Analysis Date: 2014-08-26 23:29:12
MD5: 4e069d665491e03fd0e33260f1884105
SHA1: c27dc0191a5ea4787a634f569ee70ddf623c10d5

Static Details:

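File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero-length section: these are the MD5 and SHA-1 of empty input, so they do not identify this sample)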
Section.rdata md5: e1ec3c926de80f7b7406db8ae72aa19d sha1: b62058e16956992b2d286df907da69c61beb48aa size: 73728
Section.data md5: cb9cc7d11a565b8ec50d7edd1ed622b3 sha1: b12886eaac8026f33c7d39113d7c5080e6325dc1 size: 2048
Section.idata md5: 851d7fac2b455c9bcc5362c35e48520f sha1: 8746d05a9dd1d23da44cdcc7f192702a769533ca size: 4096
Section.rsrc md5: d927bb49d99482a29026d0078f0a3564 sha1: 13af41d9ef97e3086a2b864ead239d5bb0572627 size: 16672
Timestamp: 2013-01-27 07:58:17
PEhash: f9a7ba726dcf452df93553d05709639abecf372e
IMPhash: ebe26b5fe34686afc9c718c05a6b638a

Runtime Details:


Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe
Creates FilePIPE\lsarpc
Creates ProcessC:\WINDOWS\system32\svchost.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe elevate
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe elevate
Creates ProcessC:\WINDOWS\system32\svchost.exe
Creates Mutex{37FFF806-FE56-017C-F492-53D695A61D45}

Process
↳ "C:\WINDOWS\system32\cmd.exe" /C ""C:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe"" admin

Creates Process"C:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe" admin

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\rsdobpfm.log
Creates FilePIPE\lsarpc
Creates Mutex{380001F2-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF806-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PvjImqgs ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\hprscqwf\pvjimqgs.exe
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Administrator\Local Settings\Application Data\hprscqwf\pvjimqgs.exe
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start ➝
4
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝
1
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝
NULL
Creates FileC:\Documents and Settings\All Users\Application Data\edevdhfq.log
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\qcvbfpbp.log
Creates File631D2408D44C4f47AC647AB96987D4D5
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\hprscqwf\px1.tmp
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\hprscqwf\pvjimqgs.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pvjimqgs.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Application Data\hprscqwf\px1.tmp
Creates Mutex{37FFF2F1-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF806-FE56-017C-F492-53D695A61D45}
Creates Mutex{37FFF72F-FE56-017C-F492-53D69C661D45}

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe" admin

RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start ➝
4
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝
1
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\wkkppqyi.sys
Creates FilePIPE\lsarpc
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wkkppqyi.sys
Creates Mutex{37FFF805-FE56-017C-F492-53D695A61D45}
Creates ServiceMicorsoft Windows Service - C:\Documents and Settings\Administrator\Local Settings\Temp\wkkppqyi.sys

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe elevate

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FilePIPE\wkssvc
Creates FilePIPE\lsarpc
Creates Process"C:\WINDOWS\system32\cmd.exe" /C ""C:\Documents and Settings\Administrator\Local Settings\Temp\hbhdosic.exe"" admin
Creates Mutex{37FFF807-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File\Device\Afd\Endpoint

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1128

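Network Details:

Note: DNS entries below that show "Type: A" with no address had no address recorded in this run. The google.com lookups and the port-80 flow to 74.125.229.233 look like a connectivity check rather than malicious infrastructure, and 192.168.1.1 is the analysis machine's own private address; leave these out when extracting indicators. Several unrelated-looking names resolve to the same address, so confirm what an address hosts before blocking by IP.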

DNSwxsssfvmqi.com
Type: A
72.14.182.233
DNSaxigleyldgeq.com
Type: A
208.73.211.237
DNSaxigleyldgeq.com
Type: A
208.73.211.240
DNSaxigleyldgeq.com
Type: A
208.73.211.250
DNSaxigleyldgeq.com
Type: A
208.73.210.210
DNSaxigleyldgeq.com
Type: A
208.73.211.179
DNSgoogle.com
Type: A
74.125.229.233
DNSgoogle.com
Type: A
74.125.229.238
DNSgoogle.com
Type: A
74.125.229.224
DNSgoogle.com
Type: A
74.125.229.225
DNSgoogle.com
Type: A
74.125.229.226
DNSgoogle.com
Type: A
74.125.229.227
DNSgoogle.com
Type: A
74.125.229.228
DNSgoogle.com
Type: A
74.125.229.229
DNSgoogle.com
Type: A
74.125.229.230
DNSgoogle.com
Type: A
74.125.229.231
DNSgoogle.com
Type: A
74.125.229.232
DNSnhedwmmg.com
Type: A
72.14.182.233
DNSsqhofbxqksckbfrs.com
Type: A
72.14.182.233
DNSpmyadxuvmfmcajv.com
Type: A
208.73.211.174
DNSpmyadxuvmfmcajv.com
Type: A
208.73.211.175
DNSpmyadxuvmfmcajv.com
Type: A
208.73.211.193
DNSpmyadxuvmfmcajv.com
Type: A
208.73.211.242
DNSpmyadxuvmfmcajv.com
Type: A
208.73.211.163
DNSrwtxpiehuiiucxkfckw.com
Type: A
72.14.182.233
DNSroiornfvclppad.com
Type: A
72.14.182.233
DNSaxswdqnjgrnryt.com
Type: A
80.89.130.2
DNSvuxrkjrewjwl.com
Type: A
178.79.190.156
DNSmgnodqfisg.com
Type: A
94.126.178.29
DNSdhlpcscshdrvpcpp.com
Type: A
94.126.178.29
DNSsdcepuelyqary.com
Type: A
109.236.85.191
DNSnqbvanrafsi.com
Type: A
178.79.190.156
DNSjpdvnajhhv.com
Type: A
93.170.79.102
DNSadvjpbbhiwoccqa.com
Type: A
94.126.178.29
DNSaikiecaopi.com
Type: A
208.73.211.179
DNSaikiecaopi.com
Type: A
208.73.211.237
DNSaikiecaopi.com
Type: A
208.73.211.240
DNSaikiecaopi.com
Type: A
208.73.211.250
DNSaikiecaopi.com
Type: A
208.73.210.210
DNSagnhmtkxxko.com
Type: A
141.8.225.80
DNSuejgdopjiyxnnvws.com
Type: A
DNSrkjtwjwmesvwhpc.com
Type: A
DNSnbfplqkemrpedccrcyp.com
Type: A
DNSywyqjdqktqxsxkt.com
Type: A
DNSgveejaqxpyrb.com
Type: A
DNSxygkltvhkvbje.com
Type: A
DNSijxahlsdiw.com
Type: A
DNSjhchibrcyo.com
Type: A
DNStxnhnwwxfam.com
Type: A
DNSkkiykxbsc.com
Type: A
DNShxlsxpmmtdqqvo.com
Type: A
DNScnlbabnssw.com
Type: A
DNSdthjrnnicjkdetclt.com
Type: A
DNSeewbwvjommryy.com
Type: A
DNSvjckfodjtbobafxmc.com
Type: A
DNSyswkdrulyic.com
Type: A
DNSbovexbjn.com
Type: A
DNSfhlfkhytwhsr.com
Type: A
DNSeuspqcxqqyg.com
Type: A
DNSfugwardol.com
Type: A
DNStgrkqpausony.com
Type: A
DNSinxsymblbqalsalowfq.com
Type: A
DNSmfvgedcelh.com
Type: A
DNSnentdfyokt.com
Type: A
DNSramilhgme.com
Type: A
DNSeduqsjyun.com
Type: A
DNSlmifmeowe.com
Type: A
DNSdfcpywecgpxdafddnx.com
Type: A
DNSfuycfraut.com
Type: A
DNSaoiibtouhnv.com
Type: A
DNStbleofsef.com
Type: A
DNSwrffvnjkdhvlw.com
Type: A
DNSffixkfwdkpvknrckkog.com
Type: A
DNSqcbcfxbfuntohovjf.com
Type: A
DNSajqwbyetyjkj.com
Type: A
DNSrrybjrmyfdrlks.com
Type: A
DNShhxecdlsbelfwlxywl.com
Type: A
DNSdthsjnnah.com
Type: A
DNSniabhbpyig.com
Type: A
DNSsxjdijvatcldovjljo.com
Type: A
DNSghwdrtxplacpt.com
Type: A
DNSoyrpekdshy.com
Type: A
DNSiyvtavwycqvlnrun.com
Type: A
DNSulqwsfcxfe.com
Type: A
DNSjewjkxjagfudj.com
Type: A
DNSlhpvdndlqexik.com
Type: A
DNSyycwkoxpn.com
Type: A
DNSywyjnfyyvempl.com
Type: A
DNSflbgrwxtbhv.com
Type: A
DNSslkxbdfnacvbyj.com
Type: A
DNSynjsipgopbbplsi.com
Type: A
DNSrwddwwskwvtnfcx.com
Type: A
DNSavmvnhsasuslrxswsyp.com
Type: A
DNSgtojwtnv.com
Type: A
DNSqjyxfqehlkrkmdbe.com
Type: A
DNScxwqxhxbujjcrxs.com
Type: A
DNSbyifjajwmkl.com
Type: A
DNSimojpwikfcdp.com
Type: A
DNSwmxipgffbjsj.com
Type: A
DNSkgajnefinlkn.com
Type: A
DNSgvmxpwrivm.com
Type: A
DNSwinikuevntsw.com
Type: A
DNSexggxwbvrb.com
Type: A
DNSkmbnvnhxqkpop.com
Type: A
DNSqdrsuxycnhbucojk.com
Type: A
DNSocnmsgvgn.com
Type: A
DNShrofeoetf.com
Type: A
DNSfqenmlycbvcrw.com
Type: A
DNSlpgfaijjdvpkyncdrl.com
Type: A
DNSsvtiseop.com
Type: A
DNSkgqprnvopwjtoima.com
Type: A
DNSpytfdffpqmaymkho.com
Type: A
DNSxojuqslt.com
Type: A
DNSfvegevujmtnnk.com
Type: A
DNSthiplpwllqexrctjby.com
Type: A
DNSqnodrvocb.com
Type: A
DNShmgutkmjfnccuratlh.com
Type: A
DNSbqmnspbphsg.com
Type: A
DNSfilcrwfxwtdmn.com
Type: A
DNSslvkqlmyrwh.com
Type: A
DNSnparibnvo.com
Type: A
DNSldevtwblghjgajw.com
Type: A
DNSdcgwwcnvnaalcrviddw.com
Type: A
DNSparvdvvipc.com
Type: A
DNSpogatjbrdndnlm.com
Type: A
DNSppmeeywimaeibyp.com
Type: A
DNSdadohbnoiu.com
Type: A
DNSaqmuiaddsxklxe.com
Type: A
DNSeuudrkwclwmaqchisn.com
Type: A
DNSjqiaedrhettmbknif.com
Type: A
DNSoeppqinhskhbiy.com
Type: A
DNSqwgkbbnilkuliegjpyv.com
Type: A
DNSxffrllsxdeualrdfs.com
Type: A
DNSjlxxsxpdiatjebvatqs.com
Type: A
DNScmbocnufjwedynauvf.com
Type: A
DNSnuhqtdvrwwk.com
Type: A
DNSubdrwmcxmsgtxtx.com
Type: A
DNSnomjbffrclygo.com
Type: A
DNScafmlrotpxh.com
Type: A
DNSlbantkjo.com
Type: A
DNScqrpvccjaqpvfiosqek.com
Type: A
DNSifuxxcqfvmueks.com
Type: A
DNSkjhsnywvufccay.com
Type: A
DNSunhcyfuglpsrmnh.com
Type: A
DNSoppfwtygeahskm.com
Type: A
DNSngmtinmsgwx.com
Type: A
DNSiplhvgnqcnbyhwxsdn.com
Type: A
DNSwmwluhjmchdlylshccm.com
Type: A
DNSrxkrvqsnlgobkn.com
Type: A
DNSjmvymnksibdgmd.com
Type: A
DNSpcrtbwmrnotxtpnf.com
Type: A
DNSopncxvfc.com
Type: A
DNSwdasxkprruclcbxev.com
Type: A
DNSylmbqgaeya.com
Type: A
DNSskikrapnsqe.com
Type: A
DNStorolvfw.com
Type: A
DNSjpxxebircyyjhxgfe.com
Type: A
DNSlgnolyowelloqvoapja.com
Type: A
DNSjqafpkahjy.com
Type: A
DNSqsmjjnpxs.com
Type: A
DNSjdvtivimckmliwg.com
Type: A
DNSljsfpgxdwkng.com
Type: A
DNStrqaolysgaw.com
Type: A
DNSywfdrgsgdcotai.com
Type: A
DNSgdohpxeqhmsp.com
Type: A
DNSfqqlcsfvxeqvhwurneo.com
Type: A
DNSoefertnpiw.com
Type: A
DNShyvhgsfjrxm.com
Type: A
DNSrgdrgejio.com
Type: A
DNSkwnpeybys.com
Type: A
DNSvsskvvgn.com
Type: A
DNServlnaswjoaljqn.com
Type: A
DNSbjetagymxvdhgfqit.com
Type: A
DNSsuvucdluweptmhlxyhq.com
Type: A
DNSgimmgckpl.com
Type: A
DNSgobfuafamwpp.com
Type: A
DNSxlhiwperrtyv.com
Type: A
DNSkxduhbaqhnoxhew.com
Type: A
DNSeyfsdqtidnsfoqvl.com
Type: A
DNSibudkotvubjmwdp.com
Type: A
DNScwfktodbrv.com
Type: A
DNSfjrmpsghky.com
Type: A
DNSikaslhxnntips.com
Type: A
DNSrpbqkufmcvvkhrgp.com
Type: A
DNSjifomwhvmxj.com
Type: A
DNSaxobrxdyeyn.com
Type: A
DNScrhgaxsejh.com
Type: A
DNSgmanknqqplaklr.com
Type: A
DNSxagqmdnhphspw.com
Type: A
DNSmgmihqybl.com
Type: A
DNStuwgghifpyrc.com
Type: A
DNSvsynhfxghhmpcc.com
Type: A
DNSntumvowecupvyu.com
Type: A
DNSpigysyahadq.com
Type: A
DNSnxktgmijiweu.com
Type: A
DNSlrbqcxlxdyryuify.com
Type: A
DNSwpimtxbybqcqmyqbl.com
Type: A
DNSuonowgioxcrla.com
Type: A
DNSrqirwappmlbg.com
Type: A
DNSjrxradmjkjdivjco.com
Type: A
DNShghipyrq.com
Type: A
DNSulijexamcnlo.com
Type: A
DNSgukmqbclj.com
Type: A
DNSkijwoqgwjdhew.com
Type: A
DNSnjldhchogvyhjoy.com
Type: A
DNSmwcbtjqskbl.com
Type: A
DNSyssdpxfgsybxkf.com
Type: A
DNShiifwfamuwhhb.com
Type: A
DNSrhuhjcyaaknox.com
Type: A
DNSlmshsifkguc.com
Type: A
DNSmyvqujcl.com
Type: A
DNSuitctlnfgvexm.com
Type: A
DNSrxqptadfied.com
Type: A
DNSronlbmed.com
Type: A
DNSpsdfvjew.com
Type: A
DNSeaqanswyomvtkksj.com
Type: A
DNSjyxqsfskeyr.com
Type: A
DNSqlweutyvdlqth.com
Type: A
DNSuublwuyhygyetfyk.com
Type: A
DNSjkptcrsnliqcplhhb.com
Type: A
DNSlgexottqjbd.com
Type: A
DNSlbcffsokirnhlif.com
Type: A
DNSmlcymdthipoh.com
Type: A
Flows TCP192.168.1.1:1045 ➝ 74.125.229.233:80
Flows TCP192.168.1.1:1047 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1046 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1048 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1044 ➝ 208.73.211.237:443
Flows TCP192.168.1.1:1049 ➝ 208.73.211.174:443
Flows TCP192.168.1.1:1050 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1051 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1052 ➝ 80.89.130.2:443
Flows TCP192.168.1.1:1053 ➝ 178.79.190.156:443
Flows TCP192.168.1.1:1054 ➝ 94.126.178.29:443
Flows TCP192.168.1.1:1055 ➝ 94.126.178.29:443
Flows TCP192.168.1.1:1056 ➝ 109.236.85.191:443
Flows TCP192.168.1.1:1057 ➝ 178.79.190.156:443
Flows TCP192.168.1.1:1058 ➝ 93.170.79.102:443
Flows TCP192.168.1.1:1059 ➝ 94.126.178.29:443
Flows TCP192.168.1.1:1060 ➝ 208.73.211.179:443
Flows TCP192.168.1.1:1061 ➝ 141.8.225.80:443


Strings
v.
.2.
.
.
.u
:...
.s2..R.
.
&About Task Manager
&AboveNormal
&Always on Top
&Always On Top
Apple
Banana
&BelowNormal
&Bring To Front
Cancel
&Cascade
&Client Name
&Close
Connect Password Required
&CPU History
Create an &Explorer on the new desktop
Create New Desktop
Ctrl
&Debug
Desktop:
&Details
&End Process
End Process &Tree
&End Task
Enter the name that will identify the new desktop.
Enter the selected User's password:
E&xit Task Manager
&File
&Go To Process
&Help
&Hide When Minimized
&High
Hot key
Lar&ge Icons
&Low
Ma&ximize
Me&ssage:
&Message title:
&Minimize
&Minimize On Use
MS Shell Dlg
&New Task...
&New Task (Run...)
&New Task (Run..)
New Task (&Run...)
No Active Network Adapters Found.
&Normal
&One Graph, All CPUs
One Graph &Per CPU
&Options
&Paused
Peach
Pear
Please wait while Terminal Services establishes the remote control session...
Processes
&Realtime
&Refresh Now
Remote Control
&Restore
&Select Columns...
Select Columns
Select the columns that will appear on the Users page of the Task Manager.
Send Message
S&ession
Set &Affinity...
Set &Priority
Shift
&Show 16-bit tasks
&Show Kernel Times
&Show processes from all users
Sh&ut Down
S&mall Icons
&Status
&Switch To
SysListView32
SysTabControl32
Tab1
Task Manager &Help Topics
Tasks
Tile &Horizontally
Tile &Vertically
To end a remote control session, press this key on the numeric keypad, plus the keys selected below:
To end a remote control session, press this key, plus the keys selected below:
Totals
&Update Speed
&User Name
&View
&Windows
??><>>
????????
.*') %+
'#'''+
0C9M7?
1GS] Q]amy
26<DHP
~!~2~8~
3>>'1>>
)'$33^
3B3BCM
3=,d|nW
3>>{k`
3OW/W\_
@4>>!:>>
4,A*T@
>:5>>>,>4
><>>>>>>>>>5>5 
65#UqE'
>>=6pI
79>>?9>>iv
>>8&>>%
/!]8$)
8>514>3
8E[*D\
8kJqH?
 ".8: Q] >DJLX] Q]\bjt|Q] Q
8r9b:Bne
8>rOrkror
8w^Kw$
>>96>=72>=5/>=3+>=1(><0%><.!>>
*9u&f##D
A=3JD]
??????????????A?B???_??
-AB6*i
afIUC5
A<{>I{b
?A@J@HKm+
Akgc_[
aVM"]TN0ZRJ1`QJ+kZM!zcS
[AWg'Tg
A{'}x<
B7lx6^
B8zXrW
B@DPj>
(Bf>;W
_B?g???O???_???@?_?????
BK'ZK^Z4X_
BNw?a?
B*qMAru
B?S???????????
ByQKGD
-BZTr?qP
C????????????????????????@?3@??
+C7[BqF
C_9jaW
CCo*AC
=CEFC?W
cI1;hA
Cj0Bh2
CloseHandle
c_'p#G
C??????????????????????????p\O
CreateFileA
CreateFontIndirectExA
CreateHalftonePalette
CreateMetaFileA
CreatePatternBrush
CreatePolyPolygonRgn
CreateScalableFontResourceW
C'Tc#!
cUE1Dpe 
_^[]`d
$D7,LKkOK
DeviceCapabilitiesExA
&dF7;=7ZX
@D?K"&
d'mJz=l
DXeY*U
E~2s84s
}E~d~|~
eG|;{+
EngCreateDeviceBitmap
EngMultiByteToWideChar
EngReleaseSemaphore
EnumFontFamiliesExA
e|oz2,
-E] Q]Wmy
'Ewt!	
ExitProcess
ExtCreatePen
E(xx]2
:F9+}Sk
fb#CC{@K@1@pAFOQk
FindFirstChangeNotificationA
FindResourceA
FloodFill
^F`qev
FsWindow
Gdi32.dll
GDI32.dll
GdiCleanCacheDC
GdiCreateLocalEnhMetaFile
GetCharABCWidthsFloatW
GetDesktopWindow
GetDeviceGammaRamp
GetDlgCtrlID
GetFileSize
GetGlyphOutlineW
:GetLastError
GetModuleFileNameA
GetModuleHandleA
GetParent
GetProcAddress
GetProcessHandleCount
GetWindowRect
G#G'+/
G'@gIG
GG#OSG
GlobalAlloc
GlobalMemoryStatusEx
GoJWRG?
GS $<$
GU@_:t
GWE[Icc
-H3VTb
??????????????@?HC??
HC:g@?G
@h$p<p
h\R']:
H#URz(
'h:USj
HwjI&?
./Hz+3
iAUA3N
.idata
IDRORQ
[i^Rg9
IsDebuggerPresent
iUCg>u
j5i/8,]
`JHCw}
jIA_`G
j.O !i"
JXLV2*
{K6_?(
_KB=@*
Kernel32.dll
:kF%KQ
KF;qD"
KK2OYOQ
K;"u@tf
%k=W1%
L.6^<IS
+>,__lA
L?A?U_
!LLIHB
LoadLibrary
LoadLibraryA
LoadResource
#lOGE8D33.
lTwh"~gJ
lX7O$7Md
lX@JWB
LZ@Xm4
m&;7oG
?@MAOb
M>>>{=>>B#i
MessageBoxA
&MF5zr7
-mP*BJ
m@+:szl
n>~{m>*
N+SKVN
>>n>>>zO1
=>>o7>>
obwJaF
<;<OF4
_ogo|o
o>>>>Jojopo~o
??oK'j
oqqztn
oSo>D!
oxES1V
pKg\[qOG
pO5A3i'
>>>>p#pgq
pUPpwp
Q'1V||sA
q6qPr\rmrvr
] Q])7GWc
Q8b7BI
Q:b9BB
] Q]-EUco
qK7r:#
Qlv7M`J@D1
{Q] M6m]SE= Q] 3#
#Q] Q7GWg
q Q] cI3
qqqq#'+/xqqq37;?
Qs\EfZ
QTSPtg
qX/OKZ
QzAN{B`
$'RcG(mY
`.rdata
ReadFile
R] GWg)P
+R[hI@PKOFO
rHsmszs
r[Mv????]XS`
R{N'Z0
r#r-r4risws
r"r+rQs
rV"jA/t##
S5>>Xg
SEoWo^oco=P
SetEndOfFilt
sIt\>>>>tlt
s>jHHj3
SVWRPR
}SzBkN
_^t>>> 
'T9RAm'
tCE~vK
_-T`&E
# T%Gu
!This program cannot be run in DOS mode.
TJ3N;Uq?
t,t5tFu\uvu
TTDLQ?
t)tJu{u
ty_b;7"
u.8hEA
U;9u[^	3
uao4GaD,
'Ua:&y
UfK}g@
U:@j`'
UK3DfO
>Uq2>(
User32.dll
u	u:un4>>
,[*uZE
@%-V:\
VirtualProtect
>'_?vS
v v;vLwgwxw
??????????????@?@???w??
'W8X8['
#Wa@[FQ
wBHXiO
_W@CBu
*WiX'WJ
w"w-w2w;wFx>>>>KxTx_x
wwwpwwww
wwwwwwp
wwwwwwpw
wwwwwwpwpwwp
wwwwwwwpwwwwwwwwww
wwwwwwwwwwwwwwwwwwwpwwp
wwwwwwwwwwwwwwwwwwwwwwpwwp
wwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwww(
wwwwwwwwwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwx
<W)_yy
\}"WzM
x4xQy]Hy
X6Qt<TU
_x*JGV
X}Qj'rB,
xS2>>F
X'Tr(oR
>xxwlqooxa
x,xZyzy
y[DJM|3
YQ?jQLS
yRLq'7
Ys6{;pz
>>>>y(y1ygz
YY%	sFth
y y&>>>>y3yAzGzUz^zxz
Z9'@cM
ZA7'v7x8
zB>>>>{
zGmGF&
&zG{+tY
zKv4*D
>ztl>#
z#zN{y{