Analysis Date: 2014-12-18 01:49:06
MD5: 1869c205b75949c4987f630ce4b3e742
SHA1: 331f2d13521181b0a6be2403ae1ff938150fffdd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: cf6b4ab6fcccf156a12e75fe2e5d9fbd sha1: daa24754c855575cd158c06bee28f52829ab921c size: 133120
Section: .xyu md5: 2709b52050d4f7349c12ea1dcd97c465 sha1: 0ddaa2185c3b83d577beb4970a1f135699f7a6f5 size: 512
Section: .rdata md5: 1f7ca6b5dd3c99661a4e3133744a0c5a sha1: 572ea860a39e57bc1b2f6cf4cce7830d12554749 size: 709632
Section: .data md5: 5bc39bd8f822ac9676684c0c7232852b sha1: fd6fc8114effbad36a75eeafb32ed4f09a047000 size: 101888
Section: .rsrc md5: beeeb49ebe948200817fc7866eb0cc4b sha1: f066aaadfc53d80d411f46878a6b7434acb388c3 size: 2560
Section: .reloc md5: 2eeb96258d29f3e6d7dc83423c0907c7 sha1: 3cf8625e4e02e4e000aa079ac599040413a57bf4 size: 5120
Timestamp: 2011-08-24 19:52:48
Version:
LegalCopyright: Copyright © OOQ Software
InternalName: Gwns.exe
FileVersion: 6.1.7600.17383
CompanyName: Heaventools Software
ProductName: Copyright © OOQ Software
ProductVersion: 6.1.7600.17383
FileDescription: Nrsnloyusaequngqbyjnlbafeiec
OriginalFilename: Itueaax.exe
Packer: Program Protector XP v1.0
PEhash: 4ddb1f4d2fcbe5161c9a69adcae9e1c0b678312a
IMPhash: ba64feedda867bb46691c63f0345f2b1
AV 360 Safe: Gen:Variant.Kazy.35253
AV Ad-Aware: Gen:Variant.Kazy.35253
AV Alwil (avast): MalOb-GS [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.35253
AV Authentium: W32/FakeAlert.QU.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.35253
AV CA (E-Trust Ino): Win32/FakeAV.BB!generic
AV CAT (quickheal): Rogue.FakeRean
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop2.54093
AV Emsisoft: Gen:Variant.Kazy.35253
AV Eset (nod32): Win32/Kryptik.SBR
AV Fortinet: W32/Crypt.AAAG!tr
AV Frisk (f-prot): W32/FakeAlert.QU.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.35253
AV Grisoft (avg): Generic_r.HV
AV Ikarus: Virus.Win32.Cryptor
AV K7: Riskware ( 0015e4f01 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: FakeAlert-Rena.ac
AV Microsoft Security Essentials: Rogue:Win32/FakeRean
AV MicroWorld (escan): Gen:Variant.Kazy.35253
AV Rising: Malware.XPACK!48A2
AV Sophos: Mal/FakeAV-LX
AV Symantec: UltraDefraggerFraud
AV Trend Micro: Mal_FakeAV-58
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\wkssvc
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Application Data\defender
Creates File: C:\Documents and Settings\All Users\Desktop\Security Protection.lnk
Creates Process: C:\Documents and Settings\All Users\Application Data\defender.exe

Process
↳ C:\Documents and Settings\All Users\Application Data\defender.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Security Protection ➝ C:\Documents and Settings\All Users\Application Data\defender.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Registry: HKEY_CURRENT_USER\Software\F40C5BE803CBA1BAFA8C3727B0D8A9DD\FRun ➝ 0\\x00
Creates File: Scsi1:
Creates File: Scsi0:
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF364F.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Security Protection_MUTEX

Network Details:

DNS: yazminx.com
Type: A
208.73.211.250
DNS: yazminx.com
Type: A
208.73.210.211
DNS: yazminx.com
Type: A
208.73.211.167
DNS: yazminx.com
Type: A
208.73.211.244
HTTP GET: http://yazminx.com/scripts/ss.php?id=100
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.250:80

Strings