Analysis Date: 2015-05-11 12:37:06
MD5: 5fe330f3dd9acee910c1724a2cf3ae5d
SHA1: ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 706b900860d3af878c5a1e45ca71f3cd sha1: cb05113002b0babc3199872cf7eaabe29f4e24ab size: 496640
Section: .rdata md5: a14c06aaa7b384cadc555fc6182f6d51 sha1: 33618f61558fec2956b9bdc9f6137536a8c8ed87 size: 512
Section: .data md5: 14807528c4bd9584b35b590477e31689 sha1: 47edc7bb09f2911f4649b51638b8a1cc1e6b1eb7 size: 512
Section: .rsrc md5: 8a73e1749f3f6df0faccfbe0c2cd0c89 sha1: 65939daef7c22ea6dbe44c2325413e57d360eef6 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 032e6b41dafbb332b7b6d92218dffac1eb4b5d12
IMPhash: 204216eb9afad05841a8ebe66fa9e5a1
AV Ad-Aware: Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV Authentium: W32/S-7d685898!Eldorado
AV Avira (antivir): no_virus
AV BitDefender: Win32.Virlock.Gen.1
AV BullGuard: Win32.Virlock.Gen.1
AV CA (E-Trust Ino): Win32/Nabucur.C
AV CAT (quickheal): Error Scanning File
AV ClamAV: no_virus
AV Dr. Web: Win32.VirLock.10
AV Emsisoft: Win32.Virlock.Gen.1
AV Eset (nod32): Win32/Virlock.G virus
AV Fortinet: W32/Zegost.ATDB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Win32.Virlock.Gen.1
AV Grisoft (avg): Generic_r.EKW
AV Ikarus: Virus-Ransom.FileLocker
AV K7: Trojan ( 0040f9f31 )
AV Kaspersky: Virus.Win32.PolyRansom.b
AV MalwareBytes: Trojan.VirLock
AV Mcafee: W32/VirRansom.b
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: W32/VirRnsm-C
AV Symantec: no_virus
AV Trend Micro: PE_VIRLOCK.D
AV Twister: W32.PolyRansom.b.brnk.mg
AV VirusBlokAda (vba32): Virus.VirLock

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fcowUcMA.bat
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\FYgsQwIY.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\FYgsQwIY.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\fcowUcMA.bat" "C:\malware.exe""
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"

Creates Process: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\OeMsMYMU.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0
Creates File: PIPE\lsarpc
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\OeMsMYMU.bat
Creates Process: "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"

Creates Process: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Process
↳ "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"

Process
↳ "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"

Creates Process: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\nyEQQowY.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nyEQQowY.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TUQwcQwo.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nyEQQowY.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TUQwcQwo.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\nyEQQowY.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\isgcMcAM.bat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TQoIwgAE.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\isgcMcAM.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\TQoIwgAE.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\ca3fbb31cd88dfbdce33d7bcc3f53185617a23a0"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\TQoIwgAE.bat" "C:\malware.exe""

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\file.vbs
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TQoIwgAE.bat
Creates Process: cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates Mutex: \\xc3\\xb00@
Creates Mutex: \\xc3\\xb80@
Creates Mutex: \\x081@
Creates Mutex: nwYEEQIw0
Creates Mutex: \\xc3\\xa80@
Creates Mutex: rIwsEEEo0
Creates Mutex: ScUMMMcQ
Creates Mutex: vWcsggUA
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC0F4.tmp
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: \\xc3\\xb00@
Creates Mutex: \\xc3\\xb80@
Creates Mutex: \\x081@
Creates Mutex: nwYEEQIw0
Creates Mutex: \\xc3\\xa80@
Creates Mutex: rIwsEEEo0
Creates Mutex: ScUMMMcQ
Creates Mutex: vWcsggUA

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\fcowUcMA.bat" "C:\malware.exe""

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Process
↳ cscript C:\Documents and Settings\Administrator\Local Settings\Temp/file.vbs

Creates File: PIPE\lsarpc

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1156

Network Details:

DNS: google.com
Type: A
216.58.219.110
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.110:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.110:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings