HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Generic.896010 (B) (Emsisoft), Worm.Generic.896010 (AdAware), Trojan.NSIS.StartPage.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7af9988781b8b1bd909d466b20bdf8b6
SHA1: a248583574734e6a9fcd49aa3142f29cb72120f9
SHA256: 263b22f3ac018d40beac936f583a832ed5bf940d6f13af870be4c2a92cb405a7
SSDeep: 196608:1OHZv4Yr9wMWByNtOAh8UQu8KVRDhoN6frd8SdUJRz0/6O3drx93OPV01pPJXd B:o5v4YJ/gymAKUQYHhoN6/mYiO3drSsPL
Size: 11798016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-01-19 07:47:29
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:564
The Worm injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe (183607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\crypted.exe (9260 bytes)
Registry activity
The process %original file name%.exe:564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 B4 F6 1D C4 70 E3 61 18 DD B9 F7 B8 C2 9B 5D"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
| MD5 | File path |
|---|---|
| b1d95c5a4e00145d268ec91261abab3b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe |
| 3b41cdc7ba92427772a70263cee90a47 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\crypted.exe |
| a1bba35c752b36f575350cb7ddf238e4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk2.tmp\AdvSplash.dll |
| 36e0280c371781af52c2638934c62be5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk2.tmp\BgImage.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:564
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe (183607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\crypted.exe (9260 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.0.6001.18000
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.0.6001.18000Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43488 | 43520 | 4.55206 | 9ee0e124f68a3a1c8fa64ad51ff9fa45 |
| .data | 49152 | 8800 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
| .rsrc | 61440 | 11751424 | 11748352 | 5.54466 | 48da8d0b25ff02e8a11898cf3bd4ae21 |
| .reloc | 11812864 | 3280 | 3584 | 3.33839 | 6ecf5ec5c89c4b613322d7793c0bd979 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_564:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
msvcrt.dll
msvcrt.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
advapi32.dll
advapi32.dll
wininit.ini
wininit.ini
advpack.dll
advpack.dll
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupapi.dll
setupx.dll
setupx.dll
IXPd.TMP
IXPd.TMP
TMP4351$.TMP
TMP4351$.TMP
FINISHMSG
FINISHMSG
USRQCMD
USRQCMD
ADMQCMD
ADMQCMD
msdownld.tmp
msdownld.tmp
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegCreateKeyExA
GetWindowsDirectoryA
GetWindowsDirectoryA
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
_acmdln
_acmdln
_amsg_exit
_amsg_exit
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
%s /D:%s
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
Command.com /c %s
zcÃ
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
33333330
33333330
3333333
3333333
33333333
33333333
Tiara's Moonshine Mod G9S2-V60 Installer.exe
Tiara's Moonshine Mod G9S2-V60 Installer.exe
crypted.exe
crypted.exe
.hs-K8
.hs-K8
C-U}L
C-U}L
.fh"c
.fh"c
j!.fcwi
j!.fcwi
.PNV[P
.PNV[P
:n.TR
:n.TR
ÖJ)2
ÖJ)2
%S"[-
%S"[-
%%sqBNEX
%%sqBNEX
.dQ|N
.dQ|N
.ICrB
.ICrB
!k.YT
!k.YT
w~.ZI
w~.ZI
.m.Po
.m.Po
Fyef.lB
Fyef.lB
w4.lG
w4.lG
T.TFhl
T.TFhl
B%sYQ
B%sYQ
jYC%c
jYC%c
9.VhJ
9.VhJ
Is,%X
Is,%X
o).cz
o).cz
5.tZ\
5.tZ\
|.nH`C
|.nH`C
=_.Gk
=_.Gk
".qqx-
".qqx-
2`/2)(07
2`/2)(07
k.pGFYSK
k.pGFYSK
%d~HL
%d~HL
yv'w.he
yv'w.he
.AY )v
.AY )v
;QQ.WC
;QQ.WC
7Q.hG{
7Q.hG{
,E\%F
,E\%F
]o{%C
]o{%C
.ELs]
.ELs]
'.uU;
'.uU;
nf%ug
nf%ug
.lYUq c
.lYUq c
h%D
h%D
Gx.dn
Gx.dn
r7eÃ’
r7eÃ’
R^%uc
R^%uc
.Cj8Q
.Cj8Q
.gH)
.gH)
}d%U1
}d%U1
/T%XQ
/T%XQ
ON,j.LL
ON,j.LL
.AyqAf
.AyqAf
TCpH_
TCpH_
Ov%d}
Ov%d}
T(/}
T(/}
.QZf'ut
.QZf'ut
.Eq>2
.Eq>2
.G-bJ}
.G-bJ}
Co,.LWl
Co,.LWl
i .AA
i .AA
.hsA~
.hsA~
*rZx-y}
*rZx-y}
2[%U5
2[%U5
qx.TV
qx.TV
.yT&,
.yT&,
2N%8xr
2N%8xr
.qMv;
.qMv;
lFÞ
lFÞ
z.Cdkn
z.Cdkn
M%}l%xXV
M%}l%xXV
j}.mO6;r
j}.mO6;r
%D"_&
%D"_&
Sb.HK
Sb.HK
S[.TKW
S[.TKW
Ng3%CW@W
Ng3%CW@W
Eÿc
Eÿc
Ze.Wi
Ze.Wi
.gr;P
.gr;P
g%X4Us
g%X4Us
6%XSR
6%XSR
|.QT\
|.QT\
z.Es,
z.Es,
`%c;K
`%c;K
].nIxd
].nIxd
x>.WvP`
x>.WvP`
B.Ix-VNJ
B.Ix-VNJ
./1%F
./1%F
$\%cW
$\%cW
%C]hn
%C]hn
}X.nY6
}X.nY6
.ecK@
.ecK@
%xMDZ
%xMDZ
">V!D1'
">V!D1'
U\Uz)%U6
U\Uz)%U6
b-.wT
b-.wT
('.Dj
('.Dj
%s:6$5
%s:6$5
.kEMm
.kEMm
le.Af
le.Af
Vh.CR
Vh.CR
V%xl}
V%xl}
.XYccj7
.XYccj7
%uiq3
%uiq3
.HgK8
.HgK8
.Zg0H
.Zg0H
Uqm.ju
Uqm.ju
P 6o%4s
P 6o%4s
.tI@i
.tI@i
.GJx\
.GJx\
5.SF7b
5.SF7b
`.yt:^
`.yt:^
HL.yEvS
HL.yEvS
G.qs.m
G.qs.m
.kzBv
.kzBv
X*.YgS
X*.YgS
%sg .Y
%sg .Y
Zdrq%U
Zdrq%U
6?%uc
6?%uc
.zz\^0
.zz\^0
7=M~%X
7=M~%X
.mIqg
.mIqg
I[.nWT
I[.nWT
9D.YL
9D.YL
yk-Uek}
yk-Uek}
a&&4%x'
a&&4%x'
#.UZj
#.UZj
&/wWeq%C&g
&/wWeq%C&g
O?-L}
O?-L}
t%X{
t%X{
bIOs.un
bIOs.un
%cYna
%cYna
%s8W{
%s8W{
.fjE!
.fjE!
R%c:G
R%c:G
.UBWy
.UBWy
û(:
û(:
x%s/I
x%s/I
VO.SC
VO.SC
|.ber
|.ber
%XSHN
%XSHN
$L9\%D
$L9\%D
.NfPn
.NfPn
kn.pB
kn.pB
.DnKTo!~P
.DnKTo!~P
:).ya
:).ya
70,%ds
70,%ds
0.BCy
0.BCy
.ek(
.ek(
.stYo
.stYo
' 2%x
' 2%x
E}C.pV
E}C.pV
ÃuyNj
ÃuyNj
7.Jue
7.Jue
%c-lS
%c-lS
s.tS)
s.tS)
fhQE.Tq
fhQE.Tq
e.vOr@
e.vOr@
%d($?|c
%d($?|c
*S.qT
*S.qT
}.iSSf}L
}.iSSf}L
md.wV
md.wV
n^%fk
n^%fk
~q2%uH
~q2%uH
.Um\q
.Um\q
.aowl
.aowl
%Cj&Mn
%Cj&Mn
H.lcs
H.lcs
1n%uLV
1n%uLV
t.MbjqszK
t.MbjqszK
.NJoM
.NJoM
.Qw='
.Qw='
>H$Ju%sX
>H$Ju%sX
-o.nA
-o.nA
#2K.ME3
#2K.ME3
Ã:G
Ã:G
6%Y%s
6%Y%s
%DhUI
%DhUI
dN.Td
dN.Td
0%cJ2;
0%cJ2;
{^w.*%cV
{^w.*%cV
Q~D.NNOf
Q~D.NNOf
.hF >
.hF >
T.SHXd
T.SHXd
(Q.fN
(Q.fN
Cs,%s
Cs,%s
R.ZJ7
R.ZJ7
WGb%C|
WGb%C|
9)Ç1
9)Ç1
4V.qS
4V.qS
& ÓE
& ÓE
T.SBSaF8
T.SBSaF8
&.Shl4
&.Shl4
E.aH-
E.aH-
.hgp,
.hgp,
kC.vh
kC.vh
".Kv3Fx2
".Kv3Fx2
[zQSShwZ
[zQSShwZ
p.dLPf
p.dLPf
l.uyQ
l.uyQ
qQV.Bc`
qQV.Bc`
%xXXo:
%xXXo:
4.BY*
4.BY*
wAcs%D
wAcs%D
{g%u/V
{g%u/V
L3.PN&\
L3.PN&\
{(U L.Ko
{(U L.Ko
t%8sV6
t%8sV6
mr-.Ld
mr-.Ld
t
t
k.nQH
k.nQH
.yE;R
.yE;R
.hN$S
.hN$S
\).%Xq
\).%Xq
.VTn5YS`
.VTn5YS`
.gHe}
.gHe}
~.sy~e
~.sy~e
-.WPT
-.WPT
.ODoc
.ODoc
F.Rh#m2
F.Rh#m2
!.LS"
!.LS"
=--8L.LZ
=--8L.LZ
.Kwqk]
.Kwqk]
.BYt":
.BYt":
F.MBg>
F.MBg>
[i.Ka
[i.Ka
eE%c=
eE%c=
.tNpr
.tNpr
!0.tT
!0.tT
0-dZ}p)
0-dZ}p)
3NT.Wsk
3NT.Wsk
4.nsb
4.nsb
\%Ux96
\%Ux96
n>|
n>|
]-a.Cm
]-a.Cm
XW.Hn
XW.Hn
.CAg2
.CAg2
kEyF
kEyF
5Bf).HX2
5Bf).HX2
.xT?W
.xT?W
y*%sE#
y*%sE#
=S,.GY
=S,.GY
tcpn~
tcpn~
cgNy.kE
cgNy.kE
%0sdA
%0sdA
p2Å’
p2Å’
}9H-%F
}9H-%F
o.Of_
o.Of_
5.gvG
5.gvG
.vt 6
.vt 6
%k.By_B
%k.By_B
.drY.%
.drY.%
xT1|.Kn
xT1|.Kn
[n:qh-i}n)ZJ
[n:qh-i}n)ZJ
.Uppj
.Uppj
cl.Dy2
cl.Dy2
@7.YMX
@7.YMX
j/.HB
j/.HB
-.Qx3.
-.Qx3.
UTG%d
UTG%d
LÃŽ@
LÃŽ@
.bFCw
.bFCw
~.kED
~.kED
.aV_q
.aV_q
k.IlC
k.IlC
s;.ay
s;.ay
fTP[n8
fTP[n8
H.Sn?r
H.Sn?r
]%dKv
]%dKv
%Xl) l
%Xl) l
g'Â
g'Â
il&ÙH,3!
il&ÙH,3!
&jW:C$.re
&jW:C$.re
!H.fnaq
!H.fnaq
U.JnC
U.JnC
C.iee
C.iee
.iVpk
.iVpk
"j.MBf
"j.MBf
Iu.BH
Iu.BH
S.Ol0
S.Ol0
wA~,%x
wA~,%x
2C
2C
i%D)9:
i%D)9:
.fC1yOr
.fC1yOr
l&X.pb!I
l&X.pb!I
8I.lc
8I.lc
.Ip/ PC
.Ip/ PC
=V.rLa
=V.rLa
f.QXy
f.QXy
!?.vw
!?.vw
.IK!-a
.IK!-a
S%O%U
S%O%U
2.qkC
2.qkC
k.IMk
k.IMk
'.wws\
'.wws\
&Ã’W
&Ã’W
a&.XrW1U
a&.XrW1U
)!%D]
)!%D]
.MHC"
.MHC"
nd.sU
nd.sU
2g%SS,!
2g%SS,!
.jDy`/
.jDy`/
8A%XUJ FHu(
8A%XUJ FHu(
#%FL-zyH%
#%FL-zyH%
%X:W{d
%X:W{d
.YVG=J
.YVG=J
zyx%2s$
zyx%2s$
E)a%X
E)a%X
cMdM#
cMdM#
>[%fj
>[%fj
2FVe.cH
2FVe.cH
.bQ:E
.bQ:E
.AnYk
.AnYk
%uO(0b
%uO(0b
.ToFe
.ToFe
.bFUl
.bFUl
>sqL:Y
>sqL:Y
KG.Ij
KG.Ij
%D>_y
%D>_y
`C"LKÙ"8e
`C"LKÙ"8e
%c\{v
%c\{v
{A[%XzVi
{A[%XzVi
%s;^7##
%s;^7##
|{XN%s
|{XN%s
%S!L(
%S!L(
(D.VIK
(D.VIK
~Y%dQ8c
~Y%dQ8c
5vl%x
5vl%x
.oVzP
.oVzP
,}Â
,}Â
1b1s|.knZ
1b1s|.knZ
v.byw
v.byw
.thzw
.thzw
n%Sdh
n%Sdh
o%ds5
o%ds5
R%D'>
R%D'>
Y.sH?
Y.sH?
$.TjJ
$.TjJ
\].gd
\].gd
m.spo
m.spo
.Ay&S}
.Ay&S}
%U_{^rx
%U_{^rx
65.Az
65.Az
Tx.fi
Tx.fi
1%u
1%u
Q.QJrg
Q.QJrg
X7W%X
X7W%X
B.MOH6
B.MOH6
.MDA/
.MDA/
Q.Btd
Q.Btd
gJ/.tbC
gJ/.tbC
OlN.oV
OlN.oV
?#.fW
?#.fW
.OgTd
.OgTd
.frt'
.frt'
-/2,04}
-/2,04}
DmP".p3.WV
DmP".p3.WV
R.qP"
R.qP"
.vxiCj
.vxiCj
v6%s&
v6%s&
Zt.ok
Zt.ok
%Umxo.
%Umxo.
\ui>kZE.gK
\ui>kZE.gK
.Rn_1e
.Rn_1e
@ .sB
@ .sB
%x!0g
%x!0g
.hh?1
.hh?1
.Zr4J[
.Zr4J[
%c|r;
%c|r;
0H.lM
0H.lM
.iL3F
.iL3F
U}.MEf
U}.MEf
#MS.cw
#MS.cw
lj.ux
lj.ux
? |%UK
? |%UK
75.dd
75.dd
%Dyemq{
%Dyemq{
|=;]%D
|=;]%D
m.zYl
m.zYl
/%fl6
/%fl6
Z
Z
.WH8k
.WH8k
.levZ
.levZ
&.dp-
&.dp-
j.ZN'
j.ZN'
.OK1>
.OK1>
R.KT1
R.KT1
/ %d;
/ %d;
.KV9
.KV9
%d?)b
%d?)b
!.UCn
!.UCn
j8CmD
j8CmD
WssHf?
WssHf?
%u3{s
%u3{s
Þ,gw
Þ,gw
SqLa
SqLa
MF\N.chu;
MF\N.chu;
b4,!%X
b4,!%X
^U#.zc
^U#.zc
x.YS4
x.YS4
K.hP;
K.hP;
.lY;Cl
.lY;Cl
.XY33g
.XY33g
-G}4C
-G}4C
Kj.Ca
Kj.Ca
1-%Xc
1-%Xc
>RO.dN
>RO.dN
OU%cr
OU%cr
-qSW}
-qSW}
^.fn}J
^.fn}J
>.yd&
>.yd&
E..aX
E..aX
R.TMO
R.TMO
.sO;^
.sO;^
.xWyv
.xWyv
(N.ey0
(N.ey0
X^P.HOM0
X^P.HOM0
}3.CcL
}3.CcL
.eOX)
.eOX)
%Xd>z
%Xd>z
%x)jf (
%x)jf (
.LN,.
.LN,.
Ãnn
Ãnn
bw[-%f
bw[-%f
YrU.Eo%C
YrU.Eo%C
.F%uk
.F%uk
TK%XT
TK%XT
.jfSmG
.jfSmG
.nKBM
.nKBM
|#%dP
|#%dP
k_Ã
k_Ã
J_ '%cz
J_ '%cz
,.dpy
,.dpy
3%s*K
3%s*K
$(%xU
$(%xU
a0(%X
a0(%X
sho&%f
sho&%f
.YWu`N
.YWu`N
ED.ax
ED.ax
g-u}w
g-u}w
!y.eSx
!y.eSx
H.Lb!Y
H.Lb!Y
#f6
#f6
[.sb$
[.sb$
$..RS
$..RS
\p.Dm
\p.Dm
X%xsnZQ
X%xsnZQ
,^d%C
,^d%C
%X@bp
%X@bp
(%XF@
(%XF@
\S%sX
\S%sX
-%CnaF
-%CnaF
tCpl
tCpl
vX%FR
vX%FR
v=)%X
v=)%X
#L.jj
#L.jj
%C|#p
%C|#p
3.jIf
3.jIf
0H.JbcF
0H.JbcF
.Ux!T
.Ux!T
.sx:q
.sx:q
q'%7X
q'%7X
.RSyBg
.RSyBg
H.St5pX
H.St5pX
\.ZN
\.ZN
M:Fb.TG
M:Fb.TG
f%uMeqI
f%uMeqI
.sACr
.sACr
(%FjJ
(%FjJ
.Wb4N
.Wb4N
Md3Q$%D
Md3Q$%D
s.QO\U
s.QO\U
{1E6.wd
{1E6.wd
R.kx'
R.kx'
sn
sn
.QGoB
.QGoB
q__
q__
EY-ebQ}
EY-ebQ}
Pa.RE
Pa.RE
,A.aL
,A.aL
;.GhX;
;.GhX;
X.RSml
X.RSml
.kD4t
.kD4t
3.Td\x
3.Td\x
#,.fB
#,.fB
d%fPAM-
d%fPAM-
..IDW
..IDW
-v.vp
-v.vp
bV?%C
bV?%C
%x)X5
%x)X5
.yY:LUF
.yY:LUF
&E%Fg
&E%Fg
Bd&"$.UX
Bd&"$.UX
O.Qk>hjo2
O.Qk>hjo2
o)g.iHw
o)g.iHw
oT%.d
oT%.d
Mq9N.cI
Mq9N.cI
4.pe"D
4.pe"D
mY%fqua
mY%fqua
Sb.ff
Sb.ff
o^%FY
o^%FY
nOr.sA
nOr.sA
YY%u
YY%u
%x%4}f1
%x%4}f1
89mX.hK
89mX.hK
|.hzD
|.hzD
.gk=3DP
.gk=3DP
}%U(U
}%U(U
7(WEB
7(WEB
%dru{
%dru{
.XI\*
.XI\*
_6.Tzp
_6.Tzp
l.pm3Z
l.pm3Z
}H.an
}H.an
.EdGP
.EdGP
-.OLVa
-.OLVa
(&k%D
(&k%D
..IV[Py
..IV[Py
M .BEm
M .BEm
%s)aW
%s)aW
R4[7%d
R4[7%d
.tn4F
.tn4F
;#oÉ
;#oÉ
.db%G
.db%G
%f?7m
%f?7m
XT.lV7
XT.lV7
u.auR
u.auR
t].kR
t].kR
.PU5Z
.PU5Z
.Ci>]0z
.Ci>]0z
n.dP/
n.dP/
cLc-x}
cLc-x}
%C}n_
%C}n_
io-N}
io-N}
"G7%x)5
"G7%x)5
vk2%X
vk2%X
ku9%S
ku9%S
).iSI
).iSI
~-9rc3}
~-9rc3}
,b.Jt8
,b.Jt8
h%c>{#
h%c>{#
~.Dcy
~.Dcy
a}S,.Un\
a}S,.Un\
CRtB
CRtB
.sX?
.sX?
>FEMgls%s
>FEMgls%s
m%x-\
m%x-\
.tST&
.tST&
F/.Qnf'
F/.Qnf'
.rQ!y
.rQ!y
HW.pqf5
HW.pqf5
Pr.Hl
Pr.Hl
.PI)WC
.PI)WC
?MZ%UG
?MZ%UG
.lW[n
.lW[n
.bF"N>
.bF"N>
)N%S-
)N%S-
(.HtK
(.HtK
/.PY/
/.PY/
`.Jz] (
`.Jz] (
].Lb`
].Lb`
}VF%C
}VF%C
Cx%fG
Cx%fG
.XL;g
.XL;g
eQ.bW
eQ.bW
K.IOz
K.IOz
s6%Cw> D
s6%Cw> D
(v.Qc
(v.Qc
iNU%F
iNU%F
|$.QI
|$.QI
%fv^j
%fv^j
t/%S?
t/%S?
VD%.c
VD%.c
_.b]%d
_.b]%d
_.By:
_.By:
.yE|Y
.yE|Y
n%S
n%S
<.jcy>
<.jcy>
.Fhkd
.Fhkd
%cG:6T_
%cG:6T_
aHn%U
aHn%U
v.AGQ
v.AGQ
t!rx%DMo
t!rx%DMo
GV.Ij
GV.Ij
.%.Dj
.%.Dj
{B.Qi
{B.Qi
ýB9#0-
ýB9#0-
_.Pqk
_.Pqk
Q7,
Q7,
2V.Gb
2V.Gb
/|%D*
/|%D*
1\441]01(:
1\441]01(:
Db^O4%x
Db^O4%x
v\.Ax
v\.Ax
J.jdB
J.jdB
.bknN
.bknN
p.Dy;z
p.Dy;z
xU.Zd(
xU.Zd(
\3.AK
\3.AK
{*%D$I/8
{*%D$I/8
.DuWN
.DuWN
X.En`
X.En`
.jmL5](
.jmL5](
/.rEoT
/.rEoT
.jO>f5
.jO>f5
e{%.s
e{%.s
E.PF-
E.PF-
5F.OSKZ5'
5F.OSKZ5'
}~.jv
}~.jv
'&&&!&'!!
'&&&!&'!!
%.wV;zJ
%.wV;zJ
t].XTW
t].XTW
Mays%S"
Mays%S"
U.GA8zK2?
U.GA8zK2?
!C.bT
!C.bT
x77%%s
x77%%s
.nOh_Y
.nOh_Y
C{V%c
C{V%c
ZEsFQ
ZEsFQ
i-.lMr
i-.lMr
8-H}&
8-H}&
1%x/s
1%x/s
Q.ECff.k
Q.ECff.k
.ukLDP
.ukLDP
.PDyM
.PDyM
L.vjN
L.vjN
t%UD%
t%UD%
l.MGM
l.MGM
!@.zP
!@.zP
.rl-V
.rl-V
s.BHe
s.BHe
bq.Pp
bq.Pp
/.HaUQxZ
/.HaUQxZ
auDph
auDph
ekEY3
ekEY3
=m.ZU
=m.ZU
%XC/w
%XC/w
M<.kg>
M<.kg>
.ka-H
.ka-H
~:3Q%f
~:3Q%f
^].po
^].po
U@Q.ZiY
U@Q.ZiY
.Nn)v
.Nn)v
J.Vhj
J.Vhj
U %uY/@
U %uY/@
yl.EC
yl.EC
Bb.LHz9
Bb.LHz9
%SJp~K
%SJp~K
.JQSU
.JQSU
wJO.Re
wJO.Re
#g.Vk
#g.Vk
3-%%c_d
3-%%c_d
-Uô)
-Uô)
nU.uP
nU.uP
'.usUE^
'.usUE^
B%Du
B%Du
w<.eon>
w<.eon>
:$%SZ
:$%SZ
.VC@d
.VC@d
:.vjl
:.vjl
TF.hL
TF.hL
%fpwxb8Q
%fpwxb8Q
,%x)v
,%x)v
^K.oq
^K.oq
cc'%s
cc'%s
i{!%F
i{!%F
;%xm48
;%xm48
N|r%S
N|r%S
fTPh
fTPh
-=,E% G;%X
-=,E% G;%X
C.BS4
C.BS4
-)l%x$
-)l%x$
.uiSD^
.uiSD^
Z[Þj
Z[Þj
|b}t{.KZ
|b}t{.KZ
.sq-,
.sq-,
Z@ü'
Z@ü'
gAu8.LB
gAu8.LB
P).pD
P).pD
K%x
K%x
Ow.UFo
Ow.UFo
~-c}Q
~-c}Q
n.em1
n.em1
NY.nn]L
NY.nn]L
%XZoa
%XZoa
ALW9%d^
ALW9%d^
%fj6K%N
%fj6K%N
UCRtba
UCRtba
;*V.go
;*V.go
N.uM-3
N.uM-3
t?pU.Qk
t?pU.Qk
-x3KnEJ}#
-x3KnEJ}#
"t.fSe
"t.fSe
k)%D~
k)%D~
$xR%.c
$xR%.c
u"..Cb
u"..Cb
I.ch8
I.ch8
A5%dr
A5%dr
'.zL=
'.zL=
;`%U}6
;`%U}6
.FKp(
.FKp(
Zc.YU
Zc.YU
!?1tX.Rj
!?1tX.Rj
'6.Ef
'6.Ef
2 .IvP
2 .IvP
ly.fTkUI
ly.fTkUI
dS.RO
dS.RO
|..HL
|..HL
v.Ms$d`Z
v.Ms$d`Z
h.YNuk
h.YNuk
Na.Uq
Na.Uq
%Fh\]/
%Fh\]/
Jm.Gy
Jm.Gy
FoHÙ?Y
FoHÙ?Y
6`IU.om{
6`IU.om{
v%XZ,
v%XZ,
g]nLW*A.bj
g]nLW*A.bj
8URL
8URL
J%D>"
J%D>"
7.XlU
7.XlU
.Rd>}j\C3
.Rd>}j\C3
G#.uC
G#.uC
Ã,*
Ã,*
.DTV1
.DTV1
$.LSu0
$.LSu0
RO?hN%,|{.KS
RO?hN%,|{.KS
.um:%
.um:%
7'.hO
7'.hO
;16D&%f
;16D&%f
.fSJ*
.fSJ*
i
i
)%fsr
)%fsr
!Xc%d
!Xc%d
qL-5}
qL-5}
}f.oy
}f.oy
?C v
?C v
.OSPf
.OSPf
3`-3hJ}]%
3`-3hJ}]%
AV.wxn
AV.wxn
\>.oyF
\>.oyF
6.QrZ(?9g
6.QrZ(?9g
~Z.zFK
~Z.zFK
]T.KK
]T.KK
WJr&Cz.Ir
WJr&Cz.Ir
dD#%DJmy
dD#%DJmy
L.ma[
L.ma[
V%c!W
V%c!W
I/.Co5
I/.Co5
a4V.ZhO
a4V.ZhO
pl.Dr
pl.Dr
x%UDN
x%UDN
c-G.Iv
c-G.Iv
s5g%UX
s5g%UX
.%Fh_
.%Fh_
.QQx5
.QQx5
LUP%S
LUP%S
Z%.rO
Z%.rO
NjQ.jX
NjQ.jX
/n%fs
/n%fs
.trC.a
.trC.a
.Wh04
.Wh04
.IoFq
.IoFq
G.Rl5J
G.Rl5J
M.nm0m
M.nm0m
=k.On&k4
=k.On&k4
q%CXI
q%CXI
Pz[tcP
Pz[tcP
%X8D.
%X8D.
)?Ã
)?Ã
en.CX
en.CX
oB!.MO
oB!.MO
-P.aii
-P.aii
gO%CP
gO%CP
P%CQ8
P%CQ8
lY/'J.wA&
lY/'J.wA&
vIo%d
vIo%d
4Pd%u
4Pd%u
>%S%EWA
>%S%EWA
5Q.az
5Q.az
-P%s1
-P%s1
sQLq
sQLq
'iD|.Tm9z@
'iD|.Tm9z@
5.JI(
5.JI(
%2x *
%2x *
sz-t %C
sz-t %C
LF8hcC%C
LF8hcC%C
}%%x8
}%%x8
.Lo&5]
.Lo&5]
&.Swt
&.Swt
.YG_w
.YG_w
%sbW6
%sbW6
S:.upWJ
S:.upWJ
\.Hw#Y
\.Hw#Y
%cn'|
%cn'|
Z?UDP
Z?UDP
`.FWC
`.FWC
t C@%UJ@ZBP
t C@%UJ@ZBP
;2b%u^uP
;2b%u^uP
i{Q\v.di
i{Q\v.di
l.NT1
l.NT1
,x.bd
,x.bd
W%slB
W%slB
Lq%dgc
Lq%dgc
C&%x_
C&%x_
'K%Cj
'K%Cj
L#k%U
L#k%U
-D.hD
-D.hD
K%uFdkK
K%uFdkK
%x3f,W,Q
%x3f,W,Q
xy.tW
xy.tW
%SJiT
%SJiT
D!.zD
D!.zD
(.boF
(.boF
U %C)
U %C)
gB;%U Qw
gB;%U Qw
i%u!i
i%u!i
Â7/
Â7/
IM.KH
IM.KH
/.OE-/
/.OE-/
[.EsK
[.EsK
fTPL
fTPL
Y>j.Sm
Y>j.Sm
x.BdF0
x.BdF0
.hu0
.hu0
\{i.DX
\{i.DX
%6xdf
%6xdf
=W.lk
=W.lk
> X.UP
> X.UP
.nU19
.nU19
%si.B
%si.B
%h%UN
%h%UN
?>195=3;7
?>195=3;7
@ .hDn\
@ .hDn\
!WB~.an=6
!WB~.an=6
6%uSRF
6%uSRF
n%Xww
n%Xww
m%U":24
m%U":24
.ZxA,
.ZxA,
X%F,F
X%F,F
Q.VU)
Q.VU)
.hLe1
.hLe1
uNr%f
uNr%f
e.iFN
e.iFN
dD.DlG
dD.DlG
t..sl
t..sl
.kRzK
.kRzK
\i.QY
\i.QY
.NCy9
.NCy9
P4[F*;.ud^w
P4[F*;.ud^w
.Kbcc
.Kbcc
.JFe}
.JFe}
Y58%C[
Y58%C[
.Ar~[4AM4&1
.Ar~[4AM4&1
y.Om9:6
y.Om9:6
M- ;%F
M- ;%F
2GHj.Ke
2GHj.Ke
.Gvu4
.Gvu4
4qV%Xi
4qV%Xi
&i.aL
&i.aL
X$(D.cY
X$(D.cY
c.wkig
c.wkig
QÃŽe
QÃŽe
0.fJN%
0.fJN%
-4{o'.(%Uj
-4{o'.(%Uj
?%D=H
?%D=H
z9[:b%C
z9[:b%C
@(@%s
@(@%s
.IeLOd
.IeLOd
J.oitp
J.oitp
8.OlrW;
8.OlrW;
"'.Vd
"'.Vd
0%xVB
0%xVB
.gpcD
.gpcD
~;ij.vOI
~;ij.vOI
N%F#%
N%F#%
u %fg
u %fg
.gd*"
.gd*"
.Bo="
.Bo="
ÃŒN1
ÃŒN1
j0Ö
j0Ö
B5V.mA
B5V.mA
7%sTA
7%sTA
.yIBfu
.yIBfu
2%c$c7
2%c$c7
GP"%X
GP"%X
.yAIj"
.yAIj"
nO.LeSE
nO.LeSE
FM.mj
FM.mj
n.NLc
n.NLc
_.ybX"
_.ybX"
/.lN@c
/.lN@c
%D%X~
%D%X~
G.XI[
G.XI[
%sk[S{
%sk[S{
ßqK
ßqK
%U4Rg
%U4Rg
U.Gkj
U.Gkj
GE.Vm
GE.Vm
$%d}?
$%d}?
K gY19%f
K gY19%f
.LsKn7
.LsKn7
.Xm!R
.Xm!R
@.JsK
@.JsK
Yrf-
Yrf-
3=t.by
3=t.by
uY.Js
uY.Js
W1.wm>3
W1.wm>3
.Bfkr
.Bfkr
.tZD_
.tZD_
MY.YIV
MY.YIV
%u.YlU
%u.YlU
.vNFH
.vNFH
.C%X9
.C%X9
7&ñ
7&ñ
.cfRk
.cfRk
upC%u
upC%u
1K,Xl/%c
1K,Xl/%c
*7%St
*7%St
N.hv]F
N.hv]F
`%SW/^
`%SW/^
.Yi/rY
.Yi/rY
}b-%f
}b-%f
Q:.kdBm
Q:.kdBm
>%CXI
>%CXI
k_) %d
k_) %d
VwM%UO
VwM%UO
]R.PY
]R.PY
/.feu
/.feu
*4a%x
*4a%x
gPSc.XF
gPSc.XF
W4.Ac
W4.Ac
Vo%Cj@
Vo%Cj@
Ét3
Ét3
LIÃ3
LIÃ3
5pj%f
5pj%f
Tqkey
Tqkey
w/;N%U
w/;N%U
.gv]3
.gv]3
Cz>%Cj
Cz>%Cj
%XLIVX
%XLIVX
j^i?bY%s
j^i?bY%s
/-xQ}
/-xQ}
=]B%dT
=]B%dT
9.DQ?1
9.DQ?1
,,/.eN|
,,/.eN|
V%Sj|
V%Sj|
Uh.jP
Uh.jP
G%cy$f
G%cy$f
;k%s
;k%s
tJ1!%s
tJ1!%s
'8.yKr
'8.yKr
%f*)?
%f*)?
{%SIg"
{%SIg"
.DOo*
.DOo*
.Il1,
.Il1,
Pn.qj
Pn.qj
93`.mm
93`.mm
XF#%x
XF#%x
h%7UQ
h%7UQ
y.an
y.an
-%2ut
-%2ut
w.kPR
w.kPR
xF%u$
xF%u$
×Gh
×Gh
D|FTP
D|FTP
.Jbz9
.Jbz9
.nRb[=U
.nRb[=U
3.eTP
3.eTP
d&P.ve
d&P.ve
:=~@.Im
:=~@.Im
.rm1L
.rm1L
T?c|.sEN
T?c|.sEN
9:.Kf;
9:.Kf;
^KJ%FH7?Z@t
^KJ%FH7?Z@t
]'Z%s
]'Z%s
.COq|
.COq|
.yX:..
.yX:..
.XBU>\>
.XBU>\>
T]X{%f
T]X{%f
q1.uq
q1.uq
^.BCX
^.BCX
Nh'EL.lf
Nh'EL.lf
%S0>x
%S0>x
tV.NaF>
tV.NaF>
-d19}
-d19}
Webu
Webu
UftP
UftP
%.F
%.F
.Ea4\
.Ea4\
'.HkIy
'.HkIy
D.wA"?
D.wA"?
tsexE
tsexE
.hZ^u
.hZ^u
"T.Lo4
"T.Lo4
{o2.pv
{o2.pv
?.eoY
?.eoY
[.hbk
[.hbk
1%sF3
1%sF3
E.Wj"
E.Wj"
1.Kkz
1.Kkz
.Ukl)
.Ukl)
Ox.Sl
Ox.Sl
'.MSj
'.MSj
{.hinP
{.hinP
~.bPZw
~.bPZw
=.DDAL
=.DDAL
-T.JkK
-T.JkK
.iHvhc?!B5
.iHvhc?!B5
c.G%U
c.G%U
?%cv7
?%cv7
MQi{%D
MQi{%D
#.fE]
#.fE]
Q.CF(
Q.CF(
Y.SO~
Y.SO~
Izf.Tn
Izf.Tn
vZ~Ë
vZ~Ë
.xn5Lh'
.xn5Lh'
%X?b`y
%X?b`y
0N.oq
0N.oq
D.Lu>dd
D.Lu>dd
.uxR(
.uxR(
2P%c#
2P%c#
D^L$%d
D^L$%d
.fo4
.fo4
"crypted.exe"
"crypted.exe"
"Tiara's Moonshine Mod G9S2-V60 Installer.exe"
"Tiara's Moonshine Mod G9S2-V60 Installer.exe"
Kernel32.dll
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C: -- Override Install Command defined by author.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.0.6001.18000 (longhorn_rtm.080118-1840)
6.0.6001.18000 (longhorn_rtm.080118-1840)
WEXTRACT.EXE
WEXTRACT.EXE
Windows
Windows
Operating System
Operating System
6.0.6001.18000
6.0.6001.18000
Tiara's Moonshine Mod G9S2-V60 Installer.exe_312:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp\BgImage.dll
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp\BgImage.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp\BgImage.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp\BgImage.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp
.reloc
.reloc
SSSSSSh
SSSSSSh
WINMM.dll
WINMM.dll
BgImage.dll
BgImage.dll
'.HkIy
'.HkIy
D.wA"?
D.wA"?
.gmRyOL
.gmRyOL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\spltmp.wav
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\spltmp.wav
spltmp.wav
spltmp.wav
\Temp\nsk2.tmp\BgImage.dll
\Temp\nsk2.tmp\BgImage.dll
l15.ini if You Wish to Restore Font Back to Default)
l15.ini if You Wish to Restore Font Back to Default)
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk2.tmp
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe"
C:\Nexon\Mabinogi
C:\Nexon\Mabinogi
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
Tiara's Moonshine Mod G9S2-V60 Installer.exe
Tiara's Moonshine Mod G9S2-V60 Installer.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\Tiara's Moonshine Mod G9S2-V60 Installer.exe