Analysis Date: 2014-08-14 12:02:20
MD5: 1f903b6b16e69220d28a55c28d29d544
SHA1: fb0d92050f88b3acd2b4a1523e63d1991a98cb89

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e4d11edc23cf28513734eebc85f730f9, sha1: 7b5cbd6f65c52b4efdf6f36fc5aa9c2a67d36ac4, size: 25600
Section .rdata: md5: 657547f7311a36183b6aafa928e49623, sha1: a10272456cf448c08b3ae94457a888c0c65a0660, size: 5120
Section .data: md5: 2ecafdb1d49b8fa49b32f466a693a69a, sha1: 411b47233d4c824205c691fd8c4c8908ab1554df, size: 3072
Section .ndata: md5: d41d8cd98f00b204e9800998ecf8427e, sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709, size: 0
Section .rsrc: md5: fc2efb5e37efad097cd49b5199ee0594, sha1: b8d68af64061725a426e3e76b014dfed202169e4, size: 297472
Timestamp: 2009-12-05 22:53:24
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 7281c5b3586c762b3b10fd79bcd0c45269ace138
IMPhash: 1c042238f43557c055fca8642de8a074
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Downloader.Gnome.r5 (Not a Virus)
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Agent.NON:NSIS/TrojanDownloader.Agent.NOF
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Downloader.Win32.Gnome.bme
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: win32/KuPlays.A
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\play.exe\ ➝ C:\Program Files\kuboplay\lsplay.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk2.tmp\Inetc.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\kuboplay\uninst.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\kuboplay\Uninstall.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk2.tmp\FindProcDLL.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk2.tmp\config.txt
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk2.tmp\config.txt
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk2.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: allconfig.oss-cn-hangzhou.aliyuncs.com
Winsock DNS: pconfig.b0.upaiyun.com

Network Details:

DNS: na.b9.aicdn.com (Type: A) ➝ 199.192.75.57
DNS: na.b9.aicdn.com (Type: A) ➝ 72.20.58.54
DNS: allconfig.oss-cn-hangzhou.aliyuncs.com (Type: A) ➝ 42.120.230.9
DNS: pconfig.b0.upaiyun.com (Type: A)
HTTP GET: http://pconfig.b0.upaiyun.com/other.txt
    User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://allconfig.oss-cn-hangzhou.aliyuncs.com/other.txt
    User-Agent: NSIS_Inetc (Mozilla)
Flows TCP: 192.168.1.1:1031 ➝ 199.192.75.57:80
Flows TCP: 192.168.1.1:1032 ➝ 42.120.230.9:80

Raw Pcap

Strings