Analysis Date: 2015-05-04 09:55:50
MD5: a4b3c94d9ab44949ca5b24be19092005
SHA1: 55aae8d78228da05e7f7849bfab92ad8336c5f12

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 1aa4ce28e08c61cc6535bd61ad589102 sha1: de78b5e364249e20a33f140f42d230021b618ce0 size: 81920
Section: .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section: .rsrc md5: babd4aec484b77fb70fc155ad2e1fcef sha1: 02afb3afa609f89cdc83cfe994d0dcb9ba044014 size: 4096
Timestamp: 2015-03-13 23:35:08
Version:
  LegalCopyright: Copyright (C) 2012
  InternalName: Origin
  FileVersion: 9,5,3,636
  CompanyName: Electronic Arts
  LegalTrademarks: (c) Electronic Arts 2012. All rights reserved.
  ProductName: Origin
  ProductVersion: 9,5,3,636
  FileDescription: Origin
  OriginalFilename: Origin.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 1eabc62a5a5e7898359da1f80bd046f081b099f8
IMPhash: b66b7d453ac07497522d13c5518936a8
AV Ad-Aware: Gen:Variant.Zusy.133535
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Zusy.133535
AV Authentium: W32/Trojan.WFZU-3036
AV Avira (antivir): TR/Dropper.VB.30277
AV BitDefender: Gen:Variant.Zusy.133535
AV BullGuard: Gen:Variant.Zusy.133535
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Zusy.133535
AV Eset (nod32): Win32/Injector.BWJM
AV Fortinet: W32/Injector.BXKK!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.133535
AV Grisoft (avg): Dropper.Generic9.AAYW
AV Ikarus: Trojan.Win32.Injector
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Suspect-BQ!A4B3C94D9AB4
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.133535
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: Possible_Otorun8
AV Twister: Backdoor.DarkKomet.eygc.zgcs
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1339_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1368 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1368 -e 152 -g

Network Details:


Strings
.w~zyyz.{y{wwxzyzw
\*.*
0GZG
100904B0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
9368265E-85FE-11d1-8BE3-0000F8754DA1
9,5,3,636
A*\AC:\Users\Jonaas\Desktop\aaX\
Action= @
Action=Open USB
AppData
\Archivos
Arguments
Array not initialized!
ASDHQWIUETIUASJDLASD
ASDIQWKYELAOSDA
ASDKJGHQWJITGASUIDASASDASD
[Autorun]
autorun.inf
(c) Electronic Arts 2012.  All rights reserved.
cftmon
\cftmon.exe
\cftmon.exe 
CompanyName
Copyright (C) 2012
CreateShortcut
d9368265E-85FE-11d1-8BE3-0000F8754DA1
Description
DFGSDFJFHIKDTYUYSWYWTY
Drives
DriveType
DSFG HDFHJFYHJKLFHJJSDF
e9368265E-85FE-11d1-8BE3-0000F8754DA1
Electronic Arts
EnableLUA
.exe
ExecQuery
\explorer.exe
explorer.exe
Fehler
FileDescription
FileVersion
.fldr
GetAbsolutePathName
GHDSFG
IconLocation
Icon=%SystemRoot%\system32\SHELL32.dll,7
InternalName
IsReady
JASGDKNAUYSHFDIQJHWE
LegalCopyright
LegalTrademarks
.lnk
\Microsoft\Windows\Start Menu\Programs\Startup\
Not an array!
notepad.exe
Open
Open=
Origin
OriginalFilename
Origin.exe
Path
ProductName
ProductVersion
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /t reg_dword /d "1" /f
RWTYERTYERTYDRTY
S3 Trio32/64
Save
SbieDll.dll
Scripting.FileSystemObject
SDAKJSDNGKQWYIEFRKUSDASIPODAS
SDFGSDFGSDFGSDFGSDFGSDFG
SELECT * FROM Win32_VideoController
select name from Win32_Process where name='---'
Server 2K3
shell32.dll, 0
shell32.dll, 2
shell32.dll, 3
shell\explore\Command=
shell\open\Command=
shell\open\Default=1
shell\open=Open
SOFTWARE\Microsoft\Security Center
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\Start Menu\Programs\Startup\
StringFileInfo
svchost.exe
\system32\notepad.exe
\system32\svchost.exe
\system32\taskhost.exe
TargetPath
taskhost.exe
temp
Terminate
thisexe
This Programm can not run under this OS.
\tmp645eaa54d87qw4vc558sd46.exe
Translation
TRUE
UACDisableNotify
UseAutoPlay=1
UserProfile
VarFileInfo
.vbp
VirtualBox Graphics Adapter
Vista
VM Additions S3 Trio32/64
VMware SVGA II
VS_VERSION_INFO
w{|~|}
windir
WinDir
winmgmts:
WorkingDirectory
WScript.Shell
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32.dll
_allmul
Backup
BorderStyle
CallWindowProcA
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CloseHandle
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateToolhelp32Snapshot
C:\\//WINDOWS\\//SYSTEM32\\//KeRnEl32.dLl
C:\\//WINDOWS\\//SYSTEM32\\//MSVBVM60.dLl
C:\\//WINDOWS\\//SYSTEM32\\//ShElL32.dLl
`.data
DllFunctionCall
Enabled
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FindExecutableA
GetCurrentProcessId
GetModuleFileNameA
GetModuleHandleA
GetVersionExW
GetVolumeInformationA
HotTracking
ICC_PROFILE
ImageCombo
ImageList
kernel32
kernel32.dll
ListView
Mscomctl32.
Mscomctl32.ocx
MSComctlLib.ImageCombo
MSComctlLib.ImageList
MSComctlLib.ListView
MSComctlLib.ProgressBar
MSComctlLib.Slider
MSComctlLib.StatusBar
MSComctlLib.TabStrip
MSComctlLib.Toolbar
MSComctlLib.TreeView
MSVBVM60.DLL
MulDiv
MultiSelect
Picture1
Picture2
Process32First
Process32Next
ProgressBar
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RtlAdjustPrivilege
Seconds
Separators
SHELL32
ShellExecuteA
Slider
StatusBar
TabStrip
thisexe
!This program cannot be run in DOS mode.
Toolbar
TreeView
vb4projectVb
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaForEachCollAd
__vbaForEachVar
__vbaFPException
__vbaFpR4
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Str
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaLateIdCallLd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstr
__vbaMidStmtBstr
__vbaNew2
__vbaNextEachCollAd
__vbaNextEachVar
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaPut3
__vbaR8Str
__vbaRedim
__vbaSetSystemError
__vbaStr2Vec
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1Var
__vbaVar2Vec
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarMove
__vbaVarMul
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGt
__vbaVarTstLt
__vbaVarTstNe
__vbaVarZero
\wInDoWS\SYSTEM32\kernel32.dLl
\wInDoWS\SYSTEM32\USER32.dLl
wmexplorer.exe