Analysis Date: 2014-03-24 06:11:45
MD5: dfb529246a114732faa26b1027045f01
SHA1: 5bc2415b02b7dbabd3cfed4fc2082335ca7f826c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 982807ffda28569f67b1f53bcfbafe1b sha1: 2dbc5ec44a4c857af54fac3dec04da1ba1bb6250 size: 135168
Section: .rdata md5: 2a43e0418c811433c6282fc81f2f70bd sha1: 260e824d97cdfff6a91f8ad5d7511a8d8f4a38e4 size: 20480
Section: .data md5: e0382a9fcfa055e8a1839d6f3c6cf672 sha1: fe98d4b277db4844fce558e24b863a0ec9e56112 size: 8192
Section: .rsrc md5: 1540be37188273cbb6fdc243ca441294 sha1: ff989ccafe9a3d6cb60690a22fb7b3dd3bbb8904 size: 344064
Timestamp: 2010-10-13 09:36:01
Version:
LegalCopyright: Copyright 2010
InternalName: Setup
FileVersion: 1, 0, 0, 1
ProductName: Setup Module
ProductVersion: 1, 0, 0, 1
FileDescription: Setup Module
OriginalFilename: Setup.exe
Packer: Microsoft Visual C++ 7.0 (compiler signature rather than a packer)
PEhash: 77bbce9c05988b27234264612b0db7882d6de163
IMPhash: a8d31cd803ce486c3652ba74a700279b
AV (avg): Adware Generic4.ARUD
AV (clamav): Trojan.Dropper-27609
AV (avira): DR/Cadro.A
AV (msse): TrojanDropper:Win32/Blathla.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\4.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\3.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx
Creates File: C:\WINDOWS\Tasks\ms.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\_uninstall
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\z.lz
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\2.dll
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\p.dll.zgx.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\b.dll.zgx.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\\_uninstall
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\s.exe.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\\z.lz
Creates Process: C:\WINDOWS\system32\588d.exe -s
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\efle.dll"
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e8dr.dll"
Creates Process: C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\e5eo.dll"
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e5eo.dll"
Creates Process: C:\WINDOWS\system32\588d.exe -i
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\msn.exe
Creates Process: C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\30c5.dll"
Creates Process: C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll, Always

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\h8nil4o8\msn.exe

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\efle.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\30c5.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e8dr.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\e5eo.dll"

Process
↳ C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\e5eo.dll"

Registry: HKEY_CLASSES_ROOT\BHO.FunPlayer\ ➝
CFunPlayer Object\\x00
Registry: HKEY_CLASSES_ROOT\BHO.FunPlayer.1\ ➝
CFunPlayer Object\\x00

Process
↳ C:\WINDOWS\system32\588d.exe -i

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\OSS\EventMessageFile ➝
C:\WINDOWS\system32\588d.exe\\x00
Creates File: PIPE\EVENTLOG
Creates File: PIPE\lsarpc
Creates Service: OSS - C:\WINDOWS\system32\588d.exe

Process
↳ C:\WINDOWS\system32\588d.exe -s

Creates File: PIPE\lsarpc
Starts Service: OSS

Process
↳ C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll, Always

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\11312736-24
Creates File: C:\WINDOWS\system32\1fa
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\3227095050
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\E61EE389-C31D-4a32-82CE-45590684225B
Winsock DNS: 122.770304123.cn
Winsock DNS: 122.zzso.cn

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\588d.exe

Creates File: pipe\net\NtControlPipe10
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll,Always

Process
↳ C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\e0fe.dll,Always

Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

Network Details:

DNS: yahoo.com.cn
Type: A
98.139.102.145
DNS: yahoo.com.cn
Type: A
68.180.206.184
DNS: 122.770304123.cn
Type: A
19.254.66.4
DNS: 122.zzso.cn
Type: A
117.79.89.138
HTTP GET: http://122.770304123.cn/1.gif
User-Agent: (none sent)
HTTP GET: http://122.zzso.cn/1.gif
User-Agent: (none sent)
HTTP GET: http://122.770304123.cn/1.gif
User-Agent: (none sent)
HTTP GET: http://122.zzso.cn/1.gif
User-Agent: (none sent)
HTTP GET: http://122.770304123.cn/1.gif
User-Agent: (none sent)
HTTP GET: http://122.zzso.cn/1.gif
User-Agent: (none sent)
Flows: TCP 192.168.1.1:1031 ➝ 19.254.66.4:80
Flows: TCP 192.168.1.1:1032 ➝ 117.79.89.138:80
Flows: TCP 192.168.1.1:1033 ➝ 19.254.66.4:80
Flows: TCP 192.168.1.1:1034 ➝ 117.79.89.138:80
Flows: TCP 192.168.1.1:1035 ➝ 19.254.66.4:80
Flows: TCP 192.168.1.1:1036 ➝ 117.79.89.138:80

Raw Pcap
0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 37373033   ..Host: 122.7703
0x00000030 (00048)   30343132 332e636e 0d0a436f 6e6e6563   04123.cn..Connec
0x00000040 (00064)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000050 (00080)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000060 (00096)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 7a7a736f   ..Host: 122.zzso
0x00000030 (00048)   2e636e0d 0a436f6e 6e656374 696f6e3a   .cn..Connection:
0x00000040 (00064)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x00000050 (00080)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000060 (00096)   61636865 0d0a0d0a 650d0a0d 0a         ache....e....

0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 37373033   ..Host: 122.7703
0x00000030 (00048)   30343132 332e636e 0d0a436f 6e6e6563   04123.cn..Connec
0x00000040 (00064)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000050 (00080)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000060 (00096)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 7a7a736f   ..Host: 122.zzso
0x00000030 (00048)   2e636e0d 0a436f6e 6e656374 696f6e3a   .cn..Connection:
0x00000040 (00064)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x00000050 (00080)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000060 (00096)   61636865 0d0a0d0a 650d0a0d 0a         ache....e....

0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 37373033   ..Host: 122.7703
0x00000030 (00048)   30343132 332e636e 0d0a436f 6e6e6563   04123.cn..Connec
0x00000040 (00064)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000050 (00080)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000060 (00096)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f312e67 69662048 5454502f   GET /1.gif HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a486f 73743a20 3132322e 7a7a736f   ..Host: 122.zzso
0x00000030 (00048)   2e636e0d 0a436f6e 6e656374 696f6e3a   .cn..Connection:
0x00000040 (00064)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x00000050 (00080)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000060 (00096)   61636865 0d0a0d0a 650d0a0d 0a         ache....e....


Strings
Q
Q
.
C
00-+  
.
e
. 
\
.
.
-
.W
v
.
G..
Vi..
w.
C.
.
'
.m
.[
.
.
U|..
.
><.(.
.
..j
Jz.

040904B0
1, 0, 0, 1
6Open another window for the active document
About4Quit the application; prompts to save documents
Activate Task List
Activate this window
APPID
Arrange Icons/Arrange windows so they overlap
Bjjj
Bjjjj
Bjjjjjjjj
Cascade Windows5Arrange windows as non-overlapping tiles
Change the window position
Change the window size
Close
Close the active document
Copy1Cut the selection and put it on the Clipboard
Copyright 2010
Create a new document
 Display full pages
?Display program information, version number and copyright
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Erase
Erase All3Copy the selection and put it on the Clipboard
Erase everything
Erase the selection
Exit
FileDescription
FileVersion
Find
Find the specified text
                                 H
         (((((                  H
         h((((                  H
        h((((                  H
Insert Clipboard contents
InternalName
jjjj
jjjjj
jjjjjjj
jjjjjjjjjjjj
LegalCopyright
Module
Module_Raw
New Window7Arrange icons at the bottom of the window
Next Pane5Switch back to the previous window pane
(null)
Open
Open an existing document
Open this document
OriginalFilename
Page Setup3Change the printer and printing options
Paste
Previous Pane
Print
Print Preview
Print Setup
Print the active document
ProductName
ProductVersion
Ready
Redo
Reduce the window to an icon
@REGISTRY
Repeat1Replace specific text with different text
Repeat the last action
Replace%Select the entire document
!Restore the window to normal size
Save0Save the active document with a new name
Save As&Change the printing options
Save the active document
Select All
Setup
Setup.exe
Setup Module
Split
StringFileInfo
(Switch to the next window pane
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Translation
Undo&Redo the previously undone action
Undo the last action
VarFileInfo
VS_VERSION_INFO
```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````
```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````
^%^<: 
<'`%	<
 !"#$$$$$$
]@~"@~"
	$$$$$$$
00f0r)
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
01F$ p
	05K=&\6,[
+(070!
*(0aY!C-
0fm*Q$
0[\l3_
0l?~Ms
0*OSS@YGK@y
0OZb.O7^
0P8efK
 >\0xo
1%,1<V
1;7ekNB
1dD% 2
1eapR4
1H,5u;~q
1HZDt}1
1$*(I9-Ja
1J5%$1n
(1k9_4
1/n(asu
1^n#N%k
)1O&I{
|~1o)U%5
1 ^PqHfz`Op`
>1=y=}=
.{21qY
28uUAQi
2b-dZa
|2c7RwND
2e&6uH2
2J8H{7)
2<Mn$5:c
2<$nV>
2|QNL"f&
`-2^sB
2_SphP26A#
312ML1!
38h#6l_
3D'e@0
3`dpr"K
3p9G_!X
|#3tc%
3w@06;J]c^'
3ZTq+b
4$~.|)
4=1[oXF
|/\44(
]}4&6a
4f0,qw&
/4hji(
4ID-|b
4,mE|h
4t-22B%
4?,Ws}V
5IP\c`@
_5$^)P
5Q3pEQC
5(QGk)w
^(]6)`
61hh\G
6fNEr/Q
6;G@8U
6Gpt)e
\6I8Lv
]6I/[b{
6kvzK,"
6*>\-S
6s-PT9
70XjS}5
712381212
7`${6Lj	
7Ey({%U	
7GQs'"
7j8A=<H
7JV((I
\7ov|d
7P(50G5)
`7v^9;U2M
%7Wa:5
85#!n,i
*89'G^
8d8Z7)C
8>Q_g!
8V	M_8,
)9AjO"
9 C--F!x
9#fhDv
\)9JEg7
9"@rgZ-
9SyinsY1
9yS0hi
a```````#]
a0~kO~^H
A2C\9(	i1Z
a-3#&````
a-3#&````Nkc`````L```````caa`a```````&```l`a``
A9.|	5
aAk-&~
A buffer overrun has been detected which has corrupted the program's
ac"d(|
A"CyR`
ADVAPI32.dll
a\$Ep8
A gJ-Hm
:AII@)
aJAWlD
alaldH
 a`````L```````caa`a```````&```f`a``
AmAXp"O
america
american
american english
american-english
a_qc~p
AqWG|5
#'a+RB+
Argentina
.AS3i>
A security error of unknown cause has been detected which has
$a@SF5
A;&Sg2-f:
aSPu8h
</assembly>
<assemblyIdentity 
		<assemblyIdentity 
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
August
A.,*Uh!_n
Australia
australian
Austria
`:`_a{v
.?AVbad_alloc@std@@
.?AVbad_cast@@
.?AVexception@@
.?AVfacet@locale@std@@
.?AVfailure@ios_base@std@@
.?AVios_base@std@@
.?AV?$_Iosb@H@std@@
.?AVlength_error@std@@
.?AV_Locimp@locale@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
AVq8tK/
.?AVruntime_error@std@@
.?AVtype_info@@
a]w"8O6
ayyZNS2
b```````-]<
b0CQ{+ass
B"11e=
b'}2-`H
.B6R=wa
B7rvkev
b8GM|6
b~A:Cq
bad allocation
bad cast
Basque
B:"+a}u
B[@BafPq
.b=Bwx
[bdJT|
bEb">x
belgian
Belgium
bF@gkA
bF$j	)
\BG`mEr
BGTM#ce`
&BgUr1k
bhlRZ&
bI^\$Z
BLBZEK^dg%dad
BN:}jr
b n'(R
BO7 Sa
BQ1&DV
bQo|cj
britain
b/rk7w+
B)) RN
b+s@Ow
b-\TF	
btFHt+
'BT@lh
Buffer overrun detected!
b+'ux,
b{v`Iyde]`Ks\Sg
BW0#}g
Bw'gz1p
b~wojxi~u
b^WOJXI^u
bzLrh0g
c01o@Z
c2/OaY
,;C5;m
	c|%6;x
C7obm1
{c>82uu
c8`6 Z
#!C.8rd
C8Y1\IS
Canada
canadian
ccgokz]B$(
C/CuD~\Z
?C/!^D
CdoB</
`_c>e^b
ce\\D=
CH__ac
ChangeServiceConfigA
CharNextA
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
)C`k,=
CloseHandle
CloseServiceHandle
ClyrT\H 
C!MriO
(CnMUF
CoCreateInstance
CoInitialize
Colombia
COMCTL32.dll
Component Categories
continue execution and must now be terminated.
CopyFileA
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
CorExitProcess
corrupted the program's internal state.  The program cannot safely
Costa Rica
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
C PjPVj
C$PjQVj
C.PjRVj
C/PjSVj
C*PjTVj
C+PjUVj
C,PjVVj
C-PjWVj
c}PkB&
c$qBt&
Cq[O$'
CreateDirectoryA
CreateEventA
CreateFileA
CreateProcessA
CreateProcessAsUserA
CreateToolhelp32Snapshot
'c:RFr#
'crW/1p
C)u,1i
cvb+aW
CXVNKE
(CY.km
"CyLO+J
C\Zv<D
 ""~D 
(; :\D>
d+6cw(
d+6V:6
d7ATs, 
@.data
@ )*db
d\b(e8`
d[Bh]"R
D~BLVttM
dddd, MMMM dd, yyyy
D;DK,\}:
.!D,dO
December
DefWindowProcA
Delete
DeleteCriticalSection
DeleteFileA
</dependency>
<dependency>
	</dependentAssembly>
	<dependentAssembly>
</description>
<description>
DestroyWindow
DeviceIoControl
dfOjPlgW
dg$*U;
djNzge
dl	Ikc
Dl;YLa
D!"MB?#
d+mDui)
DOMAIN error
Dominican Republic
.DQiX)
Dqm@lUaa
dTRGwF
Dud{04
dutch-belgian
=Dv21L 
)dVDci
D[VK{r
dvr`N!fQ
$ ,d$w
"}~`Dw
d;WW$Zz
DZUislg
/e^=-<
{?&;e(
e```````-]<
e1BIs-
e&a>+. .
Ecuador
efo9Uu
EGko.p.
EjM'j<
*EK4J	
EKA5rF
eLB>$w
ElC,@,F
EL"t}sl
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
EnterCriticalSection
EnumSystemLocalesA
eOV|Y~
&e[PI~@
E}RSQm
EsvYa+v
&e.##w
e_*'.w
E>>,w&%
eXeXfXdX`(
ExitProcess
EY*Op&
e],y,uc
EYY({	
@:f,^\
{f4Z\0n
f72`t(
f'=`=82
F,98uX
fa	9^W
>F<A<E8ir
-&""f"B#
fC@\k:Y
fD+Y=5d
February
f\e|g^a
ffALg""5Ks
<>F.fEb&
FfJ pC
FGk&[3
FileType
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
Finland
Finnish
F<{KY36
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FMH>`E
$F:O-!
ForceRemove
;F(r(8_
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Friday
fu'ZrL
fv6ffF
FVh|5B
F@Y'.b
@G $b$4
_)G(BK
g/BU6r*
GDI32.dll
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDrives
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTextCharsetInfo
GetThreadLocale
GetTickCount
GetUserDefaultLCID
GetUserNameA
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
&GH{~i
gjinJS~&
Global\
/!g^mZ
G#n%|%9
gP}5q=
;]@gQe'
 gQ]"T
GrcCJ5
great britain
>?GREObIG
grX]cUgCA
gsVr|{4
G}u8DT
Guatemala
.GV3r+
GWh|5B
 }gw{p
G_yr6#
$gZpcZ
`h````
H0s_O,
}h5K~;
Hardware
 hC(1l
h	C[Ag
&hC~*h#
hdMGQB
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
<Heg^>
HE}Q2q
>	^;heV
hEZJS_J
HGrKo{/
HH:mm:ss
HHt`HHt\
HHtjHHtF
h_*hv&
Hjp*x$
HJw~q1
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_DYN_DATA
HKEY_LOCAL_MACHINE
HKEY_PERFORMANCE_DATA
HKEY_USERS
hM\KWPO
HNls?8E
.*hO8	
holland
hong-kong
Hp=tMd
hQZ^&j
hR\8+v
hRg'^7
Htmzuk	XqE
H:U-~BE?
`*.?Hug&
HxKI{l
)H(X`m
h.xXjY
hyTx1M
I85x7d
iB	Q$^
Iceland
Icelandic
iC]SP4
iD!yDK D
iGxAO;1
IGXr&U
I!+h2c
_I-HeS%?
ih=fhZ
IHJ}[E?Q
	i~IkB
iJ^ ~f
I]	mY-
InitCommonControlsEx
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSecurityDescriptor
Interface
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
internal state.  The program cannot safely continue execution and must
invalid string position
ios_base::badbit set
ios_base::eofbit set
ios_base::failbit set
{ $ip,
iqFE;s
irish-english
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
IsValidCodePage
IsValidLocale
italian-swiss
It[IItM
I`T>oAT
$ItTFp^c
iu` #+
IX|?&na
.Iy[(lN&M$u
\I{YZaFro
?i)ZhU
J0;=TlH<
JanFebMarAprMayJunJulAugSepOctNovDec
January
jBy9NQ
^J/<c2}B
!J\c<m
J|E^MP
j;G&{F
j`h(3B
jhedbfc
j@hX5B
j@hxKB
=j_I0AJ
!|;JJ	
JJQ1}"
JJtdUe
	jKdv`oaq
~)J$?L;
jLCIcY<
?JLnKz
jmtro[
jskV4F
ju`-rnu`
J,=U>TK
JUx}0f
,Jy4DdC
J@zHO7
@?:+<k
k2|`b?`
{K3;=	P
/..K&7
@k9\V!;
KAYA+>c
kernel32.dll
KERNEL32.dll
|k-_hE
_K&hV0-y
 k=IwY
K,LMJJLRJ4*<
#[KlnT
K#+LW^
'.K_MR
	kqs0x
=KtS3|g
.K@U2$
=KWI*d
<	%Kw?|S
	kYK%:
?^kyxk
^>*KZ4:
[L?' \
\#l6:Vj
			language="*" 
l~B8H[
``````L```````caa`a```````"```d`a``
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
LC_TIME
lct-=r
ldIm#9
LeaveCriticalSection
(LG|}Z
LH]L+o
LJ0-Ur
>++L)n
l:N59v
LoadLibraryA
LoadLibraryExA
LoadResource
LoadStringA
LockResource
loWSjqvj]
)`l`P`
l`@%pT
lqkt^Z
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
lTa!ML#
lTVl(^C
lU~]G 
+LUW`j
Luxembourg
#~}LW5
%L{.Xh
lXm$O"
|LyDz8Y
Ly=P@g
M04U,:P]
m* 3J=i
mbLNI\b
Mb?;rv
M_\e]h
MessageBoxA
Mexico
mFHJJZ
MfQu~S
M/FT;T
mH<7()
Microsoft Visual C++ Runtime Library
?Mk^[G
mKo&6Xz
mlQd";
MM/dd/yy
m[^NIF
Monday
MoveFileA
MoveFileExA
Mo;vg~
$m`P#+
mPh]I7
-?MQ4K
Ms6 nd
mscoree.dll
MS"[Xcu
MultiByteToWideChar
MW&D"~
]MX@a<
.My'gz
(MYi+n
|[mY^Mb0
m*y_Z=&
{mzcf]
Mz+SRQ
n<#)3^
			name="Microsoft.Windows.Common-Controls" 
	name="Setup" 
nc'Arv
nd+fcB
N{!_#e0
new-zealand
>?+NF3.L
nfvg/$:?PsI*<
Nf}vKkb,[
nH_TcFKZeg
nHWPK"
-NiwA5
```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````Nkc`
NKuTvd
=NM*o*
NoRemove
norwegian
norwegian-bokmal
norwegian-nynorsk
Norwegian-Nynorsk
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
now be terminated.
nP1@E)M
`@npf 
nrU3$k
nUH7Ic
(null)
Nu#!p*
"|n.X-F
^N-y7JK
O0%k+m
o1z=d+#
o4km|9
o|.9m|
October
OE-9U~	a
@O,"(g%
O$#GR9
oG<-uK
OHL:<<
OH+M@w
ole32.dll
OLEAUT32.dll
oNI$/)A
O=Nm#up
OpenFileMappingA
OpenMutexA
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
oPnNR,
oqtt$F.
o)?Sw!
oT[ErG
o`[t;g
oxD)2b
,)OyNxIS
ozs!#,
%o}|Zz
$[+P_0`
P0pQV?
p#1hfu
P2RFLCv&@
:{p4(!th
?P#7>De
/]/|P8++
Panama
Paraguay
pAX8D\>-
p_F\LF
\\.\PhysicalDrive%d
Pjw'(L-
Pkdhx@ 0T
Please contact the application's support team for more information.
p(Njt$x&
portuguese-brazilian
PPPPPPPP
ppxxxx
P'q;[R+
pr china
pr-china
Process32First
Process32Next
			processorArchitecture="x86" 
	processorArchitecture="x86" 
Program: 
<program name unknown>
pS>B6O
P,S.;O+
pTjTlTp
<p=u!-
			publicKeyToken="6595b64144ccf1df" 
puerto-rico
pUF@} 
- pure virtual function call
pW`Tc`HMK\QbO
p}[!\X"(
p-Zm$%
$[q='!
%\,";q
Q0i%K_
q10_zY
-Q]?2Vj
Q47F;v
\`Q 4t
&	?q6f
q6r,#8$
Q&B@nm6
q###$##cik
qdTB/<
<)qe]Ff
}+QiD(C
.}QK)I
QLi,|F
qM0g^}
Q#)/M42
qN<A'|
&QNQc9KU
QQSVW3
QQSVWd
QR,*,2L
QueryDosDeviceA
QueryPerformanceCounter
QueryServiceStatus
r1j*'9
R27p}'
<\$r3{
,&=*R7
R8]fj$
RaiseException
raWL26o
rB/7/<
`.rdata
ReadFile
REDW}y
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegGetKeySecurity
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegSetValueExA
RE_juO3
.\RgCOz
:r#%j/,
rjZg`#>
|\RMbFd[M
\\RMbFd[Mvib^f
-rNetcjawa
'R]NJ0
`R?nMs
rnu=bA
$r%_|>}qq
rqvFw]f
R}SEB\
R.s~MAua#
rT@\%0
RtlUnwind
runtime error 
Runtime Error!
RV@1c_
rVpT]6
{rW6XY
rx6zQ`
r^`Xba
RxY=<F
.RZbz-
`s0eHf
<@s8jX
+}"S9Lt
sa.l(B33
Saturday
scgmnx
Schedule
sc=K/0
\\.\Scsi%d:
SCSIDISK
SECURITY
September
SetEndOfFile
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetPriorityClass
SetSecurityDescriptorDacl
SetStdHandle
SetSystemTime
SetUnhandledExceptionFilter
SETUPAPI.dll
	Setup Application
SetupIterateCabinetA
s"f,\\
,sF\IOC
~^sg6N0
SGT_'K
|sg^yY
sH=]BN
SING error
SIoP@G
SizeofResource
?sk(qPn9h
slovak
=*so0Q0
Software
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
s,P&k:
S+:Pod&
%s\%s\
StartServiceA
string too long
Sunday
SunMonTueWedThuFriSat
S!-vQD
sVS;7|B;w
>\s{[W
)'S"W-
Sweden
Swedish
swedish-finland
,swFHT
Switzerland
sxLIKhkS
s\y2<|C
SYSTEM
SystemTimeToFileTime
SzFEIu
t2 9h83
t2 j)QIGU
t2WWVPVSW
:T3<:'
T3MYN[g
\#t599
t(9Cn=
t=a'u.{T
<'T#:bi
t)\$CW
tE$/1"
*TEOE_
TerminateProcess
TFqlI5m
tgYM,+J
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
t|h\RB
t$ht=B
Thursday
T?iJ(p
t+#jlm
tjvj&*
&TlFaM>t
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tmCgP\
tNI^//
trinidad & tobago
t!SS9]
t#SSUP
<t<T~j
t.;t$$t(
t%<.u(
t$<"u	3
Tuesday
t "$]v
TV(97|
t$$VSS
t!VV9u
t,vxn,
TWrLO1
)~	tX"f
txN;';y
TypeLib
			type="win32" 
	type="win32" 
:TZ"vv9C
~?U{??
/U28xT%
_U[63]
!u/7PI
u9@\Fr
Ub)5`_
U$_F:/
UfkjfP
u:G.:a
>Ug'f/
U[-HCB
@UJ%0$
Ukik@.:b
UN1s c
- unable to initialize heap
- unable to open console device
UndC'U
	U[)ne
- unexpected heap error
- unexpected multithread lock error
un`F[n
UnhandledExceptionFilter
united-kingdom
united-states
Unknown exception
Unknown security failure detected!
UnlockFile
u}P%W>
~,U:QJ3
Uruguay
 /u /s "
user32.dll
USER32.dll
({,uuCY%
U]!uU)
u+WWSW
U	xy]g{
`UxZU2]
uzq+u~
|v1nr#
;V2&-@oXr=y
V5gUGUO
v7)=Uu:7
v8bdn+
vaEv7njJ
vaT_5M
VC20XC00U
	=v=e(
v!EM$E[
Venezuela
	version="1.0.0.0" 
			version="6.0.0.0" 
_vFp[(
Vf)[p#
VFve(t,$
VH[EK8
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
[V$mmC
v	N+D$
V`Q\4b
Vqz0T$M
$vredx
%VrsSs
VTo\iPb
v{uEok
VWht=B
VWumhxRB
W0F]'l
-w4v<,o
WaitForSingleObject
WaS06?`D
waUdQbOR
wC$%c9y%X
Wednesday
W"eZz(
WideCharToMultiByte
WinExec
winio.sys
WinSta0\Default
wnK^;Q
WN-<s"
-*w\O]0
?w[OEs
Wq+SU$1
W&,rG|
WriteFile
w?.u7o
WUVSA*]dT
(wVra1
!w//WA
WWWWVSW
wwwwww
wwwwwwx
W]YE{d]
Wz-=ae
+x]_""
x%3@@)
X]'3Br
??	x8p8f
(+XAg.
xaZi1GAz@
xcvbnm0123qwertyuiopasdfghjklz456789
xfdp:,c
{."xFw
x-h].;
[Xh:+fC
+X*`Jx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X][O#[ce
X{oS6B
X#o|t%
Xp~,|`-
Xpoc$w:
x!$QrO
xqT2_j
_<x_-r
={.xTMV8
XTSAZ^>W
xuHIf$L
xV5[#m
XW-%Iki
x>]{*+w[N
 x^|*X
X}xudehF
XzI'iS
xzL]Jn>
 ={y)=[)
Y3m9Yk9z1Y
yAWNV&
)Yc}2P
Yf97%*NW
&#Yi8sG
	YiET(4HTq$iD %q
$yi$Xj
Y~',IyP
.Y^-?J
yl#(HK
 YLiqTh1
?Y-Lv_.
yND:ns)
@Y~'Nw?
 y.qgLv(
y}~sCh
Ys{HQE
}	.Ytp
Yt:SVW
]yVpOm
ywFLt`
yx}o<(|
_^][YY
Z!$ <(
	z"!#0
z0aLa"
=Z'3B~
z}'5}_
%;Z}^A{
|ZAB:en
zbIq@ca
Zb_/tv
>$zd{1
.ZF]y>
Zgvl)oCb
zip.tmp
z}.]j2
z;k&\`
Zp2Mfu
Zp9a;M
zpecxpvb
zp:gx]
&z!%RjA
zu^SSS
Z,Z)0;}