Analysis | #totalhash

Analysis Date	2015-01-21 06:34:48
MD5	4447d13a9c1e28b9594da331795c571e
SHA1	fe9151c6c17cd9ebbb5368bf08e420848a5c1152

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064
Section	.rdata md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120
Section	.data md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024
Section	.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section	.rsrc md5: 546d0cb567e779152101b2ec0f45c411 sha1: bee11bf1aad191be35a1bfa669c6fef77ca88ec2 size: 177152
Timestamp	2009-12-05 22:50:52
Packer	Nullsoft PiMP Stub -> SFX
PEhash	6890267322c1b28b56409fbab2470600804ace5b
IMPhash	7fa974366048f9c551ef45714595665e
AV	360 Safe	no_virus
AV	Ad-Aware	no_virus
AV	Alwil (avast)	no_virus
AV	Arcabit (arcavir)	no_virus
AV	Authentium	no_virus
AV	Avira (antivir)	no_virus
AV	BullGuard	no_virus
AV	CA (E-Trust Ino)	no_virus
AV	CAT (quickheal)	Downloader.NSIS.r5 (Not a Virus)
AV	ClamAV	no_virus
AV	Dr. Web	no_virus
AV	Emsisoft	no_virus
AV	Eset (nod32)	no_virus
AV	Fortinet	no_virus
AV	Frisk (f-prot)	no_virus
AV	F-Secure	no_virus
AV	Grisoft (avg)	no_virus
AV	Ikarus	no_virus
AV	K7	no_virus
AV	Kaspersky	HEUR:Downloader.NSIS.Feasu.heur
AV	MalwareBytes	no_virus
AV	Mcafee	no_virus
AV	Microsoft Security Essentials	no_virus
AV	MicroWorld (escan)	no_virus
AV	Rising	no_virus
AV	Sophos	no_virus
AV	Symantec	no_virus
AV	Trend Micro	no_virus
AV	VirusBlokAda (vba32)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Start Menu\Programs\0917\uninst.lnk
Creates File	setup_001.exe
Creates File	BaiduPlayerNetSetup_472.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k2.ico
Creates File	C:\Program Files\0917\Uninstall.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Base64.dll
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k1.ico
Creates File	ins1256858.exe
Creates File	OfficeAssist.0334.80.1078.exe
Creates File	PIPE\wkssvc
Creates File	F1023_s_30974.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\NSISdl.dll
Creates File	9377mycs_Y_mgaz2_01.exe
Creates File	setup_3386.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\1.rar
Creates File	UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	yx_dts.exe
Creates File	letvsetup.exe
Creates File	IQIYIsetup_l_spl004@kb010.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	G1031_s_71115.exe
Creates File	2345Explorer_329242_silence.exe
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	WanDouJia_runk4_kb.exe
Creates File	PIPE\srvsvc
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\System.dll
Creates File	MM-liao8398.exe
Creates File	SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Creates File	QQBrowser_Setup_Hk_78653.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Inetc.dll
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\nsProcess.dll
Deletes File	letvsetup.exe
Deletes File	setup_001.exe
Deletes File	BaiduPlayerNetSetup_472.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k2.ico
Deletes File	IQIYIsetup_l_spl004@kb010.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\k1.ico
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Base64.dll
Deletes File	ins1256858.exe
Deletes File	OfficeAssist.0334.80.1078.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp
Deletes File	2345Explorer_329242_silence.exe
Deletes File	G1031_s_71115.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\NSISdl.dll
Deletes File	F1023_s_30974.exe
Deletes File	9377mycs_Y_mgaz2_01.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsy1.tmp
Deletes File	setup_3386.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\1.rar
Deletes File	WanDouJia_runk4_kb.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\System.dll
Deletes File	MM-liao8398.exe
Deletes File	SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Deletes File	UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe
Deletes File	yx_dts.exe
Deletes File	QQBrowser_Setup_Hk_78653.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp\Inetc.dll
Creates Process	WanDouJia_runk4_kb.exe -hide
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex	0917
Winsock DNS	show.man1234.com
Winsock DNS	xn--sesz3ik91bknc.xn--fiqs8s
Winsock DNS	leju.down.letv.com
Winsock DNS	d.qq66699.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	_SHuassist.mtx
Creates Mutex	Shell.CMruPidlList

Process
↳ WanDouJia_runk4_kb.exe -hide

Network Details:

DNS	int.dpool.sina.com.cn Type: A 180.149.136.250
DNS	show.man1234.com Type: A 122.227.42.227
DNS	c01.i06.arnic.hadns.net Type: A 58.220.2.5
DNS	c01.i06.arnic.hadns.net Type: A 113.17.184.10
DNS	c01.i06.arnic.hadns.net Type: A 121.10.117.139
DNS	c01.i06.arnic.hadns.net Type: A 183.56.172.47
DNS	c01.i06.arnic.hadns.net Type: A 222.186.20.122
DNS	coop.gslb.leletv.net Type: A 115.182.51.55
DNS	shadu.n.shifen.com Type: A 123.125.65.162
DNS	swwx.n.shifen.com Type: A 123.125.65.175
DNS	dldir1.qq.com.cdngc.net Type: A 174.35.56.164
DNS	dldir1.qq.com.cdngc.net Type: A 174.35.56.186
DNS	dl.p2sp.n.shifen.com Type: A 61.135.185.123
DNS	g.quwen320.com Type: A 219.238.237.210
DNS	download012.rdb.cnc.ccgslb.com.cn Type: A 61.179.105.148
DNS	download012.rdb.cnc.ccgslb.com.cn Type: A 61.179.105.147
DNS	down.gtm.ucweb.com Type: A 120.196.208.98
DNS	down.gtm.ucweb.com Type: A 211.103.82.247
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.6
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.234.3
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.234.4
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.2
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.3
DNS	opt.xdwscache.glb0.lxdns.com Type: A 8.37.235.5
DNS	na.b9.aicdn.com Type: A 72.8.188.94
DNS	na.b9.aicdn.com Type: A 72.8.188.98
DNS	na.b9.aicdn.com Type: A 108.186.7.129
DNS	na.b9.aicdn.com Type: A 108.186.7.130
DNS	na.b9.aicdn.com Type: A 108.186.7.131
DNS	na.b9.aicdn.com Type: A 72.8.188.90
DNS	download.pps.tv.webscache.com Type: A 119.188.40.81
DNS	download.2345.com Type: A 122.228.248.3
DNS	download.2345.com Type: A 218.75.155.244
DNS	download.2345.com Type: A 60.191.187.15
DNS	download.2345.com Type: A 60.191.223.2
DNS	download.2345.com Type: A 60.191.223.4
DNS	download.2345.com Type: A 60.191.223.15
DNS	download.2345.com Type: A 61.147.127.202
DNS	download.2345.com Type: A 61.147.127.203
DNS	download.2345.com Type: A 61.160.245.8
DNS	download.2345.com Type: A 61.160.245.11
DNS	download.2345.com Type: A 61.160.245.14
DNS	aaa.163vv.com Type: A 60.222.232.224
DNS	aaa.163vv.com Type: A 222.186.60.18
DNS	aaa.163vv.com Type: A 222.186.60.23
DNS	aaa.163vv.com Type: A 222.186.60.60
DNS	s.lllsoo.com Type: A 42.120.61.139
DNS	dl.wandoujia.com Type: A 125.39.216.11
DNS	xn--sesz3ik91bknc.xn--fiqs8s Type: A
DNS	d.qq66699.com Type: A
DNS	leju.down.letv.com Type: A
DNS	shadu.baidu.com Type: A
DNS	w.x.baidu.com Type: A
DNS	dldir1.qq.com Type: A
DNS	dl.p2sp.baidu.com Type: A
DNS	wdl1.cache.wps.cn Type: A
DNS	down2.uc.cn Type: A
DNS	xiazai.9377.com Type: A
DNS	soft.lvbaoranshiye.com Type: A
DNS	dl.static.iqiyi.com Type: A
DNS	download.2345.cn Type: A
DNS	down.yinyue.fm Type: A
HTTP GET	http://int.dpool.sina.com.cn/iplookup/iplookup.php User-Agent: NSISDL/1.2 (Mozilla)
HTTP GET	http://show.man1234.com/mmliao/MM-liao8398.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://d.qq66699.com/yx/dts/sqcs/916631/yx_dts.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://leju.down.letv.com/pcweb/version/7.1.2.327/client_lianmeng7-09/letvsetup.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://shadu.baidu.com/index/fulldownload/30974 User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://w.x.baidu.com/go/full/1/71115 User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_472.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://g.quwen320.com/d/ins1256858.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://wdl1.cache.wps.cn/wps/download/OfficeAssist.0334.80.1078.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://down2.uc.cn/pcbrowser/down.php?id=101&pid=4443&type=downloader User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://download.2345.cn/silence/2345Explorer_329242_silence.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://down.yinyue.fm/open/setup_3386.exe User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://s.lllsoo.com/click/66947 User-Agent: NSIS_Inetc (Mozilla)
HTTP GET	http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe User-Agent: NSIS_Inetc (Mozilla)
Flows TCP	192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP	192.168.1.1:1032 ➝ 122.227.42.227:80
Flows TCP	192.168.1.1:1033 ➝ 58.220.2.5:80
Flows TCP	192.168.1.1:1034 ➝ 115.182.51.55:80
Flows TCP	192.168.1.1:1035 ➝ 123.125.65.162:80
Flows TCP	192.168.1.1:1036 ➝ 123.125.65.175:80
Flows TCP	192.168.1.1:1037 ➝ 174.35.56.164:80
Flows TCP	192.168.1.1:1038 ➝ 61.135.185.123:80
Flows TCP	192.168.1.1:1039 ➝ 219.238.237.210:80
Flows TCP	192.168.1.1:1040 ➝ 61.179.105.148:80
Flows TCP	192.168.1.1:1041 ➝ 120.196.208.98:80
Flows TCP	192.168.1.1:1042 ➝ 8.37.235.6:80
Flows TCP	192.168.1.1:1043 ➝ 72.8.188.94:80
Flows TCP	192.168.1.1:1044 ➝ 119.188.40.81:80
Flows TCP	192.168.1.1:1045 ➝ 122.228.248.3:80
Flows TCP	192.168.1.1:1046 ➝ 60.222.232.224:80
Flows TCP	192.168.1.1:1047 ➝ 42.120.61.139:80
Flows TCP	192.168.1.1:1048 ➝ 125.39.216.11:80

Raw Pcap

0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e300d 0a486f73 743a2069 6e742e64   1.0..Host: int.d
0x00000030 (00048)   706f6f6c 2e73696e 612e636f 6d2e636e   pool.sina.com.cn
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000050 (00080)   4953444c 2f312e32 20284d6f 7a696c6c   ISDL/1.2 (Mozill
0x00000060 (00096)   61290d0a 41636365 70743a20 2a2f2a0d   a)..Accept: */*.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f6d6d6c 69616f2f 4d4d2d6c   GET /mmliao/MM-l
0x00000010 (00016)   69616f38 3339382e 65786520 48545450   iao8398.exe HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204e53 49535f49 6e657463 20284d6f   : NSIS_Inetc (Mo
0x00000040 (00064)   7a696c6c 61290d0a 486f7374 3a207368   zilla)..Host: sh
0x00000050 (00080)   6f772e6d 616e3132 33342e63 6f6d0d0a   ow.man1234.com..
0x00000060 (00096)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000070 (00112)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x00000080 (00128)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x00000090 (00144)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f79782f 6474732f 73716373   GET /yx/dts/sqcs
0x00000010 (00016)   2f393136 3633312f 79785f64 74732e65   /916631/yx_dts.e
0x00000020 (00032)   78652048 5454502f 312e310d 0a557365   xe HTTP/1.1..Use
0x00000030 (00048)   722d4167 656e743a 204e5349 535f496e   r-Agent: NSIS_In
0x00000040 (00064)   65746320 284d6f7a 696c6c61 290d0a48   etc (Mozilla)..H
0x00000050 (00080)   6f73743a 20642e71 71363636 39392e63   ost: d.qq66699.c
0x00000060 (00096)   6f6d0d0a 436f6e6e 65637469 6f6e3a20   om..Connection: 
0x00000070 (00112)   4b656570 2d416c69 76650d0a 43616368   Keep-Alive..Cach
0x00000080 (00128)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x00000090 (00144)   6368650d 0a0d0a                       che....

0x00000000 (00000)   47455420 2f706377 65622f76 65727369   GET /pcweb/versi
0x00000010 (00016)   6f6e2f37 2e312e32 2e333237 2f636c69   on/7.1.2.327/cli
0x00000020 (00032)   656e745f 6c69616e 6d656e67 372d3039   ent_lianmeng7-09
0x00000030 (00048)   2f6c6574 76736574 75702e65 78652048   /letvsetup.exe H
0x00000040 (00064)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000050 (00080)   656e743a 204e5349 535f496e 65746320   ent: NSIS_Inetc 
0x00000060 (00096)   284d6f7a 696c6c61 290d0a48 6f73743a   (Mozilla)..Host:
0x00000070 (00112)   206c656a 752e646f 776e2e6c 6574762e    leju.down.letv.
0x00000080 (00128)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000090 (00144)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000a0 (00160)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f696e64 65782f66 756c6c64   GET /index/fulld
0x00000010 (00016)   6f776e6c 6f61642f 33303937 34204854   ownload/30974 HT
0x00000020 (00032)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000030 (00048)   6e743a20 4e534953 5f496e65 74632028   nt: NSIS_Inetc (
0x00000040 (00064)   4d6f7a69 6c6c6129 0d0a486f 73743a20   Mozilla)..Host: 
0x00000050 (00080)   73686164 752e6261 6964752e 636f6d0d   shadu.baidu.com.
0x00000060 (00096)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000070 (00112)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000080 (00128)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000090 (00144)   0d0a0d0a 702d416c 6976650d 0a436163   ....p-Alive..Cac
0x000000a0 (00160)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f676f2f 66756c6c 2f312f37   GET /go/full/1/7
0x00000010 (00016)   31313135 20485454 502f312e 310d0a55   1115 HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204e 5349535f   ser-Agent: NSIS_
0x00000030 (00048)   496e6574 6320284d 6f7a696c 6c61290d   Inetc (Mozilla).
0x00000040 (00064)   0a486f73 743a2077 2e782e62 61696475   .Host: w.x.baidu
0x00000050 (00080)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x00000060 (00096)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000070 (00112)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000080 (00128)   63616368 650d0a0d 0a6f2d63 61636865   cache....o-cache
0x00000090 (00144)   0d0a0d0a 702d416c 6976650d 0a436163   ....p-Alive..Cac
0x000000a0 (00160)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f696e76 632f7474 2f515142   GET /invc/tt/QQB
0x00000010 (00016)   726f7773 65725f53 65747570 5f486b5f   rowser_Setup_Hk_
0x00000020 (00032)   37383635 332e6578 65204854 54502f31   78653.exe HTTP/1
0x00000030 (00048)   2e310d0a 55736572 2d416765 6e743a20   .1..User-Agent: 
0x00000040 (00064)   4e534953 5f496e65 74632028 4d6f7a69   NSIS_Inetc (Mozi
0x00000050 (00080)   6c6c6129 0d0a486f 73743a20 646c6469   lla)..Host: dldi
0x00000060 (00096)   72312e71 712e636f 6d0d0a43 6f6e6e65   r1.qq.com..Conne
0x00000070 (00112)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000080 (00128)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000090 (00144)   3a206e6f 2d636163 68650d0a 0d0a6163   : no-cache....ac
0x000000a0 (00160)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f426169 6475506c 61796572   GET /BaiduPlayer
0x00000010 (00016)   436f6e74 656e742f 42616964 75506c61   Content/BaiduPla
0x00000020 (00032)   7965724e 65745365 7475705f 3437322e   yerNetSetup_472.
0x00000030 (00048)   65786520 48545450 2f312e31 0d0a5573   exe HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a204e53 49535f49   er-Agent: NSIS_I
0x00000050 (00080)   6e657463 20284d6f 7a696c6c 61290d0a   netc (Mozilla)..
0x00000060 (00096)   486f7374 3a20646c 2e703273 702e6261   Host: dl.p2sp.ba
0x00000070 (00112)   6964752e 636f6d0d 0a436f6e 6e656374   idu.com..Connect
0x00000080 (00128)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000090 (00144)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000a0 (00160)   6e6f2d63 61636865 0d0a0d0a 6e6f2d63   no-cache....no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f642f69 6e733132 35363835   GET /d/ins125685
0x00000010 (00016)   382e6578 65204854 54502f31 2e310d0a   8.exe HTTP/1.1..
0x00000020 (00032)   55736572 2d416765 6e743a20 4e534953   User-Agent: NSIS
0x00000030 (00048)   5f496e65 74632028 4d6f7a69 6c6c6129   _Inetc (Mozilla)
0x00000040 (00064)   0d0a486f 73743a20 672e7175 77656e33   ..Host: g.quwen3
0x00000050 (00080)   32302e63 6f6d0d0a 436f6e6e 65637469   20.com..Connecti
0x00000060 (00096)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000070 (00112)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000080 (00128)   6f2d6361 6368650d 0a0d0a6c 6976650d   o-cache....live.
0x00000090 (00144)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000a0 (00160)   6e6f2d63 61636865 0d0a0d0a 6e6f2d63   no-cache....no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f777073 2f646f77 6e6c6f61   GET /wps/downloa
0x00000010 (00016)   642f4f66 66696365 41737369 73742e30   d/OfficeAssist.0
0x00000020 (00032)   3333342e 38302e31 3037382e 65786520   334.80.1078.exe 
0x00000030 (00048)   48545450 2f312e31 0d0a5573 65722d41   HTTP/1.1..User-A
0x00000040 (00064)   67656e74 3a204e53 49535f49 6e657463   gent: NSIS_Inetc
0x00000050 (00080)   20284d6f 7a696c6c 61290d0a 486f7374    (Mozilla)..Host
0x00000060 (00096)   3a207764 6c312e63 61636865 2e777073   : wdl1.cache.wps
0x00000070 (00112)   2e636e0d 0a436f6e 6e656374 696f6e3a   .cn..Connection:
0x00000080 (00128)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x00000090 (00144)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000a0 (00160)   61636865 0d0a0d0a 0d0a0d0a 6e6f2d63   ache........no-c
0x000000b0 (00176)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f706362 726f7773 65722f64   GET /pcbrowser/d
0x00000010 (00016)   6f776e2e 7068703f 69643d31 30312670   own.php?id=101&p
0x00000020 (00032)   69643d34 34343326 74797065 3d646f77   id=4443&type=dow
0x00000030 (00048)   6e6c6f61 64657220 48545450 2f312e31   nloader HTTP/1.1
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000050 (00080)   49535f49 6e657463 20284d6f 7a696c6c   IS_Inetc (Mozill
0x00000060 (00096)   61290d0a 486f7374 3a20646f 776e322e   a)..Host: down2.
0x00000070 (00112)   75632e63 6e0d0a43 6f6e6e65 6374696f   uc.cn..Connectio
0x00000080 (00128)   6e3a204b 6565702d 416c6976 650d0a43   n: Keep-Alive..C
0x00000090 (00144)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x000000a0 (00160)   2d636163 68650d0a 0d0a                -cache....

0x00000000 (00000)   47455420 2f323031 34303932 382f3933   GET /20140928/93
0x00000010 (00016)   37376d79 63735f59 5f6d6761 7a325f30   77mycs_Y_mgaz2_0
0x00000020 (00032)   312e6578 65204854 54502f31 2e310d0a   1.exe HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4e534953   User-Agent: NSIS
0x00000040 (00064)   5f496e65 74632028 4d6f7a69 6c6c6129   _Inetc (Mozilla)
0x00000050 (00080)   0d0a486f 73743a20 7869617a 61692e39   ..Host: xiazai.9
0x00000060 (00096)   3337372e 636f6d0d 0a436f6e 6e656374   377.com..Connect
0x00000070 (00112)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000080 (00128)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000090 (00144)   6e6f2d63 61636865 0d0a0d0a 3a206e6f   no-cache....: no
0x000000a0 (00160)   2d636163 68650d0a 0d0a                -cache....

0x00000000 (00000)   47455420 2f536f48 7556415f 342e332e   GET /SoHuVA_4.3.
0x00000010 (00016)   302e312d 63323034 39303030 30332d6e   0.1-c204900003-n
0x00000020 (00032)   672d6e74 692d732d 782e7261 72204854   g-nti-s-x.rar HT
0x00000030 (00048)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000040 (00064)   6e743a20 4e534953 5f496e65 74632028   nt: NSIS_Inetc (
0x00000050 (00080)   4d6f7a69 6c6c6129 0d0a486f 73743a20   Mozilla)..Host: 
0x00000060 (00096)   736f6674 2e6c7662 616f7261 6e736869   soft.lvbaoranshi
0x00000070 (00112)   79652e63 6f6d0d0a 436f6e6e 65637469   ye.com..Connecti
0x00000080 (00128)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000090 (00144)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000a0 (00160)   6f2d6361 6368650d 0a0d0a              o-cache....

0x00000000 (00000)   47455420 2f687a2f 49514959 49736574   GET /hz/IQIYIset
0x00000010 (00016)   75705f6c 5f73706c 30303440 6b623031   up_l_spl004@kb01
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4e534953   User-Agent: NSIS
0x00000040 (00064)   5f496e65 74632028 4d6f7a69 6c6c6129   _Inetc (Mozilla)
0x00000050 (00080)   0d0a486f 73743a20 646c2e73 74617469   ..Host: dl.stati
0x00000060 (00096)   632e6971 6979692e 636f6d0d 0a436f6e   c.iqiyi.com..Con
0x00000070 (00112)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000080 (00128)   6976650d 0a436163 68652d43 6f6e7472   ive..Cache-Contr
0x00000090 (00144)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000a0 (00160)   6f2d6361 6368650d 0a0d0a              o-cache....

0x00000000 (00000)   47455420 2f73696c 656e6365 2f323334   GET /silence/234
0x00000010 (00016)   35457870 6c6f7265 725f3332 39323432   5Explorer_329242
0x00000020 (00032)   5f73696c 656e6365 2e657865 20485454   _silence.exe HTT
0x00000030 (00048)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000040 (00064)   743a204e 5349535f 496e6574 6320284d   t: NSIS_Inetc (M
0x00000050 (00080)   6f7a696c 6c61290d 0a486f73 743a2064   ozilla)..Host: d
0x00000060 (00096)   6f776e6c 6f61642e 32333435 2e636e0d   ownload.2345.cn.
0x00000070 (00112)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000080 (00128)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a 6368650d 0a0d0a              ....che....

0x00000000 (00000)   47455420 2f6f7065 6e2f7365 7475705f   GET /open/setup_
0x00000010 (00016)   33333836 2e657865 20485454 502f312e   3386.exe HTTP/1.
0x00000020 (00032)   310d0a55 7365722d 4167656e 743a204e   1..User-Agent: N
0x00000030 (00048)   5349535f 496e6574 6320284d 6f7a696c   SIS_Inetc (Mozil
0x00000040 (00064)   6c61290d 0a486f73 743a2064 6f776e2e   la)..Host: down.
0x00000050 (00080)   79696e79 75652e66 6d0d0a43 6f6e6e65   yinyue.fm..Conne
0x00000060 (00096)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000070 (00112)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a2d43   : no-cache....-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a 6368650d 0a0d0a              ....che....

0x00000000 (00000)   47455420 2f636c69 636b2f36 36393437   GET /click/66947
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204e 5349535f 496e6574   Agent: NSIS_Inet
0x00000030 (00048)   6320284d 6f7a696c 6c61290d 0a486f73   c (Mozilla)..Hos
0x00000040 (00064)   743a2073 2e6c6c6c 736f6f2e 636f6d0d   t: s.lllsoo.com.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000060 (00096)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a 2d636163 68650d0a 0d0a2d43   ....-cache....-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a 6368650d 0a0d0a              ....che....

0x00000000 (00000)   47455420 2f66696c 65732f69 6e73742f   GET /files/inst/
0x00000010 (00016)   57616e44 6f754a69 615f7275 6e6b345f   WanDouJia_runk4_
0x00000020 (00032)   6b622e65 78652048 5454502f 312e310d   kb.exe HTTP/1.1.
0x00000030 (00048)   0a557365 722d4167 656e743a 204e5349   .User-Agent: NSI
0x00000040 (00064)   535f496e 65746320 284d6f7a 696c6c61   S_Inetc (Mozilla
0x00000050 (00080)   290d0a48 6f73743a 20646c2e 77616e64   )..Host: dl.wand
0x00000060 (00096)   6f756a69 612e636f 6d0d0a43 6f6e6e65   oujia.com..Conne
0x00000070 (00112)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000080 (00128)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000090 (00144)   3a206e6f 2d636163 68650d0a 0d0a6865   : no-cache....he
0x000000a0 (00160)   0d0a0d0a 6368650d 0a0d0a              ....che....

Strings

 " ".E.
.
z.0r
.8

!1Aa
#+3;CScs
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
SysListView32
;::*?+
({,{<{*;
*?|<>/":
&	[!`+
02b^3$
05(lBI
0Kr55|
^0m{?oz
0rE^1/
0RV0ff'
1&cLu\
>1hsD!
^1r2rT
1+S12O!X
2PZw-D
&3q21A
3.|(X]G
47?	{?
4MO:In
:[^~5^
5i(-0Z7
\5Q\A}s)
5u+qqC
5[uV$r>
5x;p z&
6a+5v;
6hkP_W7
6n6>n|
6o:,#}
,6>v07f
6'W^J4}.S
6~x4h<z}
71vM<9
7	9{NL
7fr)r_
7n_kL}
7o0vk:u
7R)/Ci
7szyFc
[;7t4w
'''8::
8}1qQ6
8|2|3|4|5|6|7r
88tn)g
8NCRCu
8$Zw> 
=93ZK'
9d~3fA
#9FJ7R
9	h#x_
*^9JCS}
@9y$+ig:
)ad5|*
AdjustTokenPrivileges
a`ds&2U
ADVAPI32
ADVAPI32.dll
A~fb5);
+aH9#%l
A\i 0g
a<$iHC
@[AmM~
{?AmT.
ANm2b6
A^nZU=*n
AppendMenuA
_AQ!&I
AR2_f`
<aRo!z
a]u;t'
[awww,
B&c0Fc
bd2?PFG+&
BeginPaint
Berebu);
	bGz72bdN
='BU7Y
C2a2N2q
|C~6bI_
CallWindowProcA
caWa|.
CharNextA
CharPrevA
CheckDlgButton
CJW(e,
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
c(r[v*^
Cu+o= 7
C*uSKbZVT
@cV`Mv-
cyf>Mm96x,%
... %d%%
d\%@`+
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeIkfB_&bo
DeleteFileA
DeleteObject
DestroyWindow
D[f-byp
dh}~lM
DialogBoxParamA
DispatchMessageA
dKg&!g
Do-?[q
D$$Ph,
dpwwwwww
DrawTextA
D$(SPS
dX_Hp&
$}eF?A
)EMB\q
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
e}Nkk-
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
E|[sk;E
EuzXhM
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
]e_/[Zf-
	F6V<*
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
Fj3*mj
&FlU@U
F"nsN	9
FreeLibrary
FR'	PN
Ft)j=)5
FwT}Gy
fy^_kO
F>YLr=
`FzMj:!
?Fzwo/
G|{:\#
g3)x/c
"g7:<TF"6<
-gb-6n
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
gfm;|j
G#_ic+
gLGM'L/
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GL/Wz@Z;
%,GNw%
G_:Q(5
?GUwA}
gVv#wH
gX>uMQ
G	YCj"^7
g.ZO||k[
h3zVMI;
h7x14=[
hAs<WN
H$:KEg
HsYRd]
http://nsis.sf.net/NSIS_Error
HtVHtHH
h|TyD1Mc
[h^w#p i^
i_A_?a
:>ibdP=
iC6j8X
(iC	QC
iGJ	8sU_
ij9H3K$ s
iL2["k
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
iM&Y)V
'IN$Cl
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
iomprOA
:`i"Re
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
i#Zumn
J#{4YU
J6`vSt
Jccc5w
J\Fe='B
|jSm=,
j&S"[sP
{.jtN@o
'`k2`9
kaoD=[
KC}KK+o
Ke7'y028
KERNEL32
KERNEL32.dll
k@?h9z
K[J9P?
KR`T}eY
><kt`G
KTjpCn
.K^u}8
kV7V65
kZ{:@l*
L=3W6?;G
~l#e'l
Lh4Rc_
$;(lL2
.L;ml#
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
l`r$D0b
~Lsl^_
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
l&thiFT.k
ltJf_>
\M2@Z"
m`Bj*Lz
MessageBoxIndirectA
/m=GKn
M;?)GL
% M%HSPQ
\Microsoft\Internet Explorer\Quick Launch
Mj/jEm~
#&MJKm
*M<+Kk?e?
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
MycLu=
>\'n})
<N1rJ 
.ndata
nES"}2S
NFb=FcN
nH"-Y2
Nm+,\*
N[m%lD[
NSIS Error
~nsu.tmp
NullsoftInst
NulluN	E
NWV:U1}{Fh
nyC{AFU
~/o:;;
ObQpMx
O(G1!N{
+O#j@:
O_!KW_$q
ole32.dll
OleInitialize
OleUninitialize
!O=p0j
OpenClipboard
OpenProcessToken
OxAG3y
pBPt-AX
PeekMessageA
)p)eq>k
p#-ih)_
PIl@f9
PiXnh2
Pk3jo?
p'KrtW|
PO:015-V)
PostQuitMessage
PPPPPP
PRJb/m
q#/]0z
q8I%[$
Q'&}8O
Qbok{K
QOlo#k
qO<wV{
QP\X\Z
QqAl5R\
q<sFRq<sz2
Q"S^Lz
#$qTWY2S
/q+z?N
QZ_y\|
r]4k?Cb2	2
?~R96.
ra&8$v}
r*aL;/
`.rdata
-?/rE'4
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
"r"&ET
rf6+`o
r]>`F@a
RichEd20
RichEd32
RichEdit
RichEdit20A
>R)*<Ii
?r>LVk
'}r%PG^A
rQ>xQ(
R_ZTSN
S0C~zH
/S>8+^
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
slmma6
softuW
Software\Microsoft\Windows\CurrentVersion
_Sq`oS
SQSSSPW
ss~5'l
sWeHkZ
swx[[|V
SystemParametersInfoA
> _?=t
|=/t,'
TByk)N
t-cq&^
/Tg:K_
!This program cannot be run in DOS mode.
TkRSPO
.Tlx"z
t#m-4"
%TM78/W"
T?MN?O
_^[t	P
?TP&{-
tpmT}(
TrackPopupMenu
tW^8}@
Tx</fCg~
<T=x`k
tXTi#Gg
TYJ8kA
t.#z)+
/U4V#s
"Uf8^3>
^uH{Uu
%UJ	-R@}\<
*UR-Pc
USER32.dll
%u.%u%s%s
{uyU_e}
u<Z,[z
;[[[;v
V43S$7
V,Ec+i
verifying installer: %d%%
VerQueryValueA
VERSION.dll
%ve^Xm
VhusA3
v#mB [
VM\}jM
V.S6)[
VTz;qP
v#Vh;+@
v?vwwOd`
vx6S8j7{
,)VXFG
_v+xr@\w
WaitForSingleObject
wcb9p{M
WEe-kC:
?w&ELG
Wf(b:o
\Wfi)N
WiZURs
$WM`RKF
wouuuu
w=\%PF+E8gM
WriteFile
WritePrivateProfileStringA
wsprintfA
W-=$v~
;x =~#
=x0wZEa
x5Fv}\)
x	`=@9
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
x&O`B34"
X,p~~^
X,pppPd
X,pvv6Y7
+X]^qK
XT%Q<H
}X/v;K	&
=,<%*= Y
yd^	d (
YdtF<w
Yoc-nw:
/Y(TcZ
yUnR`N
yWS|(d
/^y@,Y
Zaww73
(?ZmWJ;+<
~]={ZS