Analysis Date: 2014-01-14 20:17:58
MD5: d19d120abf10e3c4006476c01cd45648
SHA1: 89a77e1f788c679714850c8ed7c496821a9e3713

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064
Section .rdata md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120
Section .data md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 374b8c6c8b8cb2251c3f385d1dc84371 sha1: 214a81ff205d9be01d58216320210238fa998e0e size: 82432
Timestamp: 2009-12-05 22:50:52
Packer: Nullsoft PiMP Stub -> SFX
PEhash: dabed348fe1731db4f31a79e343354ebfd6cdc21

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\pwgen.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\inetc.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\UserInfo.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DM_3Ukr53JOC2\DownloadManager.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1.tmp
Creates Process: DownloadManager.exe "C:\malware.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.google-analytics.com

Process
↳ DownloadManager.exe "C:\malware.exe"

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab4.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TarB.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DM_3Ukr53JOC2\ApplicationDebug.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab6.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\CabC.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\CabA.tmp
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab8.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar9.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar7.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\TarD.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TarB.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab6.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\CabC.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\CabA.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab8.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar9.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar7.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar5.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\TarD.tmp
Creates Process: dw20.exe -x -s 276
Winsock DNS: www.download.windowsupdate.com
Winsock DNS: cacerts.digicert.com

Process
↳ dw20.exe -x -s 276

Network Details:

DNSwww-google-analytics.l.google.com
Type: A
173.194.34.163
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.167
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.162
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.160
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.161
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.165
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.164
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.168
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.174
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.169
DNSwww-google-analytics.l.google.com
Type: A
173.194.34.166
DNSocsp.regional.digicert.com
Type: A
5.10.86.116
DNSa26.ms.akamai.net
Type: A
62.253.3.169
DNSa26.ms.akamai.net
Type: A
62.253.3.185
DNSwww.google-analytics.com
Type: A
DNScacerts.digicert.com
Type: A
DNSwww.download.windowsupdate.com
Type: A
HTTP GET: http://www.google-analytics.com/__utm.gif?utmwv=5.3.6&utmhn=&utmr=-&utmp=&utmac=UA-44288146-1&utmcc=__utma%3D999.999.999.999.999.1%3B&utms=1&utmvid=0x2AE9F18F45174D77&guid=on&utmt=event&utme=5(NET%20Frameword*Installed)&utmsr=1024x768&utmsc=24-bit
User-Agent: Mozilla/4.0 (compatible; en-US; NSIS; Windows NT 5.1)
HTTP GET: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP GET: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP GET: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43.crt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Flows TCP: 192.168.1.1:1031 ➝ 173.194.34.163:80
Flows TCP: 192.168.1.1:1032 ➝ 5.10.86.116:80
Flows TCP: 192.168.1.1:1033 ➝ 62.253.3.169:80
Flows TCP: 192.168.1.1:1034 ➝ 62.253.3.169:80

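Raw Pcap
Note: all four dumps below are 405 bytes long, the length of the first request. In the second, third and fourth dumps, the bytes after the blank line (0d0a0d0a) that ends the request repeat the first request's bytes at the same offsets; they are leftover buffer contents, not part of that request.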
0x00000000 (00000)   47455420 2f5f5f75 746d2e67 69663f75   GET /__utm.gif?u
0x00000010 (00016)   746d7776 3d352e33 2e362675 746d686e   tmwv=5.3.6&utmhn
0x00000020 (00032)   3d267574 6d723d2d 2675746d 703d2675   =&utmr=-&utmp=&u
0x00000030 (00048)   746d6163 3d55412d 34343238 38313436   tmac=UA-44288146
0x00000040 (00064)   2d312675 746d6363 3d5f5f75 746d6125   -1&utmcc=__utma%
0x00000050 (00080)   33443939 392e3939 392e3939 392e3939   3D999.999.999.99
0x00000060 (00096)   392e3939 392e3125 33422675 746d733d   9.999.1%3B&utms=
0x00000070 (00112)   31267574 6d766964 3d307832 41453946   1&utmvid=0x2AE9F
0x00000080 (00128)   31384634 35313734 44373726 67756964   18F45174D77&guid
0x00000090 (00144)   3d6f6e26 75746d74 3d657665 6e742675   =on&utmt=event&u
0x000000a0 (00160)   746d653d 35284e45 54253230 4672616d   tme=5(NET%20Fram
0x000000b0 (00176)   65776f72 642a496e 7374616c 6c656429   eword*Installed)
0x000000c0 (00192)   2675746d 73723d31 30323478 37363826   &utmsr=1024x768&
0x000000d0 (00208)   75746d73 633d3234 2d626974 20485454   utmsc=24-bit HTT
0x000000e0 (00224)   502f312e 310d0a41 63636570 742d4c61   P/1.1..Accept-La
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f446967 69436572 74417373   GET /DigiCertAss
0x00000010 (00016)   75726564 4944526f 6f744341 2e637274   uredIDRootCA.crt
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000040 (00064)   6e743a20 4d696372 6f736f66 742d4372   nt: Microsoft-Cr
0x00000050 (00080)   7970746f 4150492f 352e3133 312e3236   yptoAPI/5.131.26
0x00000060 (00096)   30302e35 3531320d 0a486f73 743a2063   00.5512..Host: c
0x00000070 (00112)   61636572 74732e64 69676963 6572742e   acerts.digicert.
0x00000080 (00128)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000090 (00144)   204b6565 702d416c 6976650d 0a0d0a75    Keep-Alive....u
0x000000a0 (00160)   746d653d 35284e45 54253230 4672616d   tme=5(NET%20Fram
0x000000b0 (00176)   65776f72 642a496e 7374616c 6c656429   eword*Installed)
0x000000c0 (00192)   2675746d 73723d31 30323478 37363826   &utmsr=1024x768&
0x000000d0 (00208)   75746d73 633d3234 2d626974 20485454   utmsc=24-bit HTT
0x000000e0 (00224)   502f312e 310d0a41 63636570 742d4c61   P/1.1..Accept-La
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f617574   /trustedr/en/aut
0x00000030 (00048)   68726f6f 74736571 2e747874 20485454   hrootseq.txt HTT
0x00000040 (00064)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000050 (00080)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x00000060 (00096)   4d696372 6f736f66 742d4372 7970746f   Microsoft-Crypto
0x00000070 (00112)   4150492f 352e3133 312e3236 30302e35   API/5.131.2600.5
0x00000080 (00128)   3531320d 0a486f73 743a2077 77772e64   512..Host: www.d
0x00000090 (00144)   6f776e6c 6f61642e 77696e64 6f777375   ownload.windowsu
0x000000a0 (00160)   70646174 652e636f 6d0d0a43 6f6e6e65   pdate.com..Conne
0x000000b0 (00176)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000c0 (00192)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x000000d0 (00208)   3a206e6f 2d636163 68650d0a 50726167   : no-cache..Prag
0x000000e0 (00224)   6d613a20 6e6f2d63 61636865 0d0a0d0a   ma: no-cache....
0x000000f0 (00240)   6e677561 67653a20 656e2d55 530d0a55   nguage: en-US..U
0x00000100 (00256)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f303536   /trustedr/en/056
0x00000030 (00048)   33423836 33304436 32443735 41424243   3B8630D62D75ABBC
0x00000040 (00064)   38414231 45344244 46423541 38393942   8AB1E4BDFB5A899B
0x00000050 (00080)   32344434 332e6372 74204854 54502f31   24D43.crt HTTP/1
0x00000060 (00096)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000070 (00112)   0a557365 722d4167 656e743a 204d6963   .User-Agent: Mic
0x00000080 (00128)   726f736f 66742d43 72797074 6f415049   rosoft-CryptoAPI
0x00000090 (00144)   2f352e31 33312e32 3630302e 35353132   /5.131.2600.5512
0x000000a0 (00160)   0d0a486f 73743a20 7777772e 646f776e   ..Host: www.down
0x000000b0 (00176)   6c6f6164 2e77696e 646f7773 75706461   load.windowsupda
0x000000c0 (00192)   74652e63 6f6d0d0a 436f6e6e 65637469   te.com..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000f0 (00240)   6f2d6361 6368650d 0a507261 676d613a   o-cache..Pragma:
0x00000100 (00256)   206e6f2d 63616368 650d0a0d 0a7a696c    no-cache....zil
0x00000110 (00272)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000120 (00288)   6c653b20 656e2d55 533b204e 5349533b   le; en-US; NSIS;
0x00000130 (00304)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000140 (00320)   0d0a486f 73743a20 7777772e 676f6f67   ..Host: www.goog
0x00000150 (00336)   6c652d61 6e616c79 74696373 2e636f6d   le-analytics.com
0x00000160 (00352)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000170 (00368)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000180 (00384)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000190 (00400)   650d0a0d 0a                           e....


Strings
!1Aa
#+3;CScs
msctls_progress32
MS Shell Dlg
RAny use of this Certificate constitutes acceptance of the DigiCert CP/CPS and the Relying Party Agreement which limit liability and are incorporated herein by reference
SysListView32
<!--@#
 [!;!{ 
"]"[+=
*?|<>/":
#@--!>
000a@@@
04q^f4ShB
07T#Ln
0i-2V[B
0i[d~-`7Y
0idVYX-
0sKR0E
0T|y_a
'0vx}JOOOS\\
110211120000Z
121018000000Z
121221000000Z
130206000000Z
131204081044Z0#
160211120000Z0S1
1>6x+{
~1(Az1
1CH'QB
1*D/IV
.&1,jQ
/1o6w^
>;1.]pS
1/Qv*P
1|}r:f
@1T>?UG))
1U7hAs
~~/1v*
201229235959Z0b1
201230235959Z0^1
/21_d<
2 }1 s"
222]AAA
260210120000Z0o1
2=7Of-
2:|8xQl
$2axxk
2b	NW6g
+2.Hp[
%2IYg6
2 _LGg
#2/>N~
2nWm\L
+}_#-{2Y1F
2<yzfx
2y}.zL
2%z5)2:k
_324:t
3>B$jq2
3cm&uk~/w
3I4o&#
3KeVQWc
3Kf>8Y
^%3M{r
3TJK)M>
3\t+M	
#.[40ILv
444MWWW
;~	4a2
4c b=j
4FP_"]
4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
4http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
4IY}i)
4JZ_C7
4.Lpeu
%`4`$p
4"peBs
4^qQaiq>
[4~SG3
'~4>TG<t&
4VdK&/
4:wfcb	
4|.$>X
?@5{!<
5!;);[
5j_8/6
&5M7~<
*"5Nda
]~5~)O
5'SM^_
5+t%2K
;5vl]Z3@a!l
(5v.v$
]5X[?6
6`]1yu
|>6{7`
6"KA1;eSx
6lpU;c
6#M	&3-
&6	N$8
6qf*5t^ED
	6R's39
6` TtP(
|6Z%{Z
$|7	/%
}796nx0/f
7c=BN$
7 ._cy
7Dl8k_
[7,dm7E
7-%EKI
\7H"d 
7.$>HN
7http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
7$|j'8
7k7fWi
}`7Pfw*
7;rx.MQO
7Urje:
7.uU^m
7xsDeCa
 -7y_x
8(B{:{^B	
8G:eMj\
8NCRCu
8NEe/p
]8_o	G
8![qOq
>8>/QVM+
=8y6zM
9$|-	/ 
92u926.
9 '4XS 
9@=:7J
99i6*>
9AK>'H
9A`r%*
%9axc\
9Ds!gj
9FF7JP
9;IUfu
9i>{zN
9jN^0R
9K6zka
9KU5t:
9MMJEe
9mZsw3
9'rNT&
9:S2&1;B
9TEZQh5,
9U(z4dr
9}|V d
9|^V~i
-9W>JU
9? X/@?0
@9y$+ig:
;`9Z6D
9z(crp
>;-		?!a
]!a$<~
 [!/A^
~{A0$S-
A6@J!e
@a8:7}
a>	 9H
a>^b>.
aB}CZcB
.]Abl+
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
a~{]ekC
aH	nT?nw
^Ah~v-
AhvXK	
%!,	aI
[a>J6[
a"M&7")I
An-3t	R
anJ)-et
AppendMenuA
Aq5Mwqww
:}atp=
_ATSZ'>&p
?AVN[-bg
AwLtTW
AY:Fb:~
ays,:o
a^-)ZK
>),B3>=&
	-B7Qm
>Ba?2p
,BA7O(Y
b]bW!s
BeginPaint
b.F-j<
b^<GMt
-bhb N;b
b=<	|i
<BIPg(	V
BjMNCDH\
|;BjY!?[n
"*'BM:
bmuKAm
BPI?!o
\BqS=kg
bSX~63s
-b-T:*
B&T4@(
BU]Umi
bYe0/O
c3VI|<
C{4k||xj
c[4XoF
c71~?y?}
|Ca/eE
cA;GG8
CallWindowProcA
}}}ccc
ccp-7 
C&Cr y
ce<bx7
Cfi{:U
C/F|O#
CharNextA
CharPrevA
CheckDlgButton
C ]j88Sl"
ClitqL
CloseClipboard
CloseHandle
|['c;m
c:^([m>"]
=Cm'1&
c	N$8i6
cNG,SPT
@cn"Y|
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CP#u	t
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
C(W1_Kx
	-CwIk
C"y+NVL
{]+cz|
\-c!;zF
... %d%%
D$0+D$(P
D@2-#t
d>6Ouo
D71JTl
d7<5I)
D7i{R|cd`
&d^9#^k
/(/D"a
DAEEEEE
@.data
DAzCFA
ddd<I|
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
deNU}OZ
DestroyWindow
d?:`fo
d(GW6,
DHW52@!
DialogBoxParamA
%DigiCert Assured ID Code Signing CA-1
%DigiCert Assured ID Code Signing CA-10
DigiCert Assured ID Root CA0
DigiCert Inc1
DispatchMessageA
D%'IZX
dJl2g7
dK-&$[}
d%`_lh
|dNu13
D$$Ph,
d;Q};Q}
D/%^(r
DrawTextA
dryX?3
D$(SPS
Durbanville1
D%u(t'&
DV8. %A
Dx_g|h
d$$YH1^
e~7joh#
/]egvv{
eH {	d
E~^H;,r
E+i)lZ+.
e#;#Iq;
ejQ,J)
=EKuWC
'EM6jrQ
EmptyClipboard
EnableMenuItem
EnableWindow
----END-DATA----
EndDialog
EndPaint
EnKe"!B
EPE4AC
}e+Pq3
&EQ?/<
e]QF!ZP
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
]ERW x
E="sCLx
EsVBV.
esy6R#
ETx4fP
EuOTA,
>Ev52!
eV6S1n
E&"}x.
ExitProcess
ExitWindowsEx
+ex^Iv]
e{Xo=:
ExpandEnvironmentStringsA
eY_Fag
>Ez0ag{
!EZo}F
/:*)F"
[F[1y&{
f^2\"C
-]f3Ru
)F5%*?
f63Uj^
\)f7jt:
FB0o{*
f>bv7_@
~~{fff
FfJZF-L
FfL,D>[
,fFO~	
@Fh!u,-
%_fi~@
FillRect
,f+	IN
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
(f?jg\
f^kDaI
FKtI6t
{FL8 Q
|fM8$C
Fmz8j_*
fMZZxQdd
)?f`_o
F}~Q}~]}>
fQ01}v
>F,r0y
fR5&I,
FreeLibrary
>]Frlm
'<fRRl[y
FS.b~/
F(ST.CD
fSxx6W
fvkneh
fW"diJ
FX%DAK
Fyz2?n
FzfR~S
F_zgO[
fZ,idA
G0a^"dW5
G6?&sE
g7Pg=7
g899y-,-h~
^G8v|r
GAh:Ek
gc,`N_
gdi,*/
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
G]`e.w
gg|\>B	
G#`h#1
gh@H68
g"ii+7 `
]/|g:k
gl7e|s
G>L>Ay
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
G_N\K>
G.op1;
go:.XA*
gqz~/U
G}<s5y=
-?GTGi/
\GuCTX
gvH,Oi
gvp~ah&
(^["Gz
GzA+q\
g.ZO||k[
]h>{:3{
H(?4Mo
H6_FJv
h75agO
h~7g:V
H9_W<=
hAy1aDT
HDTkIoF!Qp
h*E~,<
/H;H7H
H H^}'i
Hnm6CRQU
hNRU`G
h\O[QR
hqP!to
]hSM?bD
h &T}L~9
@http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
-http://crl3.digicert.com/assured-cs-2011a.crl03
-http://crl4.digicert.com/assured-cs-2011a.crl0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://nsis.sf.net/NSIS_Error
http://ocsp.digicert.com0C
http://ocsp.digicert.com0L
http://ocsp.thawte.com0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
.http://www.digicert.com/ssl-cps-repository.htm0
HtVHtHH
 HV33(3
.hWvFq
hYlK*e
`i9:5w?O
'ia~_w
{"icon_url":"https:\/\/d1r57dxzsrp0oz.cloudfront.net\/icons\/9\/81650\/icon.png","program_name":"Mozilla Firefox","version":"26.0","size":"22.93MB","file_name":"Firefox_Setup_26.0.exe","license":"Free","mirrors":["http:\/\/download.wedownload.netdna-cdn.com\/9\/81650\/868204\/Firefox_Setup_26.0.exe","http:\/\/d1km450po5waad.cloudfront.net\/9\/81650\/868204\/Firefox_Setup_26.0.exe"],"download_manager_identifier":"1386951205","properties":{"program_name":"Mozilla Firefox","category_name":"Internet","subcategory_name":"Browsers","kw":"Firefox","mt":"e","ad":"33229594518","pl":"","ds":"s"},"download_url_id":"868204","retry":"http:\/\/mozilla-firefox.todownload.com?no_download_manager","is_browser":"1","browser":"Google Chrome","silent_params":"","api_key":["87fb3b8e4f0ffb501632c877145c24242a486065","a8668e1123ad0c137353427f07e461dac773bd35"]}
Icq:_W
IDAT3hS
IDATGxI
iE_*:=
I\}{*E
Ie0:U}
ie#\=P
iF@kta
IG0gjd
i g(LC^
-I=,'I
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
Imq0<~
incomplete download and damaged media. Contact the
>;i_'NJ`
!i`np>
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
:`i"Re
iRichu
iR]&U6
IsWindow
IsWindowEnabled
IsWindowVisible
]I/t02
itiB;V
)ItWPC
ivJ5"{
I;w/~|
-i*w0^
Ix)	?A
iXK9KK
i>$[xo
Ix,	oA
iy#,o4
IYYm<9
iZp!;g
IZtLEl
~J>>}&
j3={|/
^J3gbK
J6%q.]
)J'|7?
@J _BNC<
j <!Cx!IC
__JfI|
Jfi>,7
JG`yC2B
J>h<TN	
jj+}>"
$jL`^:JTk
j-#O7;
jPIE=*
*j[PQE
J^r_{q^Q:*
_Juy.p
Jvw&QqX
Jw^l1X
JwmzIB
JY;3A	N|
jz(3TJ
JZ_{oQ
*jzqY3
/_k,|+
K1C{>k
~k3.Ppa
K	a;%8
kAV}aH
,kBF4z:e
.kbU3n
kCo]X4H
/&Ke>L
KERNEL32
KERNEL32.dll
]KeVgRK2`l
KH!8GzUD$
kHySY_
KJY9Tf
*]K)lo
KL`uhV
\)kMY	kH
k|`OckzW
K~R9 I
|KR',o<n
Krr!&	|fE
kSS'u54f
kTQgN4
 KttcES
kV7V65
k	. vv
k	. x7
K#~y)`
kzgG9;eZ
L1T"3/
L2k%Wi
l4JR^o;
l5:s_P
:L7[M{
l8rqqDT
=LaJ|TG
@lBQIX,
Lc>25]
lC}Gr7
LCIa"{
,&l^csC
L	)cx{
{Le**N
>_li8)
"LK,=B
.Lkg([~
;lnj$V
&^-Lo*
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
?LOT*n
%lpinT
'Lr9u+*c)
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
lt!i 8
l;t?l-
?l=tNRB{(
lu;,Mv
lv1'#f
LVJdiB
	@l	XO3g[
L.Zk!_
m4u]V-2%
maql$	
m`Bj*Lz
mckzF:k\
mc<oYW/
MessageBoxIndirectA
	m^G;&
/m=GKn
+[MG((Y^
M\hH*J\
\Microsoft\Internet Explorer\Quick Launch
M]I{f.D>
M_J^E^O>G
mOBp\aio[i
More information at:
MoveFileA
MoveFileExA
&m^R~|tr1
 MS4NO
MsrnEN
MulDiv
MultiByteToWideChar
~Mv7:o
m}#Vre;
m@WVR91
N<5|jV`
N8xWHg
nCN##t
nc[_S;B
.ndata
ND"I'1o
nEai6tZ
N/^)@G
.%NGtr
Nicosia1
n}(jm	
~<>Nl3cc
'n>*M5
NoR	g#
NQ%C|JS
;NrKd9
n~;r$"%Q
NSIS Error
~nsu.tmp
NullsoftInstIP
NulluN	E
nVwkzW
nX-7l6!
NX.;~8>S
nxVMu~
nyaw3p
#N`z]4m
|'?"O~
o2dtvD
_>O5?W
 + O@6Bv
o{9-eM
o-A~4w
{O{Asz
Obj>?uT
ODHZ?z
>*O/!(ec
o <FU-
.Og]>=%
.o/.}h
%Oi'J6S
okS?]~
oK>VZ8
ole32.dll
OleInitialize
OleUninitialize
\o#|.N7
%on]7/vl
[>ON?H}
o<ohg|
OpenClipboard
OpenProcessToken
!}opyug
}}O:::q
O{q71|&^
;O%+qy
'$<Oru
&OS6dG
o!~uL#
o:{__X)
{$]O@x
]>}OY6j
o~ZTIZ<
p1i$3#
p~7YojC
p9O-8dv
PaI%Q?
Pb ?t9
|P::CSm~
PeekMessageA
 pF#8l
P]H1;C
PI=1H]
p(k3Rt
PmlIsD
#&Pne~
{pNhkH
p{N	Nve{
PostQuitMessage
PP|dZsr
PPPPPP
pqL^#/2Y'O
pQ+O*w
P	rHEg
)_,p/S
]p&SLG
PTt^Xy
pu>('<.
$PU2@A
pul}T9
pUn7|_
p]v@7C
pw>nq&
PWSYMqf
p&Z.c	
~PzP5[~^
$Q3.-=
Q87!_lk
#`{q b
qC79]n
Qfb#X&
QGdV,b
(qi^pv
qNo;td
QO<&:-
qOG~7W
QP\X\Z
/qrI&C
`|Q*>}rVk
|\qt y
qUBwPTFk
&QV8.6
q.xop<
q\xy5uP`r+a
q-zmje
R'2k1I
r5{OF~
R\8L8~
r9M?E>O~F~E)
R:^9Yo
RCoaR$
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
r@g]}!7t
RichEd20
RichEd32
RichEdit
RichEdit20A
(rJu>?X
R]Jvg6
Rk] _(
Rk<V,\=
r=M?F>My
r	M?L~D
Rn;h.Nxp
^(rNl.9
R|nMs5;
,"R..O
'}r%PG^A
rq/i,|
r~;q/U3
r|~*r9
rSY_O\i9H
RT dYG
\R<tMW
rtw+&<Y
rWQf~A
RY8CCe
S0wEg&
s4}62T1
s4FvE}z
!}s4{s
S5)]R2=^
s":7kt
s'9"0g
Saa}d\E#
sAp9?\k
ScreenToClient
SearchPathA
SelectObject
s\EM=_
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
sg{v(oo),
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
sJ!Y]N
?sl,+d
softuW
Software\Microsoft\Windows\CurrentVersion
][ sqj
SQSSSPW
sqT<.Q
sr<K'E
:srPq|<
{_'SRY
S[`S-3
----START-DATA----
sUu:LA
sV_$\l(
`|S^{X>
]S~`xN
s	>yl*
Symantec Corporation100.
Symantec Corporation1402
'Symantec Time Stamping Services CA - G2
'Symantec Time Stamping Services CA - G20
+Symantec Time Stamping Services Signer - G40
SystemParametersInfoA
Sz0'Uq
s$Zo7:
> _?=t
;t^0I6i.
T2	3=#l
{T2cPxbd
t3rsKc
T4)IC)
.	-t$A
ta2_N?)r
T%CIFS
#tCJQR\
TeYvdE
TG1L!x|
Thawte1
Thawte Certification1
Thawte Timestamping CA0
!This program cannot be run in DOS mode.
TimeStamp-2048-10
TimeStamp-2048-20
tis]?--
{)t\!j4
TJfE0#
<tkdgj
tkR+)7O2Cq
TLJhJlfD
_^[t	P
t&qp&(
?Tr?|5~l
<T_<R9
TrackPopupMenu
T,s.-(+
tSOH~G
TVwKdZX
~t+wcfo
TYUD~)~L
^U2+\c
u2dQ	/
u2:x$9
$~U5h7"
@"U 6Y]
,U7Lga<U7x
&u9{K\
UCv)	r
UD<4br
uD,*jd
ufvdvV
 `&Uhj3BrP
u@~ht@P
u_jU4MD
UkJ0ab
U)kQFPFf
Uk| >S
U,M(\!
(Un>&zX
U?o'-?]
USER32.dll
).Uu'B(
uu"bYs
%u.%u%s%s
uV-(hV
Uv>ijd
^ux!pQe#	
uxz2Ez
V$0X1U
v2kgFD
}V4$UF
/Va,6\
VcjAQY
verifying installer: %d%%
VerQueryValueA
VERSION.dll
%ve^Xm
]vhl'\&
vIai'<
VIc2^M;
Vix_5#I.
Vj7>jo9
/v$]o;
Vs-S#|~G7
;|$vtp
?VV|^=
v#Vh;+@
#VVV!9995OOO]
V,WkV+
=w ~]3
W5).=A
w5Y:,6
w6Hyf1
(W`aC9
WaitForSingleObject
')wb|Pu$/
WeDownload, Ltd0
WeDownload, Ltd1
Western Cape1
WEz>ob
w'h$CA
wh.zH3
`wihf*
WI"H=Id
w}j|TSZI
w<K0PA
WKd[bl
WkZ\G@
 _w|LB
w^	Le>}
?& -wLVH
wn\124
!W<>o.
WOUuwuWuuuH>
@WP<7V
WPy+v~D
<('W q
WriteFile
WritePrivateProfileStringA
wsprintfA
w-su<9
W.WAK]
www.digicert.com1.0,
www.digicert.com1$0"
Wxr:6wu
|W'z~3L
	<>~|x
%;{__X*
{X_,19
X1O888
X5VB+w
)X9?h}
>X)aO8[
Xbft-2
X:+>D5k
~xe#fa
!<XeW+<
xEYh;}
x{Hk_o
xhzo/1
x/iA.~
XJ'^t^]a
?Xm^	L
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x+Ne}H
::xPw7'
&>]xukO2SZ
XwS/9D
x*	'+x
[xx8QF
xxA>+,
xz>n*!z
X_#Z_#Z
Y}B^BA
yCi}th
)YdKrW
Y!e5@V
yf`)1j
ygiLim
Y=-o;U
:Yqj(U
ytG*()6
;]:}yU
,Y.u-+
*yU2Sf
=^Y!{uM
&yvSn^
y^YJo`
y[YrcZ
Y}ZZ:f5.
Z27s#X
=Z]340P[#
z4ob90
z%4U;_
=ZbhKLC6.
Zb(	"(Q
ZF[@)^
ZH<#I^
ZH|,+TI
zI!LfM
Zj]ZN4|
ZLW+,8
	,[(Z/M5ab:
ZM6;vK
ZnL/_"
ZNp?77
)Z]oy)
@Zp8Xk
zP-gMu
zPJ&Z)
z>q)=+1
zs9EMy
z}('tEo
}~z<wC\
Z}zqND