Analysis Date: 2014-04-16 12:37:41
MD5: a9c7e5ebd9276be30498cc59fa628592
SHA1: 4f6a90729dea149d99c17f2afe6323ddf56a8509

Static Details:

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\4.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\3.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx
Creates File: C:\WINDOWS\Tasks\ms.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\_uninstall
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\z.lz
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\2.dll
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\\_uninstall
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\\z.lz
Creates Process: C:\WINDOWS\system32\588d.exe -i
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e8dr.dll"
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\efle.dll"
Creates Process: C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll, Always
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\q.exe
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\30c5.dll"
Creates Process: C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\e5eo.dll"
Creates Process: C:\WINDOWS\system32\588d.exe -s
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e5eo.dll"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\q.exe

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\efle.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\30c5.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e8dr.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e5eo.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\e5eo.dll"

Registry: HKEY_CLASSES_ROOT\BHO.FunPlayer\ ➝
CFunPlayer Object\\x00
Registry: HKEY_CLASSES_ROOT\BHO.FunPlayer.1\ ➝
CFunPlayer Object\\x00

Process
↳ C:\WINDOWS\system32\588d.exe -i

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Mdlea\EventMessageFile ➝
C:\WINDOWS\system32\588d.exe\\x00
Creates File: PIPE\EVENTLOG
Creates File: PIPE\lsarpc
Creates Service: Mdlea - C:\WINDOWS\system32\588d.exe

Process
↳ C:\WINDOWS\system32\588d.exe -s

Creates File: PIPE\lsarpc
Starts Service: Mdlea

Process
↳ C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll, Always

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\11312736-24
Creates File: C:\WINDOWS\system32\1fa
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\3227095050
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: Global\E61EE389-C31D-4a32-82CE-45590684225B
Creates Mutex: ZonesCounterMutex
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: ZonesCacheCounterMutex
Winsock DNS: 110.770304123.cn
Winsock DNS: 122.770304123.cn

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\588d.exe

Creates File: pipe\net\NtControlPipe10
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll,Always

Process
↳ C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll,Always

Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

Network Details:

DNS: yahoo.com.cn
Type: A
98.139.102.145
DNS: yahoo.com.cn
Type: A
68.180.206.184
DNS: 122.770304123.cn
Type: A
19.254.66.4
DNS: 110.770304123.cn
Type: A
19.254.66.3
HTTP POST: http://122.770304123.cn/ue000/38sw.e?uid=322709505013042141518281
User-Agent:
HTTP POST: http://110.770304123.cn/player/blog.updata?v=1.4.0.7&mid=b57f1705ff508f14bd8523ab00c47f98&r1=b51794ba3f80c2735e4429ef206fa7cc&tm=2014-04-16%2011:05:20&av=TD&os=Windows%20XP.2600%20with%20Service%20Pack%203&uid=322709505013042141520250&cht=0
User-Agent:
HTTP POST: http://110.770304123.cn/player/blog.updata?v=1.4.0.7&mid=b57f1705ff508f14bd8523ab00c47f98&r1=b51794ba3f80c2735e4429ef206fa7cc&tm=2014-04-16%2011:05:25&av=TD&os=Windows%20XP.2600%20with%20Service%20Pack%203&uid=322709505013042141525718&cht=0
User-Agent:
HTTP POST: http://110.770304123.cn/player/blog.updata?v=1.4.0.7&mid=b57f1705ff508f14bd8523ab00c47f98&r1=b51794ba3f80c2735e4429ef206fa7cc&tm=2014-04-16%2011:05:30&av=TD&os=Windows%20XP.2600%20with%20Service%20Pack%203&uid=322709505013042141530781&cht=0
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 19.254.66.4:80
Flows TCP: 192.168.1.1:1032 ➝ 19.254.66.3:80
Flows TCP: 192.168.1.1:1033 ➝ 19.254.66.3:80
Flows TCP: 192.168.1.1:1034 ➝ 19.254.66.3:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7565 3030302f 33387377   POST /ue000/38sw
0x00000010 (00016)   2e653f75 69643d33 32323730 39353035   .e?uid=322709505
0x00000020 (00032)   30313330 34323134 31353138 32383120   013042141518281 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a48 6f73743a 20313232   : */*..Host: 122
0x00000050 (00080)   2e373730 33303431 32332e63 6e0d0a43   .770304123.cn..C
0x00000060 (00096)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000070 (00112)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000080 (00128)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000090 (00144)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000a0 (00160)   650d0a0d 0a                           e....

0x00000000 (00000)   504f5354 202f706c 61796572 2f626c6f   POST /player/blo
0x00000010 (00016)   672e7570 64617461 3f763d31 2e342e30   g.updata?v=1.4.0
0x00000020 (00032)   2e37266d 69643d62 35376631 37303566   .7&mid=b57f1705f
0x00000030 (00048)   66353038 66313462 64383532 33616230   f508f14bd8523ab0
0x00000040 (00064)   30633437 66393826 72313d62 35313739   0c47f98&r1=b5179
0x00000050 (00080)   34626133 66383063 32373335 65343432   4ba3f80c2735e442
0x00000060 (00096)   39656632 30366661 37636326 746d3d32   9ef206fa7cc&tm=2
0x00000070 (00112)   3031342d 30342d31 36253230 31313a30   014-04-16%2011:0
0x00000080 (00128)   353a3230 2661763d 5444266f 733d5769   5:20&av=TD&os=Wi
0x00000090 (00144)   6e646f77 73253230 58502e32 36303025   ndows%20XP.2600%
0x000000a0 (00160)   32307769 74682532 30536572 76696365   20with%20Service
0x000000b0 (00176)   25323050 61636b25 32303326 7569643d   %20Pack%203&uid=
0x000000c0 (00192)   33323237 30393530 35303133 30343231   3227095050130421
0x000000d0 (00208)   34313532 30323530 26636874 3d302048   41520250&cht=0 H
0x000000e0 (00224)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x000000f0 (00240)   202a2f2a 0d0a486f 73743a20 3131302e    */*..Host: 110.
0x00000100 (00256)   37373033 30343132 332e636e 0d0a436f   770304123.cn..Co
0x00000110 (00272)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000120 (00288)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000130 (00304)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000140 (00320)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000150 (00336)   0d0a0d0a                              ....

0x00000000 (00000)   504f5354 202f706c 61796572 2f626c6f   POST /player/blo
0x00000010 (00016)   672e7570 64617461 3f763d31 2e342e30   g.updata?v=1.4.0
0x00000020 (00032)   2e37266d 69643d62 35376631 37303566   .7&mid=b57f1705f
0x00000030 (00048)   66353038 66313462 64383532 33616230   f508f14bd8523ab0
0x00000040 (00064)   30633437 66393826 72313d62 35313739   0c47f98&r1=b5179
0x00000050 (00080)   34626133 66383063 32373335 65343432   4ba3f80c2735e442
0x00000060 (00096)   39656632 30366661 37636326 746d3d32   9ef206fa7cc&tm=2
0x00000070 (00112)   3031342d 30342d31 36253230 31313a30   014-04-16%2011:0
0x00000080 (00128)   353a3235 2661763d 5444266f 733d5769   5:25&av=TD&os=Wi
0x00000090 (00144)   6e646f77 73253230 58502e32 36303025   ndows%20XP.2600%
0x000000a0 (00160)   32307769 74682532 30536572 76696365   20with%20Service
0x000000b0 (00176)   25323050 61636b25 32303326 7569643d   %20Pack%203&uid=
0x000000c0 (00192)   33323237 30393530 35303133 30343231   3227095050130421
0x000000d0 (00208)   34313532 35373138 26636874 3d302048   41525718&cht=0 H
0x000000e0 (00224)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x000000f0 (00240)   202a2f2a 0d0a486f 73743a20 3131302e    */*..Host: 110.
0x00000100 (00256)   37373033 30343132 332e636e 0d0a436f   770304123.cn..Co
0x00000110 (00272)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000120 (00288)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000130 (00304)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000140 (00320)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000150 (00336)   0d0a0d0a                              ....

0x00000000 (00000)   504f5354 202f706c 61796572 2f626c6f   POST /player/blo
0x00000010 (00016)   672e7570 64617461 3f763d31 2e342e30   g.updata?v=1.4.0
0x00000020 (00032)   2e37266d 69643d62 35376631 37303566   .7&mid=b57f1705f
0x00000030 (00048)   66353038 66313462 64383532 33616230   f508f14bd8523ab0
0x00000040 (00064)   30633437 66393826 72313d62 35313739   0c47f98&r1=b5179
0x00000050 (00080)   34626133 66383063 32373335 65343432   4ba3f80c2735e442
0x00000060 (00096)   39656632 30366661 37636326 746d3d32   9ef206fa7cc&tm=2
0x00000070 (00112)   3031342d 30342d31 36253230 31313a30   014-04-16%2011:0
0x00000080 (00128)   353a3330 2661763d 5444266f 733d5769   5:30&av=TD&os=Wi
0x00000090 (00144)   6e646f77 73253230 58502e32 36303025   ndows%20XP.2600%
0x000000a0 (00160)   32307769 74682532 30536572 76696365   20with%20Service
0x000000b0 (00176)   25323050 61636b25 32303326 7569643d   %20Pack%203&uid=
0x000000c0 (00192)   33323237 30393530 35303133 30343231   3227095050130421
0x000000d0 (00208)   34313533 30373831 26636874 3d302048   41530781&cht=0 H
0x000000e0 (00224)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x000000f0 (00240)   202a2f2a 0d0a486f 73743a20 3131302e    */*..Host: 110.
0x00000100 (00256)   37373033 30343132 332e636e 0d0a436f   770304123.cn..Co
0x00000110 (00272)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000120 (00288)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000130 (00304)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000140 (00320)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000150 (00336)   0d0a0d0a                              ....


Strings
S
dJtC
.
00-+  
.
.
e
. 
\
.
.
.l..
.l.e.
..
..
.Q
X..
8hv
040904B0
1, 0, 0, 1
6Open another window for the active document
About4Quit the application; prompts to save documents
Activate Task List
Activate this window
Ajjj
APPID
Arrange Icons/Arrange windows so they overlap
Cascade Windows5Arrange windows as non-overlapping tiles
Change the window position
Change the window size
Close
Close the active document
Copy1Cut the selection and put it on the Clipboard
Copyright 2010
Create a new document
 Display full pages
?Display program information, version number and copyright
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Erase
Erase All3Copy the selection and put it on the Clipboard
Erase everything
Erase the selection
Exit
FileDescription
FileVersion
Find
Find the specified text
                                 H
         (((((                  H
         h((((                  H
        h((((                  H
Insert Clipboard contents
InternalName
jjjjjjj
LegalCopyright
Module
Module_Raw
New Window7Arrange icons at the bottom of the window
Next Pane5Switch back to the previous window pane
(null)
Open
Open an existing document
Open this document
OriginalFilename
Page Setup3Change the printer and printing options
Paste
Previous Pane
Print
Print Preview
Print Setup
Print the active document
ProductName
ProductVersion
Ready
Redo
Reduce the window to an icon
@REGISTRY
Repeat1Replace specific text with different text
Repeat the last action
Replace%Select the entire document
!Restore the window to normal size
Save0Save the active document with a new name
Save As&Change the printing options
Save the active document
Select All
Setup
Setup.exe
Setup Module
Split
StringFileInfo
(Switch to the next window pane
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Translation
Undo&Redo the previously undone action
Undo the last action
VarFileInfo
VS_VERSION_INFO
=`+{^%(
=?@_&(
 !"#$$$$$$
$^(>\%
	$$$$$$$
0#}0)r,
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
{01DE82F02810BB9D466D}
06wc^[
&0ADwd
0^BIeY
0~cpH*&L/
0f;%	}w\)C
/0g	iu	u0
0M*jJ*
0"+}PM
0=[qdc
0r+*(1]
0:$^S^
0S0yS-
0SAWiQ
14`4JC
1C&@[8\
1](*/E
<1I{eA[h&
1:j6_&
@'1Roi
1&,;`V
;1XK>	
2/5oYB>
2'6c7F
2_?6}CF
2[7jR;
29Z^#o
2A%%PCmZ
2f*i.a
2#F]u\
2	+=G1
2la&JK
2MO,V@[
`2s[%w
=|30.=
"3?2>z
/*36H6
3 7C b
3aG!;d
3C+8XWa
)}3d\6
_.3@fS
3H2Zi+
\3iGmu
3L~Uf[
=3q	.rD]
=~.4+1
4Ak^Uk^
4c$Tpj{
}4hm*c
4iHJw:
	4JCb)
4LxOCqM)2
)4xXsQ
50\/254
 53rEh
)<5=ax
5b!>/a
5EBDzN
@5e?:R
5F!u:JKv
5+Gsxh
5LNv~e
5mr=o-
5,.>o;
*5&t.y
6<>~bdx
6)bkL,
6I[,4k
?6m9UD
6MT@<*^
6MV_~=
?6^N?s
6ORW9ZL
6t|	=J
6xqUMfK 
6YttYI
71572690-1156-4e36-9F2A-42587899ABDE
76X^#c
+7(7#5p+7
7)aV8|
7 c/_L
7l^TY/
7N7c^	
/7NY	7e%~
7+p=u7p
.7'TSCL
7U5k*/
83tvf}l
86R([z(
8	[b$ 
;8G&o:
8HU:oQ
(8.NC(
8Oic[i
8pXut0q
8Y;1(<
+8<Zlae
 9<'|<<
:$%9]69
9\91p[
9("B<H
[9bywB
&~$9dW
9Eh-2`
9.gDML
9l}(xt
.9N%9Y7gn
9NJIk:J
9/oiyI
$)9^OR
9T:SNC\
9}_U#u
<9v1?2!^
<	a-}-'
)A/!#|
)A0Tpd]
A1<:&@
A2;aW"
A66uZ}v
$+?A76
/a7-Xk
a8e`I1>
A .$% al
A buffer overrun has been detected which has corrupted the program's
A>?c?BQ
*ack|\
Administrator
ADVAPI32.dll
'a^ F/
:Ag$K^D
@aISUB
&A	..l
, Always
A<MN"o2
an9Cg5
a Oc[`F
Ao<]*G
A_pdhp0
ArnG`~
ar[w6@
A security error of unknown cause has been detected which has
aSPXIb"W
</assembly>
<assemblyIdentity 
		<assemblyIdentity 
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
ATw.2&Zp
August
.?AVexception@@
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
A"zKYM
"B[+;0i$"
`B0;x9
B1?%tF	
B5k*/8
b7g	G~
B7/z+41
;bAkcAtQ
	[b=.B
[Bb\H~
b.dll.zgx
bhv_j'
bJ~5JG
.BJg)s!d
bKaTm)&
_bLx1(C
bmhBpC{
B@Nbizj
BNfrj^qj
bP}Blt
Bqj}):
b#,q$S
btFHt+
bTGd9h
\(BuBDI
Buffer overrun detected!
^B~vhLBd
``bvnx
bwf\dvl
-B^(wM
+B!{@w+R
b=X9]?
B{X]QXYI
BY8.z's
^B}Z+^
Bz;]B+
)`~!c)
]C3jB0
;C%%ac
%[)) C,C
c&Cf*d
{?~CD>
c:\%d%d%d.cab
#__cFlXY
!(CGg8
C|g_g_g_g_g_g_g_g_g_g_g_g_g_g_g_g_
cGio"f
CharNextA
$'c:IG*
%'cjIGj.%
:cJ|[y
^}CKAO
Ck![[n
CloseHandle
C[MP-ct{
;C:Mtn
{c,n$6
?C|N^D1
CoCreateInstance
CoInitialize
cokZl"
COMCTL32.dll
Component Categories
continue execution and must now be terminated.
cO'pGEx
CopyFileA
CorExitProcess
corrupted the program's internal state.  The program cannot safely
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
C	="<p
c!]P>e
cpF .8
c#PWyv
Cq0yyAb
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateProcessA
CreateProcessAsUserA
CreateToolhelp32Snapshot
CroFc~
+C~Uz[
cVqy&E
c-$>WH
.CwRy'
c@X+7FG
C=}XM8	K
d2[If(+
d2xZ{F
D5BMP?
D$5cRi,k3
@&D%812!b
dA4hhya
daGdU8
&D%A|O
@.data
dB%8t2
dcK^?dh3
'D{cR#IubR#j
dddd, MMMM dd, yyyy
December
DefWindowProcA
Delete
DeleteCriticalSection
DeleteFileA
</dependency>
<dependency>
	</dependentAssembly>
	<dependentAssembly>
</description>
<description>
DestroyWindow
DeviceIoControl
D+>#gi
d| hgr
DHhXJ=
DHhXJ=+T
DHKF+y_
}dKNdH
#DmZwn
DOMAIN error
dS(X\f
D-=sZR
]DTB !
>DV	Xr\
dwBOp4
&dY3:f
Dz'K>X
e[>.0R
e1a'zE
E6mV'5_}VW
+(^'e9
<e*aKM
E&B_9B[
?eC]b 
~ed>Gh
:/Eh	4
ehC[\\K
eK)!!Aj
EL`fFN
EMt&=@
ENGVukB
EnterCriticalSection
E=o?Ur
E-Q3Jp
ER.EXE
	ERr=]
ESk`oG
ESq{RK
Euub2J
ExitProcess
F035(f
f:31?7
F&4:/J
F~<5S%
F,98uX
%}F]}a
fB?`o;
f'B<Vz
fcoL$;
February
Fhr[l9
FileType
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
ForceRemove
;F(r(8_
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
(fS_7p]
ftWiFh
|FW--dF
FwQtk~
Fx7xw{e
FxvR2R95
fY95+5c
;|	f-Z
?)/<G$
G#1)9p &,h
*g!2F$5
g6[dSp{^:M
G9/A wm.
G`"A>f
G&BZ& y
:g~c^p
ge\(sI
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileAttributesExA
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
GetUserNameA
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
{gH.Fd6
gi9DQe
G]IfVf
Gk]Gdk-
G(l6Fd
Global\
GM-IgU
]gmMxXT
GN ^!>?
G:w.8V
=g^x*J$
]|&G,Z
`h````
H#(({0
?h0NTI
h2P2P.
h3$^-^
h3:b!.
]h4o"K
>h9i48
h9SnBcLs:o
h9uNJ\
<H~ }A
Hardware
hc%z,yxP
$Hd.r:>l
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
.'+heW
HH:mm:ss
HHt`HHt\
HHtjHHtF
$H=I_5
,hjT(R
h:	k#5g
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_DYN_DATA
HKEY_LOCAL_MACHINE
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKLN-q
hk/S7:
&h>,M,
h=m@[lB
hO5$iot
H:P5=S^
h'Q5Q=
hQZ^&j
HR6hEgc\[<X
H R/W@
H*V$d&
$h'vLih'~9
hxGrdM,
i2ahnAX
I2&k&M
I4:&'74g=
<~I(:6
i6Nj=m
I'92h9,
i9*iiDZ
i]?9S"
id7&4&gA
i>d-l^:
\-iE>O
+	ifK/
IF#L%i
}IfxKF
ig0 )?
ig7{>3
ihFO!)
I H?}oV
I<i7H54
ii:m;he&
@iK-cg
Ik i-$m
ILf5/am
`ILuM7
)i-%m;
IME9Hq
IM'!NG,
iM>Uz@
InitCommonControlsEx
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSecurityDescriptor
Interface
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
internal state.  The program cannot safely continue execution and must
invalid string position
iPB7+!
I'P~;L
.IpT-S
iR&Ax3n
I?|S2G
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
ISmHH(
?'It3"
I:TWCU
IvD7.4
}iXXoJAX.K?{
{iZ@DQ(
#!@j,1
}j3%+y
J5?:\F
J7_$@X
jA8a&SHy[
JanFebMarAprMayJunJulAugSepOctNovDec
January
?,*)jC
*j!](c3
JdE{hC
jdgkbJ
j]eiT;
{J{G;M
J%H~u=}K
J#IuR*
<JK)+`
.	jkFm[
][JkgE
jLW5^T5
j)mv]0
j_	|QQ
J)RC3Q
js=?3[
J@sn^9
~~}J	T
J)th"^
!jt@L)S
jt}Sl)
JUNvW+F
}jWd+^
Jx*5fG
$J#X&J
&k35`i
~k6ju_
`k8ixm
ka(~17
|k"/b%
k/BXmm
kdjfir
k@DL?&
kernel32.dll
KERNEL32.dll
/ke?'s
@KgI[0
KhV]:I
k~iI|~Z|
,!Kj<a
]KLEOy
kMb9_r\
KNjMg|
@^knPF
k	n}w	
KQ;wI6
K(qW}Vy
&K$R( 
ksD'th7C
Ks.M>/
kvY0H)
kw*tzS]4
l2}OGQ@
"laB&o:
			language="*" 
LCMapStringA
LCMapStringW
L\Cu)Rui
ld_A:C
`lDh	_F
LeaveCriticalSection
#	%|lFb
lH0SsZ
lHBHOB
l'I td
Liv"op
l@_@&j
llr]4H
LoadLibraryA
LoadLibraryExA
LoadResource
LoadStringA
LockResource
	=l;:ok|g&
L/P+g)3
{:;'lql
lrD>%,
L!SIHz
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
l]U0=;
/LV0@3
LvC0GJ
l-wp,{x
Lz:+6j
makecab %s %s
mATEU-8
m|{-d1t
#M"d(C
mdW;mx
=M|'Eh
MessageBoxA
miAG'X
microsoft_lock
Microsoft Visual C++ Runtime Library
=mikL:
M(!?J^
m'`jHym
}?[mk5
mMAX-H
MM/dd/yy
<mnRM\k
^M,O?F
Monday
M_OQr\J
MoveFileA
MoveFileExA
mPOk:(
?/M=~Pt
mPw<]~H
mq2b&i
m/Q9em{
mscoree.dll
msw6OW
MUI'}@
MultiByteToWideChar
MV9MN*
 .Mwg~
.,mxeC
!MyN:2
.n{^;"
n^,3(O
N3`[wk^$`
(n5ps0
[n*7d#
n 8A<w.
`n9-kD
-N aht
n-\A}l
			name="Microsoft.Windows.Common-Controls" 
	name="Setup" 
ne7`Ku
n/E|Z(A:h(
Noejyh
NoRemove
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
now be terminated.
~+?~np
npJN}8
&NQh~'c~
>NSg^f
nS?sD]o
}NTDTMt
(null)
N?wHhE
n"x7uKO
_,o;%^
o*'<%}~
=OA[a{
ob1g_ J
ob:-'h
October
%O}%g|
OGT_LS
oG<-uK
o|]i|-4
oia8uU
-oI,q\
oiy"/>#
okmiij
o~LC`;
ole32.dll
OLEAUT32.dll
oM"NCC5
ooLZ*r
o"Ow(5
OpenFileMappingA
OpenMutexA
OpenProcess
OpenProcessToken
%|os\9
o(_?U.];
o;wqr'gh
OX^q+S
=-@"p)
[#)_	p!#
p!~ )^
P2t-:K
P3pm)=
p|86Kz
PB`\~H
p)c<~}.
p.dll.zgx
pd&:n~\
\\.\PhysicalDrive%d
='PiyF
`?.p<,j
Pj4jUn
`PjECuD-
PKbXZ:
P%"#:L
:`pL{-D
Please contact the application's support team for more information.
@p\nQAi
PPPPPPPP
PpSUw#
ppxxxx
;PqY6}Y
Process32First
Process32Next
			processorArchitecture="x86" 
	processorArchitecture="x86" 
Program: 
<program name unknown>
			publicKeyToken="6595b64144ccf1df" 
- pure virtual function call
PUVh }
PVN)qD|
(PwZF[Y
Q\%(+"
Q1`}ZI\
>_q|25
Q4nJ}%
q7H_ \
Q9Ei],+zL
Q9r1p"
'Q({BM
qe8(t/9
=!.|qIe-]
q?Jas1"
&!.qJxTt
*"QM@=
qm@r}v
%^^Q&MW
*qN/Fr
qNJqvJq
q^O}c$	0
qP	};H
qq4XpcT
QQSVW3
QQSVWd
|q$tDZ
q)t><h
q@\UA&D
^%QuCH
QueryPerformanceCounter
&qUi/r
`qvwHyl
q"XsX+
qXvI]6x
Q)yO{+
:(qz"|=
`{/^_;R
,r5)!w
R82?dk
r{9Rzh
RaiseException
RAQ>D	-
_ra_rt
"RB*H%
rB^$-Q
%r\Brd`
%rCqciU
`.rdata
rd	R_3
r?@E^3
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
rFbQC}B
|_RfX<
r-iobc
RldZ?}
#RL%Jw
[r;Qj'
RQ-$;j
R%#/s9
rsu_&h
RtlUnwind
'r[u-&
r`[&"u
rundll32
rundll32 
runtime error 
Runtime Error!
R;vb/E
RVQfjiF
	Rx=\d
RX>q-{
RY:HTJ
Rz1FnP/
RZ=b:r
Rz~nD)
S3asBDL
}S3'dN
s4'6p%*9Gw&
S8uFSe 
s9MM(6SB
sA{1hTsg
%s,Always
Saturday
sBhE)P
S<*;]C
\\.\Scsi%d:
SCSIDISK
SECURITY
September
SetEndOfFile
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetSecurityDescriptorDacl
SetStdHandle
SetSystemTime
SetUnhandledExceptionFilter
SETUPAPI.dll
	Setup Application
SetupIterateCabinetA
sfj_.y
shell32.dll
SHGetFolderPathA
Sh"m6M
)%sHT:
SI-(5v
SING error
SizeofResource
='s}+n
s.NFsX
Software
"*SQq+
SqS<1Pf
%s\%s\
%s%s%s
%ssysoption.ini
string too long
Sunday
%s_uninstall
SunMonTueWedThuFriSat
sU^U5I
sVS;7|B;w
S,W9S/
sysoption.ini
SYSTEM
SystemTimeToFileTime
t2S&Cx
t2WWVPVSW
T4-<Z\/$S
T*!5'W
TAuR\Au
T*+D)=
/tDa0H`
TDQ$c(
TerminateProcess
>.tF83
"T<GeY
*TgHU|
tgxS\h
t}h/] !
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
Thursday
;TiF:v 
[tj<eK
T`&k{ 
Tl+n0`F
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TLT:f*
T=@(nDh
!t_nsc
t|$O*~-
t&<O%6>
"ToW_cW
TPR#b_}
Tr-/dK
t!SS9]
t#SSUP
TTKZV%
t.;t$$t(
t$<"u	3
Tuesday
tv6]q2[
t$$VSS
TW`oBz-X
T\>"x	(
TypeLib
			type="win32" 
	type="win32" 
Tz)cGN
	tZu~c
!&<,u`
u2>Y~V
U65OY,o
}UC_-z;x*
/.$Ud&f
Udil/o@
)uF7[3H[j
~Uh`s	
&Uk6EJ
U.KT=:_(
_uLJC]
UmG.pG
- unable to initialize heap
- unable to open console device
u=nApvN
Unc-CQ
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown exception
Unknown security failure detected!
unLWL'
u.}O[^
@uo44>
U^OR9*
~Uor+Ho
UoUl[^
uPxrnb[H
[urickk45
 /u /s "
user32.dll
USER32.dll
UVksGf
uWHn_Jr
[{uXr@
uy[+2!
u zn(Qn
(UzY=e,
.!{v0C
v1ri)o
v5[[9,	w]
]	V6MYnF
v&#6OVqRu
v<8	9?
>va	R#
VC20XC00U
v;DI2y
	version="1.0.0.0" 
			version="6.0.0.0" 
v$fhxW%
vG>BJa
vg}V4X
v/.h|c'W
^v'iCj
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
v\JOEM;
	v{?JPW
vKCONs
_VN1)i
v	N+D$
]vnIQGJ
}Vn<wY4
VqK?b#?	J
VqK,z\
vrXe84
VtTWtVW
}VWc[o
VWumh`
])Vz[{
_*<W;]
(w1#^!
+w3-BP
W?7nca(
W8|NDco
w+9,CFfb
WaitForSingleObject
WAKJow
WC1326
{wdY@5
Wednesday
w?GS@+
]W*h]I
w!<Ia	
WideCharToMultiByte
wIK&NO
WinExec
winio.sys
WinSta0\Default
wJ~S4>
w+JZy'
]|w!!K#
|.W$L<
wm)]:;
wmErX,Em
\W,@&n},
@WN}	}9,}
+WnkGK3
;WOlJ6Y
+:wov_
?'Wq|3
w<qX t
=w|RG%_
WriteFile
wSh5==y
wS	Q.!
%}wVcxG
_w*VL@
w^?v>X
WWWWVSW
wwwwww
wwwwwwx
wxh%?Uq
wy~e[b
W";YyG
=X1Z:z
x~_\3{&
x30,r$jc
X3Yy]j
XA/)Bbs
~xaXI/
X[B+ZIS+g
xcvbnm0123qwertyuiopasdfghjklz456789
xeoq9^
=x	eRac
XF0Q..c
xH;b|"
Xi_!{0
xKC.)	%
	xKg:[
XL2U>7
<XMf!{
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XN2|UB
X|n.guX
x;O4^0
xOG2iTO
|xO$+O
XP(:_`
Xp>[2z
Xr-DiL
:xS;zn(
Xv5ttH
_XVJ)g
x][#_W
}>Xw+D
:<xxhf'
x~xk2v
Xy	.-;
Xy.@TR
$/>x@Z
:\\$~Y
Y=\.1'
}y#2|.6
(<y6tU
Y$908u
y9!V3.s
#y	}AB
YBJ<R^<t
&YBP#0
yC=vYu
Yh{=pG
YlVCLf
#*YOlE
y;pNb,
%]<#yr
 Y"Ws2
Y	wt#o
yX$t1t
"Y:X>v
y|'`Y_
_^][YY
@z0?^[2XC\
z1n_TVJY
_}!;z3
Z38 ^_
Z6x'9r
Z"7=yi]
%z8H}*
,z|9	o
zcyUE}
ZdJ&~C
Z*dwa*8
{Z'~}F
>zf5*}
zip.tmp
Z+J,4Ek
zjy9-b	u`
z$l6j1e
~zlOJm
z)l$qV
=Zmk[Em
Zp"P+sP1
ZPZ]LD
#zri3IZ
Z?sL|v
ZU]9R0
Zvn7-r
Z(y`.p1
Zz. {h