Analysis Date: 2018-03-20 03:28:02
MD5: 98d4a09487c25103746c65d699d5fc78
SHA1: f4ec7a17032761f132faa0bb4037d46a5ff48fe1

Static Details:

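File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: 5043806cefe5e15757eeb9e829297b91 sha1: 8e344e509648c3b24cf996a9af1e1cb5f515137e size: 252416
Section: .rsrc md5: 73b0de11c91053df393d5e7a78924262 sha1: c27464783602589afee38b8986d5cfdf8c57adac size: 4608
Timestamp: 2013-11-20 10:46:07
Packer: UPX -> www.upx.sourceforge.net
PEhash: 0cfb13aaa4a5af5ed1a6b2c1eec878a1c7b1dbee
IMPhash: 7412403a696af7734366d6d759654a7e
Note: UPX0 has size 0, so its md5 and sha1 are the digests of empty input and match every zero-length section; they are not usable as indicators for this sample. The IMPhash is computed over the packed file's import table, so it may also match unrelated files packed the same way.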
AV: Arcabit (arcavir) - Error Scanning File
AV: Authentium - W32/S-6b93e35e!Eldorado
AV: Grisoft (avg) - No Virus
AV: Avira (antivir) - TR/Rogue.258048.33
AV: Alwil (avast) - Evo-gen [Susp]
AV: Ad-Aware - Trojan.Generic.12049711
AV: BitDefender - Trojan.Generic.12049711
AV: BullGuard - Trojan.Generic.12049711
AV: ClamAV - No Virus
AV: Dr. Web - No Virus
AV: Emsisoft - Trojan.Generic.12049711
AV: MicroWorld (escan) - Trojan.Generic.12049711
AV: CA (E-Trust Ino) - Trojan.Generic.12049711
AV: Fortinet - Riskware/FlyStudio
AV: Frisk (f-prot) - W32/S-6b93e35e!Eldorado
AV: F-Secure - Trojan.Generic.12049711
AV: Ikarus - Trojan.Rogue
AV: K7 - Trojan ( 005246d51 )
AV: Kaspersky - No Virus
AV: MalwareBytes - No Virus
AV: Mcafee - No Virus
AV: Microsoft Security Essentials - No Virus
AV: NANO - No Virus
AV: Eset (nod32) - No Virus
AV: Padvish - No Virus
AV: CAT (quickheal) - No Virus
AV: Rising - No Virus
AV: 360 Safe - No Virus
AV: SUPERAntiSpyware - Error Scanning File
AV: Symantec - No Virus
AV: Trend Micro - No Virus
AV: Twister - No Virus
AV: VirusBlokAda (vba32) - No Virus
AV: Windows Defender - No Virus
AV: Zillya! - No Virus
Note: the positive verdicts are generic or heuristic names (Trojan.Generic.12049711 repeated across several products, Evo-gen [Susp], Riskware/FlyStudio); none names a specific family, so the verdicts alone do not establish what the sample does.

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\f4ec7a17032761f132faa0bb4037d46a5ff48fe1.exe

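Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates Mutex: Local\!IETld!Mutex
Creates Mutex: Local\ZonesCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesCacheCounterMutex
Note: these appear to be the standard mutexes that the Windows Internet Explorer networking and security-zone libraries create in any process that loads them, and sortdefault.nls is a Windows locale file (presumably opened rather than newly written). None of these artifacts is specific to this sample, so they make weak host indicators.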

Network Details:

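DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: www.baidu.com
Type: A
HTTP GET: http://www.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.baidu.com/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 180.76.3.151:80
Flows TCP: 192.168.1.1:1033 ➝ 180.76.3.151:80
Note: the only external destination recorded is www.baidu.com; no address is listed for it, and www.a.shifen.com (resolved to 180.76.3.151) is presumably its CNAME target. Fetching a popular site's front page and logo looks like a connectivity check rather than command-and-control, so the domain and IP are poor block-list candidates. The fixed MSIE 6.0 / Windows NT 5.1 User-Agent is the more distinctive trait here.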

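Raw Pcap
Note: the requests below with User-Agent "Microsoft NCSI" (GET /ncsi.txt to www.msftncsi.com) and "WSDAPI" (SOAP POSTs to 192.168.100.165:5357 and 192.168.100.193:5357) look like Windows background traffic from the analysis machine (the network connectivity probe and Web Services on Devices), not traffic generated by the sample. The GET / to www.baidu.com in this excerpt carries an MSIE 7.0 / Windows NT 6.1 User-Agent, which differs from the MSIE 6.0 / Windows NT 5.1 value listed under Network Details; the excerpt does not show the requests with the latter.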
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452037   mpatible; MSIE 7
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542036   .0; Windows NT 6
0x00000090 (00144)   2e313b20 574f5736 343b2054 72696465   .1; WOW64; Tride
0x000000a0 (00160)   6e742f34 2e303b20 534c4343 323b202e   nt/4.0; SLCC2; .
0x000000b0 (00176)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000c0 (00192)   373b202e 4e455420 434c5220 332e352e   7; .NET CLR 3.5.
0x000000d0 (00208)   33303732 393b202e 4e455420 434c5220   30729; .NET CLR 
0x000000e0 (00224)   332e302e 33303732 393b204d 65646961   3.0.30729; Media
0x000000f0 (00240)   2043656e 74657220 50432036 2e30290d    Center PC 6.0).
0x00000100 (00256)   0a486f73 743a2077 77772e62 61696475   .Host: www.baidu
0x00000110 (00272)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x00000120 (00288)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x00000130 (00304)                                         

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 36353a35 3335370d 0a0d0a3c   00.165:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a383062 37336335 362d6363 38382d34   :80b73c56-cc88-4
0x00000280 (00640)   6239302d 62306330 2d313332 30306562   b90-b0c0-13200eb
0x00000290 (00656)   66393938 393c2f77 73613a4d 65737361   f9989</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6666 32636136   >urn:uuid:ff2ca6
0x00000340 (00832)   62382d35 3964652d 34363364 2d383865   b8-59de-463d-88e
0x00000350 (00848)   382d3963 35373464 34323631 61313c2f   8-9c574d4261a1</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 39333a35 3335370d 0a0d0a3c   00.193:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a626461 31626366 622d6333 64372d34   :bda1bcfb-c3d7-4
0x00000280 (00640)   6234372d 62623962 2d383130 35646665   b47-bb9b-8105dfe
0x00000290 (00656)   31343063 373c2f77 73613a4d 65737361   140c7</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3562 30656434   >urn:uuid:5b0ed4
0x00000340 (00832)   31642d66 6263362d 34626365 2d616430   1d-fbc6-4bce-ad0
0x00000350 (00848)   612d6561 37653066 61333933 61313c2f   a-ea7e0fa393a1</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 39333a35 3335370d 0a0d0a3c   00.193:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a343766 37306562 342d3861 66312d34   :47f70eb4-8af1-4
0x00000280 (00640)   6565632d 62663735 2d623535 65653133   eec-bf75-b55ee13
0x00000290 (00656)   31636466 623c2f77 73613a4d 65737361   1cdfb</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6537 62353065   >urn:uuid:e7b50e
0x00000340 (00832)   34362d61 3365352d 34323932 2d396561   46-a3e5-4292-9ea
0x00000350 (00848)   302d3935 36386234 62303431 65643c2f   0-9568b4b041ed</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


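Strings
Note: the Packer field reports UPX, so these strings are taken from the packed image and most of them are compressed data. The readable DLL and API names (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, ...) are presumably the packer stub's import table and do not reflect the full imports of the unpacked program; extract strings again after unpacking before drawing conclusions.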
d
.l5v-.
z
...(..S.
.
.
.
.)
.
.
Mdck.
.
.
.J#
d
.l5v-.
z
...(..S.
.
.
.
.)
.
.
Mdck.
.
.
.J#

DEFAULT_ICON
TEXTINCLUDE
0{0X#Ri
`02,^D
06b=^{
0BT> !
@$0CEU
0g<O/aK
$0;IgO<
0UlRij
=0*WFWE
 0XX{/`L
1=0$rJ
13G+$v
)1Ex_s U
@1h)Ys
 1(qma
1wrzK*
1Xo'3(
".:~"2
27ew7bB
2&AR=xP
2CIS I
2D@?/>
2${m'vK
2#Rh)w
 2rW!z
/[3=3_
+35A@u
3A3O}	
3Mg"hs
3TEhdo
`4AU<G
4bxV#:
4h#=;C
,**4/M
^4u@T!aLw
 !;53'
5)5V@Q
5DQso%
5%^=gmf
 /5it}
{5r5A_ 
5s+MhJL
5*[#U\
@6-D7}
_6{dJ)
-6H(Bh
|`6Q)8
>6q,8J
6 (S;&)4
6*w7"T
=7|.@}
_/7|1|
$)7FE4
7]gi>II
-7KJMb
?7N8,U
7NUSq8n
`7REMy1b
@"7Wc%!.
.7w?v8v
7(y)v:W
86a3RO6
8f@Hk6[
+8k|t 
`8SI*H
+8utGY
:950`^Ek
9l$\w_
9	TCbu@
A{=+0>&j
a74XF^
A?9D#	(
]AcQNZU
ADGv)x
ADVAPI32.dll
a]F"Z5eJ
AGf8+K"k0
}a^[HUED{
A#iIi#P
aIqMX#q2
"Aj&&N
'AlZ08
a	ngsN
;An/\M
A >sF+
A.VuWs
awmIgpom
AYO`iP
B2 W l
b>3	&l
bF+'J 5&D
`BH(R16
`.+BnG
bovk!-
|b~	R#q6
B{>>Z4.
C|:%^.
ca[$ L
ccf\'W
Ce-		E
)Cfg>(
ChooseColorA
ClosePrinter
COMCTL32.dll
comdlg32.dll
cOuC1mJr
cPU.z]a^_
cP^V/nR
Cr-\\15
CSu */
C^&TIc
	cUFF+
cVl-)ZH
>D1S-{
D2qx;*
d3P0N;
.)D$H)
dH3ru+1
&d(K{Z
(d=Nr4
DSqeWs
?%D!T%[5
D$t+D$\
D$t#D$h
DtIxj.
*D%UMz
;;"#{e
e0 s-K
E2;RAv
$e2t2M
@e_~ oe
ERBywP}
ES7!	(
EU	}I@
>EVz)J
ExitProcess
e_/\ZT
F%/+=	
!f)2{"Fy
f2 W'z
f6]*Re:
f8	L.Y}0
f?a46i
+f_\aXTj
F}B&)oT
fCYwvNI
.F|"G2
fHmNb$&U
FJ(#J5p
[{fkTD
>F?lo.o
fvFw:g
"fW=#9
FXdT|W
fYu<v@i!
F!;ZWe
G}2QU|
g}|6m-
-gBmg[v.
|'G#CBU
GDI32.dll
:[GeEK
GetProcAddress
g`g6@.
GHMaW$
GK,M|*lF
;+gL(A
`?/Gq$
G~+UY!
g	YT:"
G+ZFP[T
	H}]>~
h[3L`n
H3o0)A'
h]A/-(wl
Hc>kW	
\hINkR
#h/IVj:~
hjz!wW
H]$m=!
HMYZL*
HoZKoJ
`H#Q"W
!(HVH X95
hzzl~5
I1Oqz2
	i56I:`O
i<]&&6|
I_`7B<
i7NopS5
ib^NjPb
i=bQe].
Ib;T29
\ic]|ec
iF9[xKh
,*:i&*p
(iu,%0;
IV9+OL
`Iw^@=
@IWHw 
= i{'X
,$I X;
+iy5o{
J3k@5P
= jbK{
jbYR_t
J=c8kX
{j"FNmG[zh
jj?3Nsr
JlAp	+
=^jM`@f
Jn7!| F
+,Jof3
\jQ+63
^_jSL2
:jvF ^Jd
jwqywY
"J[Xk{y+
k1y}e+
|k6RvX
;KdcVK!
KERNEL32.DLL
K/kRL$k
K&L\45"
/k%w?1
<kWI_^
KxD}Wu3
+)kXS2
ky"A#<
'|[kYF
L93$a)
-LA{}#
}L*,$B
lDF57+
LDNaL R\-
\Lft0bD2
LG!)@Rd
LlN_m{
Ll%vaa
LoadLibraryA
lq7ifm
LQ\mK	
LRr\<:
<L$W0i
M9?]HLN
[ma2<_
md0U6P!
MDv<Lv
mEtfiNI
 '}miy\:
mk,|4k
Mk]lfNa"
Mk[NGf
mR^"<C
mxlIJf
N^&+0Lv
N4mb}is
<Nd(TF^
NF7A2|
n?hV>.d^
!!ni{8
${}n@l
":)|Nt
ntW#uW
n(y		d
@<o1E-
/o4Y_b
 o59)}
O^6rGq
@OcbdM
O/)f0UKy
ofRbi1
oGe~)<
_OkAKaU
ole32.dll
OLEAUT32.dll
oledlg.dll
OleInitialize
^olrn	!O
}(oMp%
OP)hY^|
OSHs0$ZLPu
Ox"#ANM
O"y=[_
+*O$Ze
 ,P+]@
p2>Eup
PatBlt
P[CaOlv
Pi.^Ol.
pJlx7fu
[Pj$Yf"
%<pNQ@
PogHW}~K
P`P! X
&}psl$
/@pTI!
P&Uaf/
puPCf7Mk
PV_(sC
P,X!oF
P[,x`q
q2e4DwTD
qAa#Ey!1
 }!q$b!
Q	}G,@
qg`{kxQ
qHK0x3
qi8#( 
qIj&)6
qwiSRGNE
#QZ~e&
r"35C/
r+3oF?7
r(>6+!
r`BJ5]<$
RegCloseKey
R~g9t*
rGr%WZ
Rich"=
>r{Id'
R J,O%
Rj zy1
RNbL@'
RP?<:G
<R-_qo
R>RNW_
?rU&AA
rW%	jd
S04&q$0
S$+B-a
SBKl}9K
se/)+2
sf6@q(
s(]f9U
SHELL32.dll
ShellExecuteA
(Si)xZ
.s}k#!
s`)L$4
s[Wv':
s!Y:b7=y(
T2ky%)
Tb10@V
(T|Bf3
+TCRA5
!This program cannot be run in DOS mode.
	thTn(q
['"tn:&
t|R`^R
t$t#t$l
t~y5`N
!U26|V
u8(#6Y
UD-.4O~
UF*R"P
;`uJ.,`
Uj!@}h;&o
uM]!D$
UpJf6<
USER32.dll
u{)T*>G%
uu?M&J{
>`uV1z
uWJoq.
uy[$~9
V0!<6D}
$v!@0e
Ve+:,11
v(:#e/9
VE`\fx
v$F5X`z
VgcS#7
vh5DY<
VirtualAlloc
VirtualFree
VirtualProtect
vJIxTY
v^-qoCmB
v=!T`@
^VV,O<
vw]pbi
Vy<#f2
W2.0?y
waveOutOpen
WG^St#
WINMM.dll
WINSPOOL.DRV
wk3y3E
WoLZ6I^
WS2_32.dll
\W%txN
wu;uyi
wx&t|m
w@%Z]4#
X1\Y:r0
x2WCIX
X4G*A;"
x52<;'
&/x?5D]X
+,xdE-
@; X.E
X<<g m
&Xj^C&
>XJ]lS
X(mG;]4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.1.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
XPTPSW
(;<;"\xQ
XSrzK8
x_}tV/
	XURw9
xyCYce
xy`UPgF
xZ"I)P
'^ y!}
Y=9mv-
YD,:+\wTB
]=<	Y{G
yJ3LM&
yn]5%1%
ypr Go
yT!C*qG
Y:v^',o
yVX[,L
;z+0&s
Z>0WTZ^
Z3B2&r
z4Etq1
($`Z4r*m
?Zf[&j
Zh)HOo 
z(OC+K#
'zq!^C>
Z-ro-I
ZS!!Gb
{ZSz"=
ZuC)'|<1
Z_;-VO
"?z!WA
Zx6_,RZ
zxa-lr<
zyt1UM
zy?(+W