Analysis Date: 2014-02-16 21:10:26
MD5: 6c3be0dadaf45ee44fafca52aec3c914
SHA1: b0e48775065db578e77b7f2808a8bfe417ab44e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5 and SHA1 of empty input, consistent with size 0; they identify no content and should not be used as indicators)
Section: UPX1 md5: 2e0c8266246408d7d683600da4a65747 sha1: 51d090d768bdfb95e5c375ee874323f51559565f size: 506368
Section: .rsrc md5: 0ad36598a956e34aee7ffe47a4bd462a sha1: 9bdd92ad58017df52892883f66242abc009cf790 size: 45056
Timestamp: 2013-11-04 09:58:18
Version: LegalCopyright: 网吧语音大师 版权所有
FileVersion: 8.4.0.0
CompanyName: 网吧语音大师
Comments: 网吧语音大师 版权所有
ProductName: 网吧语音大师 客户端程序
ProductVersion: 8.4.0.0
FileDescription: 最专业使用最为广泛的网吧语音服务软件。
PEhash: 87746a2d3f0930554a95ced2f596734a953cc2a0
IMPhash: cd73c1832579ec475a66859f92065808
AV clamav: W32.Alman-2
AV mcafee: W32/Almanahe.c
AV msse: Virus:Win32/Almanahe.B
AV avira: W32/Alman.BB
AV avg: Win32/Alman

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

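Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\b0e48775065db578e77b7f2808a8bfe417ab44e8 ➝ C:\malware.exe\\x00
(The value name equals the sample's SHA1 listed above, and C:\malware.exe appears to be the sandbox's name for the sample, so both strings may differ on a real host; the write to the Run key is the behaviour to match on.)
Creates File: C:\WINDOWS\linkinfo.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\drivers\IsDrv122.sys
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\WINDOWS\system32\drivers\IsDrv122.sys
Creates Mutex: LBSclient.exe
Winsock DNS: bbs.hylbs.com
Winsock DNS: www.hylbs.com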

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: DLUProc
Creates File: C:\temp\files\monitor.exe
Creates File: PIPE\SfcApi
Creates File: C:\temp\monitor.exe
Creates File: C:\WINDOWS\system32\drivers\cdralw.sys
Creates Mutex: __DLU_INF__
Creates Mutex: PNP#DMUTEX#1#DLU
Creates Service: cdralw - system32\drivers\cdralw.sys

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Network Details:

DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
61.155.149.85
DNS: 5a453ae9c28d1785.cdn.jiashule.com
Type: A
222.216.190.64
DNS: dnspod-free.mydnspod.net
Type: A
54.248.82.230
DNS: dnspod-free.mydnspod.net
Type: A
54.248.143.107
DNS: www.hylbs.com
Type: A
DNS: bbs.hylbs.com
Type: A
HTTP GET: http://www.hylbs.com/lbs/pclose_8.4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/pclose_8.4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://www.hylbs.com/lbs/popinfo_8.4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://bbs.hylbs.com/lbs/popinfo_8.4.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1032 ➝ 54.248.82.230:80
Flows TCP: 192.168.1.1:1033 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1034 ➝ 54.248.82.230:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73655f   GET /lbs/pclose_
0x00000010 (00016)   382e342e 74787420 48545450 2f312e31   8.4.txt HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 290d0a41 63636570 742d4c61    SV1)..Accept-La
0x00000070 (00112)   6e677561 67653a20 7a682d63 6e0d0a43   nguage: zh-cn..C
0x00000080 (00128)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x00000090 (00144)   416c6976 650d0a41 63636570 743a2069   Alive..Accept: i
0x000000a0 (00160)   6d616765 2f676966 2c20696d 6167652f   mage/gif, image/
0x000000b0 (00176)   782d7862 69746d61 702c2069 6d616765   x-xbitmap, image
0x000000c0 (00192)   2f6a7065 672c2069 6d616765 2f706a70   /jpeg, image/pjp
0x000000d0 (00208)   65672c20 6170706c 69636174 696f6e2f   eg, application/
0x000000e0 (00224)   782d7368 6f636b77 6176652d 666c6173   x-shockwave-flas
0x000000f0 (00240)   682c2061 70706c69 63617469 6f6e2f78   h, application/x
0x00000100 (00256)   2d73696c 7665726c 69676874 2c202a2f   -silverlight, */
0x00000110 (00272)   2a0d0a48 6f73743a 20777777 2e68796c   *..Host: www.hyl
0x00000120 (00288)   62732e63 6f6d0d0a 0d0a                bs.com....

0x00000000 (00000)   47455420 2f6c6273 2f70636c 6f73655f   GET /lbs/pclose_
0x00000010 (00016)   382e342e 74787420 48545450 2f312e31   8.4.txt HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 290d0a41 63636570 742d4c61    SV1)..Accept-La
0x00000070 (00112)   6e677561 67653a20 7a682d63 6e0d0a43   nguage: zh-cn..C
0x00000080 (00128)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x00000090 (00144)   416c6976 650d0a41 63636570 743a2069   Alive..Accept: i
0x000000a0 (00160)   6d616765 2f676966 2c20696d 6167652f   mage/gif, image/
0x000000b0 (00176)   782d7862 69746d61 702c2069 6d616765   x-xbitmap, image
0x000000c0 (00192)   2f6a7065 672c2069 6d616765 2f706a70   /jpeg, image/pjp
0x000000d0 (00208)   65672c20 6170706c 69636174 696f6e2f   eg, application/
0x000000e0 (00224)   782d7368 6f636b77 6176652d 666c6173   x-shockwave-flas
0x000000f0 (00240)   682c2061 70706c69 63617469 6f6e2f78   h, application/x
0x00000100 (00256)   2d73696c 7665726c 69676874 2c202a2f   -silverlight, */
0x00000110 (00272)   2a0d0a48 6f73743a 20626273 2e68796c   *..Host: bbs.hyl
0x00000120 (00288)   62732e63 6f6d0d0a 0d0a3c2f 703e0a20   bs.com....</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 696e666f   GET /lbs/popinfo
0x00000010 (00016)   5f382e34 2e747874 20485454 502f312e   _8.4.txt HTTP/1.
0x00000020 (00032)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000030 (00048)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000040 (00064)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000050 (00080)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000060 (00096)   3b205356 31290d0a 41636365 70742d4c   ; SV1)..Accept-L
0x00000070 (00112)   616e6775 6167653a 207a682d 636e0d0a   anguage: zh-cn..
0x00000080 (00128)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000090 (00144)   2d416c69 76650d0a 41636365 70743a20   -Alive..Accept: 
0x000000a0 (00160)   696d6167 652f6769 662c2069 6d616765   image/gif, image
0x000000b0 (00176)   2f782d78 6269746d 61702c20 696d6167   /x-xbitmap, imag
0x000000c0 (00192)   652f6a70 65672c20 696d6167 652f706a   e/jpeg, image/pj
0x000000d0 (00208)   7065672c 20617070 6c696361 74696f6e   peg, application
0x000000e0 (00224)   2f782d73 686f636b 77617665 2d666c61   /x-shockwave-fla
0x000000f0 (00240)   73682c20 6170706c 69636174 696f6e2f   sh, application/
0x00000100 (00256)   782d7369 6c766572 6c696768 742c202a   x-silverlight, *
0x00000110 (00272)   2f2a0d0a 486f7374 3a207777 772e6879   /*..Host: www.hy
0x00000120 (00288)   6c62732e 636f6d0d 0a0d0a2f 703e0a20   lbs.com..../p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f6c6273 2f706f70 696e666f   GET /lbs/popinfo
0x00000010 (00016)   5f382e34 2e747874 20485454 502f312e   _8.4.txt HTTP/1.
0x00000020 (00032)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000030 (00048)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000040 (00064)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000050 (00080)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000060 (00096)   3b205356 31290d0a 41636365 70742d4c   ; SV1)..Accept-L
0x00000070 (00112)   616e6775 6167653a 207a682d 636e0d0a   anguage: zh-cn..
0x00000080 (00128)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000090 (00144)   2d416c69 76650d0a 41636365 70743a20   -Alive..Accept: 
0x000000a0 (00160)   696d6167 652f6769 662c2069 6d616765   image/gif, image
0x000000b0 (00176)   2f782d78 6269746d 61702c20 696d6167   /x-xbitmap, imag
0x000000c0 (00192)   652f6a70 65672c20 696d6167 652f706a   e/jpeg, image/pj
0x000000d0 (00208)   7065672c 20617070 6c696361 74696f6e   peg, application
0x000000e0 (00224)   2f782d73 686f636b 77617665 2d666c61   /x-shockwave-fla
0x000000f0 (00240)   73682c20 6170706c 69636174 696f6e2f   sh, application/
0x00000100 (00256)   782d7369 6c766572 6c696768 742c202a   x-silverlight, *
0x00000110 (00272)   2f2a0d0a 486f7374 3a206262 732e6879   /*..Host: bbs.hy
0x00000120 (00288)   6c62732e 636f6d0d 0a0d0a2f 703e0a20   lbs.com..../p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


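Strings (extracted from the file as submitted; the UPX0/UPX1 section names suggest it is UPX-packed, so most entries below are likely fragments of compressed data rather than meaningful strings)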
X_
.AI.
..$
....
.
.
.
.
XG$
.
.
......
..
Z*.tA
.o...2,
.
^Wn.
..
.VC
o...
pj..
~
.
.
...
...(T,.m..Ww
!
..
..N.*
7..
.
p!
x.f..c
6cL
 
.
.0...e.g..65.X
...
3...
.6.0p.
.
...
..
.
.Q~FF
d.
hn.
.
.
.|....>.
080404B0
8.4.0.0
Comments
CompanyName
DEFAULT_ICON
FileDescription
FileVersion
IEXT2_IDC_HORZLINEMOVECURSOR
IEXT2_IDC_VERTLINEMOVECURSOR
IEXT2_IDR_WAVE1
IEXT_IDB_STATEIMAGES
LegalCopyright
ProductName
ProductVersion
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VS_VERSION_INFO
WAVE
<[}{,<
,(((((((((((	
!!!!!!!
..,),.
..,),...
*..........,
+,-0	@
00@P`p
04WOCx
@05o85n
{+0\]C
0D8DFD
>0et`e
0JWn0P]K
0KJNQr
0mm;rF
0oGYvP
0oi)A`
>0P?K?
^0q0gf
0QEr'&
0qfr>~*OJ
0RdadK
0S|I?<
0=t_"f
0V?{v6
?0/`^Xk
1.2.18
14{#fjf
19G<.e
~!1Aa<
!1AQaq
}1C6*)
1dpg=D
1FfUeGH}
1l_7lW
&1MQN_k 
1o5,<V
^1 O7NH
\[1?O8!
1)|t^m
_2&!}:
20[F?;n
\2 0@\r
.27bb20fd
2??8x!
[>2a7r
"2BRbr
2ffs#S6
2Fqu-=
?>+2gZOk
-2@HBZ
2IeeZ7+h
2~i~>l
:2j !8
2lP&xG
2_M1?RA
2NdNfj
2o!S/bPv,
2p63OVle
%2 PIDn
2S]GpS
}$2tRA
%2.V6Z
2>VYQ'{w_.
: 2xB"
2ZN/7)
 30sF|
3 Copyr>
#3CScs
3l/,vP
3M4|VN
*3:`>n
3n! .4
3oYQUVT
3r.[r_;
3'T	$Q
423'7#f
	45fR^M
46+=A7
4c38'f
$4DTdt
>4<DW&.o|
4er8521B4Fo
4eyzN7
4*/*hM0X1l
4LT$d$
)4/?OJ
'4PRLk
4Q=6YW
4#R6028
4ua-N1#6
4v.n1nn
4	W6N1vhC
50_ (8PX
52F2600\059
567"NV
<5<=6/V%
58b0\F1
%5EUeu
*5gg'e
@5(#-J
5"o@Vo
5p6Vvir+	
@5~$V$
'5X%S{
62=/bo
63{)W*
63W#4Pi
63;Y7.?
6&5&2wl|
6>]*6?
+66b`Pb
66Oc5 
#(<6>8
6	A	I	Q	i
6B/K.8q
/6BzdR
|6c7xd
6C.ms;y'N
%	6cRgh~
6>c|W%
`6?FtA
&6FVfv
*/6.G;
 6/gif, 
6lTbi%
6(n>0F
6.N2lE
6n$c.%
6,Nd|6%
6p'@Lo
6RF'#	ha
6u>jZT%
6v'G0.
`6V>j)[G
6w0rkK
6_Yt	k
6Z2\.I
$~^6Zv,
6ZXZ^oN[
707cao0
[72lH:
74btt76
|7.6ih
77B~TN
?!78dU/
^?7A\`_
!7c/4^
7chxS.
7d(:7 :
'/7dx#
7FdPD}J
7| }Fn	
'7GWgw
%|7jl06
7.Mi*hc
7>ML'*'
[^7mo,
7n~.-Y
7p&_7&
7rN5gNo
7Vg(9>d
7  )\Z
7Z#_oV&
8;?@!<
844c7F5
_8.4.txt
86fBk0
86Kh[@
8<c@<[<
8euVL;
}(-8;f
_8F{l@g
8f*(pT
-8F-r%
(8HXhx
8`>ibL$V6
8$iM$	CX
8mtF~A
8^&YwC
)8.ZNpDu
9*959=9E
;9999:987999965439999210/9999.-,+9999*)('9999&%$#
9@(B(W
9@*]?bzb
9FKG>+
)9IYiy
/9>^MWZ
9RvQAi
|,9Ub^	t-p
9`]%uV1
A@%.?(
A0dHPeM
a20@&)
A6B983789F62
A	,6N]
a`7Y? 
{{a8u0
+a^a@@
ABCDEF
Ab	CF<2R
&(acvd
A?dirg
ADVAPI32.dll
,A#$f4,_AFX_NO_SP
@Af\ q
AfxOld
ag`e#v
a#ha#xr
AH&V4'
a_KF7d4
a^kFb{
%AL<Ix%
%am/hQ
~{AmTb
<an MSWHEELWhe&
AnVEB`Uf
&A	O4_S
{AON"O
apoO7jtz
Apry&un
|A-RK_!
-A T3R
#atmV]
AttribNsi
Aul`(@^6
AVEfmt 
AVIFIL32.dll
AVIStreamInfoA
A	W\k+L
aW+TF~
A__[WVX_
AxB*V>@T
aXS/y%
AZ\Mic
\b*}+_
B&?.|:
b6eN<-
*B,%77M`J
\BB>BV
Bbfld?<
*B.BN**B
bBS X#!
bbX MP
~%bC<>0
bC-HkL$
[BE#6$
be^fBX
BEf&FBoB
]b'F|R
BFVEy?
bg^J/t7
b`]_\^H
BH(2H #H
+bh`B/
bHsf@ezp
Bi@Fb<
 bK	 |
bK.%eY
B|-Km4
BLgium
,bn.0aA
bNK2!~
bNK}n$<
b"NNNN
B<nU'6
bolTip
BOp2OP"O
B^OZ'^s$
b>SFPhb
ButtoJ
bUZn^~c
b~'V^~
=~bvAz
bV#e}M
BVfzHY
	b^vgW
B-v[h ^
bVJ>2&<
BvNeu_O
[BWG/*W
BW)Wn7
BX~&F=
@B(x]q
b)YU?f
BZD=yiO
b\znvQ>
	}.c3~
c44;>n0~D
 C6pv=
C.7!3u
<?CCGG
cCT6lf
CDJd}m
|ce2f*
c@?EFn
ceX!%!]~o
CFc6Vp$
?Cf%@R_
CHCXru
ChooseColorA
Cj^6.O
C@JfFR
c/l>>m
ClosePrinter
C.N_,{~`
CNotbportedEx
C!%?O-=
CoIni+
col\St
COMCTL32.dll
comdlg32.dll
CPGT;z
CreateMu
cripl-3
CT.5C@{
&cVu']
c__[[W
cWh;R(&?
cx/JS?
CyyB./U
d09f2340818511d396f6aaf
 d6e6;
d6ww*|
D7D671
db$'e[
-D%bgo
dcGGzL
 ,dECd(T
.d^f.;
%dgWR1o
dH=Dkl]4
dhgn~0o
^d /.(I
D|ktopW
dlg_F R
_DLL) || 9TARG_CHS)q
 -[Dlq
&d\m.y
|^<.dnO
d op,i
DrawDibDraw
DRIFF@$
d<s`<kI*
|D@T ?
dt*^,U
d:~vfgjm
\^:d'v=m
dV_~OH
>>dvX/
d=W(*F
d_#Wnv6F#
"dXp6_">
$@DYf,)
d=YJ~"
`#;^e$]
e+00FZ
e145e4be
|E4ZfUo
E5?0h 
E~5d|v
e"~6gVN
e(936k
EAFHN>yK
EBn._&
';eC_]
e<C>Dg
eCYBoPC^
#Ed7FP
e<_]F~
.EfA:#
'eG@.)0
~; eiUD
ej\vXB	n
Emh[?]
e(Mozill
%`EnVP!
e=s)Wo
?.&e/T.
e^TcRf
E(|:v9
e_VOgG
ExitProcess
ex`OFTW
eyVN<4t
ez<Ps'
''''f&
:f\.0V/
-F1sr+
f2>Wn'
|F]3+>
f@	6)I
F7FC1AE
*F8R2V
faa!g-&
FAxaJN
fB33ECF
FC?GB~
Fc/H~'
:?F!@E_
feh#Aw:p
ffAOK&
Ff/gK'
fF&tbIz
f{g>A{
F'"/he
.[\FHf
*F@%j<
Fjf/nz~
fk VisUC++ R
FLastErrr
fm7?fXs
f[MFXVt;
FN6rR(
F	NI|b4
fNN-d4h54
%FN~w9
F:ojcv
~__Fo&o
fpDTWj
Fp.N^N
FQ7I.	6
fr/f9n
f_'RNA
FromF	
&FT0Nd
FtpGetFileA
f~"v&4
fVN[\`T
FV.S'$
=>f/w`
-f-,w/
~:fwjo
FX]axN)
fXLD8*
:;?fz*
f`-ZW[f
!'''g'
:*);.G:+
g?0mK;
&*g0N5E
G0R0]0
g2`:>BZR9@*
g_2Fap
g|*6W>W
G8t$Cn\
g[9)|I
'gakD	
G'B#"$
g^]C6.#
GDI32.dll
g`?dK{
G ~eRo%
GetAdaptersInfo
GetProcAddress
 Geuefb\hF
<>g~_g
 : g he
]g>hkX
#GH$S$
gH_SCROLL_tLd
G\ia3&J
@GIF89a7
gj7!p0
__GLOBAL_
^^~g.m0
?G\n_|
^gO%-p
{G P|<
GP	)b"D
GPN@"P"
gq$^c+Lo
gqdE(M
.GSci1NN
G`	Tn"
GX"M9*[+A
GZjVVt
h<+<<#
H#0^^P9
H0POp%BN
@H3- R
H4~av6a
h6l Dlg
-|!'H9
hB626	 ~
h~C]FFFCCC,JNt
he56j'^
HFmnUW
hFZ	|_
HG0LSG
H/I'0b
(<hi75
H^'+I7w
/H_iMv
&HKw0}
~	HL`{
hL#!@M
hlushUBuff 
>HMaTp
H:mm:u
H"pSizOA
~&h"Q_
H\Q_^!
#	/HQJ
hQy;/F`
HrCg@b	g
[Hr,gJw
http://w
Hu@pWA
h_'vaIq
_HvevWL
_HY! !
.hylbs.com/
I2?d<23tT<$
i_&3g@
i|5@OvG
I8r!^JK
I$a'Vs
I=B\,b 
|	}IBc
Ib|E ~
ICJCoS!
?I[dd**o
 :&&iE
Ie3HF*R
)i&e\G
IEXPLORE.{
_!>IF6
I/F7Gl
iFNL|,
ify_i T
>I?%GN
|In-L|
innV&	
i#-N"r&
INWVKV?V
io;ass#.
I?	ONn
ios::eofb
iphlpapi.dll
`i)QFZ
ISPLAY
iSQ.iI
ItmW~j
i TNZJ[
&IV6^E?
@iW4vi$S
iWO^r.
-';'I'Wr
(~I/XU?
^i$y_+
I%ZIpQI
iZrB+F
J! /		
'~.J/3
J>~7d!W
J?7m0F
<j7V.W
~j87AF8"A3
j^>-Bi?
JE>L{Q
/JFGXGi
j".h.V>N
Jif !Sd(;
[j`IL^
Jj^<~	9
|Jm1n`
jM3Fh,W7
jn*L}@
*J.nR02
Jnz02	
joZ&yA,
Jpf&BRi
JPlym;&J
^JpNJL>J,.J
JRzWgI
j&/ve*
J~*	vR
jV^>tw3
,|jw-d
jW\D@-
J,X"N6
J*Zd<R
*:JZjz
K<5FX=I
k 6Unl
k7V;,0,27h+@
,ka!q?
^k)B A
kcLb'`
~K; d~
k d:od
KERNEL32.DLL
kF0&/V
	KF@w)H
KGBXX!
khb&d,
Ki(i.t^
`kIx\6 
KjklWCK.m
kp!jLg
;?K|PS
KQefo~f
K~Ugn+
^"kXEQ
!k}"Y48D
&^,L}@\
,.'l%1
<^L@2$y
l 4HwA
L6oV.v
L7NN|-a
l>/amb
LANGUAGE 4, 
-LanguaP
.l#?_*c&
LC6&T*nxG(D
L|cd34,1
lcm z,
LD E$L&RWj(
%l.`dF&
(LF_`*
lI;S*S
ListVc
LITTER_RESOURC
/^lJa4
>*-L|K76Q
LM8 Dr
LMfWVNl
?}/-LMo
l`NB(y
LoadLibraryA
+ LOOP 
L&~o	s[
lSr!''
$L|u!r
`['luV
?L>_@V
L^>W[&{#	
L,<xXi
>& \l:z?
m\$}~'
!& m0)
m*^7N*
MapdTo
:m^b"P
MBV>k/}E
m&C7	,f*=
Mc_hb^
mcrve +De
/M)^d^
MemVyS
M^> -fcAH
m;~fIm
\MGs6&
+(\M.I
~MI/6m
mIKf|"{
Mjnf&=
]MJPSc2"
mk~>`h%
ml_Aze}Y*|
mlfENC_^`5&o
-=M]m}
mN}0@/
MnES>-,f
MO8F#=
=(mO*dH*Gw
<M_oKW
MONETARYCTYPEd
MouseZ
mQgb9$
mQ{JsW
M`q?w>
M{RewG5
~Ms+#?G
\.MSVCRTT
MSVFW32.dll
.m}>%U
M/Ve@]W
M}%vGC
!mw/CN
Mx	M'6>
MZ_m54
mz|r/&
~:N\|'
?	`N&}
{ $&N}
N#1%s!
N6FG.K
n^>6m	
N86S<{
nA8 n2
{nameGS
nAN&u6
^_{#nB
N&|'B&6&
nB@b	g
:nbf.c	
NB<Hg'
N!bMcK
Nc@t6h
??N\D~
+N~D*?
n@!DQ`
N{DyL]P
Nd/Zx%W
NeebB*8F
nfCSwitz
NF^VdHT
nfW"WkP
@NG'0K
NGFMA$^
NGi.+G
,nGR&D
?N*g}T
N,JI?N
n-JKe#
Nju|48
N~$k{.
nM^v6M
.>N^n~
nN1N7b
nn@gDB!
Nn*NVe
nnwZDJ
n;#o^D
NoM 6j
Nq}_^%
%<N%.	qb
ns/8A@
numDisplay/f
!nuP}d
NV&8	(
nX66cu
NxbFSx
NXUCBx
?N_>Zw
'.])>o
	o56`>
o56_(n
=%o5TV7-
/o6std7E
O7'/A6
_ %O9E
OAIN +
(|o^`C1
\{OdBw
O&dDRg
OF9	h	
o`|FileFv
o,ForSingrObj
$#Of\V]
OGa+]A
//oGl.
ok.A}:
oKQ?e>.
ole32.dl
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
OLE=TRACK
Olkwe4
 Om`=B
oMHX)'b6o
omPoiu'
onN[OAM
/oN-Yt 
,^OPnbeGVW	
?or O&
}OS?+Z
)OvXAg
OXsO@cO0SO
Oyfc|Z0
$; /&P
/\\P1D
p6\wSI
p$^A_\
PaaV~}
PatBlt
paVble; MS
PbkWTP
)\PdPoP
[pdWp6
P\`ew^
p~FQ_-
P_fzbU	
~p!]GlS
P#include "afx0&
p`IsIco
}}PI>Z
pj*7Zd
pJ=ix&
pKn@wt
PlaySoundA
\"po/g
P.og/l
PP^hfS
p,Q7|A
P}R!6(^
#pragma coH_p
P_SBCT
 p:U@ky
PV&0J0\&*vV
(P$V-	8
PV87a^
PVAarz_
P;Wx;o-
"p |XZd
%=&>Q|/
.Q04|/R
-q1q^n
Q+*4u|e
\Q'6_:
Qa\)X/v
Qb&d:z
QeBL&>
q"h%dx
QkCR8>
Qkkbal
+[Q_lS
qnJ7vZH.
q|NQ?>`
QPc&?[
qp'unZ
qQ?p>;
.-\qr;V
'&QV7P
Qw=@b#@
Q?X@a2-_
[^QZNg
r2k,/C
`r;]32
r/67xt
R6c+{Nj"
r>"6T*
R6=t:.
R7dH, 
``r8f~FVDOM
RASAPI32.dll
RasHangUpA
r!B.\:S
<rbZL>i>
rcpynFDu
?r+eAW,7
RegCloseKey
ResourW
R>_JR2
r@-kF 
|rl_DZghM
RLffpS
$^rl:ked
Rl\m%g
r%'MDIFr
<RNJFB
r-O0Pr
rr!'pU
r(@S_f
rsr`e1%
RU?2NE
R.v7&&
RVdj-f
RVHOST
,RWd-A2k
|r%Wua
&RX/'t
rXVc<&
Ry/. )
RY%<@*
ryA!)k
~RY#PZ
r;z/|_
? `s]_
!<>&S~
|S0f7.
s'7feW
S8=/&G3
S`9k9v9^d
 sa.Zf
sb|>e|
s\]C/]
%s\CurrLV
Sd9}Y+
S e=GB
.s-ehX
sg'bad%
S&	gk`
Sgldm6a
#SGNHKg
\*SGV!
SGX{g.
s'@Hd	
SHELL32.dll
ShellExecuteA
^shockwa`4
si!9, %
SiCQ>6@
sion\ru
S.&KAG
s`'|:n/
S&.nfs
[SOIPG
'''SP[fqv
S+ PT6\
SrJzep^
S]'tU]OpU^
SuperBtn
SuY74O
SyN.y.5'T
-T0 H"
t4M{n6P
 "t4P	
T5&	tj
T&9?#9
T/ALipo
T B	7?
tB *DV
T#CExt,p4xDI
!This program cannot be run in DOS mode.
tH*.>JCx
Th$s'Wed{
tializfOpenProces
TimerE
!TI!&n
tJ'7?G
tJT./~(J
TJxgng=
TMzN2r
>.t"nE
T>peW[
$t*&p*&l
|`_TR^r
trrr!W
ts_c0s
TspHY/sBITn
TV2ues
TVOCpB^r
tv	vLk
TWgVdg
'tw`'L
TXtoFFspCAL
/@`!T>YF`@
T)~^"YX
?u='@^
:U63ecJ
UD*|>e
udQIN~
^&	Uel 
UF'>d'
?u>Ff.
UgojbqO
 u+hNrp
unMubQj
Unn'N>
UNPzH>
U)o`VB
!u?QgW
USER32.dll
uS:F~;
UT~FH^
UW7>bf
UWJk S
U*W}n*L
u|wrg.
UXrNec
uYQg&~
^v!$&@
V0AVIH
.^~V0>T
]~V1F:x;n
^v1m_A
V2&/H;
V4e%xk
V4U4DP
	V5;>c
[^V5Fa3vbc*
v~6=6`
V|6NjR1
V{6s42
V7apIG
V7@&\vm
V^"A'&
.vA@CA
V>Ap=f/
Variaz
.vb_!n
VCr:. 
"VDn>V"V
v\@e"O
VerLanguageNameA
VERSION.dll
&vf4OF>
VF7>_d
v-Fc&g_
vfeR62o
`V_f~O
:?VfOn
V%fTF&
v^fZO'
vG2V,nQPO
Vgf7v6
_VGv;a
VgXG$t4
vgZ)Xg
V~H0Y|6
vhnnZ)
V\#i`.
VirtualAlloc
VirtualFree
VirtualProtect
*v,/It	
&V>+J<
\vJb\0
vjbF:>'OyN2^
|v%LF;
v"L?GK
v',mtR
vnfR4m
~vnf^y
VNJAus
vn,p)L
v.O22O
Vo8y]/HT
;v)/P+
_V,QGr
%|v{rL
V(.SKI
V^<T-5
V{"V:}+
&V{vM5f
Vv^T6K
VV*[xXf
v''''=X
V~@ +X
.vXGW'
V!Z0p3
;VZaic
v]Z_{]`lZW.V
`W	0+_
W[0F>\
W3%V_%
w?'6O"
W/?9".
W9.?)E/:)
@/?W&a^L
W\{BeA
w.bKUZ
wc1f.(
W~cHRMgAMA_hISi^y
W+%Cou.
W&[d'}
>Wd8[W
<WdE*k~
wdl=.'b
WebBrow
wff.!11E4
&WFPNi`7
WF.{Wi
wgF*rd0
w.`Gr|
WhURx/
Wh<xN*
WININET.dll
WINMM.dll
WINSPOOL.DRV
 w	_Lm
wN6RGU
Wn`D|2
WntNTbb
?woc5&
%W,O`hW
WpNlJ>
WS2_32.dll
"wsMc&
W`V&gBR
WW6i/)
|W^WCp
^WX@82
W	XeG6
WX>NVE.
w>znv>
W_z$v7l
x3;k(NWd
:%x7F8
?XAtRyR
x?&^"B
xb3~wo
&XBY?(
X-cn|yn
$XDdwn
x/ecM^
xFB>S>
+/X.-HC
xlJ^Z!
XloseHan
x|+|m?Y
X;N13Ng*6
xNn''{~
X.O3+!
XPTPSW
xPtrE?ZH	Z
Xp&/:Z
XQ>6ho
Xr\sLab
Xsw~VS
%xUv%GN~
^-x 	]V$
X'@V	~
X'V$>8I
x-xbit
&!&/&=&)xyyK&Y&g&
y?5d}.~
Y?7PB0
yeP>|o
Y&$fnk|
yfXJ8 
&(^YfZ
`>>y<H
	'Yi>_
>y+JnS&
@Ykgo.7b
Y"kog5
Y>/Ldc#
yn]'5R
yn)FOO
%yNHu%
yn'Wpx_
yOE*J@+j
Y<R$~>
ystemInfo
y%WrlXD0
YY	U0v
Yy^y0<
 %(%yyyy3%A%O%]%yyyyk%y%
YZgmd%
yzhXL6
{;z2;R
z3aF 84
Z3A@&G
Z8?a>C
|ZasHUFBHaq
z{$>$B
^(^zcch
Z)cKSID!
ZfDl|OH
ZFND80AA4
^Z:ghV
~z&gn*l
zi.?8_OH<
zI9AAS
zK/}G"
z[~nzS=
|ZO/j'
zr^fb<
zrjbZ<
Z Stapard
Z~TV^*
~zUPaH*
z.v~!a
<^ZVRN
zwof,~
z!Y[_>m
ZzF~L>U
ZZ/yT!