Analysis Date: 2015-01-10 18:58:18
MD5: 91549f3687ee7004d6885491326aea2d
SHA1: 017ee8c6ff0e012f176d6253bd30ced5d2267196

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5 and SHA-1 of empty input, so they match any zero-length section and are not usable as indicators)
Section: UPX1 md5: 9f02a2a97c07c60db5b8cb4d0b8529ce sha1: fb6edfc585dd3f12109df380b7b26f77f1342b45 size: 466944
Section: .rsrc md5: 2fb8b704ea5250ec44b31bf3865578ce sha1: 8e3da9b90e965b43c7b3cbb1d3108b1c3a5b604c size: 52224
Timestamp: 2015-01-07 13:13:18
Packer: UPX -> www.upx.sourceforge.net
PEhash: e228de60f664305d1201cddb5399dac30c51745d
IMPhash: 8cb05a1fb4ecd09e61fea6e15deeecd0 (computed on the packed file, so it reflects the import table left by the packer, not that of the unpacked program)
AV: 360 Safe — no_virus
AV: Ad-Aware — Gen:Variant.Symmi.47468
AV: Alwil (avast) — Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir) — Gen:Variant.Symmi.47468
AV: Authentium — W32/OnlineGames.HI.gen!Eldorado
AV: Avira (antivir) — TR/Dldr.Agent.520192.16
AV: BullGuard — Gen:Variant.Symmi.47468
AV: CA (E-Trust Ino) — no_virus
AV: CAT (quickheal) — no_virus
AV: ClamAV — no_virus
AV: Dr. Web — no_virus
AV: Emsisoft — Gen:Variant.Symmi.47468
AV: Eset (nod32) — no_virus
AV: Fortinet — W32/Flyagent!tr
AV: Frisk (f-prot) — W32/OnlineGames.HI.gen!Eldorado
AV: F-Secure — Gen:Variant.Symmi.47468
AV: Grisoft (avg) — Win32/Heur
AV: Ikarus — Trojan.Win32.Pasta
AV: K7 — no_virus
AV: Kaspersky — HEUR:Downloader.Win32.AdLoad.heur
AV: MalwareBytes — no_virus
AV: Mcafee — Flyagent
AV: Microsoft Security Essentials — no_virus
AV: MicroWorld (escan) — Gen:Variant.Symmi.47468
AV: Rising — no_virus
AV: Sophos — no_virus
AV: Symantec — no_virus
AV: Trend Micro — no_virus
AV: VirusBlokAda (vba32) — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 360.hydspt.com.cn

Network Details:

DNS: 360.hydspt.com.cn
Type: A
123.57.37.211
DNS: aladdin.a.shifen.com
Type: A
123.125.114.102
DNS: open.baidu.com
Type: A (no address is listed for this name; the only flow to a second host, below, goes to 123.125.114.102, the address listed for aladdin.a.shifen.com)
HTTP GET: http://360.hydspt.com.cn/new/info.txt
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
HTTP GET: http://360.hydspt.com.cn/new/info.txt
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
HTTP GET: http://360.hydspt.com.cn/new/info.txt
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
HTTP GET: http://360.hydspt.com.cn/new/dxc.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://360.hydspt.com.cn/new/one.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://360.hydspt.com.cn/new/ip.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://open.baidu.com/special/time/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1032 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1033 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1034 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1035 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1036 ➝ 123.57.37.211:80
Flows TCP: 192.168.1.1:1037 ➝ 123.125.114.102:80

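Raw Pcap (every dump is printed through offset 0x121. In the fourth to seventh dumps the request ends at the blank line after "Cache-Control: no-cache"; the bytes after that point repeat earlier dumps at the same offsets, so they appear to be leftover buffer contents rather than data the sample sent.)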
0x00000000 (00000)   47455420 2f6e6577 2f696e66 6f2e7478   GET /new/info.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 52656665   t HTTP/1.1..Refe
0x00000020 (00032)   7265723a 20687474 703a2f2f 3336302e   rer: http://360.
0x00000030 (00048)   68796473 70742e63 6f6d2e63 6e2f6e65   hydspt.com.cn/ne
0x00000040 (00064)   772f696e 666f2e74 78740d0a 41636365   w/info.txt..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000060 (00096)   4c616e67 75616765 3a207a68 2d636e0d   Language: zh-cn.
0x00000070 (00112)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000080 (00128)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x00000090 (00144)   69626c65 3b204d53 49452039 2e303b20   ible; MSIE 9.0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6e6577 2f696e66 6f2e7478   GET /new/info.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 52656665   t HTTP/1.1..Refe
0x00000020 (00032)   7265723a 20687474 703a2f2f 3336302e   rer: http://360.
0x00000030 (00048)   68796473 70742e63 6f6d2e63 6e2f6e65   hydspt.com.cn/ne
0x00000040 (00064)   772f696e 666f2e74 78740d0a 41636365   w/info.txt..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000060 (00096)   4c616e67 75616765 3a207a68 2d636e0d   Language: zh-cn.
0x00000070 (00112)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000080 (00128)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x00000090 (00144)   69626c65 3b204d53 49452039 2e303b20   ible; MSIE 9.0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6e6577 2f696e66 6f2e7478   GET /new/info.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 52656665   t HTTP/1.1..Refe
0x00000020 (00032)   7265723a 20687474 703a2f2f 3336302e   rer: http://360.
0x00000030 (00048)   68796473 70742e63 6f6d2e63 6e2f6e65   hydspt.com.cn/ne
0x00000040 (00064)   772f696e 666f2e74 78740d0a 41636365   w/info.txt..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000060 (00096)   4c616e67 75616765 3a207a68 2d636e0d   Language: zh-cn.
0x00000070 (00112)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000080 (00128)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x00000090 (00144)   69626c65 3b204d53 49452039 2e303b20   ible; MSIE 9.0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6e6577 2f647863 2e747874   GET /new/dxc.txt
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000030 (00048)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000040 (00064)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000050 (00080)   73204e54 20352e30 290d0a41 63636570   s NT 5.0)..Accep
0x00000060 (00096)   743a202a 2f2a0d0a 486f7374 3a203336   t: */*..Host: 36
0x00000070 (00112)   302e6879 64737074 2e636f6d 2e636e0d   0.hydspt.com.cn.
0x00000080 (00128)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000090 (00144)   6e6f2d63 61636865 0d0a0d0a 2e303b20   no-cache.....0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6e6577 2f6f6e65 2e747874   GET /new/one.txt
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000030 (00048)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000040 (00064)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000050 (00080)   73204e54 20352e30 290d0a41 63636570   s NT 5.0)..Accep
0x00000060 (00096)   743a202a 2f2a0d0a 486f7374 3a203336   t: */*..Host: 36
0x00000070 (00112)   302e6879 64737074 2e636f6d 2e636e0d   0.hydspt.com.cn.
0x00000080 (00128)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000090 (00144)   6e6f2d63 61636865 0d0a0d0a 2e303b20   no-cache.....0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6e6577 2f69702e 61737020   GET /new/ip.asp 
0x00000010 (00016)   48545450 2f312e31 0d0a5573 65722d41   HTTP/1.1..User-A
0x00000020 (00032)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000030 (00048)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000040 (00064)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000050 (00080)   204e5420 352e3029 0d0a4163 63657074    NT 5.0)..Accept
0x00000060 (00096)   3a202a2f 2a0d0a48 6f73743a 20333630   : */*..Host: 360
0x00000070 (00112)   2e687964 7370742e 636f6d2e 636e0d0a   .hydspt.com.cn..
0x00000080 (00128)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000090 (00144)   6f2d6361 6368650d 0a0d0a0a 2e303b20   o-cache......0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737065 6369616c 2f74696d   GET /special/tim
0x00000010 (00016)   652f2048 5454502f 312e310d 0a557365   e/ HTTP/1.1..Use
0x00000020 (00032)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000030 (00048)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000040 (00064)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000050 (00080)   6f777320 4e542035 2e30290d 0a416363   ows NT 5.0)..Acc
0x00000060 (00096)   6570743a 202a2f2a 0d0a486f 73743a20   ept: */*..Host: 
0x00000070 (00112)   6f70656e 2e626169 64752e63 6f6d0d0a   open.baidu.com..
0x00000080 (00128)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000090 (00144)   6f2d6361 6368650d 0a0d0a0a 2e303b20   o-cache......0; 
0x000000a0 (00160)   57696e64 6f777320 4e542036 2e313b20   Windows NT 6.1; 
0x000000b0 (00176)   54726964 656e742f 352e3029 0d0a436f   Trident/5.0)..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x000000f0 (00240)   6f73743a 20333630 2e687964 7370742e   ost: 360.hydspt.
0x00000100 (00256)   636f6d2e 636e0d0a 436f6e6e 65637469   com.cn..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   0d0a                                  ..


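Strings (the list appears to be sorted, so the lines of the embedded XML manifest are scattered through it. The file is UPX-packed, so most short entries are compressed data rather than program text; the readable entries are mainly DLL and API import names and the manifest, which requests the requireAdministrator execution level.)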
0
..
D.
}W
...
/..
%Q.
~.
|.I
.r
.^
r.
.
DEFAULT_ICON
                      `
                              
 !!*++)**%%&
;+""""+;
))*""#+,,
&]'">!
###<>>
										
:<</00
'((011
_0@46fo
0)B"iW6
0bSWP-
0EEQJj`O.
0H.SXI8
0L[rIK
0mvZ,6x
:-<0NP
0PXlpF
(0sKL<u
^0	T0:
 )0Th)TN
0)>Utkv
0	y|4x
)11!(+
11`utZ
1C						
/1E" `
%1GQ/ 
?1im?X
1j-xRZ
1\$U,i
1Uu>Oy
1wRhfv
<26u:f(
2DT!#5x
2'	*O	
2OoQCqj
#2(!pu
 2pzQ!
2r~5#ky
:2r@pB
/!+2TU
2Z$|Ar='
2zJ)!@
333333<
33333333<0
344BBB
3&;;4b
\3!gJ;
3Iu,@^
3RzewX
3svp#$
.3TZk]O'@%o
+])3V	@+(HXi
<3VuOQ
*43x)6*
:;;455___899   566
47=0&?h
4Cm:2&
!4^Cz9]
!4DX^[
@4gA~H
4IgZ8M
4,%kEG
4MI&3e
/,4MSJk
4&n3t`
4q=DM]
4rW.Bd
4S;F8d
4|TDMU
@(_5"\
53v\<E:VH
^$(54f&
;\54s1
	5$555
566=??
5}7rhj
]$/@5c5
@5}}~d
5);e>^
5@iX!dK& 
5js2^Eh
?5_W>*
	@6HU0
6iTq3W
6kCI,vA
~,^>6SWT]#
6`TiBe
6T.U[7	
6UF5}\
:6.UvvQLF
6"u+Xb
71wZl2
(7&4ji/
$77777777B
77CXw%
7~;7JE
7d%&NK_
7Drw?BH
7HN2.x
7J1_PA
7';'JF
 7*JS=
<?7&JV
7&uc.:.d
$7\W10
7W}n+'
7y9A*`
7yMNr9pqlF
	8					
81IOJa
	&888888888888i:S
())888BDD
=888I.
8::aaa9::
	8H$?A
8Ij{bA
8,<o&K
8 Qeo	
8quC:KM
8:tQEs
8vJvG3
8x3r!.
!8Z0dW
8-}zBq
}`].9|
91'Gn>
94Zq:8v
|9(6y>$d
9.8BW2
98@"tO0
9$fn/K3v\
9g5p]]
\]9		hCQ
*  9iiiiiiii
[9(\JW@
9l$\w_
9%n{-~
9`TZ93&
9Uv3|i
9w8t8;OI C
9*WS1\
?9ySZp
a&0'F7
a5LZk\,
a8OCi}
a8QU$C
+,,?@AACC?AB
ABB.//   <==,-.
AC%7Mp9
ADVAPI32.dll
aEcemf
Ae.H]n\:&
af]NxF
Agl9*5
{A	m)!
~a^m:p
a^MUW~
anB$t 
ar|s[:A
</asmv1:assembly>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="">
<assemblyIdentity version="1.0.0.0" name=".add"/>
ASVhK0
aT_7[g
a}tqqb
AtYyqF
}AXgu9g
?Ay?Wd
b1BjU>
b5g3dT?
>??,-.BBB
Bcj`[p
BEm|&#ew
B(fgO$!G
b,{#h7
B&HC@'
B#H"/k
b:h)$O
bKf N2/
bli1X)op
b{'lV-\
:BlY4e
bMD$'0
B\n%34
Bnb-`)
BNVt9b
;b!)_{\P
BPb2W\
BP=`j{
Bp]V)Y
BRrTTe
BS&cA]
b;(+Sr
b[u/A@j
&B~XA)pht
"BxdiA
b<Zt/X
?##C		
/-~\C:
c3[5kC
C3[B$;
C9_)Ab
{^C_Bb#y
@?cC>=
CCCCCCCCCCCCCC
cCCFqQ
cdc^^%
c\eahw
c,Fe<~z
C gV|@
c!gw2t
C+_h8A5
ChooseColorA
c'[(?J
cLe/e(
ClosePrinter
cMhgn9
c/n('F
-c{O1&
coIrzoT
COMCTL32.dll
comdlg32.dll
co$SS}B
{c[.Q3
.@cq/Y/>
c^Rs}9
(CwB@f<x[
cy]A(e
-`C^=Z
CZ-]?p&
!CZ-P\~F
d5<Wh^<u
D8.m53	
d&9R"\
{-D9t4
d_b	 @wD
dCX,.WG&
$DDDDDDDDDDB.
DDDDDDDw
DDDDDDw
DDDDDK
DDDDJH
/:"DE?
.)D$H)
>d;H5M
DH)8)cD
d`-:K4
D:L^RBec
$dm{Cf
D-M?$D;
dP>j7N
:d!#SG
?d@t/d}
D$t+D$\
D$t#D$h
D;{_u0
/`D/vh
d*|WQ)
DYE<Da
D|YLt=
^(E1aR
e226?S
e45t~R`
e8w2n_
E],-}9K$
eC9N(I
;=~eCO
e`F9!k
EFGGHI
<e%^Fz
?@?eg/
e`j+5aT-%M
e|JY^n
EmwDp|
>eNq{D
E"Q65y
+eq'IU7e5.
Eq,&Mg
eqz|oY 
--E)\s
eT)H*`
e[VvvvH
)&==EW
EX14qI
ExitProcess
,EXzO#/
[;?EY#
ezlS1R
f0FDkO
f!7d*,
f(}9"+
F`c9rB
F]C)GM
=F}csL	
fd]..Q
f_;EYO
___]FF|
}F<f*5
fF{a9K
fffffff7wfffffffff
ffffffffff
ffffffffffffffd
fffffg
F[Fvs/
]f#Fy,k
FG [Uu
	fiiiiii
F_J1csP
f;k.BB
fK*MYkXW
+(=F|/L
=f])l9<
Fl gw'
fQeUA(c
f=trG;
#}-/f#&W&
F{w]AS
fX4f%	
FXE{'t
FzlB:-
#fZns"
G?0~2(
 +}g1v
*G|2G-
G38$;	
 gc%QrM&
#gczC4
GDI32.dll
G;d	vt
GetAdaptersInfo
GetProcAddress
}\gGk^mK
GMm\]f
g~MU]r
GMX#xR
gN,G%3
"+gNyp
?]GR."
G>R&#n
"GS`/f
Gsl43S
G^:s^WdI
gtt==ttt!!!!!!!!!ttt=t=
G?]Uy,clu
gV%DP~
[_g"y#b
GyZWW,
h1YdVG<
!H4<d/{
)h<9_d
HaJ-`(QG
\hc-6yA
<hdb=~
H;>:DY6
H]e1Ds
hECq?X
Hekd9B
hF4hcm
hG\a9F
:Hil/1Y
'Hi>ll
+HiZ:A
hjO{9gpo
H$"K (I
	%H#]M
HM6LP(t
H'nC]9F
HN;P-C
H,{QjX
Hr^}^3I0
|H}RGlZ;
Hs2Uz$
)*(htP
hV{M<}RzewW
HybaX!
"\HYQP#
hz'	R~
+h/Z*R}
I1LTM#F
i26Yb}!
I}3w]$f
											IA													l
I-BV)l
iC*+|#
"ic'@7
iCo<^#'Q
IDP;Ai
iE4"*4
=iFo%J
"i/H_~
	iiiiii
iiiiiiii
IJK!""
I;\_$KY
I#lm[j
@!IlqW
iLs7S 
Im1.5D
`"'"IM9
)i@ndY9/
iNQ|UP
InternetOpenA
iphlpapi.dll
I^R3C	R
IT`-E6
IT	-Wm
#~"i}V
`#(=Iv
I.wnC_
J0K:j("
j31dm/
J'4&/i{W
J5&{Z!
j6@"|2s
JA.:1<
J'{Br B
JcFwre=
Jev\v4
)JeWor
+J/F7)
jH`!I1a
jiahZc
JisKXS
J&Md&wi
:jP0I`:9
=j/QA[
jrur9Xw~
J./sR{
:jTHO~
J$UZ1~
%jV5:0
jVJJJ.
j$wz	Y
"""J@XF""
jy"~9|
&jYn2N
k&?:[/
K@0 c@
k1C8.yV
*K1}>x2
K6,-2P
Ka%do)
^kBQ9LQ!
k*dI2M
KERNEL32.DLL
`}Kfn"R
K\gEg{Ob
K>h#Bx[v
kH/&[d
	K*j+"
"kn.--u}K
Kp#>(J
?KPvj)
?Kqv8E
KQxQ02}
>Krs'`O
k$:s_RZ|d:
Ktjshd
]:ku-n4
kuoaX|
Kv3?Z#AI
/#,KV:lp
kVVD3IvA
k,Zo  `
kzxQ*%
;l			@
%l61,o
L6Qy6&
<l7UAU
l{a"73
l{}Al@
@LCD'"ZL
:l^EsG hM](I{i^
LineTo
Lj$gII1W)6
l@lKFm
*LLqq66????????66qqLL*
?lMJ._
l_N<[2
*%lNn0G
LoadLibraryA
+lO lx
L% Pe7%G
=LQ6J+A
l;rmr1Q
?_(?lu
l;v[9R-4
LYRqNc+
M1+F,#F
m2o$[!
<m3ZS 
M7Q	7;;
mA)e1b	
Mb1c(rY
$`^M	c/
Md|&+13
|M>f=m
mh["In
Mhq}x\
mhXTVD
~Mj7>N
@,&Mk]
=m'	mb
+MoJl/
M;RgTJV
mRNyR]
mRpGL)
\mR'W=
;M*slM
MV4f_H
MVMZ(l
mWMx6!N
;m"Xx)
N`1rKR66
n2##2+^S
n)2?G@
!n%2JO
?n?6j29
n9#>&*
n9l(sd4Pf
NAclt)
+N]e9"
,n\EIEhU
NgP0+Uo
Nj6Qan
$}N*$K
nKyAW,y3
nnn&''&&&
n};nP6y^*
n>#rQ5
#NSBZG?
;ntUVs
N.WreV
"nX<b_
;n(!,Y=k!
nySh9$
nY;w5C
NZA$J[
O0	`yQ
O18_8'
O#/^2F
,O2<j"{
;\=o-3#DG
O~5@%H
|O=6G=
o6YM]rV
o&^7ByF
ObQg&l
ocb2r'
oci@)"
'odak@
oE sBp
Og|1:r
o;gfu|
-oi*BPI
OI'U#u{
O`J9m1
O@KkG	
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
OqIXC*
{!?oRa4
oVqwH/
Ox>7Iw
oz!A5V;
P];)`}
P0ce>6
P1~y					
P8lx~f
P9dR[.
PAWv$;	
pBgy%G
P['CFc
pDTI5:
pEif+h
Ph6^f4
pHd	!*
;pi?>3
p^J+.~_
pJ]4D8
PM[fJ.x
=/pN1lL
\P nJ,
<pn)KF
	#-+pO
]P+(p5K0U
Ppb7H2
p(PGNd
pQ:\7S
Pr;<%;
PRW[f9
"pvKHZ
pV]_R[\
p;y\./
P&yHv:
!)>q&=
Q\::{&
q\$`0|/
Q0yFa:
-Q2hRI
q40|`j
$q4A`f
Q4z/x%
Q5O'G5
q5:z17
Q6UoNr
;Q$=7	
\q_8&kO]}
>q8Of5
Q8< X7
q]a-m?
]Q<AzuQ
QcXtbK
'Q[d43&
?q=!]f
qkbDl\
Q.MZ#D
Q[n$dp
Q`*q2.
Qs]RI=	
Qt%<_~
q=TX|+
>Q=+YI
QzkF'=
r0,RjNK
R/0_WO
R.,0yi'
r*{3iJ
R3v	8$
r7rpens
r}9Hx<
r9[=qI.
RASAPI32.dll
RasHangUpA
<:rBTa
RDo6Wc]*
RegCloseKey
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
R/flM5
R>]fs5
RFVw5&
r=<*Gt.U
r%#.H_
R"\>.h5
#rie"R
rlhTOQ
r~M_&+
rm:C>AB
/rm<LX+
R`pJ3p
&r?r3qB
+;RS]{v
R te`%
R-tlp14
rTsu7H
{R@(u^
rV-3L>V
+r-%wc
S1'0Tw
S1x-Ygc
's2@^)
S3'E2bf
S5W._l
*^[*S6
S))'`6
S=7z*4?
s8sq-q
sAbW@qSe
	SaZ-7
SbFT]A
%sC{3j
sd51	zT4
    </security>
    <security>
s'%^ED	Ns
SHELL32.dll
ShellExecuteA
#|Si9j(F
SJ_fW'
SL2?E\
s`)L$4
#Sm_8[s
sot^m hE"|w
S,p%(A
S~R0lC
s.TY,|bBT
suI($r
sUZ>:4
+svCUn
|_syW"
|s^Z_d0
"t0?m@n
t1;Av$Z8
+t2[DX	Dc
t2\uuU8
T4[uf"
t]5	]k
T Ac8oQQH
tc&9}Ttia
TcneY\
tDDDDDDDDDDDDGz
tDDDDDDG
tfffffffffffffhg
!This program cannot be run in DOS mode.
tKkZU9
~!:tKye
:(TlM>5
'T<mD\
TnbP]O
	tNizp
t/:QCn
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
;ts}V4
t$t#t$l
Tx	3Od
|}TX]A
?tZ~4m1
TZ@gWa
+	\/U?*
>-u '0-)
{u0ETu
#u0kLjA
+:&:u0L
\U3%SF
u4?yi_
U6u`d=
?},_u(7|
U.8Hrf
UA[<V@h)
Uc_|HI
UDb%uBY
UD%m>a
ugJh	0
ukAL:-
$_=UNax
uq\=/O
UQu].Q
<uRaRd
U)r"{)R
USER32.dll
UUUUUUUU
UUUUUUUU^ 
UUUUUUUUl
Uvn|C/
UwC`U?
u:yjD[
'(uz,^
uzrt|H
v@?&[&
v09l	J
V7t`:[E
v8nGT5
v8.suN
V8uUmT
Va>4?iX
Va{opP
vbvc"K
=;v?F:}
vffffffffffffffd
vfffffG
>vft+kk
V:Fxb=
vg1	ke!
VHrUEv
VirtualAlloc
VirtualFree
VirtualProtect
vJ=jSL
V_K;A5
vkcdz M
Vl`PDir
]V M|=
%,~Vm1z
vP20A!Cfw
VPeloo
V<QC`&3
&V{Tv`
V^u5SU
VU"f^m
Vur^=O
vUUUUUUUU[
$~V@vI
vxE`]o
VX*QOy=Ng
vY.7zCft}
W.6w?5
waveOutOpen
WBiQ?E
wbjzQp
W	cA33
~Wc GD
wE/_HG
;=WeZ*
wFBTg#}
>+WG-^ 
:wg4gj
}WgwW.
-w<GX)
w}G@XZ
w|i`632F
WININET.dll
WINMM.dll
WINSPOOL.DRV
w(	~?JB
@wJLBC
WK	K5A
wkudvdI
w\kva 
\:wmI?
wMnxA%
WN;3-U
WS2_32.dll
>-WW9(
wwwwwwwwwwwwwtw
wwwwwwwwwwwwww
wwwwwwwwwwwwz
WWX=vNz
W[y.&7
Wyx6na
*;(x!~
X;(-&@
x]1^|c
X4/^i)k',
x6fGiR=I
X8x@v$
X:\)9)8
X9aX4Ark<
x9dCGn
XaQ}5#d
x<{b+E
X#blji
\xB`_r
XBX$P^ET
Xc=: `
x.d_ 6
XH^Mqa>
XI?~/;
X${)Ik
}$XjH$
_XJk4b
X(k@-Cs
XLb[Y Wo?
xMbM'z
x^M?Gh(7
XmhZSl
<?xml version="1.0" encoding="utf-8"?>
X>+mqB
Xo2~[E
XPTPSW
XPUw]u
 !<x&_q
Xr8/kW
%?xRS#
x\sqI0l6t>
Xtr)*^|
x;:T/X
xUUUUg
?Xv	hs
(xV"t,>
x."`xO
xXY|cj
xy)h(F
X$Y-hf
XY|r.h
xz9j9b
[:~y[?]
Y0CSm_
y32Lnc`
y7~M`z
y+8C.W
y8&?YI
/y#9OTP
yb9ARc
_,Y"bt
YbV}1K
)y"c#b
~YCg *
,y:]	d]#
"yDY]!,1
YDZ9_CT
{Y<E{^
%YE7~c
"	YfOT
y,?G<b
y?H2A8J
yIDeVjQ
y\I.e(
Y|m>,b
YPg>v%
]yR6l4
yr6?"S
y|tg%!
yv0kq 
$YWB&w
yX<\Z 6L
;YY>I67
yz$y|_C
Z1G} B4
Z-4i]db-;
z`##+8
Zac:Lz
=zbN^.'	
zCW%`>
zDjAxz
ZDL+<b
Z~e*;U
Zf_]EL
ziD^21
zIkZkK
%zNj{k
zN]+@n
Znpz83
=Zo[\$
~'ZoT%'
@@zPc'
z_-R	L@
*[\zRv
zs\*6?W^
ZS.p2s
Z-TVs8cC
Zw2j}%f
ZW#s1cg
zwwwwwwwwww
$_ZXUWB