Analysis Date: 2015-05-29 05:59:30
MD5: 3c13c178ab8328a3273fa050c7556540
SHA1: b84af37e3cba834da41818c390dd3d9f821f0da6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: d9f48557c009a2eb7979fc10b0b362ef sha1: 4a3674ac9965732d2e7fb6b6f8bf7cfba11330e0 size: 25600
Section: .rdata md5: 0562a781a8cdf5785a117a97cc7e5f02 sha1: 4085dd37a00008e33f01e1d7c1e577613daf2dbf size: 4608
Section: .data md5: 769f3be831c912dddacbe34424aca6cb sha1: 9acf662e06aa7f011c5bb79a2d0a5a8181e3fffd size: 3072
Section: .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .rsrc md5: d9fc637c0f112420df932555b2138937 sha1: 2ed3a8b32c2b7205e1c030215cdd2fc3ba66142a size: 2048
Timestamp: 2005-12-10 05:55:16
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 69ac69f64f4808acb3856b33957063a56d49fda9
IMPhash: 9b89b73a2bd2f3c9338530bbd4a212f0

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\sys.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nst1.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\sys.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\sys.exe

Creates File: c:\Documents and Settings\Administrator\Local Settings\elrfgmkmhg
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\sys.exe" a -sc:\Documents and Settings\Administrator\Local Settings\temp\sys.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\sys.exe" a -sc:\Documents and Settings\Administrator\Local Settings\temp\sys.exe

Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\bxsyfjgcek\DependOnService ➝ NULL
Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\bxsyfjgce\seRVicemAIN ➝ BuildTrusteeWithSidA\\x00
Creates File: bxsyfjgce
Creates File: C:\WINDOWS\system32\f5859b27.rdb
Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\hbbcufoxqg.dat
Deletes File: bxsyfjgce
Deletes File: c:\Documents and Settings\Administrator\Local Settings\temp\sys.exe
Starts Service: HidServ

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PhysicalDrive0
Creates File: rvobvhkepg
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: rvobvhkepg
Deletes File: c:\Documents and Settings\Administrator\Local Settings\elrfgmkmhg
Creates Mutex: Global\b454858779_443j
Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1108

Network Details:

Flows TCP: 192.168.1.1:1032 ➝ 27.152.28.27:443

Raw Pcap
0x00000000 (00000)   63623173 743702                       cb1st7.


Strings