Analysis Date | 2015-01-21 06:34:48 |
---|---|
MD5 | 4447d13a9c1e28b9594da331795c571e |
SHA1 | fe9151c6c17cd9ebbb5368bf08e420848a5c1152 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064 | |
Section | .rdata md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120 | |
Section | .data md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024 | |
Section | .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
Section | .rsrc md5: 546d0cb567e779152101b2ec0f45c411 sha1: bee11bf1aad191be35a1bfa669c6fef77ca88ec2 size: 177152 | |
Timestamp | 2009-12-05 22:50:52 | |
Packer | Nullsoft PiMP Stub -> SFX | |
PEhash | 6890267322c1b28b56409fbab2470600804ace5b | |
IMPhash | 7fa974366048f9c551ef45714595665e | |
AV | 360 Safe | no_virus |
AV | Ad-Aware | no_virus |
AV | Alwil (avast) | no_virus |
AV | Arcabit (arcavir) | no_virus |
AV | Authentium | no_virus |
AV | Avira (antivir) | no_virus |
AV | BullGuard | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | CAT (quickheal) | Downloader.NSIS.r5 (Not a Virus) |
AV | ClamAV | no_virus |
AV | Dr. Web | no_virus |
AV | Emsisoft | no_virus |
AV | Eset (nod32) | no_virus |
AV | Fortinet | no_virus |
AV | Frisk (f-prot) | no_virus |
AV | F-Secure | no_virus |
AV | Grisoft (avg) | no_virus |
AV | Ikarus | no_virus |
AV | K7 | no_virus |
AV | Kaspersky | HEUR:Downloader.NSIS.Feasu.heur |
AV | MalwareBytes | no_virus |
AV | Mcafee | no_virus |
AV | Microsoft Security Essentials | no_virus |
AV | MicroWorld (escan) | no_virus |
AV | Rising | no_virus |
AV | Sophos | no_virus |
AV | Symantec | no_virus |
AV | Trend Micro | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Start Menu\Programs\0917\uninst.lnk |
Creates File | setup_001.exe |
Creates File | BaiduPlayerNetSetup_472.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k2.ico |
Creates File | C:\Program Files\0917\Uninstall.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Base64.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k1.ico |
Creates File | ins1256858.exe |
Creates File | OfficeAssist.0334.80.1078.exe |
Creates File | PIPE\wkssvc |
Creates File | F1023_s_30974.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\NSISdl.dll |
Creates File | 9377mycs_Y_mgaz2_01.exe |
Creates File | setup_3386.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\1.rar |
Creates File | UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | yx_dts.exe |
Creates File | letvsetup.exe |
Creates File | IQIYIsetup_l_spl004@kb010.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | G1031_s_71115.exe |
Creates File | 2345Explorer_329242_silence.exe |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | WanDouJia_runk4_kb.exe |
Creates File | PIPE\srvsvc |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\System.dll |
Creates File | MM-liao8398.exe |
Creates File | SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe |
Creates File | QQBrowser_Setup_Hk_78653.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Inetc.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\nsProcess.dll |
Deletes File | letvsetup.exe |
Deletes File | setup_001.exe |
Deletes File | BaiduPlayerNetSetup_472.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k2.ico |
Deletes File | IQIYIsetup_l_spl004@kb010.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k1.ico |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Base64.dll |
Deletes File | ins1256858.exe |
Deletes File | OfficeAssist.0334.80.1078.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp |
Deletes File | 2345Explorer_329242_silence.exe |
Deletes File | G1031_s_71115.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\NSISdl.dll |
Deletes File | F1023_s_30974.exe |
Deletes File | 9377mycs_Y_mgaz2_01.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsy1.tmp |
Deletes File | setup_3386.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\1.rar |
Deletes File | WanDouJia_runk4_kb.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\System.dll |
Deletes File | MM-liao8398.exe |
Deletes File | SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe |
Deletes File | UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe |
Deletes File | yx_dts.exe |
Deletes File | QQBrowser_Setup_Hk_78653.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Inetc.dll |
Creates Process | WanDouJia_runk4_kb.exe -hide |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Mutex | 0917 |
Winsock DNS | show.man1234.com |
Winsock DNS | xn--sesz3ik91bknc.xn--fiqs8s |
Winsock DNS | leju.down.letv.com |
Winsock DNS | d.qq66699.com |
Process
↳ C:\Program Files\Internet Explorer\iexplore.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | _SHuassist.mtx |
Creates Mutex | Shell.CMruPidlList |
Process
↳ WanDouJia_runk4_kb.exe -hide
Network Details:
DNS | int.dpool.sina.com.cn Type: A 180.149.136.250 |
---|---|
DNS | show.man1234.com Type: A 122.227.42.227 |
DNS | c01.i06.arnic.hadns.net Type: A 58.220.2.5 |
DNS | c01.i06.arnic.hadns.net Type: A 113.17.184.10 |
DNS | c01.i06.arnic.hadns.net Type: A 121.10.117.139 |
DNS | c01.i06.arnic.hadns.net Type: A 183.56.172.47 |
DNS | c01.i06.arnic.hadns.net Type: A 222.186.20.122 |
DNS | coop.gslb.leletv.net Type: A 115.182.51.55 |
DNS | shadu.n.shifen.com Type: A 123.125.65.162 |
DNS | swwx.n.shifen.com Type: A 123.125.65.175 |
DNS | dldir1.qq.com.cdngc.net Type: A 174.35.56.164 |
DNS | dldir1.qq.com.cdngc.net Type: A 174.35.56.186 |
DNS | dl.p2sp.n.shifen.com Type: A 61.135.185.123 |
DNS | g.quwen320.com Type: A 219.238.237.210 |
DNS | download012.rdb.cnc.ccgslb.com.cn Type: A 61.179.105.148 |
DNS | download012.rdb.cnc.ccgslb.com.cn Type: A 61.179.105.147 |
DNS | down.gtm.ucweb.com Type: A 120.196.208.98 |
DNS | down.gtm.ucweb.com Type: A 211.103.82.247 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.6 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.234.3 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.234.4 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.2 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.3 |
DNS | opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.5 |
DNS | na.b9.aicdn.com Type: A 72.8.188.94 |
DNS | na.b9.aicdn.com Type: A 72.8.188.98 |
DNS | na.b9.aicdn.com Type: A 108.186.7.129 |
DNS | na.b9.aicdn.com Type: A 108.186.7.130 |
DNS | na.b9.aicdn.com Type: A 108.186.7.131 |
DNS | na.b9.aicdn.com Type: A 72.8.188.90 |
DNS | download.pps.tv.webscache.com Type: A 119.188.40.81 |
DNS | download.2345.com Type: A 122.228.248.3 |
DNS | download.2345.com Type: A 218.75.155.244 |
DNS | download.2345.com Type: A 60.191.187.15 |
DNS | download.2345.com Type: A 60.191.223.2 |
DNS | download.2345.com Type: A 60.191.223.4 |
DNS | download.2345.com Type: A 60.191.223.15 |
DNS | download.2345.com Type: A 61.147.127.202 |
DNS | download.2345.com Type: A 61.147.127.203 |
DNS | download.2345.com Type: A 61.160.245.8 |
DNS | download.2345.com Type: A 61.160.245.11 |
DNS | download.2345.com Type: A 61.160.245.14 |
DNS | aaa.163vv.com Type: A 60.222.232.224 |
DNS | aaa.163vv.com Type: A 222.186.60.18 |
DNS | aaa.163vv.com Type: A 222.186.60.23 |
DNS | aaa.163vv.com Type: A 222.186.60.60 |
DNS | s.lllsoo.com Type: A 42.120.61.139 |
DNS | dl.wandoujia.com Type: A 125.39.216.11 |
DNS | xn--sesz3ik91bknc.xn--fiqs8s Type: A |
DNS | d.qq66699.com Type: A |
DNS | leju.down.letv.com Type: A |
DNS | shadu.baidu.com Type: A |
DNS | w.x.baidu.com Type: A |
DNS | dldir1.qq.com Type: A |
DNS | dl.p2sp.baidu.com Type: A |
DNS | wdl1.cache.wps.cn Type: A |
DNS | down2.uc.cn Type: A |
DNS | xiazai.9377.com Type: A |
DNS | soft.lvbaoranshiye.com Type: A |
DNS | dl.static.iqiyi.com Type: A |
DNS | download.2345.cn Type: A |
DNS | down.yinyue.fm Type: A |
HTTP GET | http://int.dpool.sina.com.cn/iplookup/iplookup.php User-Agent: NSISDL/1.2 (Mozilla) |
HTTP GET | http://show.man1234.com/mmliao/MM-liao8398.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://d.qq66699.com/yx/dts/sqcs/916631/yx_dts.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://leju.down.letv.com/pcweb/version/7.1.2.327/client_lianmeng7-09/letvsetup.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://shadu.baidu.com/index/fulldownload/30974 User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://w.x.baidu.com/go/full/1/71115 User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_472.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://g.quwen320.com/d/ins1256858.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://wdl1.cache.wps.cn/wps/download/OfficeAssist.0334.80.1078.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://down2.uc.cn/pcbrowser/down.php?id=101&pid=4443&type=downloader User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://download.2345.cn/silence/2345Explorer_329242_silence.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://down.yinyue.fm/open/setup_3386.exe User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://s.lllsoo.com/click/66947 User-Agent: NSIS_Inetc (Mozilla) |
HTTP GET | http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe User-Agent: NSIS_Inetc (Mozilla) |
Flows TCP | 192.168.1.1:1031 ➝ 180.149.136.250:80 |
Flows TCP | 192.168.1.1:1032 ➝ 122.227.42.227:80 |
Flows TCP | 192.168.1.1:1033 ➝ 58.220.2.5:80 |
Flows TCP | 192.168.1.1:1034 ➝ 115.182.51.55:80 |
Flows TCP | 192.168.1.1:1035 ➝ 123.125.65.162:80 |
Flows TCP | 192.168.1.1:1036 ➝ 123.125.65.175:80 |
Flows TCP | 192.168.1.1:1037 ➝ 174.35.56.164:80 |
Flows TCP | 192.168.1.1:1038 ➝ 61.135.185.123:80 |
Flows TCP | 192.168.1.1:1039 ➝ 219.238.237.210:80 |
Flows TCP | 192.168.1.1:1040 ➝ 61.179.105.148:80 |
Flows TCP | 192.168.1.1:1041 ➝ 120.196.208.98:80 |
Flows TCP | 192.168.1.1:1042 ➝ 8.37.235.6:80 |
Flows TCP | 192.168.1.1:1043 ➝ 72.8.188.94:80 |
Flows TCP | 192.168.1.1:1044 ➝ 119.188.40.81:80 |
Flows TCP | 192.168.1.1:1045 ➝ 122.228.248.3:80 |
Flows TCP | 192.168.1.1:1046 ➝ 60.222.232.224:80 |
Flows TCP | 192.168.1.1:1047 ➝ 42.120.61.139:80 |
Flows TCP | 192.168.1.1:1048 ➝ 125.39.216.11:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f69706c 6f6f6b75 702f6970 GET /iplookup/ip 0x00000010 (00016) 6c6f6f6b 75702e70 68702048 5454502f lookup.php HTTP/ 0x00000020 (00032) 312e300d 0a486f73 743a2069 6e742e64 1.0..Host: int.d 0x00000030 (00048) 706f6f6c 2e73696e 612e636f 6d2e636e pool.sina.com.cn 0x00000040 (00064) 0d0a5573 65722d41 67656e74 3a204e53 ..User-Agent: NS 0x00000050 (00080) 4953444c 2f312e32 20284d6f 7a696c6c ISDL/1.2 (Mozill 0x00000060 (00096) 61290d0a 41636365 70743a20 2a2f2a0d a)..Accept: */*. 0x00000070 (00112) 0a0d0a ... 0x00000000 (00000) 47455420 2f6d6d6c 69616f2f 4d4d2d6c GET /mmliao/MM-l 0x00000010 (00016) 69616f38 3339382e 65786520 48545450 iao8398.exe HTTP 0x00000020 (00032) 2f312e31 0d0a5573 65722d41 67656e74 /1.1..User-Agent 0x00000030 (00048) 3a204e53 49535f49 6e657463 20284d6f : NSIS_Inetc (Mo 0x00000040 (00064) 7a696c6c 61290d0a 486f7374 3a207368 zilla)..Host: sh 0x00000050 (00080) 6f772e6d 616e3132 33342e63 6f6d0d0a ow.man1234.com.. 0x00000060 (00096) 436f6e6e 65637469 6f6e3a20 4b656570 Connection: Keep 0x00000070 (00112) 2d416c69 76650d0a 43616368 652d436f -Alive..Cache-Co 0x00000080 (00128) 6e74726f 6c3a206e 6f2d6361 6368650d ntrol: no-cache. 0x00000090 (00144) 0a0d0a ... 0x00000000 (00000) 47455420 2f79782f 6474732f 73716373 GET /yx/dts/sqcs 0x00000010 (00016) 2f393136 3633312f 79785f64 74732e65 /916631/yx_dts.e 0x00000020 (00032) 78652048 5454502f 312e310d 0a557365 xe HTTP/1.1..Use 0x00000030 (00048) 722d4167 656e743a 204e5349 535f496e r-Agent: NSIS_In 0x00000040 (00064) 65746320 284d6f7a 696c6c61 290d0a48 etc (Mozilla)..H 0x00000050 (00080) 6f73743a 20642e71 71363636 39392e63 ost: d.qq66699.c 0x00000060 (00096) 6f6d0d0a 436f6e6e 65637469 6f6e3a20 om..Connection: 0x00000070 (00112) 4b656570 2d416c69 76650d0a 43616368 Keep-Alive..Cach 0x00000080 (00128) 652d436f 6e74726f 6c3a206e 6f2d6361 e-Control: no-ca 0x00000090 (00144) 6368650d 0a0d0a che.... 0x00000000 (00000) 47455420 2f706377 65622f76 65727369 GET /pcweb/versi 0x00000010 (00016) 6f6e2f37 2e312e32 2e333237 2f636c69 on/7.1.2.327/cli 0x00000020 (00032) 656e745f 6c69616e 6d656e67 372d3039 ent_lianmeng7-09 0x00000030 (00048) 2f6c6574 76736574 75702e65 78652048 /letvsetup.exe H 0x00000040 (00064) 5454502f 312e310d 0a557365 722d4167 TTP/1.1..User-Ag 0x00000050 (00080) 656e743a 204e5349 535f496e 65746320 ent: NSIS_Inetc 0x00000060 (00096) 284d6f7a 696c6c61 290d0a48 6f73743a (Mozilla)..Host: 0x00000070 (00112) 206c656a 752e646f 776e2e6c 6574762e leju.down.letv. 0x00000080 (00128) 636f6d0d 0a436f6e 6e656374 696f6e3a com..Connection: 0x00000090 (00144) 204b6565 702d416c 6976650d 0a436163 Keep-Alive..Cac 0x000000a0 (00160) 68652d43 6f6e7472 6f6c3a20 6e6f2d63 he-Control: no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f696e64 65782f66 756c6c64 GET /index/fulld 0x00000010 (00016) 6f776e6c 6f61642f 33303937 34204854 ownload/30974 HT 0x00000020 (00032) 54502f31 2e310d0a 55736572 2d416765 TP/1.1..User-Age 0x00000030 (00048) 6e743a20 4e534953 5f496e65 74632028 nt: NSIS_Inetc ( 0x00000040 (00064) 4d6f7a69 6c6c6129 0d0a486f 73743a20 Mozilla)..Host: 0x00000050 (00080) 73686164 752e6261 6964752e 636f6d0d shadu.baidu.com. 0x00000060 (00096) 0a436f6e 6e656374 696f6e3a 204b6565 .Connection: Kee 0x00000070 (00112) 702d416c 6976650d 0a436163 68652d43 p-Alive..Cache-C 0x00000080 (00128) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x00000090 (00144) 0d0a0d0a 702d416c 6976650d 0a436163 ....p-Alive..Cac 0x000000a0 (00160) 68652d43 6f6e7472 6f6c3a20 6e6f2d63 he-Control: no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f676f2f 66756c6c 2f312f37 GET /go/full/1/7 0x00000010 (00016) 31313135 20485454 502f312e 310d0a55 1115 HTTP/1.1..U 0x00000020 (00032) 7365722d 4167656e 743a204e 5349535f ser-Agent: NSIS_ 0x00000030 (00048) 496e6574 6320284d 6f7a696c 6c61290d Inetc (Mozilla). 0x00000040 (00064) 0a486f73 743a2077 2e782e62 61696475 .Host: w.x.baidu 0x00000050 (00080) 2e636f6d 0d0a436f 6e6e6563 74696f6e .com..Connection 0x00000060 (00096) 3a204b65 65702d41 6c697665 0d0a4361 : Keep-Alive..Ca 0x00000070 (00112) 6368652d 436f6e74 726f6c3a 206e6f2d che-Control: no- 0x00000080 (00128) 63616368 650d0a0d 0a6f2d63 61636865 cache....o-cache 0x00000090 (00144) 0d0a0d0a 702d416c 6976650d 0a436163 ....p-Alive..Cac 0x000000a0 (00160) 68652d43 6f6e7472 6f6c3a20 6e6f2d63 he-Control: no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f696e76 632f7474 2f515142 GET /invc/tt/QQB 0x00000010 (00016) 726f7773 65725f53 65747570 5f486b5f rowser_Setup_Hk_ 0x00000020 (00032) 37383635 332e6578 65204854 54502f31 78653.exe HTTP/1 0x00000030 (00048) 2e310d0a 55736572 2d416765 6e743a20 .1..User-Agent: 0x00000040 (00064) 4e534953 5f496e65 74632028 4d6f7a69 NSIS_Inetc (Mozi 0x00000050 (00080) 6c6c6129 0d0a486f 73743a20 646c6469 lla)..Host: dldi 0x00000060 (00096) 72312e71 712e636f 6d0d0a43 6f6e6e65 r1.qq.com..Conne 0x00000070 (00112) 6374696f 6e3a204b 6565702d 416c6976 ction: Keep-Aliv 0x00000080 (00128) 650d0a43 61636865 2d436f6e 74726f6c e..Cache-Control 0x00000090 (00144) 3a206e6f 2d636163 68650d0a 0d0a6163 : no-cache....ac 0x000000a0 (00160) 68652d43 6f6e7472 6f6c3a20 6e6f2d63 he-Control: no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f426169 6475506c 61796572 GET /BaiduPlayer 0x00000010 (00016) 436f6e74 656e742f 42616964 75506c61 Content/BaiduPla 0x00000020 (00032) 7965724e 65745365 7475705f 3437322e yerNetSetup_472. 0x00000030 (00048) 65786520 48545450 2f312e31 0d0a5573 exe HTTP/1.1..Us 0x00000040 (00064) 65722d41 67656e74 3a204e53 49535f49 er-Agent: NSIS_I 0x00000050 (00080) 6e657463 20284d6f 7a696c6c 61290d0a netc (Mozilla).. 0x00000060 (00096) 486f7374 3a20646c 2e703273 702e6261 Host: dl.p2sp.ba 0x00000070 (00112) 6964752e 636f6d0d 0a436f6e 6e656374 idu.com..Connect 0x00000080 (00128) 696f6e3a 204b6565 702d416c 6976650d ion: Keep-Alive. 0x00000090 (00144) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control: 0x000000a0 (00160) 6e6f2d63 61636865 0d0a0d0a 6e6f2d63 no-cache....no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f642f69 6e733132 35363835 GET /d/ins125685 0x00000010 (00016) 382e6578 65204854 54502f31 2e310d0a 8.exe HTTP/1.1.. 0x00000020 (00032) 55736572 2d416765 6e743a20 4e534953 User-Agent: NSIS 0x00000030 (00048) 5f496e65 74632028 4d6f7a69 6c6c6129 _Inetc (Mozilla) 0x00000040 (00064) 0d0a486f 73743a20 672e7175 77656e33 ..Host: g.quwen3 0x00000050 (00080) 32302e63 6f6d0d0a 436f6e6e 65637469 20.com..Connecti 0x00000060 (00096) 6f6e3a20 4b656570 2d416c69 76650d0a on: Keep-Alive.. 0x00000070 (00112) 43616368 652d436f 6e74726f 6c3a206e Cache-Control: n 0x00000080 (00128) 6f2d6361 6368650d 0a0d0a6c 6976650d o-cache....live. 0x00000090 (00144) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control: 0x000000a0 (00160) 6e6f2d63 61636865 0d0a0d0a 6e6f2d63 no-cache....no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f777073 2f646f77 6e6c6f61 GET /wps/downloa 0x00000010 (00016) 642f4f66 66696365 41737369 73742e30 d/OfficeAssist.0 0x00000020 (00032) 3333342e 38302e31 3037382e 65786520 334.80.1078.exe 0x00000030 (00048) 48545450 2f312e31 0d0a5573 65722d41 HTTP/1.1..User-A 0x00000040 (00064) 67656e74 3a204e53 49535f49 6e657463 gent: NSIS_Inetc 0x00000050 (00080) 20284d6f 7a696c6c 61290d0a 486f7374 (Mozilla)..Host 0x00000060 (00096) 3a207764 6c312e63 61636865 2e777073 : wdl1.cache.wps 0x00000070 (00112) 2e636e0d 0a436f6e 6e656374 696f6e3a .cn..Connection: 0x00000080 (00128) 204b6565 702d416c 6976650d 0a436163 Keep-Alive..Cac 0x00000090 (00144) 68652d43 6f6e7472 6f6c3a20 6e6f2d63 he-Control: no-c 0x000000a0 (00160) 61636865 0d0a0d0a 0d0a0d0a 6e6f2d63 ache........no-c 0x000000b0 (00176) 61636865 0d0a0d0a ache.... 0x00000000 (00000) 47455420 2f706362 726f7773 65722f64 GET /pcbrowser/d 0x00000010 (00016) 6f776e2e 7068703f 69643d31 30312670 own.php?id=101&p 0x00000020 (00032) 69643d34 34343326 74797065 3d646f77 id=4443&type=dow 0x00000030 (00048) 6e6c6f61 64657220 48545450 2f312e31 nloader HTTP/1.1 0x00000040 (00064) 0d0a5573 65722d41 67656e74 3a204e53 ..User-Agent: NS 0x00000050 (00080) 49535f49 6e657463 20284d6f 7a696c6c IS_Inetc (Mozill 0x00000060 (00096) 61290d0a 486f7374 3a20646f 776e322e a)..Host: down2. 0x00000070 (00112) 75632e63 6e0d0a43 6f6e6e65 6374696f uc.cn..Connectio 0x00000080 (00128) 6e3a204b 6565702d 416c6976 650d0a43 n: Keep-Alive..C 0x00000090 (00144) 61636865 2d436f6e 74726f6c 3a206e6f ache-Control: no 0x000000a0 (00160) 2d636163 68650d0a 0d0a -cache.... 0x00000000 (00000) 47455420 2f323031 34303932 382f3933 GET /20140928/93 0x00000010 (00016) 37376d79 63735f59 5f6d6761 7a325f30 77mycs_Y_mgaz2_0 0x00000020 (00032) 312e6578 65204854 54502f31 2e310d0a 1.exe HTTP/1.1.. 0x00000030 (00048) 55736572 2d416765 6e743a20 4e534953 User-Agent: NSIS 0x00000040 (00064) 5f496e65 74632028 4d6f7a69 6c6c6129 _Inetc (Mozilla) 0x00000050 (00080) 0d0a486f 73743a20 7869617a 61692e39 ..Host: xiazai.9 0x00000060 (00096) 3337372e 636f6d0d 0a436f6e 6e656374 377.com..Connect 0x00000070 (00112) 696f6e3a 204b6565 702d416c 6976650d ion: Keep-Alive. 0x00000080 (00128) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control: 0x00000090 (00144) 6e6f2d63 61636865 0d0a0d0a 3a206e6f no-cache....: no 0x000000a0 (00160) 2d636163 68650d0a 0d0a -cache.... 0x00000000 (00000) 47455420 2f536f48 7556415f 342e332e GET /SoHuVA_4.3. 0x00000010 (00016) 302e312d 63323034 39303030 30332d6e 0.1-c204900003-n 0x00000020 (00032) 672d6e74 692d732d 782e7261 72204854 g-nti-s-x.rar HT 0x00000030 (00048) 54502f31 2e310d0a 55736572 2d416765 TP/1.1..User-Age 0x00000040 (00064) 6e743a20 4e534953 5f496e65 74632028 nt: NSIS_Inetc ( 0x00000050 (00080) 4d6f7a69 6c6c6129 0d0a486f 73743a20 Mozilla)..Host: 0x00000060 (00096) 736f6674 2e6c7662 616f7261 6e736869 soft.lvbaoranshi 0x00000070 (00112) 79652e63 6f6d0d0a 436f6e6e 65637469 ye.com..Connecti 0x00000080 (00128) 6f6e3a20 4b656570 2d416c69 76650d0a on: Keep-Alive.. 0x00000090 (00144) 43616368 652d436f 6e74726f 6c3a206e Cache-Control: n 0x000000a0 (00160) 6f2d6361 6368650d 0a0d0a o-cache.... 0x00000000 (00000) 47455420 2f687a2f 49514959 49736574 GET /hz/IQIYIset 0x00000010 (00016) 75705f6c 5f73706c 30303440 6b623031 up_l_spl004@kb01 0x00000020 (00032) 302e6578 65204854 54502f31 2e310d0a 0.exe HTTP/1.1.. 0x00000030 (00048) 55736572 2d416765 6e743a20 4e534953 User-Agent: NSIS 0x00000040 (00064) 5f496e65 74632028 4d6f7a69 6c6c6129 _Inetc (Mozilla) 0x00000050 (00080) 0d0a486f 73743a20 646c2e73 74617469 ..Host: dl.stati 0x00000060 (00096) 632e6971 6979692e 636f6d0d 0a436f6e c.iqiyi.com..Con 0x00000070 (00112) 6e656374 696f6e3a 204b6565 702d416c nection: Keep-Al 0x00000080 (00128) 6976650d 0a436163 68652d43 6f6e7472 ive..Cache-Contr 0x00000090 (00144) 6f6c3a20 6e6f2d63 61636865 0d0a0d0a ol: no-cache.... 0x000000a0 (00160) 6f2d6361 6368650d 0a0d0a o-cache.... 0x00000000 (00000) 47455420 2f73696c 656e6365 2f323334 GET /silence/234 0x00000010 (00016) 35457870 6c6f7265 725f3332 39323432 5Explorer_329242 0x00000020 (00032) 5f73696c 656e6365 2e657865 20485454 _silence.exe HTT 0x00000030 (00048) 502f312e 310d0a55 7365722d 4167656e P/1.1..User-Agen 0x00000040 (00064) 743a204e 5349535f 496e6574 6320284d t: NSIS_Inetc (M 0x00000050 (00080) 6f7a696c 6c61290d 0a486f73 743a2064 ozilla)..Host: d 0x00000060 (00096) 6f776e6c 6f61642e 32333435 2e636e0d ownload.2345.cn. 0x00000070 (00112) 0a436f6e 6e656374 696f6e3a 204b6565 .Connection: Kee 0x00000080 (00128) 702d416c 6976650d 0a436163 68652d43 p-Alive..Cache-C 0x00000090 (00144) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x000000a0 (00160) 0d0a0d0a 6368650d 0a0d0a ....che.... 0x00000000 (00000) 47455420 2f6f7065 6e2f7365 7475705f GET /open/setup_ 0x00000010 (00016) 33333836 2e657865 20485454 502f312e 3386.exe HTTP/1. 0x00000020 (00032) 310d0a55 7365722d 4167656e 743a204e 1..User-Agent: N 0x00000030 (00048) 5349535f 496e6574 6320284d 6f7a696c SIS_Inetc (Mozil 0x00000040 (00064) 6c61290d 0a486f73 743a2064 6f776e2e la)..Host: down. 0x00000050 (00080) 79696e79 75652e66 6d0d0a43 6f6e6e65 yinyue.fm..Conne 0x00000060 (00096) 6374696f 6e3a204b 6565702d 416c6976 ction: Keep-Aliv 0x00000070 (00112) 650d0a43 61636865 2d436f6e 74726f6c e..Cache-Control 0x00000080 (00128) 3a206e6f 2d636163 68650d0a 0d0a2d43 : no-cache....-C 0x00000090 (00144) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x000000a0 (00160) 0d0a0d0a 6368650d 0a0d0a ....che.... 0x00000000 (00000) 47455420 2f636c69 636b2f36 36393437 GET /click/66947 0x00000010 (00016) 20485454 502f312e 310d0a55 7365722d HTTP/1.1..User- 0x00000020 (00032) 4167656e 743a204e 5349535f 496e6574 Agent: NSIS_Inet 0x00000030 (00048) 6320284d 6f7a696c 6c61290d 0a486f73 c (Mozilla)..Hos 0x00000040 (00064) 743a2073 2e6c6c6c 736f6f2e 636f6d0d t: s.lllsoo.com. 0x00000050 (00080) 0a436f6e 6e656374 696f6e3a 204b6565 .Connection: Kee 0x00000060 (00096) 702d416c 6976650d 0a436163 68652d43 p-Alive..Cache-C 0x00000070 (00112) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x00000080 (00128) 0d0a0d0a 2d636163 68650d0a 0d0a2d43 ....-cache....-C 0x00000090 (00144) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x000000a0 (00160) 0d0a0d0a 6368650d 0a0d0a ....che.... 0x00000000 (00000) 47455420 2f66696c 65732f69 6e73742f GET /files/inst/ 0x00000010 (00016) 57616e44 6f754a69 615f7275 6e6b345f WanDouJia_runk4_ 0x00000020 (00032) 6b622e65 78652048 5454502f 312e310d kb.exe HTTP/1.1. 0x00000030 (00048) 0a557365 722d4167 656e743a 204e5349 .User-Agent: NSI 0x00000040 (00064) 535f496e 65746320 284d6f7a 696c6c61 S_Inetc (Mozilla 0x00000050 (00080) 290d0a48 6f73743a 20646c2e 77616e64 )..Host: dl.wand 0x00000060 (00096) 6f756a69 612e636f 6d0d0a43 6f6e6e65 oujia.com..Conne 0x00000070 (00112) 6374696f 6e3a204b 6565702d 416c6976 ction: Keep-Aliv 0x00000080 (00128) 650d0a43 61636865 2d436f6e 74726f6c e..Cache-Control 0x00000090 (00144) 3a206e6f 2d636163 68650d0a 0d0a6865 : no-cache....he 0x000000a0 (00160) 0d0a0d0a 6368650d 0a0d0a ....che....
Strings
" ".E. . z.0r .8 !1Aa #+3;CScs msctls_progress32 MS Shell Dlg Please wait while Setup is loading... SysListView32 ;::*?+ ({,{<{*; *?|<>/": & [!`+ 02b^3$ 05(lBI 0Kr55| ^0m{?oz 0rE^1/ 0RV0ff' 1&cLu\ >1hsD! ^1r2rT 1+S12O!X 2PZw-D &3q21A 3.|(X]G 47? {? 4MO:In :[^~5^ 5i(-0Z7 \5Q\A}s) 5u+qqC 5[uV$r> 5x;p z& 6a+5v; 6hkP_W7 6n6>n| 6o:,#} ,6>v07f 6'W^J4}.S 6~x4h<z} 71vM<9 7 9{NL 7fr)r_ 7n_kL} 7o0vk:u 7R)/Ci 7szyFc [;7t4w '''8:: 8}1qQ6 8|2|3|4|5|6|7r 88tn)g 8NCRCu 8$Zw> =93ZK' 9d~3fA #9FJ7R 9 h#x_ *^9JCS} @9y$+ig: )ad5|* AdjustTokenPrivileges a`ds&2U ADVAPI32 ADVAPI32.dll A~fb5); +aH9#%l A\i 0g a<$iHC @[AmM~ {?AmT. ANm2b6 A^nZU=*n AppendMenuA _AQ!&I AR2_f` <aRo!z a]u;t' [awww, B&c0Fc bd2?PFG+& BeginPaint Berebu); bGz72bdN ='BU7Y C2a2N2q |C~6bI_ CallWindowProcA caWa|. CharNextA CharPrevA CheckDlgButton CJW(e, CloseClipboard CloseHandle CoCreateInstance COMCTL32.dll CompareFileTime Control Panel\Desktop\ResourceLocale CopyFileA CoTaskMemFree CreateBrushIndirect CreateDialogParamA CreateDirectoryA CreateFileA CreateFontIndirectA CreatePopupMenu CreateProcessA CreateThread CreateWindowExA c(r[v*^ Cu+o= 7 C*uSKbZVT @cV`Mv- cyf>Mm96x,% ... %d%% d\%@`+ D$0+D$(P @.data D$(+D$ SSP .DEFAULT\Control Panel\International DefWindowProcA DeIkfB_&bo DeleteFileA DeleteObject DestroyWindow D[f-byp dh}~lM DialogBoxParamA DispatchMessageA dKg&!g Do-?[q D$$Ph, dpwwwwww DrawTextA D$(SPS dX_Hp& $}eF?A )EMB\q EmptyClipboard EnableMenuItem EnableWindow EndDialog EndPaint e}Nkk- Error launching installer Error writing temporary file. Make sure your temp folder is valid. E|[sk;E EuzXhM ExitProcess ExitWindowsEx ExpandEnvironmentStringsA ]e_/[Zf- F6V<* FillRect FindClose FindFirstFileA FindNextFileA FindWindowExA Fj3*mj &FlU@U F"nsN 9 FreeLibrary FR' PN Ft)j=)5 FwT}Gy fy^_kO F>YLr= `FzMj:! ?Fzwo/ G|{:\# g3)x/c "g7:<TF"6< -gb-6n GDI32.dll GetClassInfoA GetClientRect GetCommandLineA GetCurrentProcess GetDeviceCaps GetDiskFreeSpaceA GetDiskFreeSpaceExA GetDlgItem GetDlgItemTextA GetExitCodeProcess GetFileAttributesA GetFileSize GetFileVersionInfoA GetFileVersionInfoSizeA GetFullPathNameA GetLastError GetMessagePos GetModuleFileNameA GetModuleHandleA GetPrivateProfileStringA GetProcAddress GetShortPathNameA GetSysColor GetSystemDirectoryA GetSystemMenu GetSystemMetrics GetTempFileNameA GetTempPathA GetTickCount GetUserDefaultUILanguage GetVersion GetWindowLongA GetWindowRect GetWindowsDirectoryA gfm;|j G#_ic+ gLGM'L/ GlobalAlloc GlobalFree GlobalLock GlobalUnlock GL/Wz@Z; %,GNw% G_:Q(5 ?GUwA} gVv#wH gX>uMQ G YCj"^7 g.ZO||k[ h3zVMI; h7x14=[ hAs<WN H$:KEg HsYRd] http://nsis.sf.net/NSIS_Error HtVHtHH h|TyD1Mc [h^w#p i^ i_A_?a :>ibdP= iC6j8X (iC QC iGJ 8sU_ ij9H3K$ s iL2["k ImageList_AddMasked ImageList_Create ImageList_Destroy iM&Y)V 'IN$Cl incomplete download and damaged media. Contact the Installer integrity check has failed. Common causes include installer's author to obtain a new copy. Instu` InvalidateRect iomprOA :`i"Re iRichu IsWindow IsWindowEnabled IsWindowVisible i#Zumn J#{4YU J6`vSt Jccc5w J\Fe='B |jSm=, j&S"[sP {.jtN@o '`k2`9 kaoD=[ KC}KK+o Ke7'y028 KERNEL32 KERNEL32.dll k@?h9z K[J9P? KR`T}eY ><kt`G KTjpCn .K^u}8 kV7V65 kZ{:@l* L=3W6?;G ~l#e'l Lh4Rc_ $;(lL2 .L;ml# LoadBitmapA LoadCursorA LoadImageA LoadLibraryA LoadLibraryExA LookupPrivilegeValueA l`r$D0b ~Lsl^_ lstrcatA lstrcmpA lstrcmpiA lstrcpynA lstrlenA l&thiFT.k ltJf_> \M2@Z" m`Bj*Lz MessageBoxIndirectA /m=GKn M;?)GL % M%HSPQ \Microsoft\Internet Explorer\Quick Launch Mj/jEm~ #&MJKm *M<+Kk?e? More information at: MoveFileA MoveFileExA MulDiv MultiByteToWideChar MycLu= >\'n}) <N1rJ .ndata nES"}2S NFb=FcN nH"-Y2 Nm+,\* N[m%lD[ NSIS Error ~nsu.tmp NullsoftInst NulluN E NWV:U1}{Fh nyC{AFU ~/o:;; ObQpMx O(G1!N{ +O#j@: O_!KW_$q ole32.dll OleInitialize OleUninitialize !O=p0j OpenClipboard OpenProcessToken OxAG3y pBPt-AX PeekMessageA )p)eq>k p#-ih)_ PIl@f9 PiXnh2 Pk3jo? p'KrtW| PO:015-V) PostQuitMessage PPPPPP PRJb/m q#/]0z q8I%[$ Q'&}8O Qbok{K QOlo#k qO<wV{ QP\X\Z QqAl5R\ q<sFRq<sz2 Q"S^Lz #$qTWY2S /q+z?N QZ_y\| r]4k?Cb2 2 ?~R96. ra&8$v} r*aL;/ `.rdata -?/rE'4 ReadFile RegCloseKey RegCreateKeyExA RegDeleteKeyA RegDeleteKeyExA RegDeleteValueA RegEnumKeyA RegEnumValueA RegisterClassA RegOpenKeyExA RegQueryValueExA RegSetValueExA RemoveDirectoryA [Rename] "r"&ET rf6+`o r]>`F@a RichEd20 RichEd32 RichEdit RichEdit20A >R)*<Ii ?r>LVk '}r%PG^A rQ>xQ( R_ZTSN S0C~zH /S>8+^ ScreenToClient SearchPathA SelectObject SendMessageA SendMessageTimeoutA SeShutdownPrivilege SetBkColor SetBkMode SetClassLongA SetClipboardData SetCurrentDirectoryA SetCursor SetDlgItemTextA SetErrorMode SetFileAttributesA SetFilePointer SetFileTime SetForegroundWindow SetTextColor SetTimer SetWindowLongA SetWindowPos SetWindowTextA SHAutoComplete SHBrowseForFolderA SHELL32.dll ShellExecuteA SHFileOperationA SHFOLDER SHGetFileInfoA SHGetFolderPathA SHGetPathFromIDListA SHGetSpecialFolderLocation SHLWAPI ShowWindow slmma6 softuW Software\Microsoft\Windows\CurrentVersion _Sq`oS SQSSSPW ss~5'l sWeHkZ swx[[|V SystemParametersInfoA > _?=t |=/t,' TByk)N t-cq&^ /Tg:K_ !This program cannot be run in DOS mode. TkRSPO .Tlx"z t#m-4" %TM78/W" T?MN?O _^[t P ?TP&{- tpmT}( TrackPopupMenu tW^8}@ Tx</fCg~ <T=x`k tXTi#Gg TYJ8kA t.#z)+ /U4V#s "Uf8^3> ^uH{Uu %UJ -R@}\< *UR-Pc USER32.dll %u.%u%s%s {uyU_e} u<Z,[z ;[[[;v V43S$7 V,Ec+i verifying installer: %d%% VerQueryValueA VERSION.dll %ve^Xm VhusA3 v#mB [ VM\}jM V.S6)[ VTz;qP v#Vh;+@ v?vwwOd` vx6S8j7{ ,)VXFG _v+xr@\w WaitForSingleObject wcb9p{M WEe-kC: ?w&ELG Wf(b:o \Wfi)N WiZURs $WM`RKF wouuuu w=\%PF+E8gM WriteFile WritePrivateProfileStringA wsprintfA W-=$v~ ;x =~# =x0wZEa x5Fv}\) x `=@9 <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly> x&O`B34" X,p~~^ X,pppPd X,pvv6Y7 +X]^qK XT%Q<H }X/v;K & =,<%*= Y yd^ d ( YdtF<w Yoc-nw: /Y(TcZ yUnR`N yWS|(d /^y@,Y Zaww73 (?ZmWJ;+< ~]={ZS