Analysis Date: 2015-01-20 16:23:02
MD5: 41dee1f370d9759f0b54915c9a715d27
SHA1: e884c90714620118f5fd3bde9d0ce2cc27160d75

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: edf99746478ec4f22d3f839540b0378e sha1: 6579bdabbcefb92499f5f3bdae72d024a0a907c6 size: 24064
Section: .rdata md5: e1b381c03cad2ee5a1d8b8d88a277d84 sha1: c21648f1e6265be80abc949953b2cdeca76832bc size: 5120
Section: .data md5: 72224490b487b215a4fcfaa7237504f6 sha1: d920a0be03a5735543506cd69d318e8f1a629453 size: 1024
Section: .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section: these are the MD5/SHA-1 of zero bytes, so they match any empty input and are not a sample-specific indicator)
Section: .rsrc md5: e0783b648ecd059c6ceb7313bf213159 sha1: 1e19fd2acfbde7e245be444eede7f5665455e075 size: 36864
Timestamp: 2009-06-18 21:33:32
Packer: Nullsoft PiMP Stub -> SFX
PEhash: d2bd4f3d325abb6f31544b58d3cc70278e50467c
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: Trojan.ChinAd
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\Inetc.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\NSISdl.dll
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\3.ico
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\GoldSoft\uninst.lnk
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\GoldSoft\Uninstall.exe
Creates File: PIPE\srvsvc
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\2.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\i.rar
Creates File: C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\nsProcess.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsj1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\2.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\i.rar
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\3.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nso2.tmp\System.dll
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: GoldSoft
Winsock DNS: pconline.org.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

DNS: int.dpool.sina.com.cn
Type: A
180.149.136.250
DNS: pconline.org.cn
Type: A
222.186.60.70
DNS: pconline.org.cn
Type: A
222.186.60.2
DNS: pconline.org.cn
Type: A
222.186.60.68
DNS: pconline.org.cn
Type: A
222.186.60.69
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: NSISDL/1.2 (Mozilla)
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP: 192.168.1.1:1034 ➝ 222.186.60.70:21

Raw Pcap
0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e300d 0a486f73 743a2069 6e742e64   1.0..Host: int.d
0x00000030 (00048)   706f6f6c 2e73696e 612e636f 6d2e636e   pool.sina.com.cn
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000050 (00080)   4953444c 2f312e32 20284d6f 7a696c6c   ISDL/1.2 (Mozill
0x00000060 (00096)   61290d0a 41636365 70743a20 2a2f2a0d   a)..Accept: */*.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   55534552 20616e6f 6e796d6f 75730d0a   USER anonymous..
0x00000010 (00016)   50415353 20494555 73657240 0d0a5349   PASS IEUser@..SI
0x00000020 (00032)   5a452032 2e69636f 0d0a5459 50452049   ZE 2.ico..TYPE I
0x00000030 (00048)   0d0a5041 53560d0a 54595045 20490d0a   ..PASV..TYPE I..
0x00000040 (00064)   504f5254 20313932 2c313638 2c33392c   PORT 192,168,39,
0x00000050 (00080)   312c342c 31320d0a 53495a45 20322e69   1,4,12..SIZE 2.i
0x00000060 (00096)   636f0d0a 52455452 20322e69 636f0d0a   co..RETR 2.ico..
0x00000070 (00112)   20323031 35203136 3a32343a 34332047    2015 16:24:43 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
 " ".E
!1Aa
1E+-/#
#+3;CScs
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
SysListView32
*?|<>/":
0%0*0D0U0
0(020<0F0P0Z0`0o0w0
0#070@0
0+0B0S0X0^0k0p0}0
0?0S0_0}0
0$141O1y1
> >*>0>6><>B>P>]>k>x>
<)<0<6<?<F<O<]<h<
0E2e2j2u2
?*?0???G?Q?W?c?n?t?~?
0x000C
0x0030
1,)!)$
1 1&121@1M1T1Z1j1v1
1@1H1O1W1n1v1}1
1&1I1t1
:1:7:?:J:R:a:}:
>1>8>Y>o>
1989s{y{
 (1 hour remaining)
!$!1kik
 (1 minute remaining)
1S1Y1b1g1
 (1 second remaining)
2%2,242;2G2O2T2^2f2m2u2{2
2&2>2R2X2d2q2}2
2!24292A2K2
2/252H2P2
2!252N2X2a2j2
2$2B2Q2l2s2~2
2"3/3C3P3d3q3
2$3a3~3
293D3K3Q3i3o3v3|3
<2<A<O<V<v<
2D3O3V3a3h3|3
>#>2>D>J>`>
\2.ico
#32770
3$3/3>3F3Z3`3f3n3
3"3=3F3Q3`3r3}3
3"3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
3E3b3k3
43. 64."62-$54/(54-*53-,65.053-253.654-863.:74.>64-@54-B64.D64-H54-J63.L64-N53-P64-R53.V64-X.,;b
4!41474B4H4S4`4l4r4
4'424<4F4P4Z4d4n4
4 4+404n4w4
4"4(4:4T4e4
4#4:4D4I4O4U4_4f4q4
4"4C4M4[4a4
=#=4=<=G=y=
[=(&))4K
?"?(?5?
5+(" ~
53/`64.\64.X63.V63-R54.N54-L64-H63-D63-@62.>54-:54.654-253-044.,74-(64,&74."62,
53.X53.T53.R54-N63-J54-F54.D54.@53-<53-:63-664-264..53-,64.(63,$53. 53.
54. 540"53-&43.(63.*53-.
54- 64-"53.&63.(63.,64..53-253-653-:64.<64-@53-B54-F63.H!
5%51575<5Q5W5a5t5}5
5!5*505=5C5K5\5b5
5%5+525?5G5N5Z5f5r5~5
5"5)5.555:5A5F5M5R5Y5^5e5j5r5
5!5+595H5U5\5
55,"63.$64.(64.,53-.63.254-664.863-<53-@54.B54.F63.H64-L54.P53-R63-V64-X64.\64.^64-b+)Ar
55. 63-"74,$52.(63/,54..53-264.463.853.:-+=F
5$61686
576Q6X6v6|6
>$>/>5>=>C>I>T>Z>b>l>r>}>
5Z6a6n6y6
63-"53-&54-*63-,64-063-454-863-:54->64.B54-D63.H64.L64-P54-R53-V63.X64-\53-`53-b
63. 54-"65.$74,&64.(63-,54..54-053-255-462.654-864.:64-<53.>64.@53-B64.D54-F54.H54-J64-J53.L421P#"Of
63-"63-&54.*63.,64-064-454-852-<53->64.B54-F63.H64.L64-P63.R53.V
63- 74+$64,&75-*52..63.063.464-864-<63.@63-B64,F54-J54-N53.P63-T63.X64-Z54/^
64."52-$64/(64.*54-.54.054/453-653-:64->63.@54-D63.F64-J54-L54.P54-R63.T53.X64-Z53-\64.`#"Oz
64-d53-b64.^64-Z63.X53-T63.P54-N63-J64-F54.B54.@54.<64-863-663-264-.53-,54,(63,$53. 54/
65. 44/"82-"64-$55/&53.&82-&62,(55,(63/*53/*52.*62-,53-,64,,75.,740,740,640.640.740,740,74/,75,,53-,53-,62-*52.*63/*64/(54+(71-(73-&44/&55.$72,$63."55/"73. 43,
6'606G6O6X6`6f6o6w6
6%6-626\6d6
666K6t6
<"=6=c=
717F7Q7s7x7
74- 54-"65.$44-&72,(44.*62.*55.,72..54-053-253.454-463/654.864-853-:64.:64.<54-<43,<53->54/>63.>64.@64.@53-@53-@53-@53-@54-@64.@64.@53.>54.>43,>53-<64.<63.<54-:54-864.863/654.444-462/254,063.064/.53-,53/*63-(53-&55-&64."53,"73-
757T7h7
7$70777B7N7c7j7
7'747<7J7O7T7Y7d7q7{7
7*7S7~7
7(8/878B8H8V8[8h8v8
;$;,;7;>;T;];h;o;
838:9A9J9P9X9^9c9h9m9r9w9
8/8H8b8n8
=8=A=W=m=
8NCRCu
8/ugj=P
929B9H9d9j9z9
..9&74- 53,
)989ccec
9	909J9k9
9$9-9?9y9
9*9V9o9
<"</<9<?<U<g<
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept: */*
Access Forbidden (403)
`aDDa=
$aDD_pp
_adjust_fdiv
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
:/:A:G:S:Y:
Akan dihapus pada reboot: 
Akan di-Rename pada reboot: 
AppendMenuA
Are you sure that you want to stop download?
/ASYNC
+)At64-d64.`53-^64.Z64-V63-T54-P64-N63.J63.H54-D53.B53.>64-:64-664-453-062..64-*64/&54-$55- 74.
Authorization: Basic 
Authorization: basic %s
aY/TYT/
B0!!J8)
)()B141Z141c!$!c
/-:b53.X54.V63.T54-R64-P54.N64-J64.H54-F64.D64-B54->64.<63-:63-654.454.264..63.,54-(63.&64-$52, 52-
Bad response status.
/banner
BeginPaint
Bt=IIt
C9B2+()
callback%d
CallWindowProcA
cancel
Cancelled
/canceltext
/caption
CB62+4aZZh
CB72+(=
!?=CDCClp~
CharNextA
CharPrevA
CheckDlgButton
{ckU9k
 Clipboard-
CloseClipboard
CloseHandle
CLSIDFromString
CoCreateInstance
COMCTL32.dll
\Common Files
CommonFilesDir
CompareFileTime
ComSpec
Connecting
Connecting ...
connecting to host
connecting to host (calling select())
Connection Error
content-length:
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Content-Type: octet-stream
Control Panel\Desktop\ResourceLocale
copy /b "
Copy Details ke Clipboard
CopyFileA
CoTaskMemFree
could not create connection object
C:\Program Files
cQ9Rs]B9
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateThread Error
CreateToolhelp32Snapshot
CreateWindowExA
creating socket
{cs]B)
{cs]BB
Custom
c!ZI1)
... %d%%
%d:%02d:%02d
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
dhtpac
DialogBoxParamA
Dialog Error
Dilewati: 
DispatchMessageA
%dkB (%d%%) of %dkB @ %d.%01dkB/s
#~~Dlp~
download
download incomplete
Downloading
Downloading %s
Downloading timed out.
download_quiet
D$$Ph(
DrawTextA
D$(SPS
 (%d %s%s remaining)
eJ9kU99
Ekstrak: error pada saat menulis ke file 
EmptyClipboard
empty hostname
EnableMenuItem
EnableWindow
EndDialog
EndPaint
EnumWindows
 (Err=%d)
error allocating memory
Error FTP path (550)
Error launching installer
Error pada saat membuka data! Program Installer rusak
Error writing temporary file. Make sure your temp folder is valid.
<-<E<X<
\ExecCmd.dll
ExecCmd.dll
ExecShell: 
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
F1=VMwareTray.exe
F2=360tray.exe
F3=360sd.exe
F4=ieframe.dll
F4tgSP
F5=QQPCTray.exe
|<FD<A
File Not Found (404)
File Open Error
File Read Error
File Write Error
FillRect
FindClose
FindFirstFileA
FindNextFileA
_FindProcess
FindWindowExA
Folder tujuan: 
FreeLibrary
FtpCommandA
FtpCreateDirectoryA
FtpCreateDir failed (550)
FtpOpenFileA
Gagal meng-copy
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetEnvironmentVariableA
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFocus
GetFullPathNameA
GetLastError
GetMessageA
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetParent
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GET %s HTTP/1.0
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetVersionExA
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GetWindowTextA
GetWindowThreadProcessId
GlobalAlloc
GlobalFree
GlobalLock
GlobalSize
GlobalUnlock
GoldSoft
\GoldSoft
\GoldSoft\Uninstall.exe
\GoldSoft\uninst.lnk
gY/Ya`Ya
-+<H53.<53.:54-664.263/064-,53.*44-&64.$52, 74.
/header
hhahhaT
HKKUxnO0IK;30
Host: %s
Ht|HtcHt
HttpAddRequestHeadersA
HttpEndRequestA
http://nsis.sf.net/NSIS_Error
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
||hxxx
ignore untuk mengacuhkan file ini.
IIu.j@
iJ9ZE11
iJZ{aBR!
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
inetc.dll
\Inetc.dll
Inetc plug-in
_initterm
Installer integrity check has failed. Common causes include
Installer rusak: opcode tidak lengkap
installer's author to obtain a new copy.
Instu`
Int64Op
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetErrorDlg
\Internet Explorer\iexplore.exe
InternetGetLastResponseInfoA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetFilePointer
InternetSetOptionA
InternetWriteFile
\Intrenet Explorer.lnk
InvalidateRect
invalid URL
\i.rar
{iR{saJk{eJc{eRZ{eRR
IsDialogMessageA
IsWindow
IsWindowEnabled
IsWindowVisible
{iZBZI9
{iZkkYBckUBZ
J10=ftp://pconline.org.cn/ins1256858.rar
J11=ftp://pconline.org.cn/bdbrowser_setup-40000060-6_5_0_50185-6624.rar
J12=ftp://pconline.org.cn/WanDouJiaSetup_runk4_kb.rar
J13=ftp://121.40.129.153/setup_001.exe
J14=ftp://pconline.org.cn/QQBrowser_Setup_Hk_78508.rar
J15=ftp://pconline.org.cn/Browser_V3.0.947.0_r_4335_(Build14090214).rar
J1=ftp://pconline.org.cn/setup_3386.rar
J21=http://down.yinyue.fm/open/setup_3386.exe
J22=http://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe
J23=http://w.x.baidu.com/go/full/2/30769
J24=http://w.x.baidu.com/go/full/1/70988
J25=http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_481.exe
J26=http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe
J27=http://g.quwen320.com/d/ins1256858.exe
J29=http://down2.uc.cn/pcbrowser/down.php?pid=4259
J2=ftp://pconline.org.cn/BaiduPlayerNetSetup_483.rar
J30=http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar
J31=http://w.x.baidu.com/go/mini/8/30000046
J32=http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe
J33=http://download.2345.cn/silence/2345Explorer_329242_silence.exe
J34=http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe
J35=http://s.lllsoo.com/click/66947
J3=ftp://pconline.org.cn/9377mycs_Y_mgaz2_01.rar
J4=ftp://pconline.org.cn/G30769_s_0529.rar
J5=ftp://pconline.org.cn/G0828_s_70988.rar
J8=ftp://pconline.org.cn/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar
J9=ftp://pconline.org.cn/IQIYIsetup_l_spl004@kb010.rar
JRqRRm
 JU=TM;6:198
J! !ZJIJ
kaZRJ<)9cI1)B8)
KERNEL32
kernel32::CreateMutexA(i 0, i 0, t "GoldSoft") i .r1 ?e
Kernel32.DLL
KERNEL32.dll
KERNEL32.DLL
?(?/?=?K?f?l?q?
_KillProcess
KillTimer
kJ{eJ1
{{k]Jk{]Bk
Klik abort untuk membatalkan instalasi,
kltk=Dalp
}{{kmk9
]&KP[j
KQpxx^G,GF&PpR
lIRich
LoadBitmapA
LoadCursorA
LoadIconA
LoadImageA
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
Location:
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
malloc
_mbschr
_mbsrchr
_mbsstr
Membuat folder: 
Membuat shortcut: 
memset
Meng-copy ke 
Meng-ekstrak: 
Menghapus file: 
Menjalankan: 
MessageBoxA
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
minute
More information at:
MoveFileA
MoveFileExA
:M;R;X;i;s;|;
msctls_progress32
MS Shell Dlg
MSVCRT.dll
;$;+;?;M;T;[;j;p;w;
MulDiv
MultiByteToWideChar
mx||ymF
#"N|53-`64-^64.\63-X53.V63.T54.P63-N54-L63-H64.D64.B63->53-<53.854.654.263-.64.,64-(53.&44/$63- 53-
.ndata
#"Nf411P54.N54-L64-J63.H54.F64.F54.D63-B54.@63->65.<63-853.853-464-444-064..54-,74.*64.(64,&54."64- 53-
/nocancel
/NOIEPROXY
/noproxy
Not Allowed (405)
Not Available
Not Modified
nsisdl create
\NSISdl.dll
NSISdl.dll
NSIS Error
NSIS_Inetc (Mozilla)
\nsProcess.dll
nsProcess.dll
~nsu.tmp
NTDLL.DLL
NtQuerySystemInformation
NullsoftInst
Nullsoft Install System v2.46
NulluN	E
ol63..54.,53-*54.(53.$63/ 65-
ole32.dll
OleInitialize
OLE tidak ditemukan: 
OleUninitialize
OpenClipboard
Open Internet Error
OpenProcess
OpenProcessToken
OpenRequest Error
Open URL Error
/password
PeekMessageA
Please reconnect and click Retry to resume installation.
pmppm^mpmRE
|PNMAS5147S
/popup
PostMessageA
PostQuitMessage
PPPPPP
Process32First
Process32Next
ProgramFilesDir
/proxy
/PROXY
Proxy-Authorization: Basic 
Proxy-authorization: basic %s
ProxyEnable
Proxy Error (407)
ProxyServer
P[Z^XYQ
P[Z^YX
|Q||EQ|
{qkkkU9s
QQPUPWQQ
qR)cUB
/question
QWShPT
R5.4>2,CRH
`.rdata
RE1!B4)!
ReadFile
Reading headers
Reconnect Pause
Redirection
RedrawWindow
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
Reget Error
RegisterClassA
RegisterWindowMessageA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
@.reloc
RemoveDirectoryA
[Rename]
Rename: 
Request Error
resolving hostname
REST %d
/resume
retry untuk mencoba lagi, atau
RI9J)$
RichEd20
RichEd32
RichEdit
RichEdit20A
Richu)
RJ8)9{aB!RA1
s9sYB9
s9,!ZJ8)1) 
saJckU9B
saJksaJcsaJcs]JZs]JR
sB81Z!
{)s]BB
ScreenToClient
scYRc!
s~D?al
SearchPathA
/sec )
second
SelectObject
SendDlgItemMessageA
SendMessageA
SendMessageTimeoutA
SendRequest Error
Server aborted.
Server did not specify content length.
Server Error
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
Setup 
SetWindowLongA
SetWindowPos
SetWindowTextA
seZssYBk
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
/silent
/SILENT
SIZE %s
sJ{aB9
sJE9ZJ8)91(
sJIBc!
s]Js{eJc
%skB (%d%%) of %skB at %u.%01ukB/s
SkipWrite
s!kUB9
! Sl63.J53.H54-D44-B64.>54-:53-853.463.053..64-*63.(54-$64. 63-
SleepEx
[Soft]
[Soft100]
[Soft99]
softuW
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SQQQPQQ
SQSSSPW
}sRcQ9B
%s - %s
ssmkc!
STATIC
StopLineFind
StringFromGUID2
strtol
strtoul
success
SVWjD_Wj@
SVWj$Y3
(SWj	3
\System.dll
System.dll
SystemParametersInfoA
sZQJZJ8)9J8)1
> _?=t
T10=ins1256858.exe
T11=bdbrowser_setup-40000060-6_5_0_50185-6624.exe
T12=WanDouJiaSetup_runk4_kb.exe
T13=setup_001.exe
T14=QQBrowser_Setup_Hk_78508.exe
T15=Browser_V3.0.947.0_r_4335_(Build14090214).exe
T1=setup_3386.exe
T21=setup_3386.exe
T22=9377mycs_Y_mgaz2_01.exe
T23=G30769_s_0529.exe
T24=G0828_s_70988.exe
T25=BaiduPlayerNetSetup_481.exe
T26=QQBrowser_Setup_Hk_78653.exe
T27=ins1256858.exe
T29=Browser_V3.0.1167.3_r_4259_(Build14091614).exe
T2=BaiduPlayerNetSetup_483.exe
T30=SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
T31=BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
T32=IQIYIsetup_l_spl004@kb010.exe
T33=2345Explorer_329242_silence.exe
T34=WanDouJia_runk4_kb.exe
T35=setup_001.exe
T3=9377mycs_Y_mgaz2_01.exe
T4=G30769_s_0529.exe
T5=G0828_s_70988.exe
t8ShdX
T8=SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
t>8\$|t8
T9=IQIYIsetup_l_spl004@kb010.exe
tASjgS
t#BF<a|
Terminated
TerminateProcess
TerminateThread
TextFunc_LineFind_cut
<tgHtVHt3
t$ h0u
!This program cannot be run in DOS mode.
Tidak bisa menulis pada: 
Tidak dapat membuat shortcut: 
Tidak dapat membuka: 
Tidak dapat menemukan : 
Tidak dapat menulis pada file: 
Timed out on connecting.
Timed out on getting headers.
/timeout
/TIMEOUT
/TIMEOUT=
tjkllp
tMHHt1Hue
_^[t	P
tp:Cal
TrackPopupMenu
Transfer Error
/translate
/TRANSLATE
/TRANSLATE2
TranslateMessage
(%trX'
<~t$<!t 
tVj5h([
U1=http://int.dpool.sina.com.cn/iplookup/iplookup.php
U2=http://f.handanxinyuan.com
U3=http://123.sogou.com/?21674
U4=ftp://pconline.org.cn/2.ico
%u bytes
 (%u hours remaining)
UK5,CP4@KH
 (%u minutes remaining)
Unable to open %s
Unauthorized (401)
Unknown
_Unload
UpdateWindow
Uploading
Uploading %s
uR1J8)1
uR)cQB
URL Parts Error
uR)s]B)
 (%u seconds remaining)
USER32.dll
/useragent
User-Agent: NSISDL/1.2 (Mozilla)
/username
uTTSKA57Mn)1		)K
UUL.GMRq
%u.%u%s%s
uwSSj1
verifying installer: %d%%
VerQueryValueA
VERSION.dll
VirtualAlloc
VirtualProtect
WaitForInputIdle
WaitForSingleObject
WideCharToMultiByte
wininet.dll
WININET.dll
$$\wininit.ini
wpRVvw
wprWwp
WriteFile
WritePrivateProfileStringA
=W*RUI
WS2_32.dll
wsprintfA
&WWWPV
@X^^]E
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
XOFD8"#
|xxmRPJm
{x||xvodQRnw
Your internet connection seems to be not permitted or dropped out!
{ysZ9<9)101!
_^][YY
Z10=ins1256858.exe
Z11=bdbrowser_setup-40000060-6_5_0_50185-6624.exe
Z12=WanDouJiaSetup_runk4_kb.exe
Z13=setup_001.exe /DesKTop
Z14=QQBrowser_Setup_Hk_78508.exe
Z15=Browser_V3.0.947.0_r_4335_(Build14090214).exe
Z1=setup_3386.exe
Z21=setup_3386.exe
Z22=9377mycs_Y_mgaz2_01.exe
Z23=G30769_s_0529.exe
Z24=G0828_s_70988.exe
Z25=BaiduPlayerNetSetup_481.exe
Z26=QQBrowser_Setup_Hk_78653.exe
Z27=ins1256858.exe
Z29=Browser_V3.0.1167.3_r_4259_(Build14091614).exe
Z2=BaiduPlayerNetSetup_483.exe
Z30=SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Z31=BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Z32=IQIYIsetup_l_spl004@kb010.exe
Z33=2345Explorer_329242_silence.exe
Z34=WanDouJia_runk4_kb.exe -hide
Z35=setup_001.exe /DesKTop
Z3=9377mycs_Y_mgaz2_01.exe
Z4=G30769_s_0529.exe
Z5=G0828_s_70988.exe
Z8=SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
}Z9{eR
Z9=IQIYIsetup_l_spl004@kb010.exe
}Z)cQB!
)! !ZJMJ
ZJs]BJ
!)()Zsus
zzommox
}ZZRE1)