Analysis Date: 2013-11-08 04:09:27
MD5: efd82b0f98c157bf05286dfa288997d1
SHA1: c30ffffa55ae98abe8cf7247538b208ff56cb375

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: 653a03e10cf0801ab25a383b5e7ac20e sha1: ce7e4b42cbfd1b6c3d1b413392570d4d6d8677e9 size: 167424
Section: .rsrc md5: 79c9b1fb6dd3e03efbf888b7b10f4100 sha1: 718851b48b832057242c8be5d4b58c1c23bd9ba4 size: 16896
Timestamp: 1992-06-19 22:22:17
Packer: Netopsystems FEAD Optimizer
PEhash: 1e1c4871b810488c78e8567a1c77074f33709c39
AV (avg): SHeur4.BQYI
AV (avira): DR/Delphi.A.13601

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\Online Services\DMwGdhoy.exe\\x00
Registry: HKEY_CURRENT_USER\Software\{C470506E-351B-A6B5-175E-88EAF1697495}\ID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vRFzPYeh ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\wsRepWRd.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\{C470506E-351B-A6B5-175E-88EAF1697495}\ID ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝ 1
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\nKIQhtGz.exe
Creates File: \\?\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\wsRepWRd.exe
Creates File: \\?\C:\Program Files\Online Services\DMwGdhoy.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\JsYNPocY.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\9b021f678de09461b4595f16c744242c_666939c9-243b-475e-9504-51724db22670
Creates File: PIPE\samr
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\JsYNPocY.exe
Creates Mutex: Global\{E24B0061-53D6-C470-351B-A6B5A16B088A}

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\JsYNPocY.exe

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\JsYNPocY.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\JsYNPocY.exe

Network Details:

HTTP POST: http://31.207.6.189/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
HTTP POST: http://31.207.6.189/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
HTTP POST: http://31.207.6.189/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
HTTP POST: http://31.207.6.189/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; .NET4.0E; Media Center PC 6.0; MASE)
Flows TCP: 192.168.1.1:1032 ➝ 31.207.6.189:80
Flows TCP: 192.168.1.1:1032 ➝ 31.207.6.189:80
Flows TCP: 192.168.1.1:1043 ➝ 31.207.6.189:80
Flows TCP: 192.168.1.1:1044 ➝ 31.207.6.189:80
Flows TCP: 192.168.1.1:1045 ➝ 31.207.6.189:80

Raw Pcap

Strings