Analysis Date: 2015-01-19 16:54:22
MD5: d0970a923132db418cd17b79175913c6
SHA1: 4e4080e0779a0c1182ead1911134e960d1192322

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text, md5: fffb772000233d4fe8e04c0160926de0, sha1: 00083cb23aee9aff7b0d94fbb88fa071bb5ce583, size: 425984
Section: .rdata, md5: 0ade19e16dc5495eb75f171fa948eea7, sha1: cfb737ec7bf520a94b3985e5caa9d27ff8a9777d, size: 7168
Section: .data, md5: d0f557a42e465904c69c0adcf9b87630, sha1: 7076f1f5cea2ba9767cff3b121bfdd9316e6f45d, size: 410112
Section: .rsrc, md5: 105ad82a04e3afe65f264f030b3f019d, sha1: dc1fa626bc235d60cb16904b0cf429f99ba1bc1c, size: 9728
Timestamp: 2005-07-25 22:41:12
PEhash: 3d3bc5d3af4c1346a5be72e57f38bcee1d735a10
IMPhash: 52f2c2ad293b3ec821db21c1b365bd73
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.3667
AV Alwil (avast): MalOb-DM [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.3667
AV Authentium: W32/FakeAlert.HR.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen3
AV BullGuard: Gen:Variant.Kazy.3667
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): FraudTool.Security
AV ClamAV: Win.Trojan.Fakeav-8923
AV Dr. Web: Trojan.Fakealert.19447
AV Emsisoft: Gen:Variant.Kazy.3667
AV Eset (nod32): Win32/Kryptik.IHJ
AV Fortinet: W32/Krap.IC!tr
AV Frisk (f-prot): W32/FakeAlert.HR.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.3667
AV Grisoft (avg): Generic20.ADLP
AV Ikarus: Packed.Win32.Krap
AV K7: Trojan ( 001cdda01 )
AV MalwareBytes: Rogue.SecurityTool
AV Mcafee: FakeAlert-SecurityTool.w
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Variant.Kazy.3667
AV Rising: no_virus
AV Sophos: Mal/FakeAV-DO
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: TROJ_FAKEAV.SME8
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\4e4080e0779a0c1182ead1911134e960d1192322 ➝ "C:\Documents and Settings\Administrator\Local Settings\Application Data\93691767.exe" 0 31 \\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\93691767.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2829578160.bat

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\93691767.exe -i
Creates Process: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 4e4080e0779a0c1182ead1911134e960d1192322 /f

Process
↳ reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 4e4080e0779a0c1182ead1911134e960d1192322 /f

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\93691767.exe -i

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\93691767 ➝ "C:\Documents and Settings\Administrator\Local Settings\Application Data\93691767.exe" 0 39 \\x00
Creates Mutex: already run
Winsock URL: http://95.64.111.100/cb_soft.php?q=e83100294a13818f1b5c69a83045b08d

Network Details:

HTTP GET: http://95.64.111.100/cb_soft.php?q=e83100294a13818f1b5c69a83045b08d
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
HTTP GET: http://95.64.111.100/cb_soft.php?q=e83100294a13818f1b5c69a83045b08d
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 95.64.111.100:80
Flows TCP: 192.168.1.1:1031 ➝ 95.64.111.100:80
Flows TCP: 192.168.1.1:1032 ➝ 95.64.111.100:80
