Analysis Date: 2014-11-16 20:53:52
MD5: 29446faad1e2dfbc162ded31a77c3667
SHA1: 4077398dcc001a236304d838d3d6363a78aa5ef7

Static Details:

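File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section; these are the MD5/SHA-1 of zero-length data, so they match any empty input and are not usable as indicators)
Section: UPX1 md5: ecc255f6cf8edee23e3f4bc342c2bac7 sha1: 3935b250c3fdfba0b378c9a66e43e1eb2653e009 size: 269824
Section: .rsrc md5: e8842f735b01dba3026fde0298215a57 sha1: 941c271a6ecd4f2aaabd34420274462ff09fc457 size: 21504
Timestamp: 2010-04-16 07:47:33 (for an AutoIt-compiled script this is typically the build time of the interpreter stub, not of the script itself)
Version: CompiledScript: AutoIt v3 Script: 3, 3, 6, 1
FileVersion: 3, 3, 6, 1
FileDescription:
Packer: UPX -> www.upx.sourceforge.net
PEhash: cc4c49c3435746778e06fd58bb1466875b3bcf34
IMPhash: 77b2e5e9b52fbef7638f64ab65f0c58c (likely shared by other executables built on the same AutoIt stub, so weak as a standalone indicator)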
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): QHost-BC [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Hijack.507601
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.6182898
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: W32/Generic.DB3!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: SettingsModifier
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\WINDOWS\LCTool\LCconfig.ini
Creates File: PIPE\lsarpc

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lieuclub[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: Shell.CMruPidlList
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014111620141117!
Winsock DNS: www.lieuclub.com

Network Details:

DNS: rdis.msg.a01.yahoodns.net
Type: A
66.196.113.4
DNS: dl-balancer.x.dropbox.com
Type: A
174.129.15.23
DNS: www.lieuclub.com
Type: A
69.43.160.163
DNS: img.msg.yahoo.com
Type: A
DNS: dl.dropbox.com
Type: A
HTTP GET: http://img.msg.yahoo.com/avatar.php?yids=money_love0209&format=gif
User-Agent: AutoIt
HTTP GET: http://dl.dropbox.com/u/18418438/LCTool/LCinfo.txt
User-Agent: AutoIt
HTTP GET: http://www.lieuclub.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.lieuclub.com/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 66.196.113.4:80
Flows TCP: 192.168.1.1:1032 ➝ 174.129.15.23:80
Flows TCP: 192.168.1.1:1034 ➝ 69.43.160.163:80
Flows TCP: 192.168.1.1:1035 ➝ 69.43.160.163:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   79696473 3d6d6f6e 65795f6c 6f766530   yids=money_love0
0x00000020 (00032)   32303926 666f726d 61743d67 69662048   209&format=gif H
0x00000030 (00048)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000040 (00064)   656e743a 20417574 6f49740d 0a486f73   ent: AutoIt..Hos
0x00000050 (00080)   743a2069 6d672e6d 73672e79 61686f6f   t: img.msg.yahoo
0x00000060 (00096)   2e636f6d 0d0a0d0a                     .com....

0x00000000 (00000)   47455420 2f752f31 38343138 3433382f   GET /u/18418438/
0x00000010 (00016)   4c43546f 6f6c2f4c 43696e66 6f2e7478   LCTool/LCinfo.tx
0x00000020 (00032)   74204854 54502f31 2e310d0a 55736572   t HTTP/1.1..User
0x00000030 (00048)   2d416765 6e743a20 4175746f 49740d0a   -Agent: AutoIt..
0x00000040 (00064)   486f7374 3a20646c 2e64726f 70626f78   Host: dl.dropbox
0x00000050 (00080)   2e636f6d 0d0a4361 6368652d 436f6e74   .com..Cache-Cont
0x00000060 (00096)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000070 (00112)   0a                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 6c696575 636c7562   st: www.lieuclub
0x000000c0 (00192)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000e0 (00224)                                         

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e6c6965 75636c75   tp://www.lieuclu
0x00000040 (00064)   622e636f 6d2f0d0a 41636365 70742d4c   b.com/..Accept-L
0x00000050 (00080)   616e6775 6167653a 20656e2d 75730d0a   anguage: en-us..
0x00000060 (00096)   41636365 70742d45 6e636f64 696e673a   Accept-Encoding:
0x00000070 (00112)   20677a69 702c2064 65666c61 74650d0a    gzip, deflate..
0x00000080 (00128)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000090 (00144)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x000000a0 (00160)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x000000b0 (00176)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x000000c0 (00192)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x000000d0 (00208)   2e353037 3237290d 0a486f73 743a2077   .50727)..Host: w
0x000000e0 (00224)   77772e6c 69657563 6c75622e 636f6d0d   ww.lieuclub.com.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000100 (00256)   702d416c 6976650d 0a0d0a              p-Alive....


Strings
.%H.
H
p[
 .
.v...&
.
P
.
.
`@.-l
.E.C..%8..
.*P.+P...
.#G
m.'
.+
S
r04.(R
080904b0
3, 3, 6, 1
AutoIt v3 Script: 3, 3, 6, 1
CompiledScript
FileDescription
FileVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
-%"!' 	&,[\
?|<-(,
/~<+^@
@ @$!(
?0012345678
0)0J'E
04LHzMBAE9
04%PT9y
0 6uw12
^0 9^;
$0)( c
0DSC/>
,0E0$(K75\(
0 (Ex$-
0Ghlc0
0h=rRz
0I}a)d`
0jd7,p
*0[,L	
	0	o$u
%`0Ozn
0'p	PS
0qS94N
\0rTGLP
0S,F(^
~0tBf=B(\
0{U9_u
.\\ 0W
0X0#+&
, 1 8m
18<@r9
~1ALRV
1	B@D;
1b=mF'o
#1Ey*tx
1@)He}
1h{qk|
1Kk@JZH
1Knfa&
1LLSNM
1Ot Ht
1#QNAN
.;1s(N
1tjh3nC
1tPHTA
1u,MX(
^!1uNh<
1|@X0I,
20rfJ>
2222$(,00
222<@D
25}_(>
> 255j
27QJ=\
2EYAP%
2@G!t)
2!mLOA
2n2rB@3
\2Nm f
2pH f,I-r
2|RB;9
2S5lay
}2s(BC
2{SG[}Uy
/2vW8%
2X^WI6*
/;33V{
(%,`34
#3 44gw
37rrr{
& 3@!8
)3bvn?
`:3jL9
`3LN%+
3[+mS8L%
+3/O@+
3[r-I|
3Rw'k!-E
3 s:&*/
3S9 0%s&
<?3TU:
<3(tYL
3~y8ql
]%-4/_
4<1@Dr9y
4!395X
,(;47|
48Ue e
-4^9Cu
4h$7	l
4J?Rr>If
4M!"#$%&NG
}4MPLG
4pK.E^m/
4r AS#}$ 
.4@RXD6p
4Rxz\>`
4v6	`LHq
4W+C!9 
4WKGj4Fg
#4/W^_N
4zPt(s#
(-\!5'
525jCz
){5\|6N
}57t,PL
5:9_Oc
5>?@AB6EF
5+C?z9[
5D17l0$4L
@5DBHw
5D$HPCS
-5#Ewr
5g2A9Dkby
{5JD-o^
5ki+5.
5~%]#m(
5&N{7L
5P+-,>v 
`` ]5q@
5/R4PVQ%ly,
+5rN]w
5;T3uV^FFKU
/5t(PEN
5W_-Di
5XJ\`m
61;1[o`
613t!n
6\>2	6
6*'*@2O-
64B6@oP
6]6dS+|@u?
6E'i*W
6I	R"x
6J}8/J
6K[YJ]Y
6mWfyi
6N@g4N
6"ntac
6rJG-U`
6Tfn+U
+`*6Type
6`:]x)U	
$	7 00O
70BHKb
72VPU2p
76>8^:t+9
:/'7?7
<`7@8kT
@>@@7B
,7cewJ5
7FU7re
_7fy;)
_7HKmr
+^	7jRM
7N3Vl=
7q+o/>f
*7t 9Ei
7uOJ4\
\7W/m`C?
 7xO)Twp
7~:z#z
84Z-nM
`8}#5;
 8$8,0
[89{HcP
8cNFt5
8Fz1QR)
=8IByH
8mUBT;
-#8O^H
8PK	#T
8P[Li#-
:8QI*d
8QP8I(@x+K
8>r9w!
8R/uw^
$8s24[
8Ti0]T\
?|8t/V
=8Tx O'
"8ytgH
$\9^![
9:50:3
$(9999,04
99/p<]
9akl00JR
@9E\	"
9E	-oeB8z
9I!G&-
_9$]kw
&9M;AsS+
'9)QbU
9r;BGBJB_B
9s:F,r[
9 /SMYIe
9S'#{t
9SY]n&Q
9:t960s;
9^ tc&
,9[Txo"
^"_?9U
9	U_ME
9u(v'VS
$9W^$n
9+!%XR-gk
~9z"B-clB1
A1$3!dc5P8Xc
a4E4KB
A5aI,U
A"5~#Y< 
A9irh`
]^_`abc<fghijklmnopqrstuvw
aBH/`5+D
a_BrM'l
/{ac\S_G
Add,OA
AdRrAJGg\
ADVAPI32.dll
advapi_RegD
aFb>\`m
ageBoxvSER32.DL=
AG<*?t
\AIL%UW;
a@I-v&
A/kSX%
a;]lZof
A NIVG
AnyrabicT
AO]F@Y#
a&q0='O&
}/a$Qs
$.??ar<fw6W
a<~:rY:8h
</assembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
atcStVstPHtC
"&a=u&
[AU"_#
AU3!EA06
AUONmB
=AUZ	<
'.?AV^_
A]VVxag
AWM=L9
"a'w;n
aW x!o
AxQSPF>
AxZPOd
',A:Yf;
b2r$(ju
B@7j5A
B7k	I.
bad allm
bb@Z*+_1D
b%c*]<]
b";F;`1@
`b({FG
}"^@bG
B	+gi!
Bh#]ohy
Bj7rIK
B=k4-Di
blanjc
\B''M@
%B)mHPF
].bod:o
bOK:>!
]>b.p$
bqbE+y
BR#^1C!9
brary i
bSsY]G3
_Buvz5y
$bVPj1
`B~Xk@u-
|\)Bxo
BxWXST{
"By?//
$bYxxxccxD
B	Z9.1C
b=Zjo^;
<<$(\C
<-@C0-
C0K[u9
C"4}rM,G
ca3|9<6
C	bI#J
Cb:Y\bT
cCcZsv
ceilS4
chBl$X
cIRQt_
C[K8-v
;C]KiQ
 ($Cl$
Cl| Hi6
cLJk[n
CLla&.R
CoInitialize
COMCTL32.dll
COMDLG32.dll
CONOUT$.#
' |CPc
 CpNYN
cs>642
`=CS	(F
cu0$+l
cv9aPe
CVU~xb
C'X`mq!
c*	}~YD)
CYQ;lt
/#!C[Ys@c
+CY|u_=
c!z]kY
|?;~}:D
-$ D%/
,@\:D`
~@D1 |9&
D1CNE:
d?200	
D66kEJ$
D7DvjYT`
D@<840<
+DA5DQ
[\DApR U 
D}]B1 
#DCG-2
ddddlptx#
D<D|X2
DEFINEGi
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
:DEvn|]x
DeWFlsFree
D;FG?bH
Dg9/8P
DGcGa(
dhlp].
DHL?T\\
D;^JV+
d(k(DHO
dKh)pLa?
DLT\dw
 D'M9<P}
DN4H/;
'DPjyQ
dq%tpM
)~D>r+
d^~r13/
DragFinish
d,SGw3
<@DT.'
dt,U|G
DT;VLuw
duDe|2
|~DuzQ-
dv_Abori8
d@y }E
@DY`Gvb
Dz;2F6tp
!DZz?"
 e?$	,
	E:2DL
E43Xv;E8
E4J8Cd
E809(d
ecG=Qx)
E"gEB],
e,Gf1>:]
`EH9L>
e[`Hbu
EHu04M
EjP.DN
Ek2,Je
<	Ek5n
emaXjv
E|MHy3v
-EMPJ?
EM!ZPM: y
end&pf!
EnumProcesses
E O VSh!
'E>p2d
E|P8xS
ep.Oww
E$<QTj
>~=ERCP
e,SH{X
eSo8Jy
eSp2qfq;
eSyl6fN
ETr$Cr
E:uOPP
?!(:Ex
ExitProcess
 Exp $
eZ$9YwY
|f0&=~
f4~QyW
F9a.NDBM
f;A0s_k
FAli$SSJM
FaSoa.d
 F{awi
F''B1*
FDfkSG
fDwQV%\<P
FE8 .u
#FE; X!
FG$DHb
,|FGSu
Fh;#"#
 $( FHArP1L]uE
f	`)ID
FI!~K:
f$it!T
	fKKXZ
FKPZ9F
FlushB
FMJt]qg
FmlX`I
F[>n35
FnFdr=
FO{FD@
f^OkH<
#f;O]X1
fPa}Yl)
@ fP&t
FPV/%h
F-rU8W
_FT8i)
Ft<+A'	r
FtpOpenFileW
FtTlkH
FU0"Mf
fu774?
F.@ U_F.
$)f	UUX
F^Vv`	
fVwJrC
f	WK!W
FWlD\ya8
F#Xw&;
}	fZ!@<S
"##$%&'()**+,-./G
=.G261p
<g2hIT
 g4`V7
g!;6bVU1
gA{+`$f
GDI32.dll
g*@djt6Gedg
:G- 	ek
GetAce
GetProcAddress
GetSaveFileNameW
]{GgMRtW8
gH\wQW'
ghX#USHAUg[
gi-`POFh
!GJ0fSQ
>=#:g}k
<GL).3
/GM7?1
g*mvmCy
%|G^qT{S
grj?A)e
gSq9,h
Gsx\Rt
gt$l l
GWPht*
GyBITZ:
$+gZU(]
%}^',h
H,04!V.'
h1lpUV.'
h 3mz7
^H3UaLQ
,{h|9.
\H),>9
H9_XmK	@
 has m^
H}AU3!EA06
;hbl	W
]H^=cB
-hcBi|
Hc^odhlr9
H$_$D	
H]DBch
hdj5)5#
}HD}P6
hd`\XT<
He|h@id
-hEPZo
_hFebMarAprMJL
HG9a1k
(,'HGLO
H H$GSG@TV.'DH
hh@N,}
h[H@r|
hI?^)Br.
h_j('8PWF
HK]kv5Q
$hl|[+
hL`8&#
H`L(Dj
$'HL%Hx
HL\prrPTX
*H)%MD
HnB,Ep
,ho$=Pi
\*HP4`sy
(!hP*H`h
HpPUS%7
	h/Q ~C
+HRejp@
h_RUPE
#HSI]J'
!~h;>t
HtD}	U
ht=Nt0nt*Ot
|Ht.P0V@
@hVR&XJ.
HWPA{+
*/HX0x
#h>Z=|c
!HzSNJ
[#i0Wx
'I4feS
{@:I4T9i"
$/<i7X
I-8UufZ
I*%| a
i)a]&L
IArFy'']
i"BGaf
 icWHNW
I;&D<ePw
ide&r(
iDftWExgRF~aPF
$Id: q
Id&RaiseE
i&dxP.
#IeE[\
IF&4#L
/>If.G
if.x}@/
IG P$(
iGQk>[
i:H0  M
iHi!}B
[\I}]h{L
::iM*5
ImageList_Remove
inW tL
IoC^pTd(\
iO>}nDPi
I R]P#
IsWow64
{iTiT.
IUXz@B
iuzR0:
iX\`dY
	{I}!Z
.iZI	`
_][j%'3
J;3Dj1
&&^[J4
_J4]vY
~_J(5y
-J*6W=
+'@j7V
J.9Hxl3	
J9o^[G
j-bi6!mG
=jchOa
)j*dv[
|jDZ/x
((:JEx
#{jfe3
JHt9H*Wt!
+*JhTN
jI~#%_3
+"'J.J
jj'g?Q
j@j ^V
J]j\Yx
J%k __,
=\j]O,
jonbennett{
jP^HrIw
-<JqE(
|{JQ`Y
'*j*>!S
JSc.Xm
JsIT#,
ju(Tokb8h
j<.VPK> 5{x
(j"Vr+v!(y
J\W95Hg
J z,)*
`_	K=)
&K	>$(
K4w=`*
K^;6%@
K7N7c7C
KA/blG
Kdwpsh+
ke+A,A.#B
KEh"\;'
KERNEL32.DLL
kEtxew
KeyEx~+-
K|FEay
#?K{_h
KHc[ Vx
;?k	!I
Kk6T?m
kK!bGK4
kl=sL>
k_?M'c
KO7EaW
k>p+3!g
KPB$$l-G
K%]qt(
kqU|f;
	K(r+1
KS`B6J
KTru*;
kVCLR3
*k#&WSk
(@;(`kX
Ky0Xtu
L}\'=&`
l`0}PtL
l|}5v8
,l60(w+
(L9=RjB
] ^lAAQW
(LbFDH
&lcERx
<LD<0$
ld?<f?f
l`dl(`
ld@n	E$x
L%|$Eu
lfDj6z
'?Lf;u
<lhd`\
()l}:HL%
!LH^wc
LineTo
LIp"vzHw22~
L<K"vH
)`$L(l
lLH9&;
l!L?P?
L(luH?	
L&(lxy`x
LmE58 7j
lO@4f6
LoadLibraryA
LoadUserProfileW
#lobdD,+Iu
LognZ 
lp6I.7\
\.LPTX8
LQ\RS2
LQUNICODg
l:rcmpiW
LSFUnC
L'sK[_
LT'"_,
l<&th<!td<ot`
Lu=woztWC
}(L~+V,,
lvH-D}HLr
+L@vWIC[m
lWPS :C
L<?xv0
;^LZ[!
;lZ5X m/7
(m?|0r
m 32As
m4 to 
m5a#M_
m6Az. 7tmB
\M-6;P
m8/^L@u
&M9; 5{
#m9be@'
	{Ma|6	U=bX
Mav'IN
mbmevr
+m`e(}
meX?K~
mF??)#
M)Ffk_~
MG3C!a!_
mG.[Sp3A?3- A
Mhmk8,"
mI~&- 3
?miss	
M`%@,Iu
mjDjPl
m]JKH!
MkY\}z
mot.ycg
MPR.dll
m}<,PtD
mP+'%vdr
MRD?tB
MRMuRRR
MR!u0<
mr@Vbz$b$
mS9sfu
$(,MTF
M*T}nm
MtO$aTx-
M<<t+W
m!TzkI
m?\ueF
,|MUHQR
MulDivWV0^{
*`-M#uSG_
muv)tN
#&MWB)
mxobOP
M<:Z\B
_n$&~"
%~"	n=
N~_^2A
.N`5OeUP
N6Nk0g
?n+7rN
n;Ad};
N(/clr)<Pc
>ncodePoint
nd[l"of
ND[nSS;4
N<dstOeM
|ndwb>(*
'NdwWW
<n<<E)
]n#F +s
*nh1lp
$ nHL$
NHm1Cm
N=iie(
nIQ5X{
N!j|r!
N;Jv`n
	N+( JX
N:jX(aJQ
]"(NKH^
N`<"L2
NN5[S;	
NNCPgR/S
nNMvKFD
N<NWQPUcy
nOICMPK
nPv`~p
#\NpWH71;b[
NSG$"[m%
ntrfd|t
[Nup{4?
Nu[ _q
nVh\p%
nX|+ZD
ny|hv9
NY_OX3
$NYY]%
"NyyhO%
$|*n)z
=NZ+";\
NZyf{CF"+
*o01df
O02{+c
O1n;Wn
O3!dq^S
o5&D| lF&
o7>/15
O9|/LD
`=Oba}Q
ob<(sg6
 OBZ4Q*	
ocation
|oc)y{
OD04">
ODj`0Xf
'oDxE~D
O(=;E]Ij
$O$hm@
oH~~O~
&OiFkz
.\OJ9%X
OKF~^OEryWDa
ole32.dll
OLEAUT32.dll
olhelp32S:phot2Ed\
OLPF'A
O"lUkxk
_o'_m`
~OMA$#R60
OMMITt
^@~oQLL;
Oq*lX;x&H.
OR+EW}	IC
orExitPr:ess6m
ORP`nX
orV6FjN
{Orwe~
=oR+XJ%
.#Os]5
OTD!M6
o[u1uz
Ovohpr%
owbk5W
owStA.UF
oX-Wb?s/@j
/$P1SW
@p3:$j
P!3LRb
p5+Q!N
P6(dhl+
P6N8N:
P>6V]T
PbTbhGlY9
 =p$dd6
PDhF&y
}p\d.P
P%_].E
<p\g(m
PH3LCTdl
<`PH@8
ph.h,v 1.1 2004
_P(J)\
Pj{Q'TO
,	PK.[_
`PNNNn
PN SQuC
p)O@M,
poR>,>
}:Pq3YrJ
@?pqKn
PQ!O>'+
[PRHlWWQ
Pr>$q9
&^`prR<FR
pRTZfv
$pS^5C
PSAPI.DLL
\pSh/%B<W
pssss+
'PST}~D
PSW-{[
PTGJA,
=PtS8\:|
PUp-YG
%\pv)=|
p'V\C_
#p!vz5
.P!;xm
/PxS%(A7
pYHC7h{
p`Z0FA
pZtNxN
P{ZxI7
q36ae	e@
.Q3W7)
Q;4[~,
q7$HSW
&Q8L:w
QbZp}e
,'Q~[e
QfX^%!
"Qh|PWhU
Q:hRU 
QI#@SJ
qJWGOV
Qkkbal
q`kX0<~!5
=#Ql3Y;=
,&=qMod
QmRW0<
Q_ mS3
Q-m<Yz2
}{Q?(n
Q|%(o*
;QQ?.C
Q@QY|20
#<QRj#S
QSB`J%$	b
[qs+^t
;Qt&0p
QT,9"N!W
QUhdG1
QUnRc=[
Q .VjV%P
Q"Vo6L
qv$[Q/
.QVRWNM
-Qw((=
QWnBx|
qX-b+o
Q~zf~*fg
r0f0f<
r1)tH(?
r!76r!
r9\`h|1
Rb(ORqfe
.rbt*r
rdLJkD
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
^r%G3	
r	g$A>
R_hwrF
riX,04w
Rj {8"
rJIQa&
~;~'R{KKu-W
r<l},P1x;
rM3&Kx
r<M|X\|
RNE*X/
<RoE	SF
Ros\Osk
rOx`Uu
RP`h(wC/=
r;pxuO
rR(,0F
@rr;i$@D
rRptxf\*
)R]s7X1
rtvAti
`RU.g`A=
r@uwa<
{<R))v(
r@.vkF8R
r#v$n$rB
rV} z*
Rws7qq
rx.dno
R.y,A\
rY?_Ku
: "Rz$|#
rZ[(kv
RZ`=]	Z
(s	`!.
~S0'"']
s;6.8h
s7v5l@
Sa7t"'Gw
sA*c\Z}
SAExa[
*)SaGy
SaYE$	R
SB.d*SMA 
SbExDf
s@ )bs
SBW+I/
<SCc(Gd
sd%P4V
    </security>
    <security>
S~%{ee
>Seh-M
serObj
,,sF'Z
/-SG8{/
(SGU/y
S[!h(3
<^s@?HD
SHELL32.dll
si/a4&
S$I(G0
SJNPUTs
S%j.Zs
;S,K!\
sks^ac
S/}m8l
s$N@%`8
sn-;B1\`
S	nc	|y
SP663TQ+z^S
=SPjN!
s? Pkernel32R
SQ1LcQ
sq>p9Bi
sR;8cY
sshtFlt
Ss*	K`
\ssssE
S(t@DL
StxZUHd
Sub%CR
s u-Pw'
S\Xh.i.LQLGP
t"  $,
T0K91|Kk
T$0RWS
`t19t :t
t1qtxO8
t2v)!Z
T,40LR
T4l=8V
_t6]t1F
t\<!7x
:T91A(7
t+/9a'
%t9j)@
%TaTa5
taT<f6
<^TBUF
T.'`cI
T^&d%er
&TDRGV{LT
t(@F4|
	tFf#w
TFUURnV1I
TFYY4r1,
tGHt.`
=.t-h8
ThFA2M
!This program cannot be run in DOS mode.
THpV|4Aa
timeGetTime
;Tj|R5Py
"T*Ka1#
t_kR7WEk[
(tKW		
!tlM(9
Tltx|D
\#%tmh}
t};m!o
{!T:mQ
TN,QR.0
t}|o`.
\t odv
<TP<8%
tpdPD	
@t<P+k
T*@P`p]
t"PT gV`%
t"p<$tw
t(QKB6&eN9
<t:rN_
_;trNN
T(@rU[
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
T$Sl7u
`t(s) P
t:SUVW
|!TTD:D
T=tj;Z
t=<>t+M:I
<t!<tq
t=t'ue
(t|<"tx
>TTX-Rr>5
'Tu*=v=`
tV@1 pmB:V
tVcJ8!
}tw`(`
|t@WO&
T|<Wpdy
tX<\tT<
t@?^y1
)(tY<7x~5
u	1$H}
U3_FluginD
"u5GLA
U6 jap
_U:6l!?S/Ud 
^&U];7
!u{~9q
U@A'`2l.&
U(A],C
^$~ ub
uBE( s
uB_SV)]
=UC] 2
uCCyu[
u_]E:`
	/uE4Gz
<u'EBA
UEFGHIJKLMNO_(
uFriSa
.Uf*x_.
uG^	JL
%UH\[{
~u:*hI
uHI8)P`
u%HO[m_3
:uIB]G
uigt`8X-t[
uKVj${ 
u_k:xY
|ulT(d
:(uMxe
U#	N44
Unknown exp	8O{
UojSepOfNov
uP82It5
UQ[_0fN9
UQP*l|m
{UQTaskd
$u/R'yL
US8	, 
USER32.dll
USERENV.dll
USG';2
USo49hx
|u&s>U
UTkX;7
<U@UHZ
uV>s4(@G-
u {WW:
uX(6Z\
=UyE|[
uye|9C
!v0f1`
V[0Kxr
V1LoXw
v~^(.4
v6"dD#@
~v[@6Z=w'y
V.'8<d
v8LS	H
V98BJK)
V9TRL-w%
vamdH.Q
Va)WSX
v-B,f+s
v:bQ_V.
'V	+$d
V'D S@
V{Dw'E
vE`dh+
*~vehR
*VERB){
VerQueryValueW
VERSION.dll
{!vFP0
[V-G24R
""V'gG;5H
VGWT<$"Ole
v H6}o
VirtualAlloc
VirtualFree
VirtualProtect
V(J?6m
V}jg,2
V	!Jm4	
{vju<.
} vLu)
\VlzH@
V&MOi}q
vn"rW7
~VNv~/
v"O	b-S)S
v O@DO
vOHC+t+=(
VoI$<:
vo\[j2G
/`#V+:^pd
VpyM	B/
vQLgIT
v\q^O+]8
vriPM|
/Vs(,KW
V\T9^h
vtFPFVQ
v)U-74
v:u8iB
VURWM	
v!<V\H
;Vv	N+
V[?w2lT
v WWMV\
VxbyoD
vYQ10>J3
V:Yt1j
V,Z(jA
@%W$+[
w{1tst
 w1z@C
]+)@W2
%^^W4?om8
&@W6u(
w76V	,
{w~8Am
W%&bN3
WDFIum
$|wd<'nm
W`FA2Um
w/FkA7
WFU@+z/
_W{g-T
WhRGx"
wI6c{s
WININET.dll
WINMM.dll
]%wJE#
w.n~/3>[
WNetGetConnectionW
~_WOg<
WON4RQP
?W]!ou
w/	>Qm_
WR~Dj(
Ws${bl
,WS( d
Wsjr_e
WSOCK32.dll
WT7J@l
wtSx#|
WUE!L@
w{UU_D1HcLT.
(	@WW6
w wYpYf
|]wxy|	
WY*.dj*l
X=0G!j
.x!0j=
X4488<4p
XaBSWcnh
X"}Bll65
<,"x=C"`
X\Cd8t
XC-_e\k
!XC et]~
x)CVQ+8V
"*|xd>0
xd5$WiQ
X^}`^dG
X\`d}h
xe(yE.~eM.
x<fbADL\*
Xfl[/'
x^fv!OW
xG8j@T
xh=Hpj
X;hOU''
xh\PDy
xhTD<jE
x||I1]
XIcY;j
xjoKBgta
'XjO #{w)	
xkbt@{
X;K=C$
,]xlva
#'XmD/
x/mY-Pp
X~NVRW
XpDL}Cu
`XPPQR
XPTPSW
XQ3X9}p$
x%	 Qj
\*`x|Sh
@x,sN8|
X_TAX/+
 xTq][/
xtT|9.<xx4
=(,Xu&
-#XuK:
xV~;a 
XwK\By
X.X1G}
Xx5m~]
XXYYZP
~\&-xy
xyz{|}~
xZJoEN
.;' ;y.
Y0#8 #
Y16UIJj
[;y1	7c
!Y38=x
{y$`4fPi}Ge+
>Y][4H
yah_Lih
Yap&$\"
ybXj )
Y. CcM
y DJcrip=>B-
yFFN.S
yh@xD8#O
y,(iL-BH
<+;y<J@J
$^_y_n
Yo@&PEh
 yotW(
Y':p''
;y`p2i
ypZXL2
[Y!|q_
}y%:R^
&ys:<$?
y<%tAP
<y{t]bR
<ytXyX
@$Y+>U1
!y`#uT
YYYF)GYM
~'Z>2?
<z3Dat
z4{GQCF
Z|}AA^S
Z^bfFf
 ZClB|
Z`DeI~
z\d_hy^t
Ze|kn.
Z+	E<)pS9
Zf'hdx4
zF#op'
ZG6o}y8
zGx>W-
Z:HE[l
-!zHH:mBb
ZjFNsu
ZJF"Zj
$zLNNQ
zm@$h.
Zp?bry
z.Q_)c B+
Zr0u1XLS,
_	Z]sQ
ZURNcu
zvo_OG
Z!W0;M<
`\'ZzPE