Analysis Date2013-11-23 21:25:55
MD566295272bb6867f024b221b52affd19c
SHA1a5e9d898d9825e76287b74d94d7fea9827ad1a4f

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9d64b6ac6eb1aa41e38f6cc8798b652e sha1: f4a3d9f95186a438562e94d405bfef3355c6cb1f size: 23552
Section.rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section.data md5: af685ae5a632e08acd6c90a62cdfc3bb sha1: efc7ece496385ad53dda894ae310ffa90b2fc571 size: 1024
Section.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.rsrc md5: bc12f1cb238eb9c8c9c5fcfd6982c70c sha1: a13cb227e885923000c64f9db379ae45f82d85eb size: 3072
Timestamp2009-12-05 22:50:35
PackerNullsoft PiMP Stub -> SFX
PEhasha3affb0ff482cc181b4852cde5e74f892511f120
AVavgWin32/Heri
AVclamavWin.Adware.Agent-3933
AVaviraProgramFilesDir/[UnknownDir] <<< ADWARE/Adware.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝
revenuestreaming browser enhancer\\x00
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\AppDataLow\Software\{94C1BCC8-4F4A-D0BE-97F3-B67B231B005E}\aff_id ➝
revenuestreaming
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\xqlyeqdxyq\DisplayName ➝
Advanced Performance Platform Revenuestreaming.\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\nsv4.tmp.dll"
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsv4.tmp.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsq3.tmp\System.dll
Creates FileC:\WINDOWS\system32\xqlyeqdxyq.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsf2.tmp
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsq3.tmp\System.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsj1.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsq3.tmp
Creates Process"C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSrevenuestreaming.net

Process
↳ "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"

RegistryHKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝
revenuestreaming browser enhancer\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates FilePIPE\lsarpc
Creates MutexGlobal\afxOpenEvent1337

Network Details:

DNSrevenuestreaming.net
Type: A
64.74.223.44
HTTP GEThttp://revenuestreaming.net/bc/nsi_install.php?inst_result=success&aff_id=revenuestreaming&id=7d2c1ab9d1cfe00d7254c93d819c053475c383b2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1032 ➝ 64.74.223.44:80

Raw Pcap
0x00000000 (00000)   47455420 2f62632f 6e73695f 696e7374   GET /bc/nsi_inst
0x00000010 (00016)   616c6c2e 7068703f 696e7374 5f726573   all.php?inst_res
0x00000020 (00032)   756c743d 73756363 65737326 6166665f   ult=success&aff_
0x00000030 (00048)   69643d72 6576656e 75657374 7265616d   id=revenuestream
0x00000040 (00064)   696e6726 69643d37 64326331 61623964   ing&id=7d2c1ab9d
0x00000050 (00080)   31636665 30306437 32353463 39336438   1cfe00d7254c93d8
0x00000060 (00096)   31396330 35333437 35633338 33623220   19c053475c383b2 
0x00000070 (00112)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000080 (00128)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000090 (00144)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x000000a0 (00160)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x000000b0 (00176)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x000000c0 (00192)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x000000d0 (00208)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000e0 (00224)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000f0 (00240)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x00000100 (00256)   486f7374 3a207265 76656e75 65737472   Host: revenuestr
0x00000110 (00272)   65616d69 6e672e6e 65740d0a 436f6e6e   eaming.net..Conn
0x00000120 (00288)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x00000130 (00304)   76650d0a 0d0a                         ve....


Strings
msctls_progress32
MS Shell Dlg
SysListView32
^#="#!)
==?@<@
]/  ~'
*?|<>/":
>0?[_[
0DO@M&
{}0[e&a
!{0EmH}
0>$J@)
0ke'@F
0LSs]4b
0'}MKaX
$	)0;&nkXp
0tRE^]
0x0Y${
|0x`b!
0Xq.t+
0yc?>@
`\\``1"@
)1]05m
11"qce7
11u{_!
1Et8:&0
1[Ia#4
 1:!m@
#]1]RCJ\G
1RT(-S
?\1S2}
1UAV*0EEX
>1W6|{
1-Z19md
1zb#b9}
2$2Lq5Z
25o%"2
\2=:|6
27.^kW
*2("A`,
2,B+0B
!+2bS7V
2G0bPv
2?/^+i<
#,\2'lT
2}:py%Vl
(2%s$8em"
2-SvM,N
30{wmJE<
39>oT|
3){czy
3`Fhe3|
3I^@v+
)3L'5pHziD
+3MJPP
3 ^Q{v~5}
3R*%K1
3Vm)]x'
3/wER&Z\
3XtM~!m
,40~.m
4^5/j9
4c>3	p}
4DVRYFY
4l+E!y
] 4N&>
4no;3m
4*"NvQ
4-x+<s
|54S=9
5]$5w'
566%j%-
59D)ms
]5dI2|~^
+?5$:DRl
5ejkvI
5gN5%F
=5|lN>
}5sQB|7 
5	UKj8
6#[[1v
6bTSgA+
6EkI$p"
6HE~~3
6j:Ekc
6klG1d
)6mWp cG,t&
6P"<`C
6ys YN
*6Z4,:aD\
@=7 _(
7AFR,@
7>aJm1
7b3!@S
7}*>FZ
	}7hES
7;J4s2
7LS1]L[]E
7n]#v0
@7}P.&
7src3:
7u)T]/
7v	8]gV:
|7%w)0:
-	|7xX
8	:0yo=^"b7
@(8AFiA
8b@d(f
8+#F)H
8HF@a;
;8^)L#
8NCRCu
8nMf>T
8q>dT#
[8;;Q]S
8Xo^-5
*}`9\#.
) 9`9wmJ
9?CHfU
;9E#!`
9=*$:f
9?H|kiy
~?9O/'
9;r?C/
!9"s}=
9Tba~w
'9V^+*
9VgYSG
9v)W3y	
9#yMYW
9/>zeF@
9Z^rLo*
a0l)vL
]A0MAb
)a1"S=
a3&`VC
A. ,6&/}
a9X2Bd
$AAhL=W
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
A@;E |
=a,]!g8j
AgdtLj
A|i^pg;
ALOhV<
ALs~mY
Ap<O'\n
AppendMenuA
Aq<:Vnr
ATwy*M
b+"1UE?
bC{U	NH3
bdHd[d
bDqfCI
&'\{bE
BeginPaint
BezgM4E*
bF%c6,j
%BH*,X
bM+v@j
/bP 0D
bP3Iho
b`P`TQ
Bt-FAW
bvgCJl>
?'B;}Y(^
B$ZwXV
c"0b"M
?c3ayO1
c8_8	y7
CallWindowProcA
^cbKqb
cb[WOZ
_Cb'Z6
-@Cg)3
C|[GgP
CharNextA
CharPrevA
CheckDlgButton
chU+)[
!;>c=j
`cJjeX
CK0uP7
Ck\Am]0L
&CkP f*
c{L*1g
CloseClipboard
CloseHandle
C;%|Luc
C)lyvy
c{NO)`
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
cUe	NL
cU<Gg[
C=uuvKL
%cZ(\d
c''ZoNv
C#ZYFYYF
... %d%%
D$0+D$(P
d(44`g
d6AxKhyj
d~[8V\
@.data
d,-^C}
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
?deLSK.cC
DestroyWindow
D^GS=_Q
DialogBoxParamA
DIfx4e8+E
!DIR F
DispatchMessageA
\@D"m_N
d]{N>,
d)N-WE
<Do+l?
}dOWJ-
DPh>oA
D$"q,N
DrawTextA
D$(SPS
DTEb" 
$-dWKs
{dX"1z
d$Xb1L5x
E*4*H8
]e9[_P
EAC#y-
[EAVIF
.eC=t;Nx
egi]][YYYSSSQQQQQQQQQQQQOOOJ
EGTjXbYuv=
EIFd! 
?EJ#f'
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
ep0T<*M
E#renr(J
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
'E	rZ5C
^~Ev?u
EX1!p/
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
`\ExU+
e\zerh
`EZk7t
ezQjQ-+*
f/0%;r
@F};2nr
f6cTo!	
\F8p]vYjI
<F^8ry
fC2z4(
;FC>hxl
 fD@&"s
Fer}*9
;fF		X,
FHTeHfh
F;I$"G*
FillRect
FIMYLro
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
f$iRN6m
($FkiN
fKQ*1j
flB	5P
fN&>|pIB
F&Q-C0
FR(*8S
FreeLibrary
:fS=7[
fv6px|
Fviw;)^
(/FW5$e
F%wx4q
:F*`y)[
;F(ywo6
G5KF(LV
}G8tLj9
g}9\=g
G:A($ 
G}B@%H
+)GCsC6
GDI32.dll
gegd@2
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GgB(/;
G-H{f^
`%g}kNFf
&g;L7v
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gluOo\p3
Gm@*7p
~G^<ON=G9
}G%RkJ
Gyd8(	W
h0m}M!
^~H1g<9
\(%h1p
H3Wd}8
H6>z3h
`hBl=A
H]C3*g0*
h+c%V;
|h$%d)H}
H'DW*1w
HE(R "
hF\K9]
h<f<k{d
h@ I0H 
h"ME)"jT
h#|?N6
(H!,'O
.hq!(yP [
http://nsis.sf.net/NSIS_Error
hu%I\IN
%hvKSb
hWTaQ6V
' $$!	,I
i)4l|o
'&I9K/B>`l
i:bPWf
I=cL (
:icnpY:2z';
IdO)Ew
ieamaacWh
/IeJZDm
i_f\Fv-,94[v
i)ifJv
i[ij;m
;IIJT_
%(@iK|
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
i (mbE
im+]td
incomplete download and damaged media. Contact the
i|n]_p`
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
IrXE9:
IsWindow
IsWindowEnabled
IsWindowVisible
IUR]_-
i:}(VBC
IXDW11.
'I:}!zC
@!I`z>m
/,+J:{
.J(/(=
J1d(MswtN
.^J3;O
j`9b*Fu
)JBxcA
& JdIf
J\^H/ 9B
*&[Ji{
]jJ-0`
#J=Jj^
Jj.&r)
%-JK7B
JKb)pt
Jksxn5
J-l,P-JUV
j`M{^i
JP^A)&Q
JUHu7C
j:Ur=:
J!U@yPB
J'!V]7}
(}J}vU
~K5^UE
k,5XFl
K7qfip
Kc^;pK
KERNEL32
KERNEL32.dll
kI+%`*
K[ix^ W
}	Kj/)
}KJRdC>rE
{{k;+o
ko:fWA
@kQq-|5l
'KR%Cp
kurc=(
]k}vJA
kXPV2G1
%K[Y[{
>k)<<Z
l2mC8Q
,\l6nZ
l\8OGM
@ LaDYW
	Lbc	1R
LCCqXAd
lCm&5vi
lDAzpz
l$&Dt 
leVuYH
LgZ:.k%}
l=_\/I
LIF_]yc
lIWdV)
 Li Yq	*
Lkh8|1
.l|kJ^
lLFOb$
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
	(lpKB
L,PqTw
l[[r'}
+l(()R
L/S2W&
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
;Luovm
L``.VRh_
LW4*R2
LW#]a_
?Lw"EpU
lwL0H\
.&Lz[s
""m[1a
M^2#%)
m37J@'
M4' CE|
M4&d,BS
m&4KQ10
m5]xIN
M8GATwz
'maB4_
*(mb/.
mcF=e;
 M!D\:LY
MessageBoxIndirectA
[MH,`q
Mh+qp6
\Microsoft\Internet Explorer\Quick Launch
M;j<Ua
MlmNx:
-m,@mr
More information at:
MoveFileA
MoveFileExA
&@M?P!
MP3jfP
%m$_	Q
	$Ms_S
M{t?cRAM
m{u~i^8%
MulDiv
MultiByteToWideChar
M]]UmE
"^MUNe
mvynoyuciyN
Mw]TnrK
{M$X*0S
M@-xPd>JL
^M-yDFY
$mYU6qxE
N,<4x^
naIp!b]
.ndata
nE` 9"<
nh\n~-_L
NIK ad
nJ77^p
_',NJr
	NKFUY
nnnnt>
np>M$)@
Nq6^5M
NSIS Error
~nsu.tmp
NullsoftInstH5
NulluM	E
n?ul,x
Nv&d,TUC
Nxm:;<3
n?<YvF
NyX_E^
n^YYQ!
o</,}~
o0,f?]\-B
]/O!3/
o5-^SA
o)a^kZ
$	;+oD
o{_ FC
!OGGnr
ogS.u]k3
OIb@CU
oIQ[^7(
ole32.dll
OleInitialize
OleUninitialize
o$:-lP
/{\ooe
OpenClipboard
OpenProcessToken
OPs0h3B
.}OqkY
(OSGu@
Os[}ok2Y9
^+osrk
oU:E}u
*;?o]VL
owqdcWH
_!P1<;
p^=2W*
p5F=)y ;b2
P5K}jPi
,p8;fG
)_P(>9u
/PbYs;'`
p,"%CJ;
P=DDGj
/-PdEQ
pEaP2(
PeekMessageA
PEfww@ZrBXl
peo$S9I
peVEW)
pH/kzo{
))+*PJ
\P&J!$5m&0E
pm;E!e
+pn"S)
Po7FhT
PostQuitMessage
PPPPPP
PQAAb=^
p	s!E1
#Pt_o,<
pUe@p2
,p(V2"
PX, (H
p]ZD//vcS
Q0^)6Z
Q+5G[vE
&,Q'9O
qa=pQ9
(Q~DQE
QdZ);jsUp
qEw2QnF
Q!iw5ZX
QJX,DG
qo4HXE"p
QPPvy367
q*U6veG<+
qu8_O~
qWEnRS
(`Q&wkf
Q<*wpL
|Qx<b[
qX!@d0z
$qXDW$P
^>[R "?
r0*Q%Z
R5't$=
'r:;[72
r<A	Z:
RC cR`
rc;ZS9
rd2n]=
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
rGkD.K
rgXKZQu
RichEd20
RichEd32
RichEdit
RichEdit20A
R&I<&K
~RI_q9
RkBhvr
'RkfFY
RKUSQ!
~RLr6J+&U
?RO6w{
rR@'FHp
$RTPpk
(.r'u~
R|uZ{'{
rV9kW1
/\rWs|
rZlSF~
?s06UP
=s0N/[?
S>&1(;
S]1(i~nb
s6Rpp2
SBcN<E 
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
S~\f=+
Sf:6Am
s|GQaf
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
Si$qm6
S-j^(;
sjK"TY
_sk9H;_]R
SKmjy~
#sMK&q
^'S"_mN
;SN~ge
sOCc8w_L
softuV
Software\Microsoft\Windows\CurrentVersion
]s=P&.
sP~_3qp
SP@5MISID
SPF7h:
sq}^;n
SqpT(_w
SQSSSPW
SU-<*%
sV5c>U
,{svX[F
sW24[E
SystemParametersInfoA
> _?=t
t9=5_]
#T`Bq	69
!This program cannot be run in DOS mode.
,,tJrBz
t'l=OR
,_t|<M
tm6`R_
_^[t	P
TrackPopupMenu
trpEd*
TTRE+6
TuF a&
tv1 };
	tW2Id
TW!:(K
&TyQ:.
TZJQh>(
U0i2WnJe`
u49-l'z
U4PBL?37
U*5BdY
:&u6hU
UaDJ*M
uCc=.TB>,
UC@cZe
$.U\cW
udn{o;
uf?f*l
uliL|:
ulqYVy9
'%U/ly
unpacking data: %d%%
unUi2b
UOyQrHi
U*P%+Y
US*d6d
USER32.dll
UsGWVo
us.Ny6
U, }t-
%u.%u%s%s
UUUUUUUUUUUUUUUUT
UUwfhU
].Uwkk
uxc<5c
.UZl-gk
?=u`ZUNVK
v1H-f[?_
V9O,EE
]|VB>._
verifying installer: %d%%
VerQueryValueA
VERSION.dll
v[$g)E7f
#Vh;+@
_~\V/l
V*lAVh[FX
VmeAe`,
vM&PMu+
Vo+rl4Z
VQ/=9G
VqQ0OL
,~	vs'
`v_t(cd
vugfy[HG
V[V*5P
v)v8m.
vxYfcmvM,
.v%>}z
w@3Iq^U
>W+{(9~
W_*9ZD
WaitForSingleObject
</Wg+[
#wia:/w
WilT)*
W*j$Sy\.[
W?=r(1
wrAIR[kIY(?{
WriteFile
WritePrivateProfileStringA
{{w;sN
WS.PG[H
wsprintfA
<W tm>
;-./WV
WVP5taK
w<\ w]
w(><W>
wwwwww
wwwwwwwx
wwwwwx
wZ:MF_
x|1{E5
^]X#~3
'x3,%]4
	%X?7@
x>8?4+
xaPU+2
=XatYH
XBEF\@
$X	'bPOGP
xD*"%~
x)d0iWiZR
[~xd.>g
Xe7 $f
x^ES,p
X\/<$F
XFh,3>
X~|GfMb
x*i2GT8
+xIYr	
X<#juyY
x:&KLr
x{Ly}^P
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
X!@n}D
+X* QR,mP
X+yN3.
>xY]oS\
Xz.g@pC?3
Xz_ONgn
&y1H\ti'B
y|5Hc#
y6W1-J
y7qO&M
Y8,]YO
y@_a,+Z
>_ybJV
yC.&-/
Y+&>'D
.%y&Dw
?y^f6;<
YFu. IB
YgmK"Xd
yi^;=A
y~MXKp
)#'*yN
YNsA	[M
=_yOI\h
Y\o~]U
yQ}N!\
]yr4 y
=\_YRV	
?$yTo2g
y}[^u<8
yUe5az
YV$pga?;
YWPU.f
^&y_}y
<;#yYR&
z77$!*
ZcT[vN
]ZCZ|^^y
;Z/#D'
Zd4ZK8
(~ZDK2Mu
z%fbT0
ZFFJTL
zf>x%	
$zg.LH
)Zh'n#
&@	>zI
zI;|f*
zMcg|p
|^~z~Mp
z^"M X-~}< G
`zopI,
%ZrN?s
+/}Z{S
zt.62K
Z<V>#5@
Zv\JMT