Analysis Date: 2015-01-10 17:51:01
MD5: 4d3aafad6ffe30fdb985302ddb1e1913
SHA1: 0da9045a8482dc64737b9d163fcdc8e6d5dc3e4e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 2dc246467f94d9413accdfefe42eb405 sha1: 05a1e2e8c1afa42f61de6562a4189be0f5336401 size: 13856768
Section .rsrc md5: b336722082774975cd3ce09bfc8b7ca9 sha1: c565b56e77fdd1c870bf9224988115cf7118b58c size: 36864
Section md5: 70292f173e805c39af179d8d706139be sha1: 18a78ec76403b35796e13c526d11407ca3efd603 size: 12288
Timestamp: 1992-06-19 22:22:17
Packer: PECompact v2.0 beta -> Jeremy Collake
PEhash: b9190f4a945ccfeec6f32dbf405425f446b378e9
IMPhash: 85c5d4dd7bbc432be8128f34a39750db
AV 360 Safe: no_virus
AV Ad-Aware: Generic.Banker.Delf.779B616F
AV Alwil (avast): Downloader-MFH [Trj]
AV Arcabit (arcavir): Generic.Banker.Delf.779B616F
AV Authentium: W32/D_Bancos!Generic
AV Avira (antivir): TR/Spy.Banker.Gen
AV BullGuard: Generic.Banker.Delf.779B616F
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Spy.Banker-4591
AV Dr. Web: Trojan.PWS.Banker.12036
AV Emsisoft: Generic.Banker.Delf.779B616F
AV Eset (nod32): Win32/Spy.Banker.YGJ
AV Fortinet: W32/Banbra.A!tr
AV Frisk (f-prot): W32/D_Bancos!Generic
AV F-Secure: Generic.Banker.Delf.779B616F
AV Grisoft (avg): Win32/Delf
AV Ikarus: Trojan-Banker.Win32.Banker
AV K7: no_virus
AV Kaspersky: Trojan-Banker.Win32.Banbra.pg
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Bancos.DV
AV MicroWorld (escan): Generic.Banker.Delf.779B616F
AV Rising: no_virus
AV Sophos: Mal/DelpBanc-A
AV Symantec: no_virus
AV Trend Micro: Mal_Banker4
AV VirusBlokAda (vba32): TrojanBanker.Banbra

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\EmbeddedWB 14,52 from: http://www.bsalsa.com/ Embedded Web Browser from: http://bsalsa.com/ ➝ \\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: c:\windows\start.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\Help\svhost.txt
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: c:\windows\sysedir.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: sc delete Gbpsv
Creates Process: iexplore WWW_GetWindowInfo
Creates Process: schtasks /create /tn winupdb /tr c:\windows\start.bat /sc onlongon /ru runasuser
Creates Process: netsh firewall add allowedprogram C:\windows\help\msn.exe Msn Live8..
Creates Process: schtasks /create /tn inckl /tr c:\windows\startinc.bat /sc onlogon /ru runasuser
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: files1000.fileave.com
Winsock DNS: maira2k7.fileave.com
Winsock URL: http://maira2k7.fileave.com/sys.pdf
Winsock URL: http://files1000.fileave.com/mesg.pdf
Winsock URL: http://maira2k7.fileave.com/geracaopraia.txt
Winsock URL: http://maira2k7.fileave.com/mesgtxt.pdf

Process
↳ sc delete Gbpsv

Process
↳ schtasks /create /tn winupdb /tr c:\windows\start.bat /sc onlongon /ru runasuser

Process
↳ schtasks /create /tn inckl /tr c:\windows\startinc.bat /sc onlogon /ru runasuser

Process
↳ netsh firewall add allowedprogram C:\windows\help\msn.exe Msn Live8..

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Creates File: PIPE\lsarpc

Process
↳ iexplore WWW_GetWindowInfo

Network Details:

DNS: maira2k7.fileave.com, Type: A, 208.73.210.211
DNS: maira2k7.fileave.com, Type: A, 208.73.211.167
DNS: maira2k7.fileave.com, Type: A, 208.73.211.244
DNS: maira2k7.fileave.com, Type: A, 208.73.211.250
DNS: files1000.fileave.com, Type: A, 208.73.210.211
DNS: files1000.fileave.com, Type: A, 208.73.211.167
DNS: files1000.fileave.com, Type: A, 208.73.211.244
DNS: files1000.fileave.com, Type: A, 208.73.211.250
DNS: gsmtp185.google.com, Type: A
HTTP GET: http://maira2k7.fileave.com/geracaopraia.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)
HTTP GET: http://maira2k7.fileave.com/sys.pdf
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)
HTTP GET: http://maira2k7.fileave.com/mesgtxt.pdf
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)
HTTP GET: http://files1000.fileave.com/mesg.pdf
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 208.73.210.211:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.211:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.210.211:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.210.211:80

Raw Pcap


Strings