Analysis Date2014-01-17 02:49:12
MD590b0f951367b196d613726caa0fb8666
SHA16199e0363346717da10755c024f59c0086edcb15

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064
Section.rdata md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120
Section.data md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024
Section.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.rsrc md5: 374b8c6c8b8cb2251c3f385d1dc84371 sha1: 214a81ff205d9be01d58216320210238fa998e0e size: 82432
Timestamp2009-12-05 22:50:52
PackerNullsoft PiMP Stub -> SFX
PEhashdabed348fe1731db4f31a79e343354ebfd6cdc21

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\inetc.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsf3.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DM_5UbgruMl91\DownloadManager.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\System.dll
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\UserInfo.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\pwgen.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\inetc.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\DM_5UbgruMl91\DownloadManager.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsf3.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nst1.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\DM_5UbgruMl91\ApplicationDebug.log
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\System.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\UserInfo.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp\pwgen.dll
Creates ProcessDownloadManager.exe "C:\malware.exe"
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSwww.google-analytics.com

Process
↳ DownloadManager.exe "C:\malware.exe"

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab4.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\TarB.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab6.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CabC.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\CabA.tmp
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab8.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar9.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar7.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\DM_5UbgruMl91\ApplicationDebug.log
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar5.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\TarD.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab4.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\TarB.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab6.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CabC.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\CabA.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Cab8.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar9.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar7.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Tar5.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\TarD.tmp
Creates Processdw20.exe -x -s 280
Winsock DNSwww.download.windowsupdate.com
Winsock DNScacerts.digicert.com

Process
↳ dw20.exe -x -s 280

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\14EA7.dmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\14EA7.dmp

Network Details:

DNSwww-google-analytics.l.google.com
Type: A
173.194.34.165
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.169
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.162
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.164
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.166
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.163
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.161
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.160
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.168
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.167
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.174
DNSocsp.regional.digicert.com
Type: A
5.10.86.116
DNSa26.ms.akamai.net.0.1.cn.akamaitech.net
Type: A
62.253.3.169
DNSa26.ms.akamai.net.0.1.cn.akamaitech.net
Type: A
62.253.3.185
DNSwww.google-analytics.com
Type: A
DNScacerts.digicert.com
Type: A
DNSwww.download.windowsupdate.com
Type: A
HTTP GEThttp://www.google-analytics.com/__utm.gif?utmwv=5.3.6&utmhn=&utmr=-&utmp=&utmac=UA-44288146-1&utmcc=__utma%3D999.999.999.999.999.1%3B&utms=1&utmvid=0x3716C9ED562D4F85&guid=on&utmt=event&utme=5(NET%20Frameword*Installed)&utmsr=1024x768&utmsc=24-bit
User-Agent: Mozilla/4.0 (compatible; en-US; NSIS; Windows NT 5.1)
HTTP GEThttp://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP GEThttp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP GEThttp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43.crt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Flows TCP192.168.1.1:1031 ➝ 173.194.34.165:80
Flows TCP192.168.1.1:1032 ➝ 5.10.86.116:80
Flows TCP192.168.1.1:1033 ➝ 62.253.3.169:80
Flows TCP192.168.1.1:1034 ➝ 62.253.3.169:80

Raw Pcap
0x00000000 (00000)   47455420 2f5f5f75 746d2e67 69663f75   GET /__utm.gif?u
0x00000010 (00016)   746d7776 3d352e33 2e362675 746d686e   tmwv=5.3.6&utmhn
0x00000020 (00032)   3d267574 6d723d2d 2675746d 703d2675   =&utmr=-&utmp=&u
0x00000030 (00048)   746d6163 3d55412d 34343238 38313436   tmac=UA-44288146
0x00000040 (00064)   2d312675 746d6363 3d5f5f75 746d6125   -1&utmcc=__utma%
0x00000050 (00080)   33443939 392e3939 392e3939 392e3939   3D999.999.999.99
0x00000060 (00096)   392e3939 392e3125 33422675 746d733d   9.999.1%3B&utms=
0x00000070 (00112)   31267574 6d766964 3d307833 37313643   1&utmvid=0x3716C
0x00000080 (00128)   39454435 36324434 46383526 67756964   9ED562D4F85&guid
0x00000090 (00144)   3d6f6e26 75746d74 3d657665 6e742675   =on&utmt=event&u
0x000000a0 (00160)   746d653d 35284e45 54253230 4672616d   tme=5(NET%20Fram
0x000000b0 (00176)   65776f72 642a496e 7374616c 6c656429   eword*Installed)
0x000000c0 (00192)   2675746d 73723d31 30323478 37363826   &utmsr=1024x768&
0x000000d0 (00208)   75746d73 633d3234 2d626974 20485454   utmsc=24-bit HTT
0x000000e0 (00224)   502f312e 310d0a41 63636570 742d4c61   P/1.1..Accept-La
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f446967 69436572 74417373   GET /DigiCertAss
0x00000010 (00016)   75726564 4944526f 6f744341 2e637274   uredIDRootCA.crt
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000040 (00064)   6e743a20 4d696372 6f736f66 742d4372   nt: Microsoft-Cr
0x00000050 (00080)   7970746f 4150492f 352e3133 312e3236   yptoAPI/5.131.26
0x00000060 (00096)   30302e35 3531320d 0a486f73 743a2063   00.5512..Host: c
0x00000070 (00112)   61636572 74732e64 69676963 6572742e   acerts.digicert.
0x00000080 (00128)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000090 (00144)   204b6565 702d416c 6976650d 0a0d0a75    Keep-Alive....u
0x000000a0 (00160)   746d653d 35284e45 54253230 4672616d   tme=5(NET%20Fram
0x000000b0 (00176)   65776f72 642a496e 7374616c 6c656429   eword*Installed)
0x000000c0 (00192)   2675746d 73723d31 30323478 37363826   &utmsr=1024x768&
0x000000d0 (00208)   75746d73 633d3234 2d626974 20485454   utmsc=24-bit HTT
0x000000e0 (00224)   502f312e 310d0a41 63636570 742d4c61   P/1.1..Accept-La
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f617574   /trustedr/en/aut
0x00000030 (00048)   68726f6f 74736571 2e747874 20485454   hrootseq.txt HTT
0x00000040 (00064)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000050 (00080)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x00000060 (00096)   4d696372 6f736f66 742d4372 7970746f   Microsoft-Crypto
0x00000070 (00112)   4150492f 352e3133 312e3236 30302e35   API/5.131.2600.5
0x00000080 (00128)   3531320d 0a486f73 743a2077 77772e64   512..Host: www.d
0x00000090 (00144)   6f776e6c 6f61642e 77696e64 6f777375   ownload.windowsu
0x000000a0 (00160)   70646174 652e636f 6d0d0a43 6f6e6e65   pdate.com..Conne
0x000000b0 (00176)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000c0 (00192)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x000000d0 (00208)   3a206e6f 2d636163 68650d0a 50726167   : no-cache..Prag
0x000000e0 (00224)   6d613a20 6e6f2d63 61636865 0d0a0d0a   ma: no-cache....
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f303536   /trustedr/en/056
0x00000030 (00048)   33423836 33304436 32443735 41424243   3B8630D62D75ABBC
0x00000040 (00064)   38414231 45344244 46423541 38393942   8AB1E4BDFB5A899B
0x00000050 (00080)   32344434 332e6372 74204854 54502f31   24D43.crt HTTP/1
0x00000060 (00096)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000070 (00112)   0a557365 722d4167 656e743a 204d6963   .User-Agent: Mic
0x00000080 (00128)   726f736f 66742d43 72797074 6f415049   rosoft-CryptoAPI
0x00000090 (00144)   2f352e31 33312e32 3630302e 35353132   /5.131.2600.5512
0x000000a0 (00160)   0d0a486f 73743a20 7777772e 646f776e   ..Host: www.down
0x000000b0 (00176)   6c6f6164 2e77696e 646f7773 75706461   load.windowsupda
0x000000c0 (00192)   74652e63 6f6d0d0a 436f6e6e 65637469   te.com..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000f0 (00240)   6f2d6361 6368650d 0a507261 676d613a   o-cache..Pragma:
0x00000100 (00256)   206e6f2d 63616368 650d0a0d 0a7a696c    no-cache....zil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....


Strings
!1Aa
#+3;CScs
msctls_progress32
MS Shell Dlg
RAny use of this Certificate constitutes acceptance of the DigiCert CP/CPS and the Relying Party Agreement which limit liability and are incorporated herein by reference
SysListView32
<!--@#
_}~=!\
!-&['$
{-&$(/&%
*?|<>/":
#@--!>
%*))**%&%
000a@@@
0>_2X^
03" 3-
>06Y@ E4
0AdJAu
,0BG{+
;-0_ha
0HPrC#!Q
0`M!j0
0:!o9giX
0?o|kV
;?0pSWI
]0`q]>
 0se|V
0sKR0E
0TaD*k
0Tv7%#H
0T|y_a
0U$%Rr
0vatZ3W	
110211120000Z
121018000000Z
121221000000Z
130206000000Z
131220092356Z0#
160211120000Z0S1
+18Dla
1=A=4}><
~1(Az1
}*1dLN
.&1,jQ
1(jy9i{
`_-1V)&&
1#)w2?
201229235959Z0b1
201230235959Z0^1
21>Wg.
222]AAA
260210120000Z0o1
2a)&\ O
 ;2AOH
2E{2EK
2:)iN<
2-+Kop
2MfY\$
\(2mOu
2oo!DR
2<tGgGh
2X&Vq;EgJ
3(5;cj
	/3b0 
3("BE~
3GQFRN
3ikd~M
!3 K k 
,~~3~LEu
3QD*DH
3@q+"v
' !3Sn
3V	:E]
-<|	4|@
41Q2h\~n
444MWWW
,]45:m
4c b=j
4{?E7U
4>Eheq
4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
4http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
4IY}i)
4JZ_C7
4_JZQR}
4"peBs
\4U5":#
^4;uR|-\
4X8Hz[
4.Ye7Uw
{+5{+#
524'*'4
5?2Dhl
5&7!W2%
[5->-i
($-5I1
5J|1a?],
=5J =q
>"5NtA
+~5'OL
5#PW{H]
&&5_-qJ
\5sk"%
5>U9?^"
|5{u@e
5vuERH
670@F::
%!6:9N)
6ak=,v
6.[!br
]6c54	]v
6f1CNp
 6f3}$
6HVly1
	6|Jq 
6O',;Z?~
_)+6qj
_6>tD/
?6*~Tq
6` TtP(
6]u'}v=
{6v~0uL|
[6V{=2 #
6W{Arj
&73EqjC
7grV^u
7http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
7iyKtdq
7)j4Z%
7J9\*(
7jbc8t
7JC?+PgOn
(7K#n>
{7n;DR
 7ozZ)2]
7	}?P@
7qWc?L
7=Ro)B_ 
7Urje:
7.uU^m
81@s>*
}84dE~
87QnBo 
88HJow
:*\8'{9
[&8d#m
8NCRCu
8NEe/p
8[O:0	
8!} OB
8raY|Y
8.rxI,
8@`VB~$rL
,.8Wot
=8xrpg
98c}@G
#:9c&W
9dKsL^i
9FF7JP
9iz>r0e
9!j<y,f
<9}}}o+#sT
9QS\>G
9U(z4dr
;9Wn><i
9wzL|L`
<*9XCd
@9y$+ig:
>;-		?!a
^A$1*?
&	]A1A
a1JR<v<
|a5/A?X
a;6`hLO
a_7;*s
aA#F~/
Aa	rG&x
a<BBfR
;a/BCs?[W
A-CyNx
$A:Cz@
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
^A=,EK
]:aF	(9|G
af#9-w
aF[z{)
aH`+5zd
$'{aI~
a**N5S`	
AOTa90
AppendMenuA
ApQ?\,
ap_%[R
A&@r![!
_ATSZ'>&p
A\uo`&
/.!a!v]uV
-aycG{,
aZCyZc
/+b2-?
b/;4uH
B6aqB`
b(\8iu2
$b9f]n0!
,BA7O(Y
bC^n	Kf{E	
>}}^BE
BeginPaint
-bhb N;b
"b!"" HK
,|BI&3
\*bI@dj
!bK|cb
Bk`%S^
bO{~v}
BPI>!w
bs0v}B
BvG[O1H
bYe0/O
B.Zk!_
C51g1q
c71~?y?}
)'C8%"
CallWindowProcA
cC5e2_
}}}ccc
ccp-7 
ce<bx7
}C[EC6k
C._Ep+
cGgc|6
CharNextA
CharPrevA
CheckDlgButton
C ]j88Sl"
CJRP^y
cK*d#z'
cLcvv+;
CloseClipboard
CloseHandle
|['c;m
cnE>~b
cNW,SPT
c>)-{O
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
Co!_w4
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
C[t_"z
CU=J3&
CW h,uW2a
CXMeK1
cXww\'
^+cyG=Z
... %d%%
D$0+D$(P
D5D2cn
D7i{R|cd`
&d^9#^k
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
deNU}OZ
DestroyWindow
%D f/3
}~D~GM*
DialogBoxParamA
%DigiCert Assured ID Code Signing CA-1
%DigiCert Assured ID Code Signing CA-10
DigiCert Assured ID Root CA0
DigiCert Inc1
DIh-|^Zh
d I(n^;
DispatchMessageA
dItd=>
+D :kB
DKX:O(
d%`_lh
)DM1jJ
d^m~|fd3
{Dncq:
dn(_|o^
D$$Ph,
DrawTextA
;drHpS
DSId:"
D$(SPS
dt=d}e
Durbanville1
du?)z?
Dw*~Wy
dX9rbD
e1[IHr
e2WJ7R
E4^uAv
$*);e9
ED	AC(V
?e e0ec
 e e8ec
|eee "
@EEyKVV
EFGH'HgH
eH {	d
E+=}J?
elf+;g
EmptyClipboard
EnableMenuItem
EnableWindow
----END-DATA----
EndDialog
EndPaint
e]Ovo~
E^O;-`{&X
eOZ|]I{
eqz?}CU
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ES'	B5	h
E="sCLx
E-/spG^
EUjI<?K2
eV6S1n
e v9|&+8
ExitProcess
ExitWindowsEx
e{Xo=:
ExpandEnvironmentStringsA
~>e/Zn	y
!EZo}F
F2B7002
f@&4\K
)F5%*?
f5%60]
;f8.)np
F?9s1''*7
f| Az<e
FB0o{*
F+BlPI
f&bv0s
f,Cy>"t>
.?^Fe*!
F/e}(B
~~{fff
,fFO~	
fGM4y9
Fhc87$
&_fHU%
\f^&i+
+Fih^ho5	f
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
Fj*d~ 
F?jted)L
?FMeTU
)?f`_o
fQ01}v
FreeLibrary
FRGpy\
F(ST.CD
F\v48q>~6
}fvdvV
F`y6cF
>fyeV^~oB)]
fyGxfe
(^G{2P
g[4.lk
g5<=$4
g71ozr>
^G8v|r
-=>g9D
!/Ga^.gs#
^?*Gd-H+k
gdi,*/
GDI32.dll
g]\edj
GEo`KZ
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
}g{!h,
Gh~~;+j
G</iII(%.
	G(>*j
=-GjuN0
[gKvv9`J
gl7e|s
.GL8#=
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
Go*3k&1`
g|Oy|H-
&G/Ozu
%GpoJB
/&'GrwU
/:g]Rx8
G}<s5y=
#<GS[o
Gs-T(SPh
~-gt^>
\GuMLD
GuY{a{
.$Gvwz
gxTT\~
g.ZO||k[
H3U)z7!Y
h6M<dg
h9VXmA)'
/hcy!'=+
H_GgI6M
HHwwwwwwww
.h?i7t
Hi``Uy<^
_h\j6-?G\
(hjm0k
H:KH2U
h$l\au
Hl	Hbt
-H:	N 
Hnm6CRQU
$hrI{~-
HRiWG'R
]hSM?bD
@http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
-http://crl3.digicert.com/assured-cs-2011a.crl03
-http://crl4.digicert.com/assured-cs-2011a.crl0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://nsis.sf.net/NSIS_Error
http://ocsp.digicert.com0C
http://ocsp.digicert.com0L
http://ocsp.thawte.com0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
.http://www.digicert.com/ssl-cps-repository.htm0
HtVHtHH
h$@|ux
}HwzN(v
HXfd?D9>J
Hyja-Ly
hz3r3rW
#i>2|d
$ia[~E
I|{bC"
{"icon_url":"https:\/\/d1r57dxzsrp0oz.cloudfront.net\/icons\/34\/337433\/icon.png","program_name":"OpenOffice","version":"4.0.1","size":"136.84MB","file_name":"Apache_OpenOffice_4.0.1_Win_x86_install_enUS.exe","license":"Free","mirrors":["http:\/\/download.wedownload.netdna-cdn.com\/34\/337433\/863794\/Apache_OpenOffice_4.0.1_Win_x86_install_enUS.exe","http:\/\/d1km450po5waad.cloudfront.net\/34\/337433\/863794\/Apache_OpenOffice_4.0.1_Win_x86_install_enUS.exe","http:\/\/files.soft32.com.s3.amazonaws.com\/34\/337433\/863794\/Apache_OpenOffice_4.0.1_Win_x86_install_enUS.exe"],"download_manager_identifier":"1388843002","properties":{"program_name":"OpenOffice","category_name":"Business & Finanzen ","subcategory_name":null,"kw":"Open office deutsch","mt":"e","ad":"33598479428","pl":"","ds":"s"},"download_url_id":"863794","retry":"http:\/\/openoffice.de.xtremedownload.com?no_download_manager","is_browser":null,"browser":"Google Chrome","silent_params":"","api_key":["d471045cdbd734ce549fe8bf88fa0efb29544158","6ebf118ed5f2e2c5d33be891531d4755249afff0"]}
IDAT3hS
IDATGxI
i>dCp2"
ie#\=P
=iEvwt
`If@.@
Ig--Ybi	
<*i\h,.{O7
-I=,'I
ii5-m8
I	j$01
ik(]k0
i$K-MZ2
I===M			
I~M8F	
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
I}<nb9R
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
%%iP>>
}'IPdP
i}(pNj
IQ=F.xWu
:`i"Re
iRichu
ISmX})
IsWindow
IsWindowEnabled
IsWindowVisible
-i*w0^
Ix		?B
`i:+xrdj
IZtLEl
=J{&=>
j0I0{XH
=j3ub$
J4tgA8
j5u]h7
J8O2[(
j8U6os
jAnEFJ'
J$'DEN(
JG`yC2B
J$I*3vm2
jIpM]x
_j[Ji]
jJ]mQ7@
jJ@^-p=
j]LMrn
j-#O7;
jo|E6[0)
JOQPk@
jrh,tHM
jTk&4yn
Ju~ A&
jw |`ev
jXej`F
JY;3A	N|
k77>ws
		KA'0
K}amav
k|b`I,:
KE>pjA
KERNEL32
KERNEL32.dll
]KeVgRK2`l
Kg=},|
KH!8GzUD$
?kh|[i
*k"HP F
K>iLwD
)}}KKp
\)kMY	kH
 k!oC>
&k!P3t
k{PUS?j
|KR',o<n
\KTL5]
 KttcES
k?U_lV
kV7V65
k;VR2Z
,KV]R5Sv
kz%w}_
_`&]=L
';*.:L
L1T"3/
_L.6`srN
|"l7u<M1
L<$=8n
=LaJ|TG
lc\kX?N
:L(*dR!
leH~ l/[
le>k(9
lfw\.Z
l( g><
	l_Gc@Z
lI3xe[)3
lJnUgY,
.Lkg([~
L/L{|)1
<},lnm
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lPIc*Y/
__L-PK*$|[
Lq=>d'
{l`Q'R
LRRMs^
Lr;;wT
*LSKB_
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
lUXM|m
&lV}[&
LVJdiB
lv[`ND
LW5Q`{
%LwI~,
!`l!wj
}@}Lx;C
LY_2e}
lYXz\F9
@" -!m!
>'m@1~V
|m2&v/lo
m4u]V-2%
M5g@:4
mA) SG
=}	M_B
m`Bj*Lz
{mE$[a
MessageBoxIndirectA
~)M?F~@
	m^G;&
MG:1vm
/m=GKn
\Microsoft\Internet Explorer\Quick Launch
M^j_NL
Mjov)U
!MLOGy<'
More information at:
MoveFileA
MoveFileExA
-;~}mp
m,Q	fn2*1
 MS4NO
Ms}f"\[
M[+sqj
MTCn\?
MulDiv
MultiByteToWideChar
'*M&uUS
m}#Vre;
MWcwNm
,|~'n/
n4pgez
]#n5oI
n?+~6i
;	N'8c.
%n&8mK{
N8O2[Z
n9!1VJ
NB,1NB
nbEe O
nc[_S;A
.ndata
ND"I'1o
NeZU_Y
\NFM0~
NFyW|8
!ng+z3
Nicosia1
Niihf"
n	lc>=
nMAR&c
(NMo~+
	n<=N:
NNIYd;_O
nNpz!S
nOJj!G
n	OlCW
NO-@$[Ms=
nr9orY
NSIS Error
~nsu.tmp
Ns_Y62
NTs@b^|
NullsoftInstIP
NulluN	E
nVwkzW
=nw1pAtm
nX-7l6!
NX.;~8>S
nxVMu~
o*!>#%
@}O{<$
o1h0S{
o~3reli
O3(Z/&Q
_>O5?W
+%|O8<
O?aHM:ad)
O|az%+4
Obj>?uT
oBn_r.
occ3koo?
{O-dzSio<
oEHB0|
oEhp+z
*OGX,=
_\@OjQ
ole32.dll
OleInitialize
OleUninitialize
=(Olsn
o##NJ{Q
OnZs@Z
OpenClipboard
OpenProcessToken
O'P.g~-
;)OpgR*
}}O:::q
'}>Orf
ORJ}o3i
Or~MP7
&OS6dG
o)]!<SQ
o[stnT
*Ot<=C?|V
o}tVJVoUt
OXN^XV
-#<oY[
%OY[,3
oZ ec+
^P5;. C}!
p9O-8dv
P!{an)xi
p=Ap=~
PD#^b	(K
pEApE~
PeekMessageA
peuC>t8
PF?"mH
~p<}[G7
Pgbjk&
#pGnD{
P>>h_E
ph=RKR5R
P@K]9uCtV&
plcUPd
plnQ86
>pMOzM
PMtAj T
P)n4B4
$Pnf~9
PostQuitMessage
PPPPPP
P	rHEg
P-s5$V
PTdrC"
_(pui~.
p]v@7C
pwh,j#
P,~Wmzq
PWt{U'
PyoRD)
PyuN7 
+(@q>>
^=q_=6Y
/Q85n}#
Q9<L]P
#`{q b
QC:!0S
Q	}CBo
Qda/Fs
Q-*+E-
[QF!ZP
QGdV,b
-q_ggd
QGJTPv
QIQ)^35
q{ix 	
q<JRty
)^,q\m
qmN1g;
!QO't8
QP\X\Z
QRK]Q&	
QrM,|,Le1
^@qR}=wJ
qsQiX)
[QSy\Pk,
QuBBdqx
=<QVl,
QYai`Jy)Ye
=^`r-*
"(-{'r
-r0SB(
R|] }3
R72'6W+&
RcRK<M
`.rdata
rdl\8G
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
r?hWFv
RichEd20
RichEd32
RichEdit
RichEdit20A
r^Kaj}Df
R]k	Z~
r+M?A>K~B
!R|!$Nf
Rn;h.Nxp
^(rNl.9
r_}O@}
'}r%PG^A
r:qTEe
rrr"QQQ
/r~s@$
r*SQVE2
rt -%EKI
rVRNkJ 
$ryh-N
Rzw6OR
s'0'|%
S0wEg&
|s;3(V
@!s(3y
saW<?	
SBP|f$J
ScreenToClient
SearchPathA
SelectObject
s\EM=_
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
sF8zS{
SFz7wQb
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
sJ!Y]N
S"KvE}
?sl,+d
S)NEZK
softuW
Software\Microsoft\Windows\CurrentVersion
S>oIlW>
"<SPf*
SQSSSPW
SR>-@}
;ST{>%
----START-DATA----
S_uMp}	1
|sVKxH
-s'W)	%
>s(W2?
s;WHvO
]S~`xN
s	>yl*
Symantec Corporation100.
Symantec Corporation1402
'Symantec Time Stamping Services CA - G2
'Symantec Time Stamping Services CA - G20
+Symantec Time Stamping Services Signer - G40
-sy`&ofE0
SystemParametersInfoA
szy(	t^
> _?=t
]){!'T
T4)IC)
tbhDrp
TC=QpH
telc{wU
.tF\F2
t=G.LU
Thawte1
Thawte Certification1
Thawte Timestamping CA0
thi%q(
!This program cannot be run in DOS mode.
TimeStamp-2048-10
TimeStamp-2048-20
tis]?--
_tkB~,
Tm^PEm
_^[t	P
}Tq*L.
TrackPopupMenu
T,s.-(+
/U{>1_
U<#4~S5\
U7	Yv	+
&u9{K\
`u@a(w
>U|%Cv-
UdL?2A
UgA#!_u
)U"G~/qP2
\u:^h-
`%# UH-0
u_jU4MD
?U}JZV
u\_kHE
UkJ0ab
Ul/q}ph
;UN[[P
uqIv75m
U!QmcqM
USER32.dll
uSYrd`
\U"T?I
%u.%u%s%s
Uv>ijd
u`zIBo<p
?V04[	
}V4$UF
V]^b_ e
 V{*_c
V*Cs!E	
VE2.!lV
verifying installer: %d%%
VerQueryValueA
VERSION.dll
%ve^Xm
vf&G80
-.VfJd
vH4I3a'[T
"v!h"yyy
vIai'<
V$JbaZ)
VL.C=a
v!m!}!
{VNZr	S
V>`OvW
:\vr~d
vSU3^L
|VV2>:
v#Vh;+@
#VVV!9995OOO]
 ***vw
$*V&wB
V,WkV+
v(y	;?
vyB~A~A
w5/T|:
w6Hyf1
	w972^D
WaitForSingleObject
wA&WJv
WeDownload, Ltd0
WeDownload, Ltd1
Western Cape1
WF|_|#
}#Wf'C
\_[wGm$
/WHgrmI
w<K0PA
W\KF`*7
[~-W[KH
W%ko'*
WkUjL}gI/uy
 _w|LB
WNDtn~W
WO>evC
WPy+v~D
Wq~N`2
#w@QU|
WriteFile
WritePrivateProfileStringA
-@WRwAK
WS&,~n
wsprintfA
\WSVGz
,WTWA8C 
W.WAK]
www.digicert.com1.0,
www.digicert.com1$0"
`W-y_V
`x,^-;
/]x!_|
/:{_?X&
\x6h/P13
'X#76,
xAE2Q>
x]c)8m
XCu@b!
X:+>D5k
=xFF8zg
#xf%?H
X;<f:V
!?X!g-
X\/Hm;
X>HV3z
X<j#O}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x>Mmt#
X(o;0~
XOvASY
*xPG-f
|X<^~S
XU_YRQ
Xw oFW
xxA>+,
'x&<Yw
XZ?!ad
_&#|;_y
->Y,_:
^Y6njS
)YdKrW
Y!e5@V
yEk{ <
Y_Es'm|
y?)FdK&/
;yHd<g
|Y#HPOv
'yJ~aJ@Qq5P
Y-^OHa
Y]q;M`
yr4Yg-73
YU3[1q
Y#y'$o
yy`|vZ
-?~z;=
Z3/H!/
z4ob90
Z4x!%_
z}>7v^HL
Z9X`:B
##z*@F
ZF[@)^
Z[F2:e
Z'F;bK
zfK(7b
=zGxeD
ZH|,+TI
zJ}8?*(
z	JA&B
(Zl4+Z[
	,[(Z/M5ab:
ZNp?7'
ZoQ(o3
Zq?s;27{
$'z/uN
z>U(WN:r]
zX9>}`
[z]]Xm