Analysis Date: 2015-12-07 22:39:28
MD5: 63f2b8413113a25e69d434f178d2c00a
SHA1: dd937b1e8f6b55eb7b3a11b0ea0f83963801f67a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 18b6ba7a4b8cd4200a08a662e1566f56 sha1: 100e2883648801258f8c8ac680c861ec4212fd8b size: 200704
Section .mdata md5: 2c64cfca72a7bdaf40c3b17bfb494170 sha1: d6131038c15f573f7f36bd680240484318b01502 size: 31232
Section .rdata md5: e1d7e761b655d1d0c57a9b0175e2629d sha1: f5679fa44fa638eb8c5cdadee4ec73bca1365b5a size: 96768
Section .data md5: 34afd533711f6806bf8fa0405f7dfe6b sha1: 43c2286412e44cd6bb1209d176853e7d60bc2cf3 size: 198656
Section .rsrc md5: e4c098ae1268cc599a73356371ef3f5c sha1: 24e6a2c632067991b8a2e291bf2b1603479ec28b size: 30208
Section .reloc md5: 3deba96b8a52ca9a5f06e897748c47be sha1: ce2b97e0af592b062feecc6da64e25eb42e1db44 size: 20992
Timestamp: 2015-12-07 06:14:40
Version info (fields are self-declared in the file's version resource):
LegalCopyright: (C) Copyright Intel(R) Corporation
InternalName: iclsPrody
FileVersion: 1.27.798.1 sys_sysscbld
CompanyName: Intel(R) Corporation
Build Time: 2013-02-13 12:24:31
ProductName: Intel(R) Capability Licensing Service Proxy Library
ProductVersion: 1,27,798,1
FileDescription: Intel(R) Capability Licensing Service Proxy Library
Build Name: 1.27.798.1 sys_sysscbld
OriginalFilename: iclsProxy.dll
PEhash: a9ac6a65b325dd9f389c1c41eaaef727df084d97
IMPhash: eea2bf50f7a1fd78bed2ff5869f1fdb4
AV: Ad-Aware Command-Line — No Virus
AV: ArcaVir Antivirus — No Virus
AV: Avast! Antivirus — No Virus
AV: AVG AntiVirus — No Virus
AV: Avira Antivirus — No Virus
AV: Bitdefender Command-Line — No Virus
AV: BullGuard Antivirus — No Virus
AV: ClamWin Antivirus — No Virus
AV: Command Anti-Malware — No Virus
AV: Dr. Web Anti-virus — No Virus
AV: Emsisoft Command-Line Scanner — No Virus
AV: eScan Anti-Virus — No Virus
AV: ESET NOD32 Antivirus — No Virus
AV: Fortinet Command-Line Scanner — No Virus
AV: F-PROT Antivirus — No Virus
AV: F-Secure Anti-Virus — No Virus
AV: Ikarus Command-Line Scanner — No Virus
AV: K7 Anti-Virus — No Virus
AV: Kaspersky Anti-Virus — No Virus
AV: MalwareBytes Anti-Malware — No Virus
AV: McAfee Command-Line Scanner — No Virus
AV: Microsoft Security Essentials — No Virus
AV: Quick Heal AntiVirus — No Virus
AV: Rising Command-Line Scanner — No Virus
AV: Symantec Command-Line Scanner — No Virus
AV: Total Defense Internet Security Suite — No Virus
AV: Trend Micro System Cleaner — No Virus
AV: Twister Antivirus — No Virus
AV: VirusBlokAda Console Scanner — No Virus
AV: Zillya! Antivirus — No Virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\gkp\byi.ftg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\geh.tlq
Creates Process: -jw knzkfia.dll
Creates Mutex: Local\{1B26CF72-BABC-A299-EA28-5B587603CFDA}
Creates Mutex: Global\{486EC977-05FF-BCF2-7AE3-75B76A558603}
Creates Mutex: Global\{FAEB6751-B883-AF29-76A7-81AEEB1DFAB7}
Creates Mutex: Global\{965DB044-9A0B-71A9-7D09-7C3585B53A72}
Creates Mutex: Global\{8D11BFC7-4C19-36F5-6C09-4741FDCE4F6A}

Process
↳ -jw knzkfia.dll

Creates File: PIPE\lsarpc
Creates Mutex: Global\{24BAF5C4-F1F7-F9AB-3B6D-EFE555BE0295}
Creates Mutex: Global\{5A1FBA8D-F1FA-4111-0842-F89BE66C8C9C}
Creates Mutex: Global\{E8313337-52C9-476C-9316-D1B0D75EE8ED}

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Process
↳ Pid 616

Process
↳ Pid 628

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝
192.168.254.254\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝
192.168.254.254\\x00
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-4498AFF5.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: Global\{24BAF5C4-F1F7-F9AB-3B6D-EFE555BE0295}

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝
NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝
NULL
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\{24BAF5C4-F1F7-F9AB-3B6D-EFE555BE0295}
Creates Mutex: Global\{486EC977-05FF-BCF2-7AE3-75B76A558603}
Creates Mutex: Global\{FAEB6751-B883-AF29-76A7-81AEEB1DFAB7}
Creates Mutex: Global\{70C15798-914B-5492-38FA-F90BF2AE287C}
Creates Mutex: Global\{965DB044-9A0B-71A9-7D09-7C3585B53A72}
Creates Mutex: Global\{5A1FBA8D-F1FA-4111-0842-F89BE66C8C9C}
Creates Mutex: Global\{E8313337-52C9-476C-9316-D1B0D75EE8ED}
Creates Mutex: Global\{8D11BFC7-4C19-36F5-6C09-4741FDCE4F6A}

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: Global\{24BAF5C4-F1F7-F9AB-3B6D-EFE555BE0295}

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 1508

Network Details:

DNS: google.com
Type: A
216.58.219.174
DNS: qycprsv.pw
Type: A
DNS: atjuh.com
Type: A
DNS: zfdwddzak.in
Type: A
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.8.8:53


Strings
1.H
e[..a.
..6
..9...
L
.h.
u
y
h
 .
.
E.
.=..t
.t.......
.E..L.]
..
.b
@.k.
`b
..
.
.W
a..
=
.
.
.
0r..
.d
..
...
N
..
@ @@@`@
00:00:00
040904e4
0 MB
0x67d03051
100%
100 KB/s
1,27,798,1
1.27.798.1 sys_sysscbld
2013-02-13 12:24:31
5Update operations are not supported for this archive.
Add and replace files
Add to Archive
	All Files
&Archive:
Archive &format:
Are you sure you want to split archive into such volumes?
Ask before overwrite
Auto rename
A&uto Rename
Auto rename existing files
&Background
Benchmark
Browse
Build Name
Build Time
Cancel
&Cancel
Cannot create folder '{0}'
"Can not open file '{0}' as archive5Can not open encrypted archive '{0}'. Wrong password?8The system cannot allocate the required amount of memory
Can not open output file '{0}'.
(C) Copyright Intel(R) Corporation
&Close
CompanyName
Compressed size:
Compressed size:	Archives:
Compressing
Compression &level:
Compression &method:
Compression ratio:
Compress shared files
Confirm File Replace
CPU Usage
Create SF&X archive
Current
Current pathnames
Decompressing
Destination folder already contains processed file.
&Dictionary size:
Elapsed time:
Encrypt file &names
Encryption
&Encryption method:
&Enter password:
Enter password
Enter password:
Errors:
Extract
Extracting
E&xtract to:
Fast
Fastest
FileDescription
File is not supported archive.$CRC failed in '{0}'. File is broken.#Data error in '{0}'. File is broken)Unsupported compression method for '{0}'.3CRC failed in encrypted file '{0}'. Wrong password?3Data error in encrypted file '{0}'. Wrong password?'Specify a location for extracted files.
Files:
FileVersion
Folders:
&Foreground	&Continue Are you sure you want to cancel?
Freshen existing files
Full pathnames
Help
&Help
iclsPrody
iclsProxy.dll
Incorrect volume size
Intel(R) Capability Licensing Service Proxy Library
Intel(R) Corporation
InternalName
LegalCopyright
List1
Maximum
Memory usage:
Memory usage for Compressing:
Memory usage for Decompressing:
Message
modified on	{0} bytes
msctls_progress32
MS Shell Dlg
	Non-solid
No pathnames
Normal
No to A&ll
&Number of CPU threads:
Options
OriginalFilename
Overwrite mode:
Overwrite without prompt
&Parameters:
Passes:
Password
Password is too long
Passwords do not match
Path mode:
&Pause
Paused
pQXP
Processed:
ProductName
ProductVersion
Progress
Progress1
p<XP
p'XP
Rating
Rating / Usage
Reenter password:
Remaining time:
&Restart
Resulting
&Show password
Show Password
Size:
Skip existing files
Solid
&Solid Block size:
Speed
Speed:
Split to &volumes, bytes:
&Stop
Store
StringFileInfo
Synchronize files[Specified volume size: {0} bytes.
SysListView32
Testing
There are no errors
Total Rating
Total size:
Translation
Ultra
Unknown Error
Unsupported archive type
Update and add files
&Update mode:
UUse only English letters, numbers and special characters (!, #, $, ...) for password.
VarFileInfo
VS_VERSION_INFO
with this one?
&Word size:
Would you like to replace the existing file
&Yes
Yes to &All
,}$"| 
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
0"0&0*0.02060:0>0B0F0J0N0R0V0Z0^0b0f0j0n0r0v0z0~0
0#0'0+0/03070;0?0C0G0K0O0S0W0[0_0c0g0k0o0s0w0{0
0;0B0p0
0<1EB!
}0 ^1hB
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
09NEW 
09"W]0
0aB7j1t
0D%]  
0ERBE 
0gCh&@1
0G>WB@
0h8DjP
0hm #/L~
0mhEu1
_@<0oW
!	;%0U
0un# {E@
	1<(&0
10h $"
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
1"1&1*1.12161:1>1B1F1J1N1R1V1Z1^1b1f1j1n1r1v1z1~1
1#1'1+1/13171;1?1C1G1K1O1S1W1[1_1c1g1k1o1s1w1{1
1an	$#
'1%a U
1DHUuW2
1H`! ;
1ISK`>E
1= Ku.u hhH
1nRH^kg
1$SYgDo
1|thMP
:1{U0 :
1ua^FFB
1Y$0_S
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v2z2~2
2#2'2+2/23272;2?2C2G2K2O2S2W2[2_2c2g2k2o2s2w2{2
2%2+242=2
<"<&<*<.<2<6<:<><B<F<J<N<R<V<Z<^<b<f<j<n<r<v<z<~<
="=&=*=.=2=6=:=>=B=F=J=N=R=V=Z=^=b=f=j=n=r=v=z=~=
>">&>*>.>2>6>:>>>B>F>J>N>R>V>Z>^>b>f>j>n>r>v>z>~>
;";&;*;.;2;6;:;>;B;F;J;N;R;V;Z;^;b;f;j;n;r;v;z;~;
:":&:*:.:2:6:::>:B:F:J:N:R:V:Z:^:b:f:j:n:r:v:z:~:
?"?&?*?.?2?6?:?>?B?F?J?N?R?V?Z?^?b?f?j?n?r?v?z?~?
;";&;*;.;2;6;:;>;G;T;b;l;v;
2c`{q2
2d!)X(
2LuHQPP
2R!f`0
2X!k }
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
3#3'3+3/33373;3?3C3G3K3O3S3W3[3_3c3g3k3o3s3w3{3
3$3L3T3Z3f3
<#<'<+</<3<7<;<?<C<G<K<O<S<W<[<_<c<g<k<o<s<w<{<
=#='=+=/=3=7=;=?=C=G=K=O=S=W=[=_=c=g=k=o=s=w={=
>#>'>+>/>3>7>;>?>C>G>K>O>S>W>[>_>c>g>k>o>s>w>{>
;#;';+;/;3;7;;;?;C;G;K;O;S;W;[;_;c;g;k;o;s;w;{;
:#:':+:/:3:7:;:?:C:G:K:O:S:W:[:_:c:g:k:o:s:w:{:
?#?'?+?/?3?7?;???C?G?K?O?S?W?[?_?c?g?k?o?s?w?{?
38Meh2E+
3!$Dh0
3_G a`E
3"*u@p
414A4H4V4
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
4"4&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4
4#4'4+4/43474;4?4C4G4K4O4S4W4[4_4c4g4k4o4s4w4{4
4D1h	u
4Dge`B-
4KN$8^	
4LP1B*
]$4}^R
4um=Qh
>4u!"Ru'(`P^
4;[V'D
=4:w~^
.4x5d!
4Z%; L
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
5"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5
5#5'5+5/53575;5?5C5G5K5O5S5W5[5_5c5g5k5o5s5w5{5
5b1<hD
)!.5e 
5LtC0$V@PS
5}]MSj
"5qIP(
^5TUp[
5TvH2H
60`ft|
}}61  
646L6c6z6
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
6"6&6*6.62666:6>6B6F6J6N6R6V6Z6^6b6f6j6n6r6v6z6~6
6#6'6+6/63676;6?6C6G6K6O6S6W6[6_6c6g6k6o6s6w6{6
6h>	pL
&7|3:du
7.3sRwhR
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
7"7&7*7.72767:7>7B7F7J7N7R7V7Z7^7b7f7j7n7r7v7z7~7
7#7'7+7/73777;7?7C7G7K7O7S7W7[7_7c7g7k7o7s7w7{7
7!7(7)7-7.72727272737676777=7E7F7H7N7Q7S7Z7[7`7g7p7r7s7{7
7#h@@f_N
7HpEV2L
`7JRHF
@\7-_m;
8 1	]^
81epS(
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
8"8&8*8.82868:8>8B8F8J8N8R8V8Z8^8b8f8j8n8r8v8z8~8
8#8'8+8/83878;8?8C8G8K8O8S8W8[8_8c8g8k8o8s8w8{8
:8a)tL
8E1a%5
8h`bR!
8K(YPR
@#8lb5er
@8 |QH
8R6)EnW*
8uHG2I
8#`Z] 6
92v<#,7
94hB:GD
9"9&9*9.92969:9>9B9F9J9N9R9V9Z9^9b9f9j9n9r9v9z9~9
9#9'9+9/93979;9?9C9G9K9O9S9W9[9_9c9g9k9o9s9w9{9
~`9Em	
^9Eo1U
^9e)qEd
!9Fa^!E
9'hudE{
}9N5!2n
9N@p	2
9(Q!1P
9_;T@[
%*9W['
([(|A,
a @21 3
*{a29}plW
a5yn-%
a8LPEE
a9HJr8
aA^?gLq
AAt&K;G
(aA!Up
aBLAWr'
ABp1u8
AC9@hl
ACH@uloPI 
A `D 7n
A,D9|'K
_adjust_fdiv
ADVAPI32.dll
A.E!H{
 A&f'1
aFb]hfw g
!ahCL*]
Ahj]EW7
Aj>tG}
A@}Kxh80
Al\]D'
AllocateAndInitializeSid
!aNd$\
aoB)k`=
aQ0HtS!Uh
AreFileApisANSI
~~aS0M
aS$udx	@
!Ats .)
au$ErUOS
=AujC=H
@au:st
aXj^EH
AXRP"*
Ba;@@7
Ba e_E*
`)>bAHZ 
BBBWE~
Bd<r1U
$BE@DW
b	E=Uh@
Bh3HE*
`BHmE]bhV
 B^hMhca
b?LO&(
b!m<		
BNP92E
Bn?q.Lm
B<_!T1
B]."+u
BuHAE1
bUh:BE
:BV ?z
.bW!|Da
B;YSRk
C} 4SSP
@C~9  
,@ c9h
CancelIo
]cBIF~d
 c_&E$
cL5_R<+&-
CL^dLz
ClientToScreen
CloseHandle
-}c`o-
CombineRgn
_controlfp
c+P`XE
CreateCompatibleDC
CreateFontIndirectW
CryptHashData
CryptReleaseContext
)Cth`[2
&cu'jI
$c$vW`
@<d1 =
;da1@u
@.data
d`Dj,u
d,hHUu
d"H}u_
DLH$A3
__dllonexit
D@Lqa0ua
D.l)U8~Q
Dm4" }
DM9Xh]
D[+pK_
DQ(P YfE
DrawIconEx
d(T h`
DtKi\E9
`dTlh7
DW),(8
"=D}\wQ
}E0$$ 
e05pA\
-E1h5m
E1*-x}v
%E29G)
E3cz|A
e[4 Hj
e9 PupH
!	EadI
<E>A;{v
EbeMuR
E|b	j_
`ED`Sz
+EEoUP
EEw'M_
*+Eh4Le
E'HhA0 
]eH*hu
E@>!J9
$eK4@9F
Ek> hyP.KLUb
EL^\2_
E	:L2Vu
E(lo0P
E 	}M!
EM1@PA
EM^`Dv
EOI}+_
"E(P)$>
E,PHN<
E-ph?oE
EPR<EF
EQ (^ 
)E	r^E
~|Et1	
Et B:6
ETO6R$
)e%U%}
$E}(Vc
[ewPW4K
EX(!@`@
E}X#AU:
_except_handler3
ExtCreateRegion
;EY@IQ
eY Y`B
F3Eq9G=&9
f`40zK
f4huYh
; Fc 3
ffffff
fffffff
^fffffff^
fffffff]
ffffffff
fffffffff
ffffffffff
fffffffffff
fffffffffffff
ffffffffffffff
ffffffffffffffff
fhhxJ^i
fhtW[B!
FIDPX$
_findclose
f-kEBE!
`fKvA}qqU
F!L@5h
FqJY`}
FreeLibrary
FreeSid
f-Rich
%f@s/h
$F=WU$
GDI32.dll
/g+e P
gE~QF(u3
GetACP
GetClientRect
GetConsoleFontSize
GetConsoleOutputCP
GetConsoleWindow
GetCurrentProcess
GetCursorPos
GetEnvironmentVariableW
GetForegroundWindow
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStartupInfoW
GetSystemMetrics
GetTickCount
GetTopWindow
GetWindowDC
GetWindowRect
Gf&Aap
G@HOEE
GlobalAlloc
~G!^@u 
GV8o>)
H09y$BWh6
h0I[K4
H]0lh ?
h0&S]8
h[@0|t]
H1h&c[V
h1hzjE
h*;22 
h2j?4>
`h31U=6
%H}69W
h6AN_N
h6{*HE
'$} H7
h7u<E)`u
h7~;`Y
:h(8V|
`h9"AU
@h9M@E
>H*A* 
!H$(A6
]Ha$h'*
hbx)hS
HdBRmxN0}
 #h/dD
	h E|)	
`hE1(u
hE@@=E
h^:}EiH>
hEnhEt
hE R1}
her/uG
HESLhMY
!.h F;
H(F[F Ed
*hGdkd
|HGJl0S
hh0k"u
h=h2$A
\h&H4n
HH	Eue
	'	H(HP"
hi{@DH
?]h-jeI
HJH%ph0
~hjUmF
@h.kmG(
h>`kV<,
HM9vL}
@hMRhCH
h;pHI<
hPXE5!
hQ[fky
h@RLCV6
HSVW!E
&[@]hT
h^TM[0`
Htuh'E
huBuzH1h
HUFK#h
"h uR#
hUrLhKE
HUXu8?
HVEuHzA)
HWH0(u
h ym`@
=H=Z=n={=
`I`0!(
I2S5QU  
!I $,C
Icu0`y
iHI|mwC
!IM@`C)7
_initterm
InterlockedExchange
InvalidateRect
I_PE$P
IqC$u$Bu
IQ#qoK
IRfp|A
iruu/h
isalpha
IsDebuggerPresent
IsTextUnicode
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
IyHSDH
j6qXA}R
JA|>P`
jAU@A(
Jbg6`	'
JE}/Ej
jE-xP2
jGA pO
JhEb~X
jHQqXt
JiD;CsJ>=V90EULH%. 
jlh;HXU
 JLV>#}d
jnDhfh|3Aa
JpM-wY;!~$
JSQ5!|
$ ([K@
.`K8Q_L:_9+
KERNEL32.dll
,)k	)H
K  <HIN
KMZB,dp,
k#N8MR
kp:\xU
kzmpb6
L07NkF
""L1u6
L6>ahC
L}716D
LheHA@A
^L]H.o9
lIq{}M
Lj!J$z1
~?LK0E
LKp@hu
LoadImageW
LoadLibraryA
LocalAlloc
 Lqg=I
lstrcmpiW
lstrcmpW
lstrlenW
 -"l$u
L_\uuH
L`-$Uwu
Lx-hHBSqHr$
M0}0 C%
M0E*2#
MA@D[L
+mBD]R
Mbqhcy
`.mdata
!M_(E9
M+h	]@
 M@HEB
MHr3 i
@Mquey
M@s`EE9tW
msvcrt.dll
(m&SVL
M(`T%		
m`,U(*
$M UKj
$mUPJP"
M#uW_y
	@M@vH
mWdzvE
MW@PT^R
/M.WS7
m^WtQ9D>
@MYtV*
$^@Mzf
N 0]h?*@@
N6$Out
NfLv'O
nh.Cc}
n#h g%
n]HW}_u
nK) [-^}
#="N^m
	.NmHM
nSW~Q8
$())O^
O*5PPc
oj^((A
oLP%ht
OMPU^E
	O|mqh
_onexit
O=@/@S
o@"\ x
P$0EBE
p( 1IB
P3@@kS
p5HtoDw
PAALA6
$PAGavK
PahwHb
PathFindExtensionA
PathFindFileNameA
PathIsUNCA
PathRemoveFileSpecW
PathStripToRootA
Pb1%08
!P?BD0
__p__commode
Pd/} U
P$E%Bi
peHP=@
^P(f00
__p__fmode
)PH5M}
p>?HLr"
 ~P hT
PIEp$Q
:pLEc[
PmLk@B
PmM`B9
P`]p[^
P$% S2
P\#]`t
PtInRect
pTSVP+
pu!3h+TF
pU;*E@aL7
%pUuhE`
pVsD!}L
PwA1QZ
PWaHA]
>PW;e\
P!Wu-H
	^p[`x
py|p_O
"|`%'q
^Q9VA>
Qa`h	E
qA<^I3
QCu6%K
qDNDWE
qE%d0E
q&E$LS
qh@9i 
Q"M'O&
[qpE)W']}
Q%PHh3euPb}
qtj/?[
Q}u<`Dr}
Qu uXa
 = qy	
<r- %	
r>&9!AX
RaiseException
raTE ;
`.rdata
~}`RDqQ]r
RegCloseKey
RegCreateKeyExA
RegDeleteKeyW
RegDeleteValueA
RegDeleteValueW
RegEnumKeyW
RegEnumValueA
RegEnumValueW
RegOpenCurrentUser
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
RegSetValueExW
@.reloc
"RE#uj
rHhmEw
RhM1Lj
RVh@OX
rv`n_d
Rx%Q+?J
S0uuH}@
S2L	IW
S2~qF*[
S !@	8E
S/BhNj
s,cjKgj
SelectObject
SendMessageW
__set_app_type
SetForegroundWindow
SetLayout
SetRect
__setusermatherr
SetWindowRgn
!s=FE+E
_@;S>h
ShJNpp
SHLWAPI.dll
sHU&HD
S]?&i`B(
:Skhd#E
SKS9Um
s)P0!`m
#SSO@o
/`SU*7a
S#u]h}
SUU" 6
^S+V`P
|:]S%YXf
T1ATpe
T8$^H0!xG0 yH0!z6!
=t9(nC
TeB 7`
\T#et9
 tfU:E
#@:]th
!This program cannot be run in DOS mode.
T"(lD_h
t@mhF1
tn`hMI
	|TNSD
t$SY	1
tViU,c
tXEht!
u0c+8i;
U0@h=J@
|`U0>m4
u2pGhPi[)
U2^pWH
|/U|/6
U}@!?7
UArEW2
uDM[}h
["	_UDp
#u)dU#X
u.$`}E
uE1 CE`kQ6
}UeBb<
uEhEu9
)}=UEj
#uEm0%
u@E UL&
UFE|EH
Ufffff
	Uffffff
U]^fffffffffff
&uhC(Y:
uhH@h~
Uhh~N:L3
UhhtC&
}u$h!xu
@U}~I[`
.uI1XE
U@# 'J
Um9mU}
uO3g/U
uO%m ME
,uo/R(
URE<&E
u=]rFxr
usEcP@
USER32.dll
u]S{H(V
U(tdf)
U`tYGC
|u)U!u
)U#v=0
uW<\gLQ
UWx/P(A&
uy8 #u
;UzX`,
UzxwFE_Y
V?]0, 
V 2X@2
V9Ci.n
	v/ew!
V}@G; KD
%V@@\H
VirtualProtectEx
vM1xEjM
Vp\]Ty
VY*Hha
w0$=y;1
W1]jx`
W1;}SC	
@W3^M1
w]4a5j
WA@KVC
(Wb#12
_wcmdln
WE|WS1}
__wgetmainargs
wh%F	a
WhqrgE
W+jz;DB
 WL1+HE
WLt VV
W\`)mi
W%N#_@P
_WRj`@
wsprintfW
WU Aa}
[%W@X/
@X_}\@
_XcptFilter
Xk[bhE
[xpmL0
}&XS=#
xt}[iWq
:Xt+xH
X@u1cp
 `?XUX
`xW=9%
xxFw9r
:	(>Y=
y01hXh
$Y0@ c
Y[98{h+wF
!	)y9H
Y#A [t)1
Y?`.$E
yExU`T)
`YoG]u
Y``uiC
['YUP).
YwzKr.
YXM1aDB
yY[huR
!Z54!M
ZA$8hL
zai E8S
^Z?:E)
	Z	IP1
zL:,Au 
ZuNjWM
"!Z]WYD