP GET: http://resetmymemory.com/blog/images/3521.jpg?v98=1&tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 72.10.50.52:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.164:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.164:80
Flows TCP: 192.168.1.1:1034 ➝ 192.155.89.148:80

Raw Pcap

Strings