Analysis Date: 2014-11-25 19:25:18
MD5: 0fdce7d84141af3102bfaaddb9d09bed
SHA1: ff0bf6bc9ec8e10d9c5ec9d4af0fc3329fb11ad4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: Esp0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: Esp1 md5: f0a34fb1a610fe934e81456b4d8f4f3c sha1: 19c34b3aa9e7549ba39cb02693f891ad876bb714 size: 624640
Section: .rsrc md5: ffc45cceb2c6807b7531d7dcdb8e2c69 sha1: de3469d7e492e95e1490da7ede4d45305d2655a7 size: 105472
Section: .Esp md5: bba78d684353d5a79a5ea2fa8aa2a102 sha1: c5ce2a540c054a0026d80f01524c5ed4700c97d6 size: 512
Timestamp: 2013-08-14 11:49:29
Version:
  LegalCopyright: 朋来阁出品
  FileVersion: 1.0.0.0
  Comments: 朋来阁出品
  ProductName: 朋来阁出品
  ProductVersion: 1.0.0.0
  FileDescription: 朋来阁出品
PEhash: e5f0a18a7859bf1c9f38a4288bb0fee5d453b4ae
IMPhash: a77be1aed84f4e5d931178a6cfeeb4e1
AV 360 Safe: Gen:Variant.Strictor.38903
AV Ad-Aware: Gen:Variant.Strictor.38903
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.JKCJ-3585
AV Avira (antivir): TR/Agent.731666
AV BullGuard: Gen:Variant.Strictor.38903
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Strictor.38903
AV Eset (nod32): no_virus
AV Fortinet: W32/OnLineGames.AJN!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Strictor.38903
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Strictor
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan.Win32.Generic:Packed.Multi.MultiPacked.gen
AV MalwareBytes: no_virus
AV Mcafee: Flyagent
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Strictor.38903
AV Rising: Packer.Win32.Agent.f
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝ 31,31,31,31\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\12853.tmp
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\132e3.tmp
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\13d44.tmp
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\132e3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\13d44.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\12853.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.bestgaozhuji.com
Winsock DNS: ftp77149.web-89.com

Network Details:

DNS: sk140.webcname.net
Type: A
182.18.22.18
DNS: ftp77149.web-89.com
Type: A
141.8.225.62
DNS: www.bestgaozhuji.com
Type: A
HTTP POST: http://www.bestgaozhuji.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://ftp77149.web-89.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://www.bestgaozhuji.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://ftp77149.web-89.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://www.bestgaozhuji.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://ftp77149.web-89.com/hhq27/hhqpiao27.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1032 ➝ 182.18.22.18:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1034 ➝ 182.18.22.18:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1036 ➝ 182.18.22.18:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.62:80

Raw Pcap

Strings
080404B0
1.0.0.0
Comments
DEFAULT_ICON
FileDescription
FileVersion
IEXT_IDB_STATEIMAGES
LegalCopyright
ProductName
ProductVersion
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
ChooseColorA
ClosePrinter
COMCTL32.dll
comdlg32.dll
ExitProcess
GDI32.dll
GetAdaptersInfo
GetProcAddress
iphlpapi.dll
KERNEL32.DLL
LoadLibraryA
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
RegCloseKey
SaveDC
SHELL32.dll
ShellExecuteA
!This program cannot be run in DOS mode.
USER32.dll
VerQueryValueA
VERSION.dll
VirtualAlloc
VirtualFree
VirtualProtect
waveOutOpen
WINMM.dll
WINSPOOL.DRV
WS2_32.dll