Analysis Date: 2014-03-14 16:46:13
MD5: 0bbdcd764a5e2cfd2a9aec16acffe7e5
SHA1: 8faa7729f6ca569e9360fa63a134d81c4837b6ef

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: be2f0d19f200a3cc0705c6c796f7b964 sha1: 0aeab8b36392771d8289f5580c880e636416dc6b size: 527872
Section: .rsrc md5: 3c15fe67d101d228884bbf1e86f1bdaa sha1: 97a28f2b9910db65cedb7d63545be6b35eded286 size: 8192
Section: tu md5: 4f0e0bb99b1762017dd4db2bc1e10250 sha1: 14541de438d3f2199888532a7c84e86572b9421b size: 16896
Timestamp: 2011-10-13 07:40:10
Version: LegalCopyright: 网吧语音大师 版权所有
FileVersion: 8.2.0.0
CompanyName: 网吧语音大师
Comments: 网吧语音大师 版权所有
ProductName: 网吧语音大师 客户端程序
ProductVersion: 8.2.0.0
FileDescription: 最专业使用最为广泛的网吧语音服务软件。
PEhash: f766b0b6757b7fcaa037ab9157c0caa7556530fb
IMPhash: cd73c1832579ec475a66859f92065808
AV: avira: W32/Jadtre.B
AV: avg: Win32/Wapomi.I

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\8faa7729f6ca569e9360fa63a134d81c4837b6ef ➝
C:\malware.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\YMmwmu.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\YMmwmu.exe
Creates Mutex: LBSclient.exe
Winsock DNS: bbs.hylbs.com
Winsock DNS: www.hylbs.com

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\YMmwmu.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\GTplus\Time ➝
NULL
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\temp\files\YMmwmu.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\27f97605.bat
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Network Details:

DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
61.155.149.85
DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
222.216.190.64
DNS: dnspod-free.mydnspod.net
Type: A
54.248.143.107
DNS: dnspod-free.mydnspod.net
Type: A
54.248.82.230
DNS: ddos.dnsnb8.net
Type: A
DNS: www.hylbs.com
Type: A
DNS: bbs.hylbs.com
Type: A
HTTP GET: http://www.hylbs.com/lbs/pclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/pclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://www.hylbs.com/lbs/popurl.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/popurl.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://www.hylbs.com/lbs/miniclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/miniclose.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1033 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1034 ➝ 54.248.143.107:80
Flows TCP: 192.168.1.1:1035 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1036 ➝ 54.248.143.107:80
Flows TCP: 192.168.1.1:1037 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1038 ➝ 54.248.143.107:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73652e   GET /lbs/pclose.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20777777 2e68796c 62732e63   ost: www.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a                         om....

0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73652e   GET /lbs/pclose.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20626273 2e68796c 62732e63   ost: bbs.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a616e 642e3c2f 703e0a20   om....and.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 75726c2e   GET /lbs/popurl.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20777777 2e68796c 62732e63   ost: www.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a616e 642e3c2f 703e0a20   om....and.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 75726c2e   GET /lbs/popurl.
0x00000010 (00016)   74787420 48545450 2f312e31 0d0a5573   txt HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000030 (00048)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000040 (00064)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000050 (00080)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000060 (00096)   290d0a41 63636570 742d4c61 6e677561   )..Accept-Langua
0x00000070 (00112)   67653a20 7a682d63 6e0d0a43 6f6e6e65   ge: zh-cn..Conne
0x00000080 (00128)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000090 (00144)   650d0a41 63636570 743a2069 6d616765   e..Accept: image
0x000000a0 (00160)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x000000b0 (00176)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000c0 (00192)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000d0 (00208)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000e0 (00224)   6f636b77 6176652d 666c6173 682c2061   ockwave-flash, a
0x000000f0 (00240)   70706c69 63617469 6f6e2f78 2d73696c   pplication/x-sil
0x00000100 (00256)   7665726c 69676874 2c202a2f 2a0d0a48   verlight, */*..H
0x00000110 (00272)   6f73743a 20626273 2e68796c 62732e63   ost: bbs.hylbs.c
0x00000120 (00288)   6f6d0d0a 0d0a616e 642e3c2f 703e0a20   om....and.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f6d696e 69636c6f   GET /lbs/miniclo
0x00000010 (00016)   73652e74 78742048 5454502f 312e310d   se.txt HTTP/1.1.
0x00000020 (00032)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000030 (00048)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000040 (00064)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000050 (00080)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000060 (00096)   53563129 0d0a4163 63657074 2d4c616e   SV1)..Accept-Lan
0x00000070 (00112)   67756167 653a207a 682d636e 0d0a436f   guage: zh-cn..Co
0x00000080 (00128)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000090 (00144)   6c697665 0d0a4163 63657074 3a20696d   live..Accept: im
0x000000a0 (00160)   6167652f 6769662c 20696d61 67652f78   age/gif, image/x
0x000000b0 (00176)   2d786269 746d6170 2c20696d 6167652f   -xbitmap, image/
0x000000c0 (00192)   6a706567 2c20696d 6167652f 706a7065   jpeg, image/pjpe
0x000000d0 (00208)   672c2061 70706c69 63617469 6f6e2f78   g, application/x
0x000000e0 (00224)   2d73686f 636b7761 76652d66 6c617368   -shockwave-flash
0x000000f0 (00240)   2c206170 706c6963 6174696f 6e2f782d   , application/x-
0x00000100 (00256)   73696c76 65726c69 6768742c 202a2f2a   silverlight, */*
0x00000110 (00272)   0d0a486f 73743a20 7777772e 68796c62   ..Host: www.hylb
0x00000120 (00288)   732e636f 6d0d0a0d 0a2e3c2f 703e0a20   s.com.....</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f6d696e 69636c6f   GET /lbs/miniclo
0x00000010 (00016)   73652e74 78742048 5454502f 312e310d   se.txt HTTP/1.1.
0x00000020 (00032)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000030 (00048)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000040 (00064)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000050 (00080)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000060 (00096)   53563129 0d0a4163 63657074 2d4c616e   SV1)..Accept-Lan
0x00000070 (00112)   67756167 653a207a 682d636e 0d0a436f   guage: zh-cn..Co
0x00000080 (00128)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000090 (00144)   6c697665 0d0a4163 63657074 3a20696d   live..Accept: im
0x000000a0 (00160)   6167652f 6769662c 20696d61 67652f78   age/gif, image/x
0x000000b0 (00176)   2d786269 746d6170 2c20696d 6167652f   -xbitmap, image/
0x000000c0 (00192)   6a706567 2c20696d 6167652f 706a7065   jpeg, image/pjpe
0x000000d0 (00208)   672c2061 70706c69 63617469 6f6e2f78   g, application/x
0x000000e0 (00224)   2d73686f 636b7761 76652d66 6c617368   -shockwave-flash
0x000000f0 (00240)   2c206170 706c6963 6174696f 6e2f782d   , application/x-
0x00000100 (00256)   73696c76 65726c69 6768742c 202a2f2a   silverlight, */*
0x00000110 (00272)   0d0a486f 73743a20 6262732e 68796c62   ..Host: bbs.hylb
0x00000120 (00288)   732e636f 6d0d0a0d 0a2e3c2f 703e0a20   s.com.....</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
o.p
g
.o.Q.
...
.
w
m
...
.9
u.
.
.
.
&...=.v&...
.Q....
$
..
.
.
X.RO
..XE
.
..
.
..
.
.<...W
..l
w......
..}./.
..
Fo
.Y
.A
.x
 .Z
o..
jZg
.
.
..
.)
_ .e^.
x$R....
.
.v.
...
.
...
.T
g..
g
4
.....
.
fN....
@n..
..
.~.^z
1
.
:...
Hf
kHf
o.p
g
.o.Q.
...
.
w
m
...
.9
u.
.
.
.
&...=.v&...
.Q....
$
..
.
.
X.RO
..XE
.
..
.
..
.
.<...W
..l
w......
..}./.
..
Fo
.Y
.A
.x
 .Z
o..
jZg
.
.
..
.)
_ .e^.
x$R....
.
.v.
...
.
...
.T
g..
g
4
.....
.
fN....
@n..
..
.~.^z
1
.
:...
Hf
kHf

080404B0
8.2.0.0
Comments
CompanyName
DEFAULT_ICON
FileDescription
FileVersion
IEXT2_IDC_HORZLINEMOVECURSOR
IEXT2_IDC_VERTLINEMOVECURSOR
IEXT2_IDR_WAVE1
IEXT_IDB_STATEIMAGES
LegalCopyright
ProductName
ProductVersion
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VS_VERSION_INFO
WAVE
>&/:<|
 :`~!	
_.)|!,
,(((((((((((	
!!!!!!!
..,),...
*..........,
"[&0^!
03o 4FCx
04&.3D
 04^O\v
05'q~V
07sk(_F&
 (08@P`p
0(936k
}*0(|A
~0{AC^
<0BN^n
0Dq'vA
.0	.HLPu
&`0HTL
0.(iN	
*0/?J`P~
&^ |0L
0Mx$hv
0oGYvP
0QABCD[Bx
0|tart
0xIJD/
16fm&u
=1&\8l$
!1AQaq
1bmM,17
1DP2D?
1jc'RZF
1lpk~F
\1o _X\rr
1#QNAN
@&1r`3
1$xNif
200WTbbs
;,2271
232Stp
~23_3p
2>_6a#
~27bb20fdM
2cBDFD7D671
2ffs#S# 
^?&2HJg}
2M+-'3
\2/mR-;
2pxqiF
2uesRewG5
.2xG$w
??2@YAPAXI@Z
%3)\_~aH
3 Copyr
#3CScs
3~hfa0
+__3]r
>'<@4.>
4*/*1l
!4~._2
423'oF
42B,%77
4?6 Z=
*4B6E9
4er<r21B4
?4mdBa
4O_AJAo&
4OResourW
-4 p}g
4*=P^Y@g
4"uS"CvG\
4 W2UrNT
|?5^<@
5/^_,"
*\50T%
5'6\p@
5`6YO2X
58b0\F1
5e@-,^^
@5(#-J
&5nzfz
5O6~>B
>5	X,^
}^5x6=
/5Y%Ait
].5zF\
600l059
{65^mK
6A3NQrR
]6bF0ia
6b~K?GA
6Cddw_
6EU[n&
&6FVfv
6g>EW~
6|gh-f
&6gi47
) 6/gif, 
6	I	!f
6'(kAgX
^6m.f!>&
'$@ 6P
6 PHq3
6P~iW7
6rLV1\u
6v7WyW
?6X]/+aa
71bhs39g
720L1/w
7_%7-7
>7^84b\
-7>aNev
7b12p^>
7C>yO3&
7FkZko
.7g^5^
7.|G!M
<7/-jo
'7kb.@
7N^@bA6V
'/7Nnn>
&7NWGb`
7PF{.r
7Pu-SC
7qOclA
`.7rQ #
^7sEUnOM
7t+)nV
#7TVvNdT
7v:+v>
\7Vw$~
^7w'	'd
>"7WT[
7#Xc@F
	8 [[@
8Dp5G_
8$h8*t
(8HXhx
_8IHQV
8>j9Jv
8lBar.
)8L?uO
8nI{NX
8 nw6&
8p^C7])
(8qJ?k
8 `/tn
^8*u>,
8vl?Jg?"
) || 9
!9, %3hg	|
;99=Y-
	^`]9C
9c5B10A
 9$foV7
^9 h@~
9J)>uAr
9K~N7.w
9lp1O}'
9lzNV'Bs
9`.nnL
<9?[`v
9,xOBW
"^@@&_a>/
A4G_CHS)q2
A5N	nZ
a5vqF.M
A6B983789F62
a8SO'Z
A`A&B_
AaP8fNf
A>B4<I_
aBo	f/`
a#?[?C7
.adata
adgbeliF
advapi32.dll
ADVAPI32.dll
~a^EP%,
*aFa`w-
afgHObaa<
,_AFX_NO_SPLITT
AfxOldm?
)A#gA.
AGohBG
AG.P;Ec
!Ah0l2cpyn
ahg~(!\
aiQ|f\
a-@JYQ
#^akF>N
am RKV
AnN`.?
aNr]>T
ao? aL
a/Oo/W
A>O<tj
aoZHr,gJwB.
^API5^
Apo#tfnV
?AR1J@6
ARVJWl
.aspack
a&ta}-
Attribut
aTX6XN
A|?ui~#A
/AuxU2Tyf\ 
%Av_D=@
AVIFIL32.dll
AVIStreamInfoA
A<w6Of'
Aw6WAzJ
aWHQx%
_"Aw&No
A"Yg_N
=@b./	
_~>^*B
b3W3Lry^
B[bg_a-
/~b.dk6dXasB
BefJ<Z0
BE:`?n(
.[B@f>
BF.9vs
BG6-<x
b[_\>i
BIosPL
Bk.@c>Wf
@`bkXP
Bl04A5#O	B
b>ld?<f?f
bN85e))
bO	|@:6>
_bo.*H
"|[bolTip%p
BO+_N^6WPC,
b'OzHc`
&bp&.v
bRAD80AA4
Button
BW@,a#/bo
bW>z6&6
<bx`RBO
;,C3JRa
c7a2{Y
c7n fm
c<'aOPmD1Z
	Cb6WfQ
"cBO1s
c C]^7
~#C/E|~
>CE})B
cfwt?%
ChooseColorA
.chs\S
c&-? J
ClosePrinter
/Cm	W*
C_NRw~o
CoInitialize
col\Stw
COMCTL32.dll
comdlg32.dll
~CO`X8
>CQO&2
criptl
C/RXdG
?.cS^2
CSfq&^
CSwitz
cU?KKo
\Cv?*_
C VisUC++ R<
cWBXZ~
CxEL_X
.C?Z!1
~?*D_.
d09f2340818511d396f6aaf844c7;-
d2Zn~V
d36fZD
D~.`;6a
}	=d9_
D&f^G}
@\d	>i
D#I?vN
DI=z#r
D@ktov
dleAu7
dlFLjBG	
%d??:m
d op,i&
dOW*Vc
D$/r;&=
DrawDibDraw
DRIFF@
d!)v|.h2
Dvj.4hE
%>dW6-
~_dwM;?
DwTORR
D ~~Xf
D$Xynw|
dy87lnG
e145e4be
E2<2wz
^e4Rf/
e&6zV 
E7&kxC
E.8zM 
ebn~$m
ECtrl4#
EcYX~_
_e~fD]l
eHanu@
EIm7`A
eL"f!)o
eMD(Gx
e%'MDIFr
EmlC8nLd
ennr'A
EO1R6o$
^EODJw
e&oLin
&~EOm$v
E-p6fg
EP?,d#
EPJnzo4
[eQ999
ETxgQ 
[EU1xF\g
ExitProcess
exmI<^
EXNNLR;V
_@%*.*f
~f	2bY
F4<?~YE
f6<"T?Jo
F7FC1AE
;F)~7v
F&96QT
fA8d8NNpa
<^FbAQw
FBKQNnW
-FB>LF
FBp/~4
F	B^^Vd
&fCD'P
>fc&Qb3
FEo9j}
FeP R]
fFAa(I
ff)|CD
F*^f?E
f~FV!0
ffwj`i
fG+'{^
+~FGfJ5
-FG^g5Z
:~fGR/
fH;)<&
F@@/i=4
fi8w,I
FIw;SV&
*F@%j<
:FJ<0a
fjKAPNw
fJVnv~%
f	j	xwN`
	$FkBx&
f+@l4Q
(fn+`	;'
(F)NfG
F`N.FOF
^fNkZI
]F}NrI
fo>>26
*(Fow7
fqH\\jX
f^RF>2y
f.s['GW;_
~.#F!Su
fTgGo|)
f&T*nxG
FtpGetFileA
Ftr@}7
:	-FUT.A
	.fv_/
FVH	#_Jo{
$fvl^U
fVNTbb
!fv.OW
*f;/^w
fW4a$_W
/fXk9lmf
fxr0;+OF
#&?G\.
G0dm,()&K-
G6F?Fm
!G "8"
g8IeBVb
'gbjR!*
gb.Rj}1Awm
&>Gb"/Y
GDI32.dll
gd|Vh~
GelBk-
GetAdaptersInfo
GetModuleHandleA
GetMuR
GetProcAddress
;GF(Zgt
`G[gA;
G.Hh@i
gH_SCROL
g+^h&*W
GIF89a7@
.~-GkR^g
GLi9y`
-g#m+&e
$Gm&#g=h
!G,n"8h
GN^)a-
gN-wx|
,gO1a7
Go27 0&
gO2m`ng
_G_$oA
[?$>GO]HB
Gpdbe6
g:QzRv
G	r<;~(
grB&dE
G&rWE)
&^GrZ03X
$`)g~U
Gu;_(5
G$U[MFf
['$gV!
]gvNu8
G#(W$?
*.GwF4
g&w^iO
^g'WP*
g)X9>q
	gz!b.Fm
$H|%2_
h6l Dlg
	@h6_v
h9Aca7
.H9lUr
h.9%SG
.H/a_8
_%HB6V
hb&dlF*
&h'~eC
 HEq;D
)<*>H^g
hgffq*)$
H=@h?!c
hho7?A<
hI.>V?
H<IY/n
hlBT7!2
hL#!@M
H:mm:<d
/HNFlFgg
HNvP?-
	Ho@T0J
Hp9QcC
hP$e_n
>HpqAcf
 ,:HR<
HrCg@b	g
http://w
huZRi'
'%,$hV~
*h.v/@.9
#H	V	d	
hW6c?"
H^@	w7
+HwEY%
.hy6.com/
H'Ya+v9/
_:~&I_
I%`: [
	i?@0g
I2 0V(H
>i~.*8
+i$! 8_
i>9j`t
&+iBT \N:#
@ID/Ch
/IF0ON
*i~&$g
IGHTDOWN_
?i?>hE/
$I$I6v
ijeI^9g
I!MPj0
	>i<N&f?
ios::eofb
IPG>2=
iphlpapi.dll
^i<t^ 
I&^.tc
IV	Xe>
iwOXGu
=ixelH;
I_x!nB
"_.?J*
J??{|	}
J|1 4O_
J2^W!i
j5DNtOV#
j5[>Ff
J6aa=@
J8KLVH
JBUPU%
JCVkb'
*::JDQ
&&'jE8
j	fvfP
_Jghd`A
+jI@/	~/
`>&jITl
jI?xRy
J*]?Jl~
J@kAT>V
j_Kj~r
J?K./q
*jmSS7
jNKpD	|
J^N^N2n0E /Y9B
j%O<hWp
jorV[ ^\
JpANX	P
	J:_pG
JSj2bN-
[Jw9Mj
}jwo}j
~jy~>7
*:JZjz
:K1tX<6
k2Ieen
k 67ys
%K8YF*
KAlAy~a
K_a "P
kB8ff,
k/  Ee<
kernel32.dll
KERNEL32.DLL
@KeVV/
kFi7Unl
kFM\-(6
kG&=10
kghE7!
KGk7kmu
Ki_zkA
+;K[k{
,k/{m /_
kN!Cxu,+_
'KnfVK
knulLT
*krFA 
ksA^Pb
}KVio'
KWk9pm
!@(KWN
kW,_PO
k*&Xoi
 "kXZfw
\!l`\!
`l0.^3
L1k,oV
^l7f\^L
L7TFKQg
LANGUAGE 4, #p
-LanguaP
Layered+
lbsXVHOST.EXE
L}"CF^
LDnBLa(Vf
+lEgT^
l)EnglF'"
&Lf@A v
l$IUfV
L_j)	r5
&-)l,.N/
Lnti>`
lO^!7w
LOADER ERROR
LoadLibraryA
:!l:od
lor+k+
loseHan
~ LoYL
LPC:?l
'~L(r3
)@lR6ti*L
Ltable7pro
^luWfs}
LuxLL	
]^_. lw
|lwAR.
L_y,xK
/~m<]/
%M|+|0
m666qt
MA$#R6028
/mD=yiO
`_MemVyS&
MessageBoxA
M"F0N^_
MgI-d"
%<mg>l
m'h|,'
M	'~^h
_M Iev
M([(i(w(
_	Mj7>~	
@"~Mk^w
-=M]m!
	mNjCn
&mod7hy0
{mo?F&
mo#p(}
MO:P8T
MouseZ
M*PG/x
mQ{JsW
MRZ,AV
msvcrt.dll
MSVFW32.dll
M.VvirdBfJ
M[w+<~
!MzN>vo
n&{?#	
!N '(_
N'[(0^%
N0s$R$
N0.V|D
~	n)4o&
^N5>6rv
n6whS*s7G
^n]|>7vE
name.txt
.N.a_N
nb9Fr'81H/e
nB@b	y
('N/bS
neu9B_
n^F&itS
NfMSEX
	n'f/n
?NGHM2
~@ ngt%
nGW'\Z
~}Ng_x
;.,:nH>
N>h\v_
&nix/L-4
nJ6@7@
!|nKor
nk\R_.
n<Kz W
Nmlrl_DJg
NnG"6&
nNGNN	M
/n/NKK
	nN+O~
NnuD'j
No6AiFFFF
NO^>:x
&nPA'dn]
n%<>PGl
N @`.q
Nq9m8p
Nq$Hw(
^n	r^]}
n	rT0	X
;Nr&tg
^NRU0v
NSrsQT
numDisplay
N}?v>#(
N@VgJ+\
nVqn%,
nv`%R]
_NvVAU
NVW*Jmo	
$n^"wWf;
nxuan.
=^Ny*&
&nYgf$)
_n+yT!
~.nzF9Qf
o 0H_O
(O1(o?(///?
O.2.18
!O3UoG
o4"	\l
o5;..d
o)_5(Kk'
o6}fno
^`>O.a9
Objec[k
Ob(Ph9
o"D_^P
oduluI
O/f"ec
of	wNv+f$
o?g!xX
oHdraw
 OJW[O
?ole32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
OLE=TRACK
O^mi~U
OmObf>?Li
omPoiv
om.u.?
on0;r:
)O;NdD
]OnQ[f
)O)nW,
oO&rJg
OpenProcessToken
"&O,'q
"&or]&R'
oseQGh
o!slNhG
OV5]fG;1l
$/O$vEm+
OVz[Qb
>	*owa
+Ow`A/
@O@wgp
O:XnfeB`
oxY'	^
(<	p./
 `/P/|
;.=P-.
}p0%L`
P25n`f6
P5zl&P
p7BPOST&8
PatBlt
PathFileExistsA
PA#Vin2
P(b57^
\PbkWTP
>~>P-e
	p?F9M\
pf/Busy
P~fFHo
P+	GkP`
P#incl
Pj/q6R
P'J+XkgP&J
P&kIV*
PlaySoundA
P(Nn/}G	M2f
po79ton
:portedExceZ{
!}p'p!
Ppbi/m
?%PRbu
PROPBTYGJif !Sm`
 *pr[Q
P_S"CTED.
; PT6\
P$TUIU
&p$VGh1I
pVible; M
pW}.[.
_pWOs5
>P:WPD1
Pye7q^
^?&?$q
!Q1)%<7
q\ 3?v
q4X`5o
"Q8Nun
QB@j6fN
)}>/Qf
>?+QgYn
q\iRxyF
#]Q)/=J
~&Qj@&F
"qk2@6)4
Qkkbal
]q)<lYW
~> q(m
:qm,yyCI
Qo57o=7
_Q&Q_*8,l/_d
<qrstu
quDO^f'
qv'}gfV@
QWn,n#
Q{]_yo
&Qz%p:
,%|#/r
$/'#?R
~r>( ?0ehb
R0_N/Nz
R0Q)Y>
r5B	RRW
'R`7L@Ff
r87AF8".
r95=lX^_^iiv
Ra ?_s^`
RASAPI32.dll
RasHangUpA
{R?Bi7
_Rckwa
.rdata
rDG.4$
RegCloseKey
Reg@un
.reloc
remote_
?RF7vq
Rgn;RT
RH$|Fq
RIC'MONETARY
RIfXM-
(R|iu.nw
@R\(:J
r{j2$+
*	.rL6
_rMNdj
r`oFX"
RoI/4.
rP6o?/
rPID!n}ibc
]RRESOURC
R:ROf^
rV._w>1
]rw61nu
rwWa!|
R,X_Zn
*Ry2TW%
(SbJW._
	/SbpS
S$,h/&|
shell32.dll
SHELL32.dll
ShellExecuteA
SHGetSpecialFolderPathA
shlwapi.dll
SHLWbD
SIE 6*
sion.da8.5k
}SKuCByFo
Slx6UpdBL
SOFTWARE\M
s%ojoJ.
>[SO td
spries
SpRKT\
sQFHK/uw_-i
stemInfog"B
s^thcl
Sube	)
s@w/at
T1Afy@
tc$P"XQ
T_$D3/	,
>TEb5~H
t	E"V:&
%t&f/r
tfXJ2O
tg4"zf( 
tggn]H
T?g	WA
tgWV- R
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
Th$s'{
TiLToI
TimerE
T!KKB&
?t*L#6V|&
T?L{OrgEx
t.#_Na76AKx
T#N]NW
TNPn8T_Ri
to]Lp.
t{OOEv
tProcessWork0g S1Open
Tq'm0`O
T@Wy]l
~t\xEv
TXtoFFs
TZ_ yiq
/_@U1G
u~2?,@*
U2:^^a
u6AQVj
~u-9>_f7
u;A(,&a
"UA`r ^
=u/BP~
UBuff 
u`*_C_
^uC)+#N@
\~!ueY
UFx@n=:
U	i%Aa
u:Kl8N
:UmhdL$
>Unknj
U.,NueU
u(]O7btz
-&UODM
URLDownloadToFileA
urlmon.dll
user32.dll
USER32.dll
uSOwPx 
U.S;sKR
ut]a'`
u;\#<u;
$*	UUU
.uxb	(
V0DV)}*_
V]2tG>
\v}^3r
^>V 5$
v6FSkA
V77ABD
V9J~qwM	S 
V>A1sK@*FN+
)vaepD+
V~A+Lf
v~>Aow
/V;Bg"
VCgOB-
`V?Cw^a
 ;/VDA
[@ve\I+
VerLanguageNameA
VERSION.dll
=vetm%
V F&VQ
V~g>4nkm
VGfW6do
vgn![)
v:{gN>B
{vH<r(g
vic%IS)P
&#v.If>
VirtualAlloc
VirtualFree
VirtualProtect
&\v@iy
\vJb\0
%VJ%m>
`\~vJp
)?V@Kb
~*vlZNK@!
}vmi5&}
v|M>mB
*>V"_N
VN>O"h
vOBAL_
?V;\ol
vOnbXO
+	vo~X
v?P:0~
vp)L#n
VR]ygh{
v'T?F/
v~uHOT
VVn~^j
@!~(vW
VwHROYo
-VWosE4
Vx0&"V
vX&#(6
$vX6B'G
)vxg,0~]f?
<.$/w^
?"(w@&
w275w&
	w376v
W:4?l20L65PW;!cwxO
/W	~5!
w/6k~hw
W@?6Vj-
w7/u:k
w;9LWOb
Wa^F<S
WAVEfmt 
-W+%CZ 
?w"^D{
WebBrows
"|>w#F7
wFKJIb
w<gm`6
W@GqTQN
whIS_iCCP
}WIN32
WININET.dll
WINMM.dll
WINSPOOL.DRV
&W-JB.
wjjWT|
Wjv0VCRT/g
wKGiS0
wKVlFz
w-@~&l*
W*lFF~
wlf^Vm
]Wm`eyF
WndM(O
wn`]lf
wnUF@^
wo_OG?
.W+^(%`oz!
WpCALspHY/sl
W`pO/O
Wqct q!
W.Qd>fNF
wQE*&RNG
WS2_32.dll
Ws+|@p
wsprintfA
?#%W,U
Wv:3^fi>u
wv:#86q 
>	Wv*F
-'\_w$>;W/
w!,>wC~
wyrwYF
Wz|Cg'
.x_<^&
x0_CNot
X1RAYfC
x7fbN+
.X7SpYF
X81 ^^
Xa~taG
xbitp!jLg
X*'?+F
.xF7lK
X ?FWg
XgvfnY
x&Hm~x
xjXH89
x,k5^|
x.ny^Z
	^.Xo&
;`X"PoN
XPTPSW
	Xp+VN
Xr\sLabe
Xr Tva
#XuQsN
<xVo	4
X'w`'P
Xw$%vw
XW}%XIx
/x%/yn
Y2,EY3^f
Y3v9xTK
{Y7?_]n'
&yAzU'4
yB>6.&
Y>\b_`/"kXEQ
yBXdr~
yCbne e
Y'dyff
YF9.NV^
'yfwqQ
YgTkN/<M
YH=FUB
Y~($hI.
	yHW63
YI^?!=
yIeHF@
Y/Igqw'<Y
yj\P8 
Y[N^[%
yNE"y$T
)Y*nF^\ 
yNRRVV
Ynzfu6
y?}p+$
yr|wW_
ySF=yT
Yu4O'~+
yux^Ex
Y^UYp=
yVl'H*
&y&y+RV?
y)?{z@
Z+~.,[
Z42	1._
z6K@j.
ZAKFo{
Z'bM@*
z(CgU?
Zd&r@v
z]fVk'p
Z`/g-;
'^Z:ghV
zgN6AU
Zh&wP}M
zI1Rk;%
^{ziB-
z]'KH	
z>\LBScall
_ZN00rg()
<ZN@4(o
/@ZNke
	zT'7v
ZVRNJFy
zw6Fw\_m
??z@+Y
zZ87G"A