Analysis Date: 2014-12-26 12:06:07
MD5: 157966912bf75e8984f64d95ae863991
SHA1: 7ee671b79cbaa1c9f9164949a60566f8621e1d48

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: c69726ed422d3dcfdec9731986daa752 sha1: 4546608e3b1a2ab1d69a34018d2ddfa7fa411885 size: 23040
Section: .rdata md5: a2c7710fa66fcbb43c7ef0ab9eea5e9a sha1: 60485025c47935e745e57b6efc7042f2261b7d53 size: 4608
Section: .data md5: e59cdcb732e4bfbc84cc61dd68354f78 sha1: ffc24489dd56b406f9078ba1cb9c71e9b430dbee size: 1024
Section: .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .rsrc md5: a25c8ad1bb6da1c5758c9f76646474c8 sha1: 4172212d9286286c5300d55a944a49dd2a8e44e1 size: 2560
Timestamp: 2009-12-05 22:50:41
Packer: Nullsoft PiMP Stub -> SFX
PEhash: b7b13e0d13f9fff9b64ead1c35ca8ca615516b6d
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Downloader.NSIS.Chindo.s
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: IQIYIsetup_l_spl004@kb010.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Base64.dll
Creates File: C:\Program Files\Common Files\4.ico
Creates File: ins1256858.exe
Creates File: -2000_1_qkt.exe
Creates File: 2345Explorer_329242_silence.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: aodce.exe
Creates File: F1023_s_30974.exe
Creates File: PIPE\lsarpc
Creates File: C:\Program Files\Common Files\1.rar
Creates File: \Device\Afd\Endpoint
Creates File: 9377mycs_Y_mgaz2_01.exe
Creates File: C:\Program Files\Common Files\2.ico
Creates File: Baidu_Com_90000214.exe
Creates File: SoHuVA_4.2.0.16-c204900009-ng-s-run-x.exe
Creates File: setup_3501.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\System.dll
Creates File: OfficeAssist.0419.80.1123.exe
Creates File: MM-liao8398.exe
Creates File: BFVCenter-y4bd2[[BB027]].exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: QQBrowser_Setup_Hk_78653.exe
Creates File: hkyl_yls_hk2014_202lm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\NsProcess.dll
Creates File: yx_dts.exe
Creates File: setup_95165069.exe
Creates File: G1031_s_71117.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Inetc.dll
Deletes File: IQIYIsetup_l_spl004@kb010.exe
Deletes File: C:\Program Files\Common Files\4.ico
Deletes File: ins1256858.exe
Deletes File: -2000_1_qkt.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp
Deletes File: 2345Explorer_329242_silence.exe
Deletes File: F1023_s_30974.exe
Deletes File: C:\Program Files\Common Files\1.rar
Deletes File: 9377mycs_Y_mgaz2_01.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse1.tmp
Deletes File: Baidu_Com_90000214.exe
Deletes File: OfficeAssist.0419.80.1123.exe
Deletes File: setup_3501.exe
Deletes File: SoHuVA_4.2.0.16-c204900009-ng-s-run-x.exe
Deletes File: MM-liao8398.exe
Deletes File: BFVCenter-y4bd2[[BB027]].exe
Deletes File: QQBrowser_Setup_Hk_78653.exe
Deletes File: yx_dts.exe
Deletes File: hkyl_yls_hk2014_202lm.exe
Deletes File: setup_95165069.exe
Deletes File: G1031_s_71117.exe
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Runing
Winsock DNS: int.dpool.sina.com.cn
Winsock DNS: idc.xn--r93a55o.cc
Winsock DNS: pchome.b0.upaiyun.com
Winsock DNS: shadu.baidu.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://pchome.b0.upaiyun.com/2.ico
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://idc.xn--r93a55o.cc/yx_dts.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://idc.xn--r93a55o.cc/OfficeAssist.0419.80.1123.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://shadu.baidu.com/index/mini_2to1_download/90000214
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://mmliao.jianting.net/mmliao/MM-liao8398.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://down.asjujia.com:6677/setup/setup_3501.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://down.woka123.cn/qudao/hk/hkyl_yls_hk2014_202lm.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://p2p.hd.sohu.com/dcs.do?f=1&s=204900009&append=-ng-s-run
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://idc.xn--r93a55o.cc/F1023_s_30974.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://xiazai.9377.com/20141201/9377mycs_Y_mgaz2_01.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://idc.xn--r93a55o.cc/G1031_s_71117.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://dl.nx5.com/apk/20141222/setup_95165069.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://g.quwen320.com/d/ins1256858.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://qkt.ksxbyy.com/qukt/bind/-2000_1_qkt.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://dl.baofeng.com/BFVCenter/BFVCenter-y4bd2[[BB027]].exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe
User-Agent: NSIS_Inetc (Mozilla)
HTTP GET: http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe
User-Agent: NSIS_Inetc (Mozilla)

Raw Pcap


Strings