Analysis Date: 2014-04-22 10:12:32
MD5: 38b6b9b11aa82334a7355938c39475c1
SHA1: b9d33ba7288db910addaf30f219bcbdd9f6884f9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 5c966fd83bf01338456166deeca0d62f sha1: b7f107f3b1ff73b16235b82ff5e37db4713cc7ba size: 2048
Section: .rdata md5: 7778e82b298a9234726818f6a6f4b909 sha1: fbf9673587b46619408b3f85a6dfe3bcef0136f4 size: 2560
Section: .data md5: b311cc8bff2a20ed90ae8db181098321 sha1: d41535355350d86bb3ea4bd9692ad30f65d28eb2 size: 89088
Section: .rsrc md5: 72b9d4419654149cc308652ea7ee5832 sha1: 66deef580f7d93f2abb38c6c65ffbfc26b2edd52 size: 13312
Section: .reloc md5: 708ab679cb262d34a44991997cfc5fa3 sha1: a7572ef08e9148d0fd714b08210351480db1ba73 size: 80896
Section: qrcuzls md5: 0f682063513c3c9d493d1148f9360942 sha1: 359c9ae9c576357447b80e3c09fd84c6870a66b5 size: 130048
Section: kgujoce md5: 2e44c0699b042245f75446e15754ff97 sha1: 35a46ce53fbea5c72a4f52d79967122e1c72ec28 size: 60416
Section: uefqhhf md5: 77c7713b364d5c3b2e3759841e5f860b sha1: e36cb85da51aecf96e8e9034aee7ca083faeec21 size: 31744
Section: .text md5: fff51e0ecb0fb217c8c5ccaa0b45da8a sha1: a991cd6652943aaa9761359491031202bad78ec3 size: 413696
Timestamp: 1996-08-14 20:59:04
Version:
LegalCopyright: Copyright © 2007 Avira GmbH. All rights reserved.
InternalName: AntiVir/Win32
FileVersion: 7.6.0.59
CompanyName: Avira GmbH
PrivateBuild:
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany
Comments:
ProductName:
SpecialBuild:
ProductVersion: 7.6.0.59
FileDescription: AntiVir Command Line Scanner for Windows
OriginalFilename:
PEhash: 39729b131434eb392e0dba507afad9d22c68a561
IMPhash: 093a51e0b7dcb2466b7edfd78d191aa0
AV (mcafee): PWS-Zbot.gen.cy
AV (clamav): W32.Ramnit-1
AV (avg): Win32/Zbot.G

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\A1_0 ➝ 3688340317
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\-993627007\1768776769 ➝ 202
Creates File: C:\b9d33ba7288db910addaf30f219bcbdd9f6884f9mgr.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Process: C:\b9d33ba7288db910addaf30f219bcbdd9f6884f9mgr.exe
Creates Mutex: uxJLpe1m
Creates Mutex: services.exeM_616_
Creates Mutex: svchost.exeM_1016_
Creates Mutex: svchost.exeM_1124_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_848_
Creates Mutex: svchost.exeM_800_
Creates Mutex: lsass.exeM_628_
Creates Mutex: smss.exeM_500_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: spoolsv.exeM_1304_
Creates Mutex: svchost.exeM_1204_

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\b9d33ba7288db910addaf30f219bcbdd9f6884f9mgr.exe
Creates File: C:\Program Files\huettqja\px5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px5.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\b9d33ba7288db910addaf30f219bcbdd9f6884f9mgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
Creates Mutex: uxJLpe1m

Network Details:

DNS: stromoliks.com (Type: A) ➝ 66.228.61.232
DNS: google.com (Type: A) ➝ 173.194.34.167
DNS: google.com (Type: A) ➝ 173.194.34.163
DNS: google.com (Type: A) ➝ 173.194.34.162
DNS: google.com (Type: A) ➝ 173.194.34.161
DNS: google.com (Type: A) ➝ 173.194.34.174
DNS: google.com (Type: A) ➝ 173.194.34.168
DNS: google.com (Type: A) ➝ 173.194.34.164
DNS: google.com (Type: A) ➝ 173.194.34.166
DNS: google.com (Type: A) ➝ 173.194.34.160
DNS: google.com (Type: A) ➝ 173.194.34.169
DNS: google.com (Type: A) ➝ 173.194.34.165
DNS: stromoliks.com (Type: A) ➝ 66.228.61.232
DNS: bing.com (Type: A) ➝ 204.79.197.200
DNS: promoliks.com (Type: A) ➝ 66.228.61.232
DNS: promoliks.com (Type: A) ➝ 66.228.61.232
DNS: yahoo.com (Type: A) ➝ 98.139.183.24
DNS: yahoo.com (Type: A) ➝ 206.190.36.45
DNS: yahoo.com (Type: A) ➝ 98.138.253.109
Flows TCP: 192.168.1.1:1039 ➝ 173.194.34.167:80
Flows TCP: 192.168.1.1:1038 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1040 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1041 ➝ 204.79.197.200:80
Flows TCP: 192.168.1.1:1042 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1044 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1045 ➝ 98.139.183.24:80

Strings