Analysis Date: 2013-11-21 21:59:41
MD5: e83f6cbf13bf79f75609fe4949eecf74
SHA1: 8644746488cdff46e792ddcb7bcc809fe7f36ee7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: b2da5a30c0965b0bb01768ae339be62d sha1: 751c66b536183343c2c77a53a0d6ea38ba6ee1c9 size: 7680
Section.rdata md5: fa80e947b73138993a0197f101133900 sha1: c034358355da6d6294b561e0cc21679c1b079235 size: 2048
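Section.data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section: both values are the digests of zero-length input, so they are not usable as indicators)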
Section.rsrc md5: c16b49cef61cf69f63f7e1cec2831618 sha1: f20d88c245f6840f6dcd7af274e38bc0846b2388 size: 8192
Section.reloc md5: 9616f9fa4fc01c4d013da3e0fd62603c sha1: bff008b4fae8ab3cd3d722436e1e6abde996b6a9 size: 512
Section.tsustub md5: abaf901a2e706627a52417e7d3faee6e sha1: 1c16ac7cd8d717b302f348f98d4c305da8d663ef size: 119808
Section.tsuarch md5: 234fbfb7521297c25a816f5667d66cd8 sha1: 9a2df7fe81700cc41b01fb2d92761d00181278c3 size: 157184
Timestamp: 2012-11-01 21:51:06
Pdb path: D:\Dev\Tin7\InstallDir\vc80-win32u\Loader.pdb
Version:
LegalCopyright: Copyright © 2010 Premium
ProductCode: {3C7BB346-60EE-4A4F-BD08-119A67490010}
InternalName: TSULoader
FileVersion: 2012.11.8.1120
SpecialBuild:
CompanyName: Premium
PackageCode: {5E1119BB-1DF5-5947-BBAC-55D785F23B4D}
Comments: WinNT (x86) Unicode Lib Rel
ProductName: Setup
ProductVersion: 1.0
FileDescription: Installer
WebSite:
Email:
OriginalFilename: TSULoader.exe
Arguments: /x
PEhash: 6d6ebc79a39f0eec0a54d663581e3b2527b3422b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeout ➝ 600000
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{2671EDDF-12CE-1F75-FD9E-5AECFD92CF29}\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{2671EDDF-12CE-1F75-FD9E-5AECFD92CF29}\_Setupx.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{2671EDDF-12CE-1F75-FD9E-5AECFD92CF29}\_Setup.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\EBEC3006.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu78D1407E.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\8644746488cdff46e792ddcb7bcc809fe7f36ee7.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\{2671EDDF-12CE-1F75-FD9E-5AECFD92CF29}\Setup.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\EBEC3006.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {5E1119BB-1DF5-5947-BBAC-55D785F23B4D}
Winsock DNS: www.storagepl1.info
Winsock DNS: www.storagepl1.com
Winsock DNS: www.reportpl1.info
Winsock DNS: www.reportpl1.com

Network Details:

DNS: reportpl1.com
Type: A
50.63.202.71
DNS: storagepl1.com
Type: A
184.168.221.66
DNS: reportpl1.info
Type: A
184.168.221.91
DNS: storagepl1.info
Type: A
184.168.221.77
DNS: www.reportpl1.com
Type: A
DNS: www.storagepl1.com
Type: A
DNS: www.reportpl1.info
Type: A
DNS: www.storagepl1.info
Type: A
HTTP POST: http://www.reportpl1.com/installmate/php/track_installer_products.php?installer_version=75
User-Agent: TixDll
HTTP GET: http://www.storagepl1.com/installmate/php/get_cfg.php?step_id=1&product_name=jagwar+ma+-+come+save+me&product_title=MP3Juices+Download+Manager&installer_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D&product_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D.mp3&product_download_url=http%3A%2F%2Fmp3juices.com%2Fdownload%2F4994%2F19069593%2F33965255248f%2Fjagwar+ma+-+come+save+me&reffer=http%3A%2F%2Fwww.MP3juices.com%2F&installer_id=509ec4e0961b06.34223747&publisher_id=356&source_id=0&page_id=0&affiliate_id=0&geo_location=GB&locale=EN&browser_id=1
User-Agent: TixDll
HTTP POST: http://www.reportpl1.info/installmate/php/track_installer_products.php?installer_version=75
User-Agent: TixDll
HTTP GET: http://www.storagepl1.info/installmate/php/get_cfg.php?step_id=1&product_name=jagwar+ma+-+come+save+me&product_title=MP3Juices+Download+Manager&installer_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D&product_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D.mp3&product_download_url=http%3A%2F%2Fmp3juices.com%2Fdownload%2F4994%2F19069593%2F33965255248f%2Fjagwar+ma+-+come+save+me&reffer=http%3A%2F%2Fwww.MP3juices.com%2F&installer_id=509ec4e0961b06.34223747&publisher_id=356&source_id=0&page_id=0&affiliate_id=0&geo_location=GB&locale=EN&browser_id=1
User-Agent: TixDll
Flows: TCP 192.168.1.1:1032 ➝ 50.63.202.71:80
Flows: TCP 192.168.1.1:1033 ➝ 184.168.221.66:80
Flows: TCP 192.168.1.1:1034 ➝ 184.168.221.91:80
Flows: TCP 192.168.1.1:1035 ➝ 184.168.221.77:80

Raw Pcap
0x00000000 (00000)   504f5354 202f696e 7374616c 6c6d6174   POST /installmat
0x00000010 (00016)   652f7068 702f7472 61636b5f 696e7374   e/php/track_inst
0x00000020 (00032)   616c6c65 725f7072 6f647563 74732e70   aller_products.p
0x00000030 (00048)   68703f69 6e737461 6c6c6572 5f766572   hp?installer_ver
0x00000040 (00064)   73696f6e 3d373520 48545450 2f312e31   sion=75 HTTP/1.1
0x00000050 (00080)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000060 (00096)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x00000070 (00112)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x00000080 (00128)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x00000090 (00144)   55736572 2d416765 6e743a20 54697844   User-Agent: TixD
0x000000a0 (00160)   6c6c0d0a 486f7374 3a207777 772e7265   ll..Host: www.re
0x000000b0 (00176)   706f7274 706c312e 636f6d0d 0a436f6e   portpl1.com..Con
0x000000c0 (00192)   74656e74 2d4c656e 6774683a 20353831   tent-Length: 581
0x000000d0 (00208)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000e0 (00224)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x000000f0 (00240)   613d5747 7450424e 71396765 46496866   a=WGtPBNq9geFIhf
0x00000100 (00256)   74584336 6d5a434e 6e53704e 49534165   tXC6mZCNnSpNISAe
0x00000110 (00272)   34484479 78494279 6c476637 56557354   4HDyxIBylGf7VUsT
0x00000120 (00288)   4f53716a 61346865 7239686a 61347154   OSqja4her9hja4qT
0x00000130 (00304)   78537264 674b7248 6e477254 72367164   xSrdgKrHnGrTr6qd
0x00000140 (00320)   43537663 61534337 6c484337 564c4256   CSvcaSC7lHC7VLBV
0x00000150 (00336)   30506863 7333734e 49477154 43466d6b   0Phcs3sNIGqTCFmk
0x00000160 (00352)   6d776d53 39467255 7178766a 78797148   mwmS9FrUqxvjxyqH
0x00000170 (00368)   6b4a6d55 6e346d69 39386e6b 6c646d55   kJmUn4mi98nkldmU
0x00000180 (00384)   6e347255 71797254 56307353 4559734e   n4rUqyrTV0sSEYsN
0x00000190 (00400)   6856434e 71504237 35537053 73367169   hVCNqPB75SpSs6qi
0x000001a0 (00416)   73497363 74454279 7839684d 3047426c   sIsctEByx9hM0GBl
0x000001b0 (00432)   30376866 74484165 304b7354 4f537148   07hftHAe0KsTOSqH
0x000001c0 (00448)   61477169 73497363 74454465 74494166   aGqisIsctEDetIAf
0x000001d0 (00464)   714f6866 74584165 6e537053 7348716a   qOhftXAenSpSsHqj
0x000001e0 (00480)   67537663 61534337 3038434d 71566637   gSvcaSC708CMqVf7
0x000001f0 (00496)   56557354 4f537263 73497363 74456765   VUsTOSrcsIsctEge
0x00000200 (00512)   44566637 56557354 4f537263 73497363   DVf7VUsTOSrcsIsc
0x00000210 (00528)   74384337 6c476636 71506863 73337356   t8C7lGf6qPhcs3sV
0x00000220 (00544)   724a7269 3938766a 7346766a 7737726a   rJri98vjsFvjw7rj
0x00000230 (00560)   6e35706a 6b36716a 6e4a7254 61367148   n5pjk6qjnJrTa6qH
0x00000240 (00576)   59457154 73457069 3946726a 43367254   YEqTsEpi9FrjC6rT
0x00000250 (00592)   7235706a 7738766a 6b457263 73497363   r5pjw8vjkErcsIsc
0x00000260 (00608)   74504337 78554265 564b7354 4f537269   tPC7xUBeVKsTOSri
0x00000270 (00624)   73497363 74384337 6c476637 465a424d   sIsct8C7lGf7FZBM
0x00000280 (00640)   43537053 73467264 72487353 4559734d   CSpSsFrdrHsSEYsM
0x00000290 (00656)   30487354 4f53716a 61467353 4559734e   0HsTOSqjaFsSEYsN
0x000002a0 (00672)   59377163 73337354 61537663 61534337   Y7qcs3sTaSvcaSC7
0x000002b0 (00688)   6c47444d 5654686c 30456765 71527354   lGDMVThl0EgeqRsT
0x000002c0 (00704)   4f537247 73497363 74474465 344b4165   OSrGsIsctGDe4KAe
0x000002d0 (00720)   344e6636 62474237 71564336 71564347   4Nf6bGB7qVC6qVCG
0x000002e0 (00736)   73337354 61537663 61534337 71476865   s3sTaSvcaSC7qGhe
0x000002f0 (00752)   6c4b6636 59537053 73467264 73397353   lKf6YSpSsFrds9sS
0x00000300 (00768)   4559734e 7154434d 6c564256 30347354   EYsNqTCMlVBV04sT
0x00000310 (00784)   4f537148 67357353 4559734d 6d564337   OSqHg5sSEYsMmVC7
0x00000320 (00800)   71474166 62394165 304b7354 4f53734e   qGAfb9Ae0KsTOSsN
0x00000330 (00816)   3830                                  80

0x00000000 (00000)   47455420 2f696e73 74616c6c 6d617465   GET /installmate
0x00000010 (00016)   2f706870 2f676574 5f636667 2e706870   /php/get_cfg.php
0x00000020 (00032)   3f737465 705f6964 3d312670 726f6475   ?step_id=1&produ
0x00000030 (00048)   63745f6e 616d653d 6a616777 61722b6d   ct_name=jagwar+m
0x00000040 (00064)   612b2d2b 636f6d65 2b736176 652b6d65   a+-+come+save+me
0x00000050 (00080)   2670726f 64756374 5f746974 6c653d4d   &product_title=M
0x00000060 (00096)   50334a75 69636573 2b446f77 6e6c6f61   P3Juices+Downloa
0x00000070 (00112)   642b4d61 6e616765 7226696e 7374616c   d+Manager&instal
0x00000080 (00128)   6c65725f 66696c65 5f6e616d 653d6a61   ler_file_name=ja
0x00000090 (00144)   67776172 2b6d612b 2d2b636f 6d652b73   gwar+ma+-+come+s
0x000000a0 (00160)   6176652b 6d652b2d 2b253542 4d50334a   ave+me+-+%5BMP3J
0x000000b0 (00176)   75696365 732e636f 6d253544 2670726f   uices.com%5D&pro
0x000000c0 (00192)   64756374 5f66696c 655f6e61 6d653d6a   duct_file_name=j
0x000000d0 (00208)   61677761 722b6d61 2b2d2b63 6f6d652b   agwar+ma+-+come+
0x000000e0 (00224)   73617665 2b6d652b 2d2b2535 424d5033   save+me+-+%5BMP3
0x000000f0 (00240)   4a756963 65732e63 6f6d2535 442e6d70   Juices.com%5D.mp
0x00000100 (00256)   33267072 6f647563 745f646f 776e6c6f   3&product_downlo
0x00000110 (00272)   61645f75 726c3d68 74747025 33412532   ad_url=http%3A%2
0x00000120 (00288)   46253246 6d70336a 75696365 732e636f   F%2Fmp3juices.co
0x00000130 (00304)   6d253246 646f776e 6c6f6164 25324634   m%2Fdownload%2F4
0x00000140 (00320)   39393425 32463139 30363935 39332532   994%2F19069593%2
0x00000150 (00336)   46333339 36353235 35323438 66253246   F33965255248f%2F
0x00000160 (00352)   6a616777 61722b6d 612b2d2b 636f6d65   jagwar+ma+-+come
0x00000170 (00368)   2b736176 652b6d65 26726566 6665723d   +save+me&reffer=
0x00000180 (00384)   68747470 25334125 32462532 46777777   http%3A%2F%2Fwww
0x00000190 (00400)   2e4d5033 6a756963 65732e63 6f6d2532   .MP3juices.com%2
0x000001a0 (00416)   4626696e 7374616c 6c65725f 69643d35   F&installer_id=5
0x000001b0 (00432)   30396563 34653039 36316230 362e3334   09ec4e0961b06.34
0x000001c0 (00448)   32323337 34372670 75626c69 73686572   223747&publisher
0x000001d0 (00464)   5f69643d 33353626 736f7572 63655f69   _id=356&source_i
0x000001e0 (00480)   643d3026 70616765 5f69643d 30266166   d=0&page_id=0&af
0x000001f0 (00496)   66696c69 6174655f 69643d30 2667656f   filiate_id=0&geo
0x00000200 (00512)   5f6c6f63 6174696f 6e3d4742 266c6f63   _location=GB&loc
0x00000210 (00528)   616c653d 454e2662 726f7773 65725f69   ale=EN&browser_i
0x00000220 (00544)   643d3120 48545450 2f312e31 0d0a4163   d=1 HTTP/1.1..Ac
0x00000230 (00560)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x00000240 (00576)   4167656e 743a2054 6978446c 6c0d0a48   Agent: TixDll..H
0x00000250 (00592)   6f73743a 20777777 2e73746f 72616765   ost: www.storage
0x00000260 (00608)   706c312e 636f6d0d 0a436163 68652d43   pl1.com..Cache-C
0x00000270 (00624)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000280 (00640)   0d0a0d0a                              ....

0x00000000 (00000)   504f5354 202f696e 7374616c 6c6d6174   POST /installmat
0x00000010 (00016)   652f7068 702f7472 61636b5f 696e7374   e/php/track_inst
0x00000020 (00032)   616c6c65 725f7072 6f647563 74732e70   aller_products.p
0x00000030 (00048)   68703f69 6e737461 6c6c6572 5f766572   hp?installer_ver
0x00000040 (00064)   73696f6e 3d373520 48545450 2f312e31   sion=75 HTTP/1.1
0x00000050 (00080)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000060 (00096)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x00000070 (00112)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x00000080 (00128)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x00000090 (00144)   55736572 2d416765 6e743a20 54697844   User-Agent: TixD
0x000000a0 (00160)   6c6c0d0a 486f7374 3a207777 772e7265   ll..Host: www.re
0x000000b0 (00176)   706f7274 706c312e 696e666f 0d0a436f   portpl1.info..Co
0x000000c0 (00192)   6e74656e 742d4c65 6e677468 3a203538   ntent-Length: 58
0x000000d0 (00208)   310d0a43 61636865 2d436f6e 74726f6c   1..Cache-Control
0x000000e0 (00224)   3a206e6f 2d636163 68650d0a 0d0a6461   : no-cache....da
0x000000f0 (00240)   74613d57 47745042 4e713967 65464968   ta=WGtPBNq9geFIh
0x00000100 (00256)   66745843 366d5a43 4e6e5370 4e495341   ftXC6mZCNnSpNISA
0x00000110 (00272)   65344844 79784942 796c4766 37565573   e4HDyxIBylGf7VUs
0x00000120 (00288)   544f5371 6a613468 65723968 6a613471   TOSqja4her9hja4q
0x00000130 (00304)   54785372 64674b72 486e4772 54723671   TxSrdgKrHnGrTr6q
0x00000140 (00320)   64435376 63615343 376c4843 37564c42   dCSvcaSC7lHC7VLB
0x00000150 (00336)   56305068 63733373 4e494771 5443466d   V0Phcs3sNIGqTCFm
0x00000160 (00352)   6b6d776d 53394672 55717876 6a787971   kmwmS9FrUqxvjxyq
0x00000170 (00368)   486b4a6d 556e346d 6939386e 6b6c646d   HkJmUn4mi98nkldm
0x00000180 (00384)   556e3472 55717972 54563073 53455973   Un4rUqyrTV0sSEYs
0x00000190 (00400)   4e685643 4e715042 37355370 53733671   NhVCNqPB75SpSs6q
0x000001a0 (00416)   69734973 63744542 79783968 4d304742   isIsctEByx9hM0GB
0x000001b0 (00432)   6c303768 66744841 65304b73 544f5371   l07hftHAe0KsTOSq
0x000001c0 (00448)   48614771 69734973 63744544 65744941   HaGqisIsctEDetIA
0x000001d0 (00464)   66714f68 66745841 656e5370 53734871   fqOhftXAenSpSsHq
0x000001e0 (00480)   6a675376 63615343 37303843 4d715666   jgSvcaSC708CMqVf
0x000001f0 (00496)   37565573 544f5372 63734973 63744567   7VUsTOSrcsIsctEg
0x00000200 (00512)   65445666 37565573 544f5372 63734973   eDVf7VUsTOSrcsIs
0x00000210 (00528)   63743843 376c4766 36715068 63733373   ct8C7lGf6qPhcs3s
0x00000220 (00544)   56724a72 69393876 6a734676 6a773772   VrJri98vjsFvjw7r
0x00000230 (00560)   6a6e3570 6a6b3671 6a6e4a72 54613671   jn5pjk6qjnJrTa6q
0x00000240 (00576)   48594571 54734570 69394672 6a433672   HYEqTsEpi9FrjC6r
0x00000250 (00592)   54723570 6a773876 6a6b4572 63734973   Tr5pjw8vjkErcsIs
0x00000260 (00608)   63745043 37785542 65564b73 544f5372   ctPC7xUBeVKsTOSr
0x00000270 (00624)   69734973 63743843 376c4766 37465a42   isIsct8C7lGf7FZB
0x00000280 (00640)   4d435370 53734672 64724873 53455973   MCSpSsFrdrHsSEYs
0x00000290 (00656)   4d304873 544f5371 6a614673 53455973   M0HsTOSqjaFsSEYs
0x000002a0 (00672)   4e593771 63733373 54615376 63615343   NY7qcs3sTaSvcaSC
0x000002b0 (00688)   376c4744 4d565468 6c304567 65715273   7lGDMVThl0EgeqRs
0x000002c0 (00704)   544f5372 47734973 63744744 65344b41   TOSrGsIsctGDe4KA
0x000002d0 (00720)   65344e66 36624742 37715643 36715643   e4Nf6bGB7qVC6qVC
0x000002e0 (00736)   47733373 54615376 63615343 37714768   Gs3sTaSvcaSC7qGh
0x000002f0 (00752)   656c4b66 36595370 53734672 64733973   elKf6YSpSsFrds9s
0x00000300 (00768)   53455973 4e715443 4d6c5642 56303473   SEYsNqTCMlVBV04s
0x00000310 (00784)   544f5371 48673573 53455973 4d6d5643   TOSqHg5sSEYsMmVC
0x00000320 (00800)   37714741 66623941 65304b73 544f5373   7qGAfb9Ae0KsTOSs
0x00000330 (00816)   4e3830                                N80

0x00000000 (00000)   47455420 2f696e73 74616c6c 6d617465   GET /installmate
0x00000010 (00016)   2f706870 2f676574 5f636667 2e706870   /php/get_cfg.php
0x00000020 (00032)   3f737465 705f6964 3d312670 726f6475   ?step_id=1&produ
0x00000030 (00048)   63745f6e 616d653d 6a616777 61722b6d   ct_name=jagwar+m
0x00000040 (00064)   612b2d2b 636f6d65 2b736176 652b6d65   a+-+come+save+me
0x00000050 (00080)   2670726f 64756374 5f746974 6c653d4d   &product_title=M
0x00000060 (00096)   50334a75 69636573 2b446f77 6e6c6f61   P3Juices+Downloa
0x00000070 (00112)   642b4d61 6e616765 7226696e 7374616c   d+Manager&instal
0x00000080 (00128)   6c65725f 66696c65 5f6e616d 653d6a61   ler_file_name=ja
0x00000090 (00144)   67776172 2b6d612b 2d2b636f 6d652b73   gwar+ma+-+come+s
0x000000a0 (00160)   6176652b 6d652b2d 2b253542 4d50334a   ave+me+-+%5BMP3J
0x000000b0 (00176)   75696365 732e636f 6d253544 2670726f   uices.com%5D&pro
0x000000c0 (00192)   64756374 5f66696c 655f6e61 6d653d6a   duct_file_name=j
0x000000d0 (00208)   61677761 722b6d61 2b2d2b63 6f6d652b   agwar+ma+-+come+
0x000000e0 (00224)   73617665 2b6d652b 2d2b2535 424d5033   save+me+-+%5BMP3
0x000000f0 (00240)   4a756963 65732e63 6f6d2535 442e6d70   Juices.com%5D.mp
0x00000100 (00256)   33267072 6f647563 745f646f 776e6c6f   3&product_downlo
0x00000110 (00272)   61645f75 726c3d68 74747025 33412532   ad_url=http%3A%2
0x00000120 (00288)   46253246 6d70336a 75696365 732e636f   F%2Fmp3juices.co
0x00000130 (00304)   6d253246 646f776e 6c6f6164 25324634   m%2Fdownload%2F4
0x00000140 (00320)   39393425 32463139 30363935 39332532   994%2F19069593%2
0x00000150 (00336)   46333339 36353235 35323438 66253246   F33965255248f%2F
0x00000160 (00352)   6a616777 61722b6d 612b2d2b 636f6d65   jagwar+ma+-+come
0x00000170 (00368)   2b736176 652b6d65 26726566 6665723d   +save+me&reffer=
0x00000180 (00384)   68747470 25334125 32462532 46777777   http%3A%2F%2Fwww
0x00000190 (00400)   2e4d5033 6a756963 65732e63 6f6d2532   .MP3juices.com%2
0x000001a0 (00416)   4626696e 7374616c 6c65725f 69643d35   F&installer_id=5
0x000001b0 (00432)   30396563 34653039 36316230 362e3334   09ec4e0961b06.34
0x000001c0 (00448)   32323337 34372670 75626c69 73686572   223747&publisher
0x000001d0 (00464)   5f69643d 33353626 736f7572 63655f69   _id=356&source_i
0x000001e0 (00480)   643d3026 70616765 5f69643d 30266166   d=0&page_id=0&af
0x000001f0 (00496)   66696c69 6174655f 69643d30 2667656f   filiate_id=0&geo
0x00000200 (00512)   5f6c6f63 6174696f 6e3d4742 266c6f63   _location=GB&loc
0x00000210 (00528)   616c653d 454e2662 726f7773 65725f69   ale=EN&browser_i
0x00000220 (00544)   643d3120 48545450 2f312e31 0d0a4163   d=1 HTTP/1.1..Ac
0x00000230 (00560)   63657074 3a202a2f 2a0d0a55 7365722d   cept: */*..User-
0x00000240 (00576)   4167656e 743a2054 6978446c 6c0d0a48   Agent: TixDll..H
0x00000250 (00592)   6f73743a 20777777 2e73746f 72616765   ost: www.storage
0x00000260 (00608)   706c312e 696e666f 0d0a4361 6368652d   pl1.info..Cache-
0x00000270 (00624)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000280 (00640)   650d0a0d 0a734672 64724873 53455973   e....sFrdrHsSEYs
0x00000290 (00656)   4d304873 544f5371 6a614673 53455973   M0HsTOSqjaFsSEYs
0x000002a0 (00672)   4e593771 63733373 54615376 63615343   NY7qcs3sTaSvcaSC
0x000002b0 (00688)   376c4744 4d565468 6c304567 65715273   7lGDMVThl0EgeqRs
0x000002c0 (00704)   544f5372 47734973 63744744 65344b41   TOSrGsIsctGDe4KA
0x000002d0 (00720)   65344e66 36624742 37715643 36715643   e4Nf6bGB7qVC6qVC
0x000002e0 (00736)   47733373 54615376 63615343 37714768   Gs3sTaSvcaSC7qGh
0x000002f0 (00752)   656c4b66 36595370 53734672 64733973   elKf6YSpSsFrds9s
0x00000300 (00768)   53455973 4e715443 4d6c5642 56303473   SEYsNqTCMlVBV04s
0x00000310 (00784)   544f5371 48673573 53455973 4d6d5643   TOSqHg5sSEYsMmVC
0x00000320 (00800)   37714741 66623941 65304b73 544f5373   7qGAfb9Ae0KsTOSs
0x00000330 (00816)   4e3830                                N80


Strings
000004b0
 2010 Premium
2012.11.8.1120
333f3
{3C7BB346-60EE-4A4F-BD08-119A67490010}
{5E1119BB-1DF5-5947-BBAC-55D785F23B4D}
Arguments
Comments
CompanyName
Copyright 
 /d:"%s"
Email
f3fff
FileDescription
FileVersion
Installer
InternalName
LegalCopyright
OriginalFilename
PackageCode
Premium
ProductCode
ProductName
ProductVersion
Setup
SpecialBuild
StringFileInfo
\StringFileInfo\%04x%04x\Arguments
Translation
Tsu%08lX.dll
TSULoader
TSULoader.exe
VarFileInfo
\VarFileInfo\Translation
VS_VERSION_INFO
WebSite
WinNT (x86) Unicode Lib Rel
"""""/
050607080910Z
0D1i1x1
$0HR]>
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
0K){=Rc
	0t*?:#
0Uj,>:
`.0YgBI
110824000000Z
120606000000Z
1#2=2o2x2
130606235959Z0
13afVx.\
{=&1(4
&1#AmMQ
1%BfKU
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
`1jSf.
1^mc`09K
1W<"L^
 /1:yy
200530104838Z0
200530104838Z0{1
2`A>r$
 2G0u3`
2qsF"C
2t.TK@
2XBZa(
2Y\V	Y
30x?WG
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
3N,dYs
3PTLMH
~4_2<t`
46b	f	
4C{~Q2
``4'Kl
[4n[ea
4o|hW#LU	
4\Qijk
4qIy[s
4usK7D
4zQyn3
5!5>5H5R5^5m5z5
5>ESA`
5iOX\|
5'(qY/
5Sn|`a
5Tt7dXL
5u}NsT	q
634071
6$6H6M6
6	7>7N7U7a7t7~7
6-84\n
6JF1 |
6>KP1].
6LahY)p
6>MKc)G
6NyJW}
6$	pTi
6T{fp"
6#y#_\p
;7;8<?<n<
7;8Y8,9i9
)7AJ>Su<
7An)96y=
7?b7fR-
7!=E-o
7k';N*D[
(.7nUJ
7^oiLx
7QaBk3S9bb
7U=|l~
>85d&Fco
8877"0
8),BF1Y
%8F<rk
8pdQOs
8s!z0Rj
|9526<
99p-cUG/i
9Bh$0@2
,9-cwx
%9d/V*
9dX+\{
9[|E4*
9*en.s
9f*<Z,m
;9GC%h?+.
9H75PW'
>9qhPO
9!.@UNQP
A1D|l^
}abv/X;So
A{"'c7
AddTrust AB1&0$
AddTrust External CA Root0
AddTrust External TTP Network1"0 
admin@amazingsoftware.info0
Agd%lH
a\|j=;
ANoVN7~
>ao@ny?
Ap=[1<
</assembly>
	<assemblyIdentity
			<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AU@e](e
Ay5ll@
\B4=vJ
B6YKu3
\bCKF#
$@"{Be<
BFqKaP
\b'H3\
*B["]I
BI%Iwe
#`B_?M
b-Q(Zj9
B;r?QaU
`?^btP
B.tsuarch
B.tsustub
?Bw3k*t
^C2Hef
	|C2`R
<C-6:[
(CdOjI.i
cGG@/3
/^;CJ-
c*>K~r
CloseHandle
@codp&
COK-xOk
COMODO CA Limited1!0
COMODO Code Signing CA 2
COMODO Code Signing CA 20
Cq>FD;
CreateFileMappingW
CreateFileW
c{@%SB
ct(.;R9wV
cXo]0 C
 .d^a7N
DA`F!Pn4
dai/nb9
@.data
D:\Dev\Tin7\InstallDir\vc80-win32u\Loader.pdb
DeleteFileW
	</dependency>
	<dependency>
		</dependentAssembly>
		<dependentAssembly>
	<description>Tarma InstallMate v7 Setup Loader</description>
	D|i$M
dkK(5'
d={o7a
DoA:Q(L
|D_rSi
(dSr<c
=DzC{j
dz;[!q
!e`}2g
e\_9yG
'{"E?A
]edc>.'
+E<;EHv
E@	ELf
E\;EXu-
E\;EXu0
EG ?U&
E>>l%p
>E\ n\
eO/%*J
er8]T&
Error %u while extracting TSU.DLL to %ls
Error %u while loading TSU.DLL %ls
Error %u while retrieving entry point from %ls
ET+EL;
ET+EL;E,r
eu9Q1w
eVpH9n
e:w:}'
Ewd%j-E
EX9E\u(
Executable has no .tsustub section
Executable has no valid MZ signature
ExitProcess
E,YTzf*=
?<])-@F
;F 0^pa
f1]G@gynz
F:6\j,\ L
^f)Bw.
^F:,Ct
F%:ez)
FhSrZA
~ :FI6
FJgKF1C
'F!k$Pm:
fM7Ktqv
FOq=p\/
f<Ozpq
`f;)P6
fPNX^}<
FreeLibrary
f:~RZ!
 Fu"LbC$
+<#/fv
fwA#f^
f:YDk.x\b
!>=g0q>'f
G2*d;f"r
*:{g7'
(g=@8b
G8=re7F2
gAW+1x1R
GCi)$H
G!^D<M
GetCommandLineW
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesW
GetFileSize
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetLastError
GetModuleFileName() failed => %u
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemTimeAsFileTime
GetTempPath() failed => %u
GetTempPathW
GetTickCount
gGL3D	
.gONB17
Gordon 61
G_P)+-\Gv
gpq7fo
g-(Qhz
&:gR">
gR5J;=
Greater Manchester1
Gs^}RK
;G\Vdw
+h7b|q
HeapAlloc
HeapFree
H</eCo
H+#Hp\
h!n@B}
-~~[H{p
`Hqa,%
hQqL|6 
hR-3r 
hr-C9E
{;hSKf
http://ocsp.comodoca.com0%
http://ocsp.usertrust.com0
https://secure.comodo.net/CPS0A
http://www.usertrust.com1
hw?A2p
hx#hwi
H,{YFp#
h@(Y'r
HzFX]( @B
i5	~{i
}I9.`=(
ia+B}<
!ICC0\
ICumm~6
I	D'!X7
#& !iEH
iHO:[B
{i+\ I
#IiSL.
ij~5cVL
|i/%kk
i>Njtu
      <$ InstallerID=509ec4e0961b06.34223747 PublisherID=356 SourceID=0 PageID=0 PayloadOffset=300928 PayloadSize=0 ExtractPayload=0 GeoLocation=GB Language=EN AffiliateID=0 ServerName="DC" ServerUrl="http://www.storagepl1.com" ServerUrl1="http://www.storagepl1.info" ServerReportUrl="http://www.reportpl1.com" ServerReportUrl1="http://www.reportpl1.info" InstallerDate="2012/11/10" InstallerTime="21:19:28" ShowInTaskbar=1 ProductName="jagwar ma - come save me" QueryString="product_name=jagwar+ma+-+come+save+me&product_title=MP3Juices+Download+Manager&installer_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D&product_file_name=jagwar+ma+-+come+save+me+-+%5BMP3Juices.com%5D.mp3&product_download_url=http%3A%2F%2Fmp3juices.com%2Fdownload%2F4994%2F19069593%2F33965255248f%2Fjagwar+ma+-+come+save+me&reffer=http%3A%2F%2Fwww.MP3juices.com%2F&installer_id=509ec4e0961b06.34223747&publisher_id=356&source_id=0&page_id=0&affiliate_id=0&geo_location=GB&locale=EN&browser_id=1" $>
i&oe`bb
}I~OH7(W
i*p?XH
Israel1
iw'xU!:
IZc2FVk
j8$CYF
Jb&rdz
''JG\R
ji*GbFGX
JI"JY#
JJ&<<1
'j"(kg
JsH2T*Z
!>j~:t
JThYj/
-,j_vu7
;j\^X?
>J^"YL
K 1_JU#
k# 7Jy
K&8)H5d
KERNEL32.dll
k;f&%R
<*-k^G
	KoCxb 
kq!%Us1
\kyga_
l8:$&D
l9;N%P
				language="*"
^l+B?S
lC 'mI
L>=+G\
L^GRb>
L*H}Iv
lKN@8>S
!lm\ii
LoadLibraryW
LPi2{*f
lQ)6N`A=
lstrcpynW
lstrlenW
LT^;_J
LuFe0,sES
>L|xIH 
lXT6j=m<
L%^$y\
l["y^R~=
M2Da'$
 -M2M/
M8;Mxs5
MapViewOfFile
[-mBHr
MdbTpeLq
MessageBoxA
mIQOxl
m J3-3
m!l}N%
Mm0eG'
M\;MXu-
M\;MXu)
M\;MXu0
m)&o8F,DAb*
? }mR:"
M\sD;MXu-
MultiByteToWideChar
N1~K|6
n1^%O 
=N&}1!xE
N9?vv5H
				name="Microsoft.Windows.Common-Controls"
		name="Tarma.InstallMate7.Loader"
n^~asM
Natan Risman0
Natan Risman1
&NbyE.,o
NGAR8m
\nImCl
nK2:9"
nk&j	<
nM\LM:4I
n=q56_Rs
|n;+Qe
-'nV.w{$
Nw\-f$
Nx+RT0
@N$y.|,
NZ@yWC
o1Z+-!
)-)o]3H
'o*[9P
oB4vl5
Ob,?k*
'Oc'R!
	oeq}or
oF|74r
OhK;GD
O]iE'xE
O,j,%\
OO#i/<
_O@R4@
O\riTo
!OrM97
oSCP4"
OutputDebugStringA
OV4!iGd
@.^@'P
P1*~RSd9_
^P2q-m
P 3HuQ>8
?P`=}5
-;P-8-
P";/8w
PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
'(p^b"SR
pB=V1ZM-O;2
Pcj6HeH
pcsFbV
Pd&AeS|
:,)P@?E
Pg|2,:t
PIa78w
PjTp5uMU
PnFO;u
PostMessageW
PRJ'	zpT0|mB
pRkvG@>
				processorArchitecture="*"
		processorArchitecture="*"
Psqn;*9J}
pT	,qa
				publicKeyToken="6595b64144ccf1df"
p-|y(lWMf
pz1kqj
q$:};.
Q7;i'W
>qa9,b
qAn4)O#A
\q|@|D
_qe4&IAb
Q=E-D0L
QGS%p:`I
qjOH3P
,Q{o![
qRE%8^
QSn,\E
qU^ifc<Tj
Q"vI[X
<$Q<w.
~+@#Qy 
R3 [TP|
r4Q|i#y
r&8z1q7(
rCcg03
%r{D!	
`.rdata
ReadFile
@.reloc
				<requestedExecutionLevel level="requireAdministrator"/>
			</requestedPrivileges>
			<requestedPrivileges>
:Rig5S
rKdt]F#Cdx
)rKT!"
].r@N?o
RN`!pr
rp2J#E
r\U+#G.
rWfF(1
S8.K2'[
S9:$U{O<
Salford1
Salt Lake City1
SBvA6&
{>%SCj
		</security>
		<security>
SetFileAttributesW
SetFilePointer
SetFileTime
;Sf\0@
s,Jm\zV
spH0z*7
#sS:oH
	sU^/6
)TB	|O
T!>*bv
TcOF3_
te00u!
Tel Aviv1
The USERTRUST Network1!0
This installer is for Windows 2000 and later
!This program cannot be run in DOS mode.
&|T[lks
%tor,A
tOxp+h
tpkq=J
	</trustInfo>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TSU Loader
_TsuMainW@8
.tsustub
tSWO[vU
*T?^t:
				type="win32"
		type="win32"
?tzf3t
\+>	$u
U-49c^
)u7dS+GB
UC0|Qu#
-u	EWf
uFao/08
uf"~=L
ukqO@-q1C
|uLFWP
)]`	ULOu
u+lW}V+
u>M\-Z
UnmapViewOfFile
uNn n0
U SC)H8
USER32.dll
.U>T9[
UTN-USERFirst-Object0
u~/uNC
U}wa4S'
&UwS8r
<u~Y?>
 @>V,!
[v1sW4!
v7e'T^}Q
Vaz K;{y
_Vct)m;&l
V):-Cu$Ea
vDt)V(
VerQueryValueW
				version="6.0.0.0"
		version="7.2.0.0"
VERSION.dll
V/ImrM
!VJcxL&
vs2F,]
VsMQIO
VTU+pY!%
vuddg!
VuyxW}
v=X;_<
V^x\|f
:vZu6p
|W4	3o
W6)QFXl'K96
=w-9&B
Wa2(}#
 wC|GCBUW$C
w{C%gid
:`$wCu
WC+VzC
	Wd[-9
+wiEd8
,w?-kVN
WO&EHJ.
W(^P`>
 WQM|F,p
wq$sCAM
WriteFile
WrN!=>V%;
wsprintfW
Wu;2Gm
wvsprintfA
wwwwwwww
wwwwwwwxp
WYz1\Fw
^wzk[.IX
X>(-;$
X2 l?i(
X3q/ d
:!,xb/Hp
xb(r1o
!:XDc?/
[XE<^R
xg&n].%
@x[i8`
{*XIl_
\'X*j5:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Xm{?P-P
x_n9/y
.}!=`Xo
x~{qw<
xSmH/1
xx3	k-U
X?.XrU
#Xx\>=U
y0=XN6
Y4BoxE
Y*7/<0e
yay:au
Yc!^]W
Y`E0bPa
yGL7)8
Y`j#0K
YJ8aF7#
Y@M&E^
YmGr;J
ys7"3&
"y_Wfc
,Y"Y"[2
z0,-pa
z"0.rM/;I2Jr
z;0SH_X
Z9-'$7
Z9@m'NY^
z">al<
+za=sN
ZB\(5K
zD3<I5
Z>dT&9`
ZD`ugy
*zE>l	J
(z#F:^
zh@&lZ
Z@?	Id
-ZmMrc
zn u#g}7
_ZODt:,
Z//oWf}r
ZQF_]{e^
+z<qSK
Z:rVCa
zSOL/{
'Zt33x
:Z!U#e
z|uZ.C>
Z _;xq
}z+x$y
zZ/=$B