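Analysis Date: 2014-01-07 01:24:40
MD5: 59d3de78c2d08737192.168.1.2e1a5c911 (corrupted as published: the value contains an embedded "192.168.1.2" and is not a valid 32-hex-digit MD5; identify the sample by the SHA1 below)
SHA1: 680d2c2837715f08e57e4ab8e83326d45f4f978e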

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section: these are the MD5 and SHA1 of zero bytes, so they match any empty input and are not sample-specific indicators)
Section UPX1 md5: 639f63ec41d84e83a5faf607f0ab99a3 sha1: ee718b1e583274880a0442e0a983c927a39c1813 size: 506880
Section .rsrc md5: 5709529ec647f4fc24fe82b78d72876b sha1: d46f4eea728f0f493e1259c874a490fe7258f2f3 size: 8192
Section +u. md5: 122156144e06a0154fa22332cbf2d5f2 sha1: 1e6c2c60996632a4b502b0e381daea120b7c316d size: 16896
Timestamp: 2012-11-08 02:24:14
Version:
LegalCopyright: 网吧语音大师 版权所有
FileVersion: 8.3.0.0
CompanyName: 网吧语音大师
Comments: 网吧语音大师 版权所有
ProductName: 网吧语音大师 客户端程序
ProductVersion: 8.3.0.0
FileDescription: 最专业使用最为广泛的网吧语音服务软件。
PEhash: 71fcc95a7de6fba91296b9f2cebff04a56841e23
AV (avg): Win32/DH{ADUeeSVXTmQBNiBBDxMufSI}

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\680d2c2837715f08e57e4ab8e83326d45f4f978e ➝
C:\malware.exe\\x00
(Run-key autostart entry; the value name is the sample's SHA1, so the entry name will differ for other samples.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qgguSY.exe
Creates File: \Device\Afd\Endpoint (a Winsock socket handle, not a file on disk)
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\qgguSY.exe
Creates Mutex: LBSclient.exe
Winsock DNS: bbs.hylbs.com
Winsock DNS: www.hylbs.com

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\qgguSY.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\GTplus\Time ➝
NULL
(Note: "Creates File" appears to log handle opens as well as newly created files, since the list includes the pipe PIPE\lsarpc and the device \Device\Afd\Endpoint. Entries naming existing program executables therefore do not by themselves show that those files were modified; compare their hashes against known-good copies to confirm.)
Creates File: C:\temp\files\AcroRd32Info.exe
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\qgguSY.exe
Creates File: C:\temp\files\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\0cdc45a4.bat
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Network Details:

DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
222.216.190.64
DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
61.155.149.85
DNS: dnspod-free.mydnspod.net
Type: A
54.248.143.107
DNS: dnspod-free.mydnspod.net
Type: A
54.248.82.230
DNS: ddos.dnsnb8.net
Type: A
DNS: www.hylbs.com
Type: A
DNS: bbs.hylbs.com
Type: A
HTTP GET: http://www.hylbs.com/lbs/pclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/pclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://www.hylbs.com/lbs/popinfo.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/popinfo.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1033 ➝ 222.216.190.64:80
Flows TCP: 192.168.1.1:1034 ➝ 54.248.143.107:80
Flows TCP: 192.168.1.1:1035 ➝ 222.216.190.64:80
Flows TCP: 192.168.1.1:1036 ➝ 54.248.143.107:80

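Raw Pcap (each dump begins with the client's HTTP GET request; the HTML that follows the request in the later dumps appears to be the tail of a Microsoft-IIS/7.0 error page, "No such file or directory", rather than part of the request)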
0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73652e   GET /lbs/pclose.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20777777 2e68796c 62732e63   ost: www.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a                         om....

0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73652e   GET /lbs/pclose.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20626273 2e68796c 62732e63   ost: bbs.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a616e 642e3c2f 703e0a20   om....and.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 696e666f   GET /lbs/popinfo
0x00000010 (00016)   2e747874 20485454 502f312e 310d0a55   .txt HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000030 (00048)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000040 (00064)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000050 (00080)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000060 (00096)   31290d0a 41636365 70742d4c 616e6775   1)..Accept-Langu
0x00000070 (00112)   6167653a 207a682d 636e0d0a 436f6e6e   age: zh-cn..Conn
0x00000080 (00128)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x00000090 (00144)   76650d0a 41636365 70743a20 696d6167   ve..Accept: imag
0x000000a0 (00160)   652f6769 662c2069 6d616765 2f782d78   e/gif, image/x-x
0x000000b0 (00176)   6269746d 61702c20 696d6167 652f6a70   bitmap, image/jp
0x000000c0 (00192)   65672c20 696d6167 652f706a 7065672c   eg, image/pjpeg,
0x000000d0 (00208)   20617070 6c696361 74696f6e 2f782d73    application/x-s
0x000000e0 (00224)   686f636b 77617665 2d666c61 73682c20   hockwave-flash, 
0x000000f0 (00240)   6170706c 69636174 696f6e2f 782d7369   application/x-si
0x00000100 (00256)   6c766572 6c696768 742c202a 2f2a0d0a   lverlight, */*..
0x00000110 (00272)   486f7374 3a207777 772e6879 6c62732e   Host: www.hylbs.
0x00000120 (00288)   636f6d0d 0a0d0a6e 642e3c2f 703e0a20   com....nd.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 696e666f   GET /lbs/popinfo
0x00000010 (00016)   2e747874 20485454 502f312e 310d0a55   .txt HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000030 (00048)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000040 (00064)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000050 (00080)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000060 (00096)   31290d0a 41636365 70742d4c 616e6775   1)..Accept-Langu
0x00000070 (00112)   6167653a 207a682d 636e0d0a 436f6e6e   age: zh-cn..Conn
0x00000080 (00128)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x00000090 (00144)   76650d0a 41636365 70743a20 696d6167   ve..Accept: imag
0x000000a0 (00160)   652f6769 662c2069 6d616765 2f782d78   e/gif, image/x-x
0x000000b0 (00176)   6269746d 61702c20 696d6167 652f6a70   bitmap, image/jp
0x000000c0 (00192)   65672c20 696d6167 652f706a 7065672c   eg, image/pjpeg,
0x000000d0 (00208)   20617070 6c696361 74696f6e 2f782d73    application/x-s
0x000000e0 (00224)   686f636b 77617665 2d666c61 73682c20   hockwave-flash, 
0x000000f0 (00240)   6170706c 69636174 696f6e2f 782d7369   application/x-si
0x00000100 (00256)   6c766572 6c696768 742c202a 2f2a0d0a   lverlight, */*..
0x00000110 (00272)   486f7374 3a206262 732e6879 6c62732e   Host: bbs.hylbs.
0x00000120 (00288)   636f6d0d 0a0d0a6e 642e3c2f 703e0a20   com....nd.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
080404B0
8.3.0.0
Comments
CompanyName
DEFAULT_ICON
FileDescription
FileVersion
IEXT2_IDC_HORZLINEMOVECURSOR
IEXT2_IDC_VERTLINEMOVECURSOR
IEXT2_IDR_WAVE1
IEXT_IDB_STATEIMAGES
LegalCopyright
ProductName
ProductVersion
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VS_VERSION_INFO
WAVE
<-|~'[
<[}{,<
,-,$.?
,(((((((((((	
!!!!!!!
..,),.
..,),...
*..........,
0&&4f~
 (08@P`p
}0<B~>
0b123'
{+0\]C
>0^E$/@^1
>0et`e
0fCtGP
+%0g%p
0h7/~b0
0iH6$(
0mm;rF
0=MolI|
0oGYvP
>0P?K?
0{s#$~TN
0|tart
]_0TftS
0]WCda!
0wc_d;z
0wwhLD
0xIJD/
140gSB
14{#fjf7?
_^1}.7
.1dpg=D
1eA\FC
1E_nfXj
>&1h"423' 
1i7neg
1.jh0&6~
&1MQN_
.:1@N7.	
1~*@O^
1#QNAN
1r8U^/
27bb20fd
29{&D<
2Bm[k^>P
"2BRbr
2cBDFD7D6
2ffs#S#hC\
2`[fW^
2FX]axN
2{.#g;>
2Ie7+h
2M+-'3
`<2?P<djR
2q(F-Os
2S]GpS/
\2`(t\r
2~X>~6
??2@YAPAXI@Z
%,3:;4y
3+=~ cg
#+3;CS<
3dvddUO
:3f>&C#
=3Ll&:
3M4|VN
3p)(	5
3r3T[z
3u>JZT
3v7E0u
]?/3	W
>4.,,>
40O0	r
4_1%%,
45e4be
$4$_b~
"4C&R~V
$4DTdt
4eyzN7
4J~u{R
&4M6Y{
4NRV5C
~4s4A&
|?5^<@
50o (8PX
#515?5M
52F2600l05
57TFR*
5,8.d:
5B7p=F
=5cz#%
-?5f&V_9F?
5gg'1^
 >5	gJ
@5(#-J
5p6Vvi
!6=;&,
6=&#`,=	
\~>619
{"626	
>:62.*y
63{)W* 4
63;Y7.uG
6.57Ax 
'66~i`
6|(7F.
6A/B)}O|
6ag`e#v
^>&6Ay(
>6BV8f@
6F+p^ 
&6FVfv
6f^[.XK7
6/gif, 
6JvZH.L
6m.BjJ
6M:ew]2
6OQgtZ$
|'6Ou}
,6Rk,:!|
6&Sf~e`=
6v@Dc#V=
^6^VEG
6VHOST
,<6vY3
6X~?%!T
6Xx(o^
(6	/ZS
7''$#}
721B4N
 76Zc^
7|7^2k
&!78'4
7c/47-
7d(:7 :
7D"9$7
>7feWS)
7FNFwY
+7/	iD
7k:N]mX
^7mo)Lp
^7_;mw
7n"`nR
7oaYf.
7OPT,(
7pp2R>L
7rN5gN
7Y+	+C
7/Yx	`V
	8 [[@
81^FDt
^\82qj
"	(<85
86#947iD
8_amRH
8<c@<[<
8euVL;
8/~)^fi
8fmod_hyPte
-8F-r%E
(8HXhx
8	Nv4~
.~8Oc^
8U$_%_
:8UzGKB
8W\FQxl
&8xNTbb
)964RJ
9^7!<f
;:9''''8765''''4321''''0/.-'''',+*)''''('&%
!9, %8Gri>
99_196r
9c5B1(X
9D_@8D
9`DhD/
9d(hF:
9@~Dj!hF
&*9e\cR
<9G9R9]
9)JnS&
9~NpRO
9r:^(U
+9U>UO
&'{+9Z
~a4I{B
~_]a`6
a^/>+6
@.A6B983789F62
A6Hf.&
a8a>^~
<^a^a3
A;d6iSN15z
.adata
advapi32.dll
ADVAPI32.dll
A%et='.r~
^.aeVD
,A#$f4,f
a^f?e{z
_AFX_NO_SPLITTER_RESOURC
AfxOld
AG/;flV$
A|;I>7
aj6G!kFN>
a_KF7d4
ak_'z_
an>>J_
'ANTB|i)7
{AON"O
&AP`a:G
Apry&unp
A~Qa&RFg-
A"R_j"
.aspack
a<Thbd&n
aTV`\W8
auxO1_
}a__v 
a|@)@V
?Av:%B
AVEfmt 
AVIFIL32.dll
AVIStreamInfoA
	aV.v"c
A__[WVX_
a/YaH)
@b1h.lu
B2y^1_
B33ECF
b(',4%6
b5^+7&6
B"6EWw
B,%77Mi
B8;QcZ
b9&>>Hi
`b:@/B
Bb^3^X
B>]C4<b
Bck_/i`W%hfa\
B&dDRg
BD[gE1
be^fBX
BefJ<Z0
Bfn#>d
bFND80AA4
b>Fs`jR
*BG.Da
>bhcoF
BHzZ8e
bIvvWg
BJPa	n>'
bK.^Q&
#.bKUZ
BLgium
b=LO.?
BNNNg'
BTYGJif !Sd(
BusySh.`
Button
BVfzH,`
b^vgW%
BvNeu_O
b*WV_A
BW)Wn7
B,x>&)
BX~&F=
B.!XQ!Zd
b)YU?f
c2.txt
c3:Js	
C6&T*nxG
~c6Vp$GR
":c7`^
#?[?C7
c!<7/!gdvf
C<8H`/
C:aA&eCqm
^}^c]C^
~C?c/P
#CExtD
CHCXzq
ChooseColorA
cHRMgA
<CJQ_PD
|^c+L~
cLGl[B
c/l>>m
'CloseHa>leyCoI_
ClosePrinter
\CLSID
-CnlR+
col\St
COMCTL32.dll
comdlg32.dll
 Copyr
c~	OvI
~*c?p.
c'q[O]\
??cQx1
CreateMu
{[cS9Q
c<soft\
]c,)t[
CTYPEd
cVbi!H
cvM*%L
c__[[W
CWBKIi&6W
cWh;R(&
c`>XJ4
"cZ0^'
!c'_zh
''''d$
!~]D.@
.(D'&_
%>;'D^
d09f2340818511d396f6aaf844c7
^D1mfl
*D\9N+vk|f
DaEn^'
d>b6Kk
Dbi,6l
-~d<[c#
~\D}Cv
dCW#WeRO
[dd@@?
Dd74l 
^d /!]$}.(F
df#8E.N^N
	d_G4H
DHDV>1
/~d$hh
di'^,lPH
DkpLd7vb
D^ktopWdow
dleAu7
;_DLL) || 9TA
Dl_MemVyS^
dlTc&#
\d/@M`
d(;)O~9
d;peO6
~dQuz*
DrawDibDraw
DRIFF@l
d`S>rd
d[U'yj
"^D=^v
&&dvVT
&.DWbO
dY%e`?
dyWlE.
DzjR4>
:DzLNZ/
`#;^e$]
#$_@]E
E2<2wz
>E2eMO
e&+2GI
E4<QDn
E6lew~
E`6VLI
e(936kend
_ 'e9G
eadb`]_x
eadpzh-c
+e,Aj.7
eapoO7jtz
ebb.;a
eBbf.p,
';eC_]
*e<_]F~
 Ef.-/
EF`xV3
EGo|=j
egZOAR`f
eHanu@
~; eiUD
e/?j'N
%`E!n!
e=QF.+	
ES_ G?
esRewG5
e=s)Wo
|.&e/T
Eu-c .
E@~VdjO
e_VOgGj
ExitProcess
eyVN<t
EYZb#Z
ez<Ps'
/F@0Fb
 f"$1&
/f}1my
f_1?ZAD
~f	2bY
|}f2G >
f2lW5R
/F*?3m
f4ljc|.
F5gc"p
/F&6D]
(f6#UA
f7e0~0
F7FC1AE
<f8n`=o
F8oI13/
fail!g'b
fBe&}"
f~B	g`
fBh*Co5
>f.Bhn
f%B">lW
~fBo,>&&M
F	B^^Vd
fc7F7}
FCN^wl
fCSwitz
F|eg@u
f}f' af
ff/gK'
FfHNVFJ8
f^FlPom?k
Ff)<lU
f_gA|?
?fgjmBV
fgpFZ8
fHa1Dn\Z
F'"/he
Fh,W7gG
(&fI)2>
*F@%j<
Fk6b0'
fKb3~w_
">FlID
F!Mc5^S
fmDlz&
:f\n0V/
fne*V*J
!FNNxSO
%FN~/v
^fny^|
F~O7S$=
?+FORy
;$?F$Q
FQ.iFC
fr/f95
F	s+B(|
&FT0Nd
+&fT6j/X
FtpGetFileA
,ft=,<Y
fU!	=U
$]fv7v
=F{v8	
^fW'@O
fW"Wk%P
F:x;nn
f>y5=`_
.	g\^|
g?0mK;
&*g0N5,
{'g2}U
}G	8>$Ne
<g9B4V_
#G++9+G+oM
>GBx!\
>gcgR}
`GD?0.
GDI32.dll
GetAdaptersInfo
GetModuleHandleA
GetMuR
GetProcAddress
GFrom7J
G+FsIV
G*G=$2
#G^@=H=S=
;gH_SCRO
g..,|/I
@GIF89a7
(g.J)]
GKKOO7}&
G(Last
G$/lkZ
GM@&cD
!G,nEp
g.NKkA
G>='NpL~
%g#[O6&b
^GOaMn
_`G;OK
GS*7fV
G/t60"
GUAGE 4, #pragma coH_p
gU}lm$
`	GV4I!
~.gV~B
,&gVcY
g'w1!<
`	<gW i
!gXW[0G'F>\
GZ-2QF
gZf+TV3
g]ZpSV
h6l Dlg
hB%<&'
H>B"^S
HcGs.n1
HDBW>!
|;^He/
hf@dP3
]#HFf9
?H]">/FT
@{hGOLE=TRACK	Lk
hGwq}wz
HhnO*ON
Hho9'^o
hjfR^M
=H'JGz
%;Hji<
h?!K^./
Hkcw'?7
hlBT7!2
H~l?>Em
hlX'w 
>Hm?7@
<HN>@G3+o)
h*O*OJ
 hp6fZD
+@HPE'W
h/pOxo
H"pSizOA
HrCg@b	g
[Hr,gJw
H=ry;40o\vY
http://w.hylbs.com/
h~'Vkk
>!}!H~?x
HX|GC~
Hzchiv
)}I<?"
{i~^6Zv
Ia_C.v Q
IaLH.h
iBs'V}
i$c?'_
+I/CXP
>>i*E>
.ieiXT
IEXPLO|.
ifpDTWj
.IfxV_M
IGHTDOWN_ 
iGl.chs\S
*>I(gR
IHDRIDAT
iIMXWC
iJ~6e?`
}/iJYg
i:~{K"
}IKf|"{
+iL`$L
ilm'^U
IMERNS
INW||+
iO0q"e
io;ass#r
?i`>Of
;~iO]H
IoiL>_
ios::eofb
iphlpapi.dll
&I(	>v
Iw7}0K
IWC&c=
-i)wd$
i~*?..x;\r
^:_IzD<
%'`j1f
J6lTbi%
`~j_7mn
JAND[f
J=DH`N>
+JfV~8
J~gN"W
jiGJ09
j*,+kQ
:JM2V@
jN2^-d
jnn:) 
*J.nR02
Jnz02	
j'~^;o
J	O;^Z
 	.	<	Jr
jr;yGf.
j<u?F!E
Jv)$>~
"jV~pb
Jxa@G~
*:JZjz
k0F~~V.
k3.ROL/
k 6Unl
>k7;K]
k*8D#bi
kbq:&~6
~K; d/
KDBEAF=
kedcrve +De
kernel32.dll
KERNEL32.DLL
)kH;KCNot
+;K[k{
kmOCXwm
k+Op@K
kplh^&
;?K|PT
kpTX2$O
k,rd{G*
`KSg7$
kV^<=i,$_
 "kXj[
kY0}gv
*:"K@+'Yg
/*=*K*Yr
L6oV.v
-Langu
LBFFFFBCCC
L}%_cl_
:l>dvX/
+-.LEW
L#g^SJ
l"kAJ^
(Lm$>/
L}mNTP .
&lmoUXiN
LOADER ERROR
LoadLibraryA
+ LOO.
Lq?--o'W
lvleaS^v
lWG/*W
lwnCZ@
L&=/Wo
M?0nh|
mbed[v
mbolTip%
mck(W/
McWR;b
MessageBoxA
Me@v[\f
M)\.F>
MF6b`P
Mg){$d
m_gRWC
\MGs6&
?)M)[)i)
+Mi~6$
-=M]m}
MMY:8%
mn^6z`
{mo?F&
,mote_s:
MouseZ
"~)M'r
[m|rl_DZg
'|'m[s9
ms%M3Vf
.MSVCRT
msvcrt.dll
MSVFW32.dll
Mu8	_.
mV4\Qa6
mWh,*B
Mx	M'6>
MZ_m$54
^}\?;}n
|!)>n"
_N*		~
(n'.0	
N| 1!,
n#2NNB
n.4j^?
n5ObV*&
n5y5lE//
N61&OV
n6R,Bf
n6zt4MP
 n7q1L
N86S<{
N9Cf-+D}@
N&|'B&6&
N<B/6U
nB@b	g
=@	_nBFS?
NbV!ne
&n$c.%
NCWgPPC
nd>^48
NETARY
\Nfr?	7
NF^$T,7~
nF"T(N
.}	ng'
<ng6/"
nGFV19
Ng>jG:k
nh65I0^A
N	_h}a
`	<"nI
(NLDb[G
!n.L-w%:R
.>N^n~
nnameGS
nn>dwB<
NNNNf&
Nn*NVZ
N^NO.O
n~\=[o
nO6Vq(
N[OL~f
N@O&lz
nQPO:*
nRAj	H
Nrb&|+
NRkl'T
};nRV6k
nSJ	~&Fl
NtFEn7d.E
_NTR+~&c
numDisplay/,
NURIC'MO
Nv[85c
>N	,VO.
n.	]|w
N/XU?vF
|n y O8
N(+Yw6
N:Z<~ld
{?N_>Zw-
=%o5TV
(o?60V
/o6std
O~7d!WV
o7S&*V
`O7TnBN
O8~Ad!i
o8'-d#
o8%W?L
o\aA6.
od7chxS.h	
\{OdBw
oduluI
OfENC&o
OFTWARE\Mi
$#Of\V]
OgCkB7
o/gZ.yY
o@i@1WEl$ 56
\OKki&
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
}O! LL
omPoiu
On8DZF*U
OpenProcessToken
OResourG6
'OTe$'
O*TLlv
ottial
O~<U@!
.'O$uEs
:O>\Vv
_@|OW6T
o w_gF
o}+w},l
O{:	XK
(%_O)z
=^OZ'ws$
P'`'|$
p	]02>
P[03Wb
p0@P`p
<`P@0"y
p2!~b8@
@P)4~E
P*6}%V
P7D;\<
P?~9V^
PatBlt
PathFileExistsA
paVble; MS
\Pbkj6 
pCALspHY/sBIT}
%p"_CY?
P.	ff6w
pGC^7.-
pGdiWF.
~p!]GlS? 
^_p*HP
P#include "afm
p`IsIconic
PlaySoundA
pNoPDXD
p-~N-V
portedExce
pow>pZ
{~$PP'
PPDpPD
+Pp%t5
pqABCDEF
Prd<)'
P^rP/`/
+ PT6\
>PUTEAD
P{Vc~_
"pv-e?
 _P!/v*F{`
Pv_l6)D
P%vv&>Lr
P:'W4<
pWN'IF
PXVO^^pn
*"Px$w
pxyn''
P^zcch
pZi1^n+oJ
|qEiLG
!Qf+BN
QH"X"s 
qin9H/N
qiQ>~&
#]Q)/=J
qj5IQX
Qkkbal
q>P>dg
'Qw41`
Q'{w_n
QWn,n#
Q?X@a2m_
Q|XRWV
q\/YBfg
,?.|:R}
% R$?:
$#R6028
r87AF8"A3
RASAPI32.dll
RasHangUpA
Rbvld?7
R	~CmdT"
RCN8d.n0
rcpynFDu
.rdata
RegCloseKey
.reloc
Rfd[P~
r&fF2o
[Rfg_p
RG_CHS)q2
R{gFWa
{RJ`??
rjbZRNy
rj\N>4
-Rk:] 7
~??RkmQ
Rm2|~V
-RM=W@
.^RNdx
RO  0z.
_@RQr G
RS'>Nm
}/rW G
R"Xtn_
]rXVc<n
ryA;)UB
+~^?r;Z88
Rz.b~V
s\Cur&
Sd2#aH
S e=Ff
.s-ehX
SetProcessWorking Sioo
)^s>f@
sfa#r~
Sf /I;7
"<S.Gl
sg-v[4l
shell32.dll
SHELL32.dll
ShellExecuteA
SHGetSpecialFolderPathA
SHLWAPI
shlwapi.dll
^shockwa
SING^OMA/
sion\ru
SL^Objf
S'N)dY_
/SO4GW0x&
so?_n'
S]'tU]OpU
!SuperBtn
SV6}?S
\:Sv:N
(>SWC)
S>z,@E
SzLW&O
t4&*?6
t^d?Fn(
T=Dg:P
TDrawD
te"qK'
@tFJ>u~
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
(=Tk4~f
tLJ|L#
T?m=BZ-
Tn;H8xVo
t	o?XK
'tOY_=
?'tPfa
tT8$\A
T$UBR4
;t,WFo
TWgVdg
! t/XN
TXtoFFs
tz>\Ca
?u='@^
^=u^3,
!|u 4%
u5^i$y_R
u6AQVj
UBJw_'
[U/^ea
^&	Uel 
[UfFG*
UhlushUBuff 
URLDownloadToFileA
urlmon.dll
user32.dll
USER32.dll
U.S;sJrT
UX2%SG
UXJNec
}~"v&	
V$_%__
V0AVIN
^v1m_A
V2+2	Fj
V2<$|g
V2&/H;
v.3b0D
~v3k,f
V4_N>8
v`5|sbw
 V7viK
Variaz
Vatch`Cl
]!V_bk
vc_hb^
vC)?%`v
vd0_.""
 ;/VDA
?V "_ e
ve^,hN
VerLanguageNameA
VERSION.dll
:?VfOn
{Vg(9>
vgcM>ENV>YX
Vgf7v6^
VGv;ai`
>V(	H5
V'hc.f
V:ia(<h-Gc&8
VirtualAlloc
VirtualFree
VirtualProtect
[| VisUC++ RALi 
v>%IUi
&\v@iy
\vJb\0
vjbF:N2B
VL>\<_
vLbfKn
'|\vld
{vM5f>
v',mtR
	\vN 0K
VN63OY
vNNNN=X
VnO2|w
vnwd#VA
Vo=Ab^
vo"G?!m
VOIV;VV
"vPVo}
V?R	,ds^
vr+eAW,7
V^<T-5
]vT54:G&
_	VTISPLAY
_V%#U^2
`vV#	_
V>Xn`(
VYS7F_lP
-vz&.1
v]Z_{].V
vz/|_W
^>W[&{#	
];?/^W
??#!#W.6'h
>W7	g[~[
W7hC!X|
,w_b_.}
w&b.`*
;WBbnR
W\{BeA
W!CH|6
-W+%CouX
wCvJo.>
w@CXxp
?w"^D{
>Wd8[\
wdhgn~0o
WebBrows
<w' e}K
wff.!&
wf_"ff
!`WG}$
$Whry!
WININET.dll
WINMM.dll
WINSPOOL.DRV
Wn1:Fs
!_"wnG
|Wnnb[
.wNz/vW[
^~(#Wo
Wp	DT<
WpNlJ>
WpV;,0,271
WPW-mF
Wqct q!
WQo-c@__
WS2_32.dll
wsprintfA
>W/?Tl
WX>NVE.
wXQ>7\
wY7lt;
x?4Wr^
x7aDlgG
!	x^aU4P
XBC[?1Fk
xe(Mozilla/4.0 (
+>x.fk
	X	f	t	G
X	hzgn
x,j`|>
`x,k3N
`X?Map}
X;N13q
XnGR&D
)xp=A7
XPTPSW
Xr\sLabel
xTd|JcW
x%vjBz)
Xv~V6P%~
x>[Wi>
x-xbitp!
X{XoX3)
Y$1`u 
~y8DK|
'~Y]=9
ydUNLIN
y>E:K{
y);*F+
^|YjdYV
yJFB>:
?YmVrjD#6|
yn]'5Tz
YQUVGF
{yR*'*
ystemInfog
^YVjVo
,yyB./
Z2\.^8
&.?.z4
Z58b0\F1
ZasHU`
Z^<~BN
zCcWp|
`@ZF1I
Zf^3ms
~@ZG&?
/zGh%I?
}~z&gn*&{
Zh&wP}M
z|.jG}&D5>
:Z%}?l~
zM8h(FF?Z
znbVJ<
/:z_*(Ns
Z|ntnO
zo;JK>
zS>\B.|
Z Stapard
Z\ta$7pro#
Zt|^=D
_z[x$^!7
zx:Dnx
zy:*~7
zz?\N.
^ZZ{QMv
ZZ/yT!