Analysis Date: 2015-01-12 12:50:27
MD5: 98d1bba8e8564ecb37b75a4224ff0185
SHA1: 89e1c1803613a442647d7c5ffc3248fdf3f6d13b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: ba8594e2733244c2922f1448aa95ed40 sha1: f4e3104bb3737ebb37a56e311255c1131d0173cb size: 105472
Section: .tls md5: be9dc3630854e23044872ccd7703d03b sha1: 3fdb0276aa752dc66292772fcdfda45c2874e580 size: 1536
Section: .data md5: e0b5e364a54283c87f9c65d7fbce0995 sha1: 7c2508754d25b4c38133392fbcb68956427ca706 size: 72704
Section: .reloc md5: 7ead5e07b23b403823a799f148fffb72 sha1: 18b60c26051dd65b75ac6bbd047d0a40bdc1501c size: 1024
Timestamp: 2005-09-08 09:36:56
PEhash: 002e9303249028e3e7fe27981604fdd140d8ea25
IMPhash: 9d683d43b1ce924da6acae8f84aa08a0
AV 360 Safe: no_virus
AV Ad-Aware: Backdoor.Cycbot.AK
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Backdoor.Cycbot.AK
AV Authentium: W32/Goolbot.J.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Backdoor.Cycbot.AK
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Menti-2345
AV Dr. Web: Trojan.DownLoader4.12876
AV Emsisoft: Backdoor.Cycbot.AK
AV Eset (nod32): Win32/Cycbot.AF
AV Fortinet: W32/Cycbot.AF!tr.dldr
AV Frisk (f-prot): W32/Goolbot.J.gen!Eldorado
AV F-Secure: Backdoor.Cycbot.AK
AV Grisoft (avg): Agent_r.ALA
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.k
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Backdoor.Cycbot.AK
AV Rising: no_virus
AV Sophos: Troj/FakeAV-EFL
AV Symantec: Backdoor.Cycbot!gen4
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: greenherbalteaonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: happyratatuy.com
Winsock DNS: superaudiosysrem.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: greenherbalteaonline.com
Type: A
209.222.14.3
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: superaudiosysrem.com
Type: A
DNS: happyratatuy.com
Type: A
HTTP GET: http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif?v61=65&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0zZJEfqHXarVJ%2BQhhAAQ%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxL5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Raw Pcap

Strings