Analysis Date: 2014-01-16 16:51:18
MD5: 8f444063a401857c002fe727a6909ab3
SHA1: 4105de7c1db90ab9fba5412bbde63265cc8da01a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 7e93431c583fce60c6f571ecc1c22e2d sha1: 3a55cbac4bc111bd461fcd3581438b8b13f296cc size: 76800
Section: .data md5: ed5980c10f4a4c23a22c586fcc83f1da sha1: e9901c3c407b066af893770a57f5f2dd0bb8af2c size: 28160
Section: .rsrc md5: ee893e5520ace0a70015b6b9f1a26b79 sha1: 46bfb6177bf8ae7925800438a53563280c49ebc9 size: 6144
Timestamp: 2013-01-08 18:31:31
Packer: Microsoft Visual C++ ?.?
PEhash: 3b67ca286745e2da4421ea11096fb1323e4627d0
AV: avira ADWARE/Agent.aephia

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\args.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\preloader.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\args.txt
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\preloader.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\preloader.exe" ProfileFileName=args.txt

Process
↳ "C:\WINDOWS\system32\cmd.exe" /c "C:\Documents and Settings\Administrator\Local Settings\Temp\_tinFD4D.bat"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\00294823\preloader.exe" ProfileFileName=args.txt

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{926EF180-C998-40EC-A207-81BA498DD376}\UninstallString ➝ C:\Documents and Settings\All Users\Application Data\INSTAL~1\{926EF~1\Setup.exe /remove /q0\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_tinFD4D.bat
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\TsuDll.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\x64\regsvr32.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Custom.dll
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\_Setup.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\c1.getapplicationmy[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\_Setup.dll
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\Readme.txt
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\r1.getapplicationmy[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\x86\regsvr32.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\r1.getapplicationmy[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.exe
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\D482E707.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\preloader.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\down.456.1.ini.part
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Readme.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\down.456.1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu8F867D7A.dll
Creates File: C:\Documents and Settings\All Users\Application Data\InstallMate\{926EF180-C998-40EC-A207-81BA498DD376}\Custom.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\_tinFD4D.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\x64\regsvr32.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Custom.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\r1.getapplicationmy[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Setup.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\_Setup.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\D482E707.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\down.456.1.ini.part
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\Readme.txt
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\{926EF180-C998-40EC-A207-81BA498DD376}\x86\regsvr32.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\r1.getapplicationmy[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu8F867D7A.dll
Creates Process: "C:\WINDOWS\system32\cmd.exe" /c "C:\Documents and Settings\Administrator\Local Settings\Temp\_tinFD4D.bat"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {BE05561F-CD13-40B3-A258-853165E674E9}
Winsock DNS: r1.getapplicationmy.info
Winsock DNS: c1.getapplicationmy.info

Network Details:

DNS: dc-b2b0e285.getapplicationmy.info
Type: A
54.201.215.30
DNS: dc-b2b0e285.getapplicationmy.info
Type: A
54.201.215.30
DNS: c1.getapplicationmy.info
Type: A
DNS: r1.getapplicationmy.info
Type: A
HTTP POST: http://r1.getapplicationmy.info/?report_version=5&
User-Agent: TixDll
HTTP GET: http://c1.getapplicationmy.info/?step_id=1&installer_id=295012343118997822&publisher_id=556&source_id=0&page_id=0&affiliate_id=0&country_code=A1&locale=EN&browser_id=1&download_id=4947784309420232488&external_id=0&session_id=11233491234451711622&hardware_id=11993134721866020867&
User-Agent: TixDll
HTTP POST: http://r1.getapplicationmy.info/?report_version=5&
User-Agent: TixDll
Flows TCP: 192.168.1.1:1032 ➝ 54.201.215.30:80
Flows TCP: 192.168.1.1:1033 ➝ 54.201.215.30:80
Flows TCP: 192.168.1.1:1034 ➝ 54.201.215.30:80

Raw Pcap


Strings