MD5: d3f18606296b4497c335e5becd4c2494
SHA1: c385fa017fed28ab717748105acfb1b61fbf11cf
SHA256: dda1ffd0aae6fe5caa1f88f2e5c51704e2a5c984e1c4fdd033b118843b4ed6df
SSDeep: 6144:ye34EMuU777777777777777VQGUBR777iTxzysexqVSrWNYro2CKuMbOewsjTFJb:xMubRqSrKV8weTjURgCE
Size: 638326 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: DsNET Corp
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

MYLogger.exe:1780
yx_dts.exe:3244
notify.exe:3380
assistupdate.exe:916
ntvdm.exe:2780
dts.exe:2612
dts.exe:4020
RsMgrSvc.exe:1588
9377mycs_Y_mgaz2_01.exe:2104
OfficeAssist.0334.80.1078.exe:996
OfficeAssist.0334.80.1078.exe:820
regsvr32.exe:3612
regsvr32.exe:2816
popwndexe.exe:2080

The Trojan injects its code into the following process(es):

MYLogger.exe:2496
ntvdm.exe:3528
%original file name%.exe:2740
ins1256858.exe:2516

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process MYLogger.exe:2496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pc_game_my_new[1].htm (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020720180208\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jquery.Slideshow[1].js (2457 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UZ91JSMY.txt (65 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fast_register[1].js (2753 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\input_bg[1].jpg (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\U4C45LLV.txt (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ajax[1].js (53540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\pc_new[1].css (3766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6TD40BZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\quick_register[1].jpg (200 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UZ91JSMY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012 (0 bytes)

The process yx_dts.exe:3244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\uninst.exe (11351 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\´óÌìʹ֮½£.lnk (901 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\´óÌìʹ֮½£\жÔØ´óÌìʹ֮½£.lnk (990 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\dts.exe (31369 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\´óÌìʹ֮½£\´óÌìʹ֮½£.lnk (971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\lander.ini (427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\Desktop\´óÌìʹ֮½£.lnk (921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\FindProcDLL.dll (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBE.tmp (42619 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\´óÌìʹ֮½£.lnk (901 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\FindProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBD.tmp (0 bytes)

The process notify.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pptassist\update\log\notify_2018_02_07.log (374 bytes)
C:\Windows\Tasks\PPTAssistantNotifyTask_adm.job (322 bytes)

The process assistupdate.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\PPTAssistantUpdateTask_adm.job (334 bytes)

The process ntvdm.exe:2780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8C.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8B.tmp (335 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8B.tmp (0 bytes)

The process ntvdm.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB50D.tmp (335 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB50D.tmp (0 bytes)

The process dts.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\lander.ini (164 bytes)

The process dts.exe:4020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\lander.ini (72 bytes)

The process RsMgrSvc.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\RsMgrSvc.exe.log (217 bytes)
%Program Files%\Rising\RSD\comx3.dll (188 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (712 bytes)
%Program Files%\Rising\RSD\syslay.dll (102 bytes)

The process 9377mycs_Y_mgaz2_01.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\9377÷ÈÓ°´«Ëµ\MeiYing.dll (16288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9377÷ÈÓ°´«Ëµ\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9377÷ÈÓ°´«Ëµ\uninstall.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\inetc.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\ip.dll (804 bytes)
%Program Files%\9377÷ÈÓ°´«Ëµ\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627C.tmp (32278 bytes)
%Program Files%\9377÷ÈÓ°´«Ëµ\MYLogger.exe (13368 bytes)
%Program Files%\9377÷ÈÓ°´«Ëµ\uninstall.exe (2275 bytes)
%Program Files%\9377÷ÈÓ°´«Ëµ\MYLogger.ini (567 bytes)
C:\Users\Public\Desktop\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb626B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\ip.dll (0 bytes)

The process OfficeAssist.0334.80.1078.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB2AE.tmp\v6svc.dll (2693 bytes)
C:\ProgramData\kingsoft\20180207_185107\oem.ini (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB2AE.tmp\System.dll (23 bytes)
C:\ProgramData\kingsoft\20180207_185107\OfficeAssist.0334.80.1078.exe (117322 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB28D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB2AE.tmp (0 bytes)

The process OfficeAssist.0334.80.1078.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist64.dll (5275 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\notify.exe (4335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist64.dll (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\2.jpg (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2007.ppsx (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\utility\uninst.exe (4799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\20.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\3.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\cfgs\feature.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\utility\uninst.exe (6841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihuappt.pps (7385 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist.dll (6215 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistupdate.exe (3716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2003.pps (529 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistdownloader.exe (2425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\10.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\assistdownloader.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\product.xml (334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\30.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2007.ppsx (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\104.png (275 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2013.ppsx (199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihuappt.pps (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2013.ppsx (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2003.pps (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\setup.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PPT美化大师\卸载.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua.exe (1752 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\assistupdate.exe (2746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\103.png (346 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\102.png (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\100.png (238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2010.ppsx (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\cgpb_bg.png (198 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\cgpb_fg.png (182 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\cfgs\setup.cfg (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\updateself.exe (4770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\notify.exe (2779 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\setup.cfg (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\feature.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\updateself.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (943 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2010.ppsx (198 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua.exe (3123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\101.png (951 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist64.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\notify.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihuappt.pps (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2003.pps (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistupdate.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\setup.cfg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2013.ppsx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\feature.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2010.ppsx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2007.ppsx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\updateself.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\utility (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\utility\uninst.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistdownloader.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua.exe (0 bytes)

The process regsvr32.exe:3612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist64.dll (655 bytes)

The process regsvr32.exe:2816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll (675 bytes)

The process %original file name%.exe:2740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\yx_dts.exe (62194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Inetc.dll (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\RBZFCATM.txt (92 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5390.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\1.rar (20 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2331\uninst.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ins1256858[1].exe (263402 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_611D8AF93D88D61ED8CD55C30E7FC92A (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\nsProcess.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Base64.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5391.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yx_dts[1].exe (57920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\System.dll (23 bytes)
%Program Files%\2331\Uninstall.exe (4823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MM-liao8398[1].htm (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\iplookup[1].htm (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\9377mycs_Y_mgaz2_01.exe (43691 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\G1031_s_71115.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\MM-liao8398.exe (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\30974[1].htm (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\OfficeAssist.0334.80.1078[1].exe (198039 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\k1.ico (6720 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CAGQV8JL.htm (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\ins1256858.exe (279754 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (432 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9377mycs_Y_mgaz2_01[1].exe (40640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\OfficeAssist.0334.80.1078.exe (211646 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (408 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_611D8AF93D88D61ED8CD55C30E7FC92A (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\k2.ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AEC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\setup_3386.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\BaiduPlayerNetSetup_472.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5391.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\F1023_s_30974.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5390.tmp (0 bytes)

The process popwndexe.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\rsdk.dll (495 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (335 bytes)

The process ins1256858.exe:2516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\updater.exe (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV.cfg (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdinfo.dll (664 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\localopt.dll (2561 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (51 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RavSetup.dll (5378 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (243 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\mondrv.dll (3415 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (519 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (969 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\Proccomm.dll (1267 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Setup.exe (6167 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\pngdll.dll (1468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\selfmon.dll (78 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\CfgDll.dll (1528 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\rspalvd.dll (726 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (650 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\localopt.dll (1576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7385 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\cnt08.dll (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\kguard.sys (1085 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravlog\rslog.dll (880 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (307 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2118 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1588 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Custom.xml (775 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\cnt09.dll (2145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\sysmon.sys (2475 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmginfo.dll (1708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\syslay.dll (1801 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\comx3.dll (1268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\Proccom.dll (2305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1106 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\dfw.dll (743 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.dll (1485 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Rav.7z (484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\moncom08.dll (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsBackup.exe (1548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (1583 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (52 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\ravbase.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\mergexml.dll (1711 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\mondef.dll (3522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (3353 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\defmon.dll (4217 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\os.xml (685 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1275 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\moncomm.dll (2249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ins1256858.exe.log (110994 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\updater.exe (4788 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (1683 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bacore.dll (1066 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsAppMgr.dll (129 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (519 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV.cfg.tmp (1960 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1659 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\label.dat (388 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rssqlite.dll (1177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rscom.dll (901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (5863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsutils.sys (51 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rslang.dll (650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\setup.dll (1572 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\comx3.dll (1440 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (2369 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (42 bytes)
C:\Windows\System32\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscfg\rscfg.dll (53 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\update.xml (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\rstask.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\monrule.dll (815 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\rssrv.dll (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\atl90.dll (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\rscurl.dll (2638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk.dll (4761 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Auto.ini (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\setup.dat (117 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV.cfg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV_DL (0 bytes)
%Program Files%\Rising (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ForLogDeve[1].htm (0 bytes)
%Program Files%\Rising\RAC (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Rav.7z (0 bytes)

Registry activity

The process MYLogger.exe:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020720180208]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020720180208"
"CacheLimit" = "8192"
"CacheOptions" = "11"

"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020720180208]
"CachePrefix" = ":2018020720180208:"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MYLogger_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017101120171012]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process yx_dts.exe:3244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\´óÌìʹ֮½£]
"DisplayName" = "´óÌìʹ֮½£"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesVersion" = "2"
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\´óÌìʹ֮½£]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\dts.exe"
"URLInfoAbout" = ""
"DisplayVersion" = "3.1.0.0"
"Publisher" = "´óÌìʹ֮½£"
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\uninst.exe"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The process dts.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dts_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process 9377mycs_Y_mgaz2_01.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377÷ÈÓ°´«Ëµ]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\9377÷ÈÓ°´«Ëµ]
"(Default)" = "%Program Files%\9377÷ÈÓ°´«Ëµ"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377÷ÈÓ°´«Ëµ]
"DisplayName" = "9377÷ÈÓ°´«Ëµ"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377÷ÈÓ°´«Ëµ]
"UninstallString" = "%Program Files%\9377÷ÈÓ°´«Ëµ\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesVersion" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "48"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "10"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377÷ÈÓ°´«Ëµ]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\9377mycs_Y_mgaz2_01_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process OfficeAssist.0334.80.1078.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayName" = "PPT美化大师"

[HKCU\Software\PPTAssist\Common]
"infoGUID" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\PPTAssist\Common\Setting]
"HideExcelPane" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\utility\uninst.exe"
"Publisher" = "珠海金山办公软件有限公司"

[HKCU\Software\PPTAssist\Common]
"DistSrc" = "80.1078"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayVersion" = "1.0.0.0334"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"LocationRoot" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\C:\ProgramData\kingsoft\20180207_185107]
"OfficeAssist.0334.80.1078.exe" = "1"

[HKCU\Software\PPTAssist\Common\Setting]
"HidePowerPntPane" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\utility\uninst.exe"

[HKCU\Software\PPTAssist\Common\Setting]
"HideWordPane" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\HELPDIR]
"(Default)" = "%Program Files%\Common Files\Microsoft Shared\OFFICE14"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\OfficeAssist_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"

[HKCU\Software\PPTAssist\Common]
"Version" = "1.0.0.0334"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process regsvr32.exe:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\PPTAssist.Addins]
"(Default)" = "PPTAssist Class"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\PPTAssist.Addins\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
"(Default)" = "1.0"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
"(Default)" = "PPTAssist.Control.1"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Classes\PPTAssist.Control.1\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Classes\PPTAssist.Addins.1\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\PPTAssist.Control]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Addins"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"Description" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
"(Default)" = "PPTAssist.Addins.1"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}]
"(Default)" = "IRibbonCallback"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"FriendlyName" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"Description" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Classes\PPTAssist.Addins.1]
"(Default)" = "PPTAssist Class"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"Description" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
"(Default)" = "PPTAssist Class"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0]
"(Default)" = "PPTAssist 1.0 ÀàÐÍ¿â"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Classes\PPTAssist.Addins\CurVer]
"(Default)" = "PPTAssist.Addins.1"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}]
"(Default)" = "IWpsAssistControl"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Control"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\PPTAssist.Control\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"

[HKCU\Software\Classes\PPTAssist.Control.1]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"FriendlyName" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"FriendlyName" = "PPTÃÀ»¯´óʦ"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\PPTAssist.Control\CurVer]
"(Default)" = "PPTAssist.Control.1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Programmable]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\Programmable]

The process %original file name%.exe:2740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\d3f18606296b4497c335e5becd4c2494_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process popwndexe.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process ins1256858.exe:2516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1549644638"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"rstrayexe" = "INpgnqTDQVgCMj9fShcEPihY"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant]
"ExecutablesToExclude" = "%Program Files%\Rising\RSD\Setup.exe"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"InstallPath" = "INpgnqTDFmkzCQpscnQlDx8bb2sINSRQVGUzBw4F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.00.98"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"

[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1518022238"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"RAV" = "INpgnqTDYXgikA=="
"Title" = "INpgnqTD-8mxgf2M-5Kpq/HAoA=="

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"ravmonexe" = "INpgnqTDQUolIytbXUoEaChGVjY="

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monShowName" = "INpgnqTDYUpBFAx9E2oENDtb0w=="

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"regtray" = "INpgnqTDQUwPNCxduA=="

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{CC290F46-6398-957E-0000-000000000000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\ins1256858_RASAPI32]
"MaxFileSize" = "1048576"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "INpgnqTDd1wHIyNNVoM="

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

[HKLM\System\CurrentControlSet\Services]
"Rising"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\protreg.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php	180.149.138.197
hxxp://show.man1234.com/mmliao/MM-liao8398.exe	204.11.56.48
hxxp://37w.xdwscache.ourglb0.com/yx/dts/sqcs/916631/yx_dts.exe
hxxp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=37cs_wd&ext_3=916631&ext_4=E000A7BC1E6E4D4FA995541680A7EB78&ext_5=2d80e67f845e4d321e380bdc9a3520fb&ext_6=2&browser_type=3000	183.60.123.113
hxxp://aqgw.n.shifen.com/index/fulldownload/30974
hxxp://www.61jingling.com/ZDNmMTg2MDYyOTZiNDQ5N2MzMzVlNWJlY2Q0YzI0OTQuZXhl/40.html	107.151.98.176
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0=
hxxp://swwx.n.shifen.com/go/full/1/71115
hxxp://swwx.n.shifen.com/go/full/1/.exe
hxxp://37w.xdwscache.ourglb0.com/20140928/9377mycs_Y_mgaz2_01.exe
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl
hxxp://dl.p2sp.n.shifen.com/BaiduPlayerContent/BaiduPlayerNetSetup_472.exe
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=
hxxp://g.quwen320.com/d/ins1256858.exe	219.238.237.210
hxxp://37w.xdwscache.ourglb0.com/api/client_data_receive.php?Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.8&IP=192.168.11.134&MAC=00-50-56-3C-AC-71&Installtime=2018/2/7/18:49:52&ExeName=C:UsersadmAppDataLocalTemp sq5AFD.tmp9377mycs_Y_mgaz2_01.exe
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEG6PrCxmmU8tZDNcJoriZ80=
hxxp://e6845.dscb1.akamaiedge.net/ss.crl
hxxp://wwww.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl
hxxp://37w.xdwscache.ourglb0.com/js/ajax.js?20180207145758
hxxp://37w.xdwscache.ourglb0.com/style/my/pc_new.css?20180207145758
hxxp://37w.xdwscache.ourglb0.com/js/jquery.Slideshow.js?20180207145758
hxxp://37w.xdwscache.ourglb0.com/js/fast_register.js?20180207145758
hxxp://37w.xdwscache.ourglb0.com/images/my/pc/quick_register.jpg
hxxp://37w.xdwscache.ourglb0.com/images/my/pc/wczc_btn.jpg
hxxp://37w.xdwscache.ourglb0.com/images/my/pc/input_bg.jpg
w.x.baidu.com	123.125.115.171
xn--sesz3ik91bknc.xn--fiqs8s	218.241.116.40
s1.symcb.com	23.46.117.163
client.9377.com	103.243.93.26
crl.verisign.com	23.46.117.163
d.qq66699.com	157.185.149.167
s2.symcb.com	23.46.123.27
static.9377s.com	157.185.149.167
shadu.baidu.com	123.125.115.151
www.9377.com	157.185.149.167
ss.symcb.com	23.46.117.163
ocsp.verisign.com	23.46.123.27
dl.p2sp.baidu.com	61.135.185.123
xiazai.9377.com	157.185.149.167
ss.symcd.com	23.46.123.27
down.yinyue.fm

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY External IP Lookup sina.com.cn
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1435

content-transfer-encoding: binary

Cache-Control: max-age=451239, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Feb 2018 22:07:49 GMT

Expires: Mon, 12 Feb 2018 22:07:49 GMT

Date: Wed, 07 Feb 2018 16:49:40 GMT

Connection: keep-alive
0..........0..... .....0.....}0..y0.......(C.....}.\u...q..N...2018020
5220749Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.%...0a.. ...M|......20180205220749Z....20180212220749Z0...*.H........
.....L.....s........M..T ..e.'...0....N...=-.hS.l.@.U..FLu=%.i...5?.\J
.....s6...h......T....3>.r}..U.z9..`?.........F.Q......m.6&..?..Y.~
.C..58.b.:T..iG.]H6.x...-3.Vg<..d.!.....P....z.....y...Z.Q...j..5.&
.1.....*'...n.....".J............z.r.P..f..7....j....:.0.....0...0...0
..!.......!8.1..OV......[.0...*.H........0_1.0...U....US1.0...U....Ver
iSign, Inc.1705..U....Class 3 Public Primary Certification Authority0.
..171205000000Z..181214235959Z0..1.0...U....US1.0...U....DigiCert Inc.
1.0...U....DigiCert Trust Network1?0=..U...6DigiCert Class 3 PCA - G1 
OCSP Responder Certificate 60.."0...*.H.............0.................
.l..^..u%.#;U.......q>.M{....08.4...,....x.....}...,h .F..,.q...t.E
c5o;.J..1..I.a..z.kU_.P.7..#....E......u".!...`.[....<..w....,..H)D
.N.s..A[.. .O.z<..Do...U.0..-.;..Z......J.}. .}...UE..0v..J.W.....M
R.."..u!.F.9FW;......r[. ....o.Z=. &...n. Slu.........0..0...U....0.0.
..U.%..0... .......0...U........0... .....0......0_..U. .X0V0T..U. .0L
0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.c
om/rpa0#..U....0...0.1.0...U....TGV-OFF-2160...*.H............_..#..!.
j..8........n...J..Yp.A....b. ...T92.....M"K..1U>..lw..\.1R.U;'.K..
P..i..g3.a]">.P...r./...F.. ..p..D.C0...T...h...C......
<<< skipped >>>

GET /index/fulldownload/30974 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: shadu.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Location: hXXps://shadu.baidu.com/index/fulldownload/30974

Date: Wed, 07 Feb 2018 16:49:18 GMT

Content-Length: 83

Content-Type: text/html; charset=utf-8
<a href="hXXps://shadu.baidu.com/index/fulldownload/30974">Moved
 Permanently</a>.....

GET /yx/dts/sqcs/916631/yx_dts.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d.qq66699.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:49:00 GMT

Server: nginx/1.4.7

Content-Type: application/octet-stream

Content-Length: 952696

Last-Modified: Tue, 14 Oct 2014 07:36:20 GMT

ETag: "543cd274-e8978"

Accept-Ranges: bytes

X-Via: 1.1 tandianxin73:2 (Cdn Cache Server V2.0), 1.1 xxz212:9 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1nm191:2 (Cdn Cache Server V2.0)

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
...........................d$.......................................s.
......@..HW..........Ph..(!...........................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@..@.data........
........r..............@....ndata.......@...........................rs
rc...HW...@...X...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.
P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......P
p@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /js/ajax.js?20180207145758 HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Fri, 09 Mar 2018 07:11:31 GMT

Date: Wed, 07 Feb 2018 07:11:31 GMT

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Thu, 01 Feb 2018 06:09:42 GMT

Transfer-Encoding: chunked

ETag: W/"5a72af26-1bb5a"

Cache-Control: max-age=2592000

Content-Encoding: gzip

Age: 1

X-Via: 1.1 xxz208:3 (Cdn Cache Server V2.0), 1.1 td48:3 (Cdn Cache Server V2.0)

Connection: keep-alive
400a..............is...........G&L...}..!.....^.....J....E"...vj~.}...
B......o......^Y.g......*O*'?.......".|<.N.....,..........`..6..O.X
.~....Z>.d....?XT....D.w.`R.9......y2.....d.v ..n:.,.i.../.lVy.....
.l>.&........l..6....N.G..t^.<......._q./O.n. c.....N....#K...4.
s:J...F..._D.d..a..I.`u.."mT... .....ne........N...........U{..c.W}.=.
o.S.4.&Q'....^........>.....i......'.~.._,f..."...z...:a...(..*...Q
d..........bv..-....^2.....7...(h....q}8..|.v..4...W.,Y...../.9.......
.O,....'..A5.o.......]..0..w.tq>.T.wn..T.[.VF..9N.O.u.e.....9.s.q.4
.....t...._..d:.]W..y..P?..Hf........Qt.e.U4.....}....Al&......q{....y
....S...g...@V..w......:.9.k...G....p.rC..r.1...a.L...E6!,.,..1..i....
B.q:.&.i....._^M.A....a=.j...|:...A=..'.pR.P..j...h .kA....BL...G..R..
uT.9Ocu'l..Y.4.i......I.1h..j.. ~.>...3...o}.NG.c..(.BLBg......AuP.
.../...K....[[...,>.,.......G.........l..........].=;.l...q@......_
./.s.F.A.....n./.....o....xV....4........=..8;...h:..KB@..P.E..j...@..
.,...t.<..x..3pGx....q<..t]o9..(....s....RG..........|..V....p..
.67......vfir.()l..].!...'....{...../.%....;3GW.....c.79a...A.<#...
.l.....^d.i..bg....r.F...|..o...;...mD.zg.V..G".$r......b..'A ...5....
...I..A..p..Q..D.f.!..O..}_YJ..C...........c.........c..x..waSP/..q.. 
.....;...}.....3.N. ...*P1....hh.?..p.3.L.F.]3..Z...v....Vn.?.%.X.N.,.
.Y..6.uV........D... V..?....j...a...L...av.J...Z.(.......x. .).q.....
...YY..{J..r.&....).<..'.4..#yl..BK..nWF...........t{...L.S...A....
.z{>.5.M...'..9U...s7.....].....N2zy...N..j.\.....m"...$......r
<<< skipped >>>

GET /js/jquery.Slideshow.js?20180207145758 HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:50:04 GMT

Expires: Fri, 09 Mar 2018 07:05:27 GMT

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Fri, 08 Jun 2012 03:41:55 GMT

Transfer-Encoding: chunked

ETag: W/"4fd17483-25b2"

Cache-Control: max-age=2592000

Content-Encoding: gzip

X-Via: 1.1 xinxzai207:10 (Cdn Cache Server V2.0), 1.1 td48:1 (Cdn Cache Server V2.0)

Connection: keep-alive
e11.............Zms........;&. ,...6....LhH:.i...0ki%..... ....c<iI
.Nc....!..bc..B..M..I.I3....I...wW.eC..f...y..{....9g.]y..M.?.6.....Z8
y}...V...N...O].01v....;K.c3G..~O.\~........v%o..X.c..}.85......_#.d..
.,....vr.........wn.^.f...W.5!#.wb.~q......K....c..]..t..5..r...p|g.u.
f.Ge.5...b.f.....?=yg....So.O,}|...|.p....7n..>.|7>....D.....GN-
}......,>8ze..._..2. k.. .ED..#...q.*.'?.......1..4{ab..././.Z:...%
.|....'..9...w..a?..~.......$..{.Sg..;|.#n......L.z.........[....)'K.&
..\.l....i\*......V@ '.F.!...3......FQ.....7.x,........Y.....'!.k.<
.....4............?>:s...... ..?..X>:..pq....O-~...g/..?r...Sw?.
~e|..7.O....m..9>w...f..)..9)............w.....?>Aw.Gg.<{..5.
...T.A.Sb.H.T2.&....J4.....h.t=.)1$#!..Q....^s...U.R..M...=.r...e...K@
5.&2N.F....../.....s....k.=.....#'.....'.~q....Wu.}66.V]........?.>
.0I..`..w.-N_.uxai.8..i....U...\.....d..c...W..3..Y...)mI......!.y.Q..
../..g.).......;.....#.II....M./$...,).1.. .....`)..O.].n..H....m.2...
2S9...F.) >...A..T1.y..%>..F....K...}..\....m$8...........eN*D..
....E..P...G.ht '.".Sr&.ga.l.J...j.;..9&...z.....>.^!g..S3W.`..:.d.
.Sj...&.....xx0....1 C#..|......|.u~.`r......z....dk.|.. Br9...n^.d'..
.........e..N1.......M.u.j.#...W%.n..e..%E..z........e. 4....).k....Q.
.{A....p..)..7....$S:$b...NiT.....@5...P{..).SP:......|T.r..._.....A.L
.X...r.j.%/.U[.b<.......y.... _..5...-.."V......R.@..0.......7n.IoQ
.m...Z.B..6`.&xR.....v.. ...P.".5q...... A.P/.....6...C..p.)...\._<
.W,"....JM...W.P...(hV..-U.[jG.[..Q.O.(..[...5..E.........!.c-..."
<<< skipped >>>

GET /js/fast_register.js?20180207145758 HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:50:05 GMT

Expires: Fri, 09 Mar 2018 07:14:52 GMT

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Sun, 27 Nov 2016 12:25:34 GMT

Transfer-Encoding: chunked

ETag: W/"583ad0be-1ade"

Cache-Control: max-age=2592000

Content-Encoding: gzip

X-Via: 1.1 xxz208:8 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1nm191:10 (Cdn Cache Server V2.0)

Connection: keep-alive
95e.............Yms....,f.....V.. ;@&...L[u....| T......v7.b.!.$.....M
R`(}...2u.L.. ..aW.S.B....j.b.&4.-..=..s.......K..."v.W......R....#...
...!e..Z.../7.....xx..KY=Y.-..Kb-..'ew...Ee.:s....s......R".5.A.w.....
./.Mj5.&9H....&...dr.72.....z..X...&..Y......./.........ML..~u7\......
.><t./u......U...."u...Y..7.G....9)..}g...... /.....-EkRm.a!;M..
n..y./7.....r..'G.......4.4k..X>.-.......*N...7..^`..\&.bf...E~..&l
t;|..%.s...........o.?...............g.2.E./........................]b
z.;..\......... .Op.c.....4.$.-p.2.2....R..<._....6...1.`L...L"...X
4.F...e...I.e................h.@..mW..N.J.......gN.|m............I...7
.JY}.....b.."._<fS....(.&....^.....m.Eq:....nYD.~.6..s3..r.~|.A.g.Z
.c.S.J..".?<.."Qa.si.....S..{..J.....|f....".....}..l..%.....^.TW.Z
A.F..0.w..=X....91[.{....'F.RQ...@..E..... V.f....U... .....P....{.z..
Q.g....eYHL..*.Q'......`c....M..._...~..*.O....}k.D.......>.:..(|..
T#.sl'p$.mL..|N..ik.'........A..cS|l*.s..:..D.Im...vAn.:D}.L@...$C...)
.........:..y.Y..^.Mj4. ....m...p..>.w...!....=%...\s.66.-..dl.8...
..K..%.zpQ)`i.{.(.M.e.k...A.y...A.n.mh..MC.........uc.....o..r~...C..\
u.j..6......8hN..w2T(.uU. ........=,Z............2.O.5.u..........j...
..|.D.....9L.........U.t.&.M......Y\...-aDB...yl.e</k.!....q.O..8..
....ih.Rr5....`.2t....?.3.;#.....9.....p/.....T*....I..ZM$2\.7....{.H"
,f...;.....Q......?.[w......p.Jt.....u>.....T....<..nz.[...m....
Y........./8v.DV-.....93..4=........*(........(0.a......|.sG:.\.......
..T.`..''O...mx.O...P.L..y.Z./.......G.M..5.....T....2..B.QM..A'.0
<<< skipped >>>

GET /20140928/9377mycs_Y_mgaz2_01.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: xiazai.9377.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 02:49:53 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 665024

Last-Modified: Thu, 23 Oct 2014 08:03:45 GMT

ETag: "5448b661-a25c0"

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 dianxinxiazai184:6 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1uv190:4 (Cdn Cache Server V2.0)

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
...........................9a.......................................s.
......`...3...........................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@..@.data........
........r..............@....ndata... ...@...........................rs
rc....3...`...4...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.
P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......P
p@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /style/my/pc_new.css?20180207145758 HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:50:05 GMT

Server: nginx

Content-Type: text/css

Last-Modified: Wed, 10 May 2017 09:26:35 GMT

Transfer-Encoding: chunked

ETag: W/"5912dccb-1730"

Expires: Fri, 09 Mar 2018 16:50:04 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

X-Via: 1.1 uzhoudianxin67:3 (Cdn Cache Server V2.0), 1.1 td49:4 (Cdn Cache Server V2.0)

Connection: keep-alive
727.............X]n.6.~_`..n^......Dy(..[..D....B..;F....@....(z..{...
.$J.7.(P.1 ...g..f....../c.><..f./7....7I..OyUJ../,.B...s...1.Np
ZL.....$O..4.l.... ..bR.I=....N....^.{y*x.B..`.<.,...=..........Q..
..\1..$;H/ci%..Ui.T{Y....{h..>01Z.J.P ..p.T...VE%.......i.....t.RU.
8p.c.KP.e|...o......7uA.qRT...AIqR.-h....z..<.X.@>..'.......|V..
.;...........W...y&....X........{Q|=.;.a.lw..../d...|C....fT>..vB..
.Z.;.K{.`..Cg..3-.s..yj..........T....Q.....2.. .V}.!|.PM|.k......Q.HF
.H...B.........H..#U.A~S.<#7Q.........v(..U.Z.eY.&.x....../K..*1>
;I.C...I...J.0...g..c>.V@b|`h....U.."<_2...]...m....Z...T'.._.r.
.A.{6..V_.8gB.G...o.x../ .;W.c.d....hCro.l..';A..JW..>...JD.....X..
.%J.y...0B]q.G.8..`;...@.X.A`k1..3i...>.D........w)0...&.8.`~..NW3.
u...0.Utw...S..0.H...lG,".M7t....B....>.x..c.w...4.>..$..._u.n.n
x.p....4>...2Y.Z...h%../....:.M... .=.,}:uR....jsG:vq...>..m..uK
'..MbM......3u.....fs..p...u.rR..0..9..>...AIx..M..H.. .%......0...
c!. ...p..-.k... S..M.Er.w,.....J[n......^.H.<C..a..wk............4
46!..}.u...n,..4.K\.F...J........FE.m.:...G...G.$....P..W[.G.(...(..~.
a,.(...E."......5M...K4..&..`.?....`..9G..g.k.6T.R...,....\lZ..U]T!..h
............'Y...K. *...~.....Q.<..>0....h.|.zGC..........B...?-
._.k.e.M^...n...K.LG8..).`....W.!..A..Ua..a.....;...;.Z..:.'......g..u
..K^...G.<.$s.c..]...y@...P...6....D...[T;t..RC.TTE.P.Q!.g...&4.h.:
.)........nsB. ......f...$....v....Z...-49.#o......$..d...t.Tl.i....[@
.:....l..P...zX.....ZK....=.!t..^9.`..R..&Mw7.e..8..z...q-...;.c0.
<<< skipped >>>

GET /images/my/pc/quick_register.jpg HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:50:07 GMT

Expires: Fri, 09 Feb 2018 11:10:30 GMT

Server: nginx

Content-Type: image/jpeg

Content-Length: 8822

Last-Modified: Wed, 25 Jun 2014 07:41:24 GMT

ETag: "53aa7d24-2276"

Cache-Control: max-age=2592000

Accept-Ranges: bytes

X-Via: 1.1 xinxzai207:5 (Cdn Cache Server V2.0), 1.1 td48:9 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" 
xmpMM:InstanceID="xmp.iid:75A9C2DFFC3411E3B461F5D43F45A904" xmpMM:Docu
mentID="xmp.did:75A9C2E0FC3411E3B461F5D43F45A904"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:75A9C2DDFC3411E3B461F5D43F45A904" stRe
f:documentID="xmp.did:75A9C2DEFC3411E3B461F5D43F45A904"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
.......................@.X............................................
...........................................Q...R.s..T!1.3.A"q.2..ar.b.
....B#........................Q.1A.!2a......R."............?..jw.faL..
w.S.s...._.g.|.u....i.......i..~^...l.......ZB[c2......Am.......)..3 .
../H.....j.|.".[c2......Am.......)..3 .../H.....j.|.".[c2......Am.....
..)..3 .../H.....j.|.".[c2......Am.......)..3 .../H.....j.|.".[c2.....
.Am.......)..3 .../H.....j.|.".[c2......Am.......)..3 .../H.....j.
<<< skipped >>>

GET /images/my/pc/input_bg.jpg HTTP/1.1

Accept: */*

Referer: hXXp://client.9377.com/pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: static.9377s.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:50:07 GMT

Expires: Fri, 09 Feb 2018 11:10:32 GMT

Server: nginx

Content-Type: image/jpeg

Content-Length: 6720

Last-Modified: Wed, 25 Jun 2014 07:41:24 GMT

ETag: "53aa7d24-1a40"

Cache-Control: max-age=2592000

Accept-Ranges: bytes

X-Via: 1.1 xinxzai206:10 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1uv190:9 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" 
xmpMM:InstanceID="xmp.iid:1B768923FC3411E3A5FA883712ECB69B" xmpMM:Docu
mentID="xmp.did:1B768924FC3411E3A5FA883712ECB69B"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:1B768921FC3411E3A5FA883712ECB69B" stRe
f:documentID="xmp.did:1B768922FC3411E3A5FA883712ECB69B"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
.......................c..............................................
..............................................!Q...1b.#Sc...A.".aq.2r4
.BR..T...3.....CD.......................Q..!1...A.."R...q.a..2Br#.....
.......?...#.l.9..dXd&.........*..QS{.....A..-..L....j.] .......e..{.U
..v..X.t.K.....p...N...)w..... ....xr...30....w.............:.......r.
.O..OR...Q.....K....Ugj..w.}.8.|..R..<...l..n.........w.O.q..Vv...}
=.8.. ....x....s......K....ej.n .}..4..Kg.......M.....#....M......
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1754

content-transfer-encoding: binary

Cache-Control: max-age=449285, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Feb 2018 21:37:49 GMT

Expires: Mon, 12 Feb 2018 21:37:49 GMT

Date: Wed, 07 Feb 2018 16:49:55 GMT

Connection: keep-alive
0..........0..... .....0......0...0...........8&.h....GE.......2018020
5213749Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..Q?.t8p.4@A.0........20180205213749Z....20180212213749Z0...*.H.....
........x.9L..?Z.Y...I^........1I`...^..}dE1.ct.U.X.*........I&.}NZ...
..>4...\..........\j........G39.s}VU.{..7.x6.C.o<L..k\..L...,T.9
n..7V"IZ....T.....p_...0...........I.Lo..-J*k.........~y...........H@N
*.&......!%...i.z...Z..h.........K3u.t.[.....X.U..1kQ..A.Y?.....0...0.
..0..........enJ..S.. ...h..a0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...161213000000Z..211231235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1604..U...-Symantec Class 3 PCA - G5 SHA1 OCSP Responder
0.."0...*.H.............0.........8..=...n.....T.p..{.. ..m.....F.t...
..4..._....fC..........f0..HTe....W..".q../.g6....E....{.....Z .....[.
I..S....O...eD".^_7~...ip...Q.-....<>n........V.I..O..t..v]f...^
.MN........?uVCj..b...\%i.W.s........V.......C.k.n...B.....B'..L......
.g.......[...K..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R
0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.sym
auth.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..
U....0...0.1.0...U....TGV-OFF-680...U...........8&.h....GE.....0...U.#
..0.....e......0..C9...3130...*.H..............b..N.).. ....HT..y.
<<< skipped >>>

GET /pc_game_my_new.php?lm=mgaz2&rnd=31338&referer_param=01 HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: client.9377.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 07 Feb 2018 16:50:02 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: SESSID=o6hm80h1fgkti1u4m62v414dg4; path=/; domain=9377.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: lm=mgaz2; expires=Wed, 07-Feb-2018 17:50:02 GMT; Max-Age=3600; path=/; domain=9377.com

Set-Cookie: referer_param=01; expires=Wed, 07-Feb-2018 17:50:02 GMT; Max-Age=3600; path=/; domain=9377.com

Set-Cookie: check_stack=1; expires=Wed, 07-Feb-2018 17:00:02 GMT; Max-Age=600

Set-Cookie: rnd=1; expires=Sun, 30-Dec-1979 00:00:00 GMT; Max-Age=-1202662202

Content-Encoding: gzip

X-Via: 9377 g6.wxg.6.s
537.............Vmo.G........g....%$...A....F..*k...79...{~."..(..E-iE
 *...ZPZ.RP..../|._....v..M.e...v.yfv....[\*.?:w..x.C...8s...i..t.dY..
E.....gP...r.}F9.|.Y...:.k.....l6..A3..V....X9a<XN.1K...^...a......
LnnnNY...;p....(.....6.z).9..t........s...._@v.G..B....:...S......:o~.
z....{.R...G......3......u..~.j3..ZD.!i.1..9wpv..vP...Uo[.].I...c3....
Lv6w......fG4.......S.....b.Yx.......... .ws.|%&Q...Q...4....YV....._w
.=.o....M.n...l..5-5e....zf...F.)...xN.h...cd5...f...,U.Z.r..........J
D..q..{.....%."._.S^q....n....T@SFz.X.!..u.}S&.h...cF"..I:c6.gd2..u4.!
..5...n..).......F../...{.~.........ng.v....,...G.J,..*^.&p..L.....~..
........\Z:...DI.......QL2&.<2...{(....4.&*(..5e.Q...)..p ...$P%..f
L.CC..N}u. ..C..:..D.^..%..._^.....)M.);V6....Z.#..Z.`a.......6K.dZ.M.
a8...L...:..bX&.Rp$..f.GA......T.34.......8....lD.l..jD....\...-#... T
.g..?}.r.TZ.x.......`.* l..v..<.Y.....!d...Lv........?..........w.^
...... .`.......*)<E()....~...$No.6;.<..........G..;............
s.i........6.u...z.i.3.a.e..a.eOh....d.......k....4<..}..g.=....5..
i,G!L.*.@.......X.9.Q...^.o>.|.}.........d*oA.....M.#K=.iz..Gz?T...
V.D (n`.L..|............q.Q.C.]....D.=*...(..2.A..z.4.$d..J....'"..AJ.
.....=!.` ]..qv.S.....(...@.'..j7O.........`.i-.u.s1LS..c..b=)......(.
...3...p..g..{Lb*..s\..H^E..(.U.QQA.....).J....[H..CY...<.a., .?Q@.
f.....p...p.......N../...7.$|.......0..
<<< skipped >>>

GET /ss.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcb.com

HTTP/1.1 200 OK

Server: Apache

ETag: "80e36900350bd994e5c339e891cb088e:1517994397"

Last-Modified: Wed, 07 Feb 2018 09:06:37 GMT

Date: Wed, 07 Feb 2018 16:50:01 GMT

Transfer-Encoding:  chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl
00006000..0..L.0..J....0...*.H........0~1.0...U....US1.0...U....Symant
ec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec Cla
ss 3 Secure Server CA - G4..180207090113Z..180214090113Z0..J.0!.......
."..Q.%..)~..170531142330Z0!....lv...>.?O...^...160622011159Z0!....
.6w...iP...s.M..160608011251Z0!....^?.P ...........170529192239Z0!....
r-...0u..B\.`...160602011343Z0!....E.u2..1....L....160315011119Z0!....
K.i3.......=.W..170714205514Z0!......6L.j*..I......170905135641Z0!....
. AS...9>...i...170818025944Z0!.....6.#.. .W..yK...171222010721Z0!.
....q...D.O.n.HB3..170513233625Z0!.....8.y....C..3.$..170516074639Z0!.
.....y.....a..C....160621011139Z0!....TC....z......-..170524071006Z0!.
........2..]...0A..170524162146Z0!.............[..{...170829010849Z0!.
...eL.Y icf}.:..N..140508200907Z0!.......BRyb. si..!..170211011123Z0!.
......>..z(L..0i...150517010832Z0!......qBv,....XF....170315011039Z
0!...........b.;......170620030940Z0!....Z. ...!.8.`.....170405152414Z
0!....m..D...j .......170303024631Z0!.............j f....160613011111Z
0!.....Qi......Ql.ry..170921175321Z0!.....d........../...170706110106Z
0!....#...1.@..o.&8f..170217011223Z0!....o...D..W........170419223245Z
0!.....^k.u..}d.7..u..170831192306Z0!.....7.....S.%..k...171109083805Z
0!..........E.....5A..170822010919Z0!....,...$`./.}.."...170522010929Z
0!.....8.@.N..w.n.aw..160122052207Z0!..."^o..p....)).....171011164650Z
0!...".FQe.P....Q<....170509115953Z0!...#D..!jhMz........1609060458
41Z0!...#]........x.zW-..160329114327Z0!...%.vu..;..r*y..E..150802
<<< skipped >>>

POST /api/client_data_receive.php?Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.8&IP=192.168.11.134&MAC=00-50-56-3C-AC-71&Installtime=2018/2/7/18:49:52&ExeName=C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\9377mycs_Y_mgaz2_01.exe HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.9377.com

Content-Length: 209

Connection: Keep-Alive

Cache-Control: no-cache

Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.8&IP=192.168.11.134&MAC=00-50-56-3C-AC-71&Installtime=2018/2/7/18:49:52&ExeName=C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\9377mycs_Y_mgaz2_01.exe
HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:49:57 GMT

Server: nginx

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

X-Via: 1.1 huangxian181:0 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1nm191:9 (Cdn Cache Server V2.0)

Connection: keep-alive
0..HTTP/1.1 200 OK..Date: Wed, 07 Feb 2018 16:49:57 GMT..Server: nginx
..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..
X-Via: 1.1 huangxian181:0 (Cdn Cache Server V2.0), 1.1 PShlamstdAMS1nm
191:9 (Cdn Cache Server V2.0)..Connection: keep-alive..0..

GET /BaiduPlayerContent/BaiduPlayerNetSetup_472.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.p2sp.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 07 Feb 2018 16:49:44 GMT

Content-Type: text/html

Content-Length: 162

Connection: close
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>....

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "b6af5fbdfe043a9ffd24bea600e1cbc7:1513323624"

Last-Modified: Fri, 15 Dec 2017 07:40:24 GMT

Date: Wed, 07 Feb 2018 16:49:43 GMT

Content-Length: 1073

Connection: keep-alive

Content-Type: application/pkix-crl
0..-0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..171205000000Z..180
331235959Z0...0!...v....a_>..2......020924164823Z0!...?.$..Y.....=p
.8..170622164647Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<.
..j ...080605174907Z0!.....FMv......"%Zz..170622164744Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!...Tb...CZ...
Xp.....170622164545Z0!............R.e.53..010207212458Z0!..!......Y...
ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y
..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c..
..........070411175910Z0!..D..Da..B..(..Zt...170622164156Z0!..H.Py...N
....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w
`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H...............J....L.:.-}......kSN
....L....Z.o.C.4.S.,.......eQ..W....;....ZeRK.{b;C..Xeu?i,./ ..5...&..
.a1..64R...3....... S.8..c...j..6..HTTP/1.1 200 OK..Server: Apache..ET
ag: "b6af5fbdfe043a9ffd24bea600e1cbc7:1513323624"..Last-Modified: Fri,
 15 Dec 2017 07:40:24 GMT..Date: Wed, 07 Feb 2018 16:49:43 GMT..Conten
t-Length: 1073..Connection: keep-alive..Content-Type: application/pkix
-crl..0..-0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1
705..U....Class 3 Public Primary Certification Authority..171205000000
Z..180331235959Z0...0!...v....a_>..2......020924164823Z0!...?.$
<<< skipped >>>

GET /go/full/1/71115 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: w.x.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Content-Type: text/html; charset=utf-8

Date: Wed, 07 Feb 2018 16:49:41 GMT

Location: .exe

Server: nginx/1.4.3

X-Powered-By: PHP/5.3.2

Content-Length: 0
....


GET /go/full/1/.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: w.x.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Date: Wed, 07 Feb 2018 16:49:41 GMT

Server: nginx/1.4.3

X-Powered-By: PHP/5.3.2

Content-Length: 6
url=""HTTP/1.1 200 OK..Content-Type: text/html; charset=utf-8..Date: W
ed, 07 Feb 2018 16:49:41 GMT..Server: nginx/1.4.3..X-Powered-By: PHP/5
.3.2..Content-Length: 6..url=""..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEG6PrCxmmU8tZDNcJoriZ80= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1609

content-transfer-encoding: binary

Cache-Control: max-age=388336, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Feb 2018 04:41:56 GMT

Expires: Mon, 12 Feb 2018 04:41:56 GMT

Date: Wed, 07 Feb 2018 16:50:01 GMT

Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0.......^ZK."......~....mM...2018
0205044156Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
....n..,f.O-d3\&..g.....20180205044156Z....20180212044156Z0...*.H.....
.........#.Ss.....$..../2.Y..?...e....4...:.....E.....hq@]....2.s.....
.....pv"..U.....<.&.....x"...... Z.Y.....*.k.T;.:..u....=>.. H..
,.,.......!..........)....>.'E.qk=.......k0.....-..W.Jk.u..t.[.....
...p..i.t...Q..,.s.......z ..`.K..r.3...W........UR....L.(...R....n0..
j0..f0..N.......'."1>:....w.hd6.0...*.H........0~1.0...U....US1.0..
.U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&
Symantec Class 3 Secure Server CA - G40...171230000000Z..180330235959Z
0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Respond
er0.."0...*.H.............0.........g.pFi-/ .c.!1...nUg........#.4._._
.[.......M.m...Z.p..b...E...."o.....kEf6.}...1..i-..'.v"L..?...exu...c
Yu...<..9....MV@. -......<.B*.$:..........@,...1.*..J....B,...&.
-V....B....#...H..^xEEG...`.......u.....<o.jvg.V%........,:....jd$c
.x8m..!B...X).k.#.'..........0...0... .....0......0"..U....0...0.1.0..
.U....TGV-E-44580...U.#..0..._`.a.U..C..`*..z.C..0...U.......^ZK."....
..~....mM.0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........http
://VVV.symauth.com/cps0*.. .......0...  hXXp://VVV.symauth.com/rpa0...
U.%..0... .......0...U...........0...*.H.............c....W........w..
i.......L.G.No.......;....9.H.B9.z.q....Qd..!..yu.6..dU.}.D..."Wh..3..
.;....{..g^p.....f<Gc.....m.t...4~v.....n......e.W.-....@N;...\
<<< skipped >>>

GET /mmliao/MM-liao8398.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: show.man1234.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 07 Feb 2018 16:48:59 GMT

Server: Apache

Set-Cookie: vsid=931vr2655677391831808; expires=Mon, 06-Feb-2023 16:48:59 GMT; Max-Age=157680000; path=/; domain=show.man1234.com; HttpOnly

Content-Length: 272

Keep-Alive: timeout=5, max=128

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
<html>..<head>..<meta name="robots" content="noarchive"
 />..<meta name="googlebot" content="nosnippet" />..</head
>..<body>..<div align=center>..<h3>Error. Page ca
nnot be displayed. Please contact your service provider for more detai
ls.  (31)</h3>..</div>..</body>..</html>HTTP/1
.1 200 OK..Date: Wed, 07 Feb 2018 16:48:59 GMT..Server: Apache..Set-Co
okie: vsid=931vr2655677391831808; expires=Mon, 06-Feb-2023 16:48:59 GM
T; Max-Age=157680000; path=/; domain=show.man1234.com; HttpOnly..Conte
nt-Length: 272..Keep-Alive: timeout=5, max=128..Connection: Keep-Alive
..Content-Type: text/html; charset=UTF-8..<html>..<head>..
<meta name="robots" content="noarchive" />..<meta name="googl
ebot" content="nosnippet" />..</head>..<body>..<div 
align=center>..<h3>Error. Page cannot be displayed. Please co
ntact your service provider for more details.  (31)</h3>..</d
iv>..</body>..</html>..

GET /ZDNmMTg2MDYyOTZiNDQ5N2MzMzVlNWJlY2Q0YzI0OTQuZXhl/40.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.61jingling.com

Connection: Keep-Alive

HTTP/1.1 500 Internal Server Error

Server: Microsoft-IIS/6.0

Content-Length: 21

Content-Type: text/html
Internal Server ErrorHTTP/1.1 500 Internal Server Error..Server: Micro
soft-IIS/6.0..Content-Length: 21..Content-Type: text/html..Internal Se
rver Error..

GET /d/ins1256858.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: g.quwen320.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Rising Cloud Server

Date: Wed, 07 Feb 2018 16:45:35 GMT

Content-Type: application/octet-stream

Content-Length: 4561520

Last-Modified: Fri, 07 Aug 2015 07:42:49 GMT

Connection: keep-alive

Expires: Wed, 07 Feb 2018 17:45:35 GMT

Cache-Control: max-age=3600

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......zf@.>...&
gt;...>.....!.#.....q.?.....s.1...>./.......N.n.....q.......p.?.
....t.?...Rich>...........................PE..L...T..S.............
........0............... ....@..........................P........E....
..................................K..p.... ... ...........{E..........
.......................................H..............................
.............UPX0....................................UPX1.............
t..................@....rsrc....0... .......x..............@..........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................3.07.UPX!......;KV..wR....p....M.&....^;...(.\M.
U..A.K.;Uw$8S..(.O..tDlG(.a.R..-@.`...i...(...`..3.............:...G..
....C.(....w.Q.........[...p.9..k...A.Z..D%.a...i..2A .O`/............
 Mm.r[nO..z..%...oj..HnI....2:iL.S6..Mo..%lG.....s{A.<.3..g..XTy^.n
H........=L.&.5Z$j..M..l.~= .c9p..~..^...z3..,c...u.$.;D...bI\Qh..8`.Z
3..D..I...}..a..;\x...O...........e.t..U..Z.5..PM.C*.c{........F.a;@$q
.j....4...v....W).O<v.......o..e..=Z.?M.....I..3...$ ...&.`f.m...'.
.,..Jj.p#...uQ...Y..1U....]!.[;@.LW...9.y.._...\......]..XF.Uu.m..
<<< skipped >>>

GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=37cs_wd&ext_3=916631&ext_4=E000A7BC1E6E4D4FA995541680A7EB78&ext_5=2d80e67f845e4d321e380bdc9a3520fb&ext_6=2&browser_type=3000 HTTP/1.1

User-Agent: HTTPDownloader

Host: a.clickdata.37wan.com

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 07 Feb 2018 16:49:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: PHPSESSID=4nukkpv2p0me2d36emc973r9s4; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache
1..1..0..

GET /iplookup/iplookup.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: int.dpool.sina.com.cn

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Sina

Date: Wed, 07 Feb 2018 16:48:37 GMT

Content-Type: text/html; charset=gbk

Content-Length: 20

Connection: close

DPOOL_HEADER: intdpool-yf-3858553005-9v8ff

Set-Cookie: NEVIS-INTDPOOL=cdfec46c68ca7362cee6829ec98c7e3a;Path=/

DPOOL_LB7_HEADER: skuld142
1.-1.-1...............

GET /pca3-g5.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s1.symcb.com

HTTP/1.1 200 OK

Server: Apache

ETag: "66f904be4255afc122abb218f59fea62:1513897820"

Last-Modified: Thu, 21 Dec 2017 23:10:20 GMT

Date: Wed, 07 Feb 2018 16:50:02 GMT

Content-Length: 712

Connection: keep-alive

Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...
U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For au
thorized use only1E0C..U...<VeriSign Class 3 Public Primary Certifi
cation Authority - G5..171219000000Z..180331235959Z0..0!..$..t9v.z....
[.?\..171114172944Z0!..Qc...-..yq.v=uR...170810214141Z0!..^j7...Tw.&.t
.OQ...170720172916Z0!..n.N/.v...J..%R.t..160630163929Z0!..zo.M.5...!8$
......171114172536Z0...*.H.............0..\..Y.X...^..&|.V.*.azs^1....
.o.*'i...4S.V.X~.t/Cx.W.n0m.)%..<%....m..v...i...O...SJ...F...0..#Y
Y.....W.:...5.Nj.D..II..V.......tfKD...o..k.m..1..v....V.X9n.=.>%..
&!.}..X.p._.!|..N....x.....Yq../H...d....%...F.....A*.H.....%._.`.g...
R]../....T...w5......HTTP/1.1 200 OK..Server: Apache..ETag: "66f904be4
255afc122abb218f59fea62:1513897820"..Last-Modified: Thu, 21 Dec 2017 2
3:10:20 GMT..Date: Wed, 07 Feb 2018 16:50:02 GMT..Content-Length: 712.
.Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized 
use only1E0C..U...<VeriSign Class 3 Public Primary Certification Au
thority - G5..171219000000Z..180331235959Z0..0!..$..t9v.z....[.?\..171
114172944Z0!..Qc...-..yq.v=uR...170810214141Z0!..^j7...Tw.&.t.OQ...170
720172916Z0!..n.N/.v...J..%R.t..160630163929Z0!..zo.M.5...!8$......171
114172536Z0...*.H.............0..\..Y.X...^..&|.V.*.azs^1.....o.*'i...
4S.V.X~.t/Cx.W.n0m.)%..<%....m..v...i...O...SJ...F...0..#YY....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

hu2.iu

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

sers\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Inetc.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Inetc.dll

zMzVlNWJlY2Q0YzI0OTQuZXhl/40.html

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp

k1.ico

NWJlY2Q0YzI0OTQuZXhl/40.html

@.reloc

MSVCR80.dll

_crt_debugger_hook

Base64.dll

<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

u.Wj@

MSVCRT.dll

HttpSendRequestA

HttpSendRequestExA

HttpQueryInfoA

FtpCreateDirectoryA

FtpOpenFileA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpEndRequestA

InternetCrackUrlA

WININET.dll

inetc.dll

Open URL Error

URL Parts Error

FtpCreateDir failed (550)

Error FTP path (550)

Downloading %s

%dkB (%d%%) of %dkB @ %d.
dkB/s

(%d %s%s remaining)

REST %d

SIZE %s

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Proxy-authorization: basic %s

%s:%s

FtpCommandA

wininet.dll

%u MB

%u kB

%u bytes

%d:d:d

%s - %s

(Err=%d)

NSIS_Inetc (Mozilla)

/password

Uploading %s

.reloc

KERNEL32.DLL

NTDLL.DLL

nsProcess.dll

EnumWindows

ExecCmd.dll

Kernel32.DLL

GetProcessHeap

comdlg32.dll

nsDialogs.dll

All Files|*.*

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\1.rar

%original file name%.exe

D3F186~1.EXE

nt_lianmeng7-09/letvsetup.exe

ata\Local\Temp\nsq5AFD.tmp\nsl5F13.tmp

sers\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\1.rar

sers\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp

1.rar

ray.exe

d.exe

hXXp://VVV.61jingling.com

PTF://xn--sesz3ik91bknc.xn--fiqs8s:27/k1.ico

Local\Temp\nsq5AFD.tmp\nsl5F13.tmp

p://int.dpool.sina.com.cn/iplookup/iplookup.php

hXXp://leju.down.letv.com/pcweb/version/7.1.2.327/client_lianmeng7-09/letvsetup.exe

letvsetup.exe

.1644.29_4443_(Build14102814)_downloader.exe

c:\%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsq5AEC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

T=G%d

Hw%f_@

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2331\uninst.lnk

%original file name%.exe_2740_rwx_10004000_00001000:

callback%d

ntvdm.exe_3528:

.text

`.data

.rsrc

@.reloc

KERNEL32.dll

NTDLL.DLL

ADVAPI32.dll

GDI32.dll

USER32.dll

sfc.dll

sfc_os.DLL

SHELL32.dll

SoftPC

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

Invalid parameter passed to C runtime function.

GetProcessWindowStation

USER32.DLL

d:\w7rtm\base\mvdm\softpc.new\base\video\video.c

BIOS keyboard buffer overflow

hardware keyboard buffer overflow

%s Mouse %d.01 already installed

%s Mouse %d.01 installed

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_timer.c

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_eoi.c

C:\IBMBIO.SYS

C:\IO.SYS

C:\IBMDOS.SYS

C:\MSDOS.SYS

\ntio404.sys

\ntio411.sys

\ntio412.sys

\ntio804.sys

\ntio.sys

%s %lxh

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_com.c

d:\w7rtm\base\mvdm\softpc.new\host\src\config.c

Software\Microsoft\Windows NT\CurrentVersion\WOW\Console

\\.\$VDMLPT2

\\.\$VDMLPT3

\\.\$VDMLPT1

FONT.NT

\ega.cpi

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_fulsc.c

Drive %c:

Incompatible DOS diskette, C H R N = %d %d %d %d

\\.\A:

\\.\?:

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_event.c

cmd.exe

WINDOWS VMM 4.0

WINDOWS NT 3.1

WINDOWS 386 3.0

WINDOWS 286 3.0

\_default.pif

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_det.c

VrRemoveOpenNamedPipeInfo

VrConvertLocalNtPipeName

VrAddOpenNamedPipeInfo

VrIsNamedPipeHandle

VrIsNamedPipeName

VrWriteNamedPipe

VrReadNamedPipe

midiOutShortMsg

midiOutLongMsg

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_hosts.c

NtDeviceIoControlFile failed %x

d:\w7rtm\base\mvdm\softpc.new\host\src\nt_sec.c

SoftPc: NtDeCommitVirtualMemory failed !!!! Status = %lx

NTVDMD.DLL

Check Keyboard Status

\ntdos404.sys

\ntdos411.sys

\ntdos412.sys

\ntdos804.sys

\ntdos.sys

demDosDispCall %s

config.nt

PIPE

%c:%sNUL

Software\Microsoft\Windows\CurrentVersion\Setup

Unimplemented SVC %d

Software\Microsoft\Windows NT\CurrentVersion\WOW

tmp dir is <%s>

env var is <%s>

InitFileRedirect:%s ;

RedirectShortFileName: to:<%s>

RedirectShortFileName: from <%s>

RedirectShortEnvVar: to <%s>

RedirectShortEnvVar: <%s>

RedirectLongFileName: to <%s>

RedirectLongFileName: <%s>

%SystemRoot%

%SystemDrive%\Temp

%SystemRoot%\Temp

%s=%s%s /p %s\system32

%s=%3.3u,%3.3u,%s\system32\%s.sys%s

Error Code 0x%x

Software\Microsoft\Windows NT\CurrentVersion\WOW\CmdLine

krnl386.exe

%s - %s

COMMAND.COM

KEYB

\KEYBOARD.SYS

\KEYJ31.SYS

\KEY02.SYS

\KEY01.SYS

\KEYAX.SYS

%s,%d,%s

\KB16.COM

DosKeybIDs

System\CurrentControlSet\Control\Keyboard Layout\

DosKeybCodes

00000409

Software\Microsoft\Windows NT\CurrentVersion\WOW\Compatibility

ntvdm.exe

d:\w7rtm\base\mvdm\dpmi32\buffer.c

Broken pipe

Inappropriate I/O control operation

Operation not permitted

ega.rom

vga.rom

v7vga.rom

bios4.rom

bios1.rom

profile.spc

.spcprofile

d:\w7rtm\base\mvdm\softpc.new\host\src\x86_emm.c

CS:x IP:x OP:x x x x x

ntvdm.pdb

YtYHt.Hut

t.VVVV

t.IIt

SSSSh

~,WSSh

QSSSSh

PSSSSh

SSSSSh

j.Yf;

9t.Ht

s'f;O%s!

V<%ue

tK<%uAj

Ht.HuL

t4HtPHt.Ht

Ht.Ht

|.WSV

GetCPInfo

GetConsoleOutputCP

NtEnumerateValueKey

NtOpenKey

ntdll.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExA

GetSystemWindowsDirectoryA

GetWindowsDirectoryA

SetConsoleOutputCP

SetConsoleKeyShortcuts

VDMConsoleOperation

GetConsoleKeyboardLayoutNameA

EnumWindows

GetKeyState

VkKeyScanW

MapVirtualKeyA

GetKeyboardType

GetProcessHeap

SoftPcEoi

cmdCheckTemp

cmdCheckTempInit

demIsShortPathName

'?--?1-?6-?:-??-??-:?-6?-1?--?1-?6-?:-??-:?-6?-1?--?--?1-?6-?:-??-:?-6?-1?

$$$(((---222888???

!"#$%&'( 

SoftPC-AT Version 3

89:;<=>?

autoexec.nt

00030<0?0

30333<3?3

<0<3<<<?<

?0?3?<???

!"#$%&'()

Software\Microsoft\Windows NT\CurrentVersion\Terminal Server

\System32\command.com

zcÁ

C:\Windows\system32\ntvdm.exe

\\.\B:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

C:\Windows

6$6(6,606

< <*<`<~<

4L4K4Q4o4

7-8}8

;<<@<\<`<

2 2$2(2,2024282

KERNEL32.DLL

KERNELBASE.DLL

kernel32.dll

kernelbase.dll

Microsoft.Windows.NTVDM

tWOW32.DLL

VDMREDIR.DLL

WINMM.DLL

NTVDM.EXE

6.1.7600.16385 (win7_rtm.090713-1255)

Windows

Operating System

6.1.7600.16385

5The NTVDM CPU has encountered an illegal instruction."Internal error in NTVDM procedure.#NTVDM does not support a ROM BASIC.BFailure to allocate the requested number of Expanded Memory pages.*A continuous RESET state has been entered.

LAn installation file required by NTVDM is missing, execution must terminate.

Insufficient memory resources.=The NTVDM CPU has encountered an unsupported 386 instruction.TThe EMM command line in your config.nt contains invalid parameters or syntax errors.5The NTVDM CPU has encountered an unhandled exception.t

MS-DOS program files must end with the extension .EXE, .COM, or .BAT.

vAn application has attempted to %s, which cannot be supported. This may cause the application to function incorrectly./directly access an incompatible diskette format

16 bit Windows Subsystem

VThe system file is not suitable for running MS-DOS and Microsoft Windows applications."Memory error during intialization.

A temporary file needed for initialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available.-This system does not support fullscreen mode.?Insufficient memory to load installable Virtual Device Drivers.8Virtual Device Driver format in the registry is invalid.?An installable Virtual Device Driver failed Dll initialization.

Unable to lock for exclusive access. Another application may be using the drive. When the other application has finished using the drive you may retry the operation.

Drive %c: ZThe Application attempted to enable DOS graphics mode. DOS graphics mode is not supported.

Function failed$NTVDM has encountered a System Error*Driver does not support selected Baud Rate<The system cannot open %s port requested by the application.

ntvdm.exe_3528_rwx_00000000_00010000:

C:\USERS\ADM\APPDATA\LOCAL\TEMP\NSQ5AFD.TMP\MM-LIA~1.EXE

MM-LIA~1EXE

."/\[]:|<> =;,

c:\wina20.386

%WinDir%\SYSTEM32\COUNTRY.SYS

89:;<=>?

1234567890-=

!@#$%^&*()_ 

789-456 1230.

!"#$%&,-./012

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp

t.exe

%WinDir%\SYSTEM32\COMMAND.COM

%File allocation table bad, drive %1

Invalid COMMAND.COM

!Press any key to continue . . .

Cannot execute %1

Error in EXE file

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp

arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

OS=Windows_NT

PATH=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WINDOW~1\v1.0\;c:\PROGRA~1\WIRESH~1

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

PSMODULEPATH=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

SYSTEMROOT=C:\Windows

WINDOWS_TRACING_FLAGS=3

WINDOWS_TRACING_LOGFILE=C:\BVTBin\Tests\installpackage\csilogfile.log

3COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

\COMMAND.COM

COMSPEC=\COMMAND.COM

BMicrosoft(R) Windows DOS

FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]

H [drive:]path Specifies the directory containing COMMAND.COM file.

N /MSG Specifies that all error messages be stored in memory. You

%Intermediate file error during pipe

Switches may be preset in the DIRCMD environment variable. Override

>Quits the COMMAND.COM program (command interpreter).

]Displays or sets a search path for executable files.

$B | (pipe)

%Displays the MS-DOS version.

LRecords comments (remarks) in a batch file or CONFIG.SYS.

key to continue...."

PATH=PROMPT=COMSPEC=DIRCMD=

.COM.EXE.BAT?VBAPWRHSvDANEDSG

%WinDir%\SYSTEM32

[]|<> =;"

ntvdm.exe_3528_rwx_00010000_00090000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp

89:;<=>?

D%WinDir%\SYSTEM32\HIMEM.SYS

Q001,437,%WinDir%\SYSTEM32\COUNTRY.SYS

S%WinDir%\SYSTEM32\COMMAND.COM

/P %WinDir%\SYSTEM32

/P %WinDir%\SYSTEM32

%WinDir%\SYSTEM32\COUNTRY.SYS

[]|<> =;"

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB50D.tmp

%WinDir%\SYSTEM32\COMMAND.COM

NTCMDPROMPTT

Unrecognized command in CONFIG.SYS

Insufficient memory for COUNTRY.SYS file

Incorrect order in CONFIG.SYS line $Error in CONFIG.SYS line $WARNING! Logical drives past Z: exist and will be ignored

1234567890-=

!@#$%^&*()_ 

789-456 1230.

!"#$%&,-./012

00030<0?0

30333<3?3

<0<3<<<?<

?0?3?<???

Windows NT MS-DOS subsystem Mouse Driver

/)()(00)(

/@%}-{.Nb#b

t.exe

!Press any key to continue . . .

%Intermediate file error during pipe

Switches may be preset in the DIRCMD environment variable. Override

>Quits the COMMAND.COM program (command interpreter).

]Displays or sets a search path for executable files.

$B | (pipe)

%Displays the MS-DOS version.

LRecords comments (remarks) in a batch file or CONFIG.SYS.

key to continue...."

PATH=PROMPT=COMSPEC=DIRCMD=

.COM.EXE.BAT?VBAPWRHSvDANEDSG

%WinDir%\SYSTEM32\DOSX

NT.EXE

C:\USERS\ADM\APPDATA\LOCAL\TEMP\NSQ5AFD.TMP\MM-LIA~1.EXE

nt.exe

DOSX.EXE

ntvdm.exe_3528_rwx_000A0000_0002B000:

66666666

6666666

6666666666666666

6666666676666666

6666667076666666

66666666666

66666707666

66666666666666666666

66666666666707666666

6666666666666

89:;<=>?

'/7?-16:?

V M ware, Inc. VBE support 2.0

$o.o.oJo.o8o

ntvdm.exe_3528_rwx_000CB000_00011000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

OS=Windows_NT

PATH=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WINDOW~1\v1.0\;c:\PROGRA~1\WIRESH~1

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

PSMODULEPATH=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

SYSTEMROOT=C:\Windows

WINDOWS_TRACING_FLAGS=3

WINDOWS_TRACING_LOGFILE=C:\BVTBin\Tests\installpackage\csilogfile.log

C:\Windows\system32\DOSX.EXE

C:\Windows\system32\mscdexnt.exe

C:\Windows\system32\redir

nt.exe

C:\LANMAN.DOS

C:\Windows\system32\dosx

C:\Windows\SYSTEM.INI

STEM.INI

SYSTEM.INI

ntvdm.exe_3528_rwx_000DC000_0000C000:

06/02/2011

000000000000

Keyboard

[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]

ntvdm.exe_3528_rwx_000E8000_00008000:

00030<0?0

30333<3?3

<0<3<<<?<

?0?3?<???

Windows NT MS-DOS subsystem Mouse Driver

ntvdm.exe_3528_rwx_000F0000_00010000:

:[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]

<%X8X

Operating System not found

Operating System not found, retrying boot now...

Operating System not found, retrying boot in

Windows XP Mode active

06/02/11

08:28:06

00/00/00

00:00:00

/8.BCPNV

1234567890-=

ntvdm.exe_3528_rwx_00100000_00010000:

C:\USERS\ADM\APPDATA\LOCAL\TEMP\NSQ5AFD.TMP\MM-LIA~1.EXE

MM-LIA~1EXE

."/\[]:|<> =;,

c:\wina20.386

%WinDir%\SYSTEM32\COUNTRY.SYS

89:;<=>?

1234567890-=

!@#$%^&*()_ 

789-456 1230.

!"#$%&,-./012

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp

t.exe

%WinDir%\SYSTEM32\COMMAND.COM

%File allocation table bad, drive %1

Invalid COMMAND.COM

!Press any key to continue . . .

Cannot execute %1

Error in EXE file

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp

arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

OS=Windows_NT

PATH=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WINDOW~1\v1.0\;c:\PROGRA~1\WIRESH~1

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

PSMODULEPATH=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

SYSTEMROOT=C:\Windows

WINDOWS_TRACING_FLAGS=3

WINDOWS_TRACING_LOGFILE=C:\BVTBin\Tests\installpackage\csilogfile.log

3COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM

\COMMAND.COM

COMSPEC=\COMMAND.COM

BMicrosoft(R) Windows DOS

FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]

H [drive:]path Specifies the directory containing COMMAND.COM file.

N /MSG Specifies that all error messages be stored in memory. You

%Intermediate file error during pipe

Switches may be preset in the DIRCMD environment variable. Override

>Quits the COMMAND.COM program (command interpreter).

]Displays or sets a search path for executable files.

$B | (pipe)

%Displays the MS-DOS version.

LRecords comments (remarks) in a batch file or CONFIG.SYS.

key to continue...."

PATH=PROMPT=COMSPEC=DIRCMD=

.COM.EXE.BAT?VBAPWRHSvDANEDSG

%WinDir%\SYSTEM32

[]|<> =;"

conhost.exe_3512:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

iexplore.exe_3152:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_3196:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

svchost.exe_3704:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

<description>Host Process for Windows Services</description>

<requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

MYLogger.exe_2496:

.text

`.rdata

@.data

.rsrc

>.uBV

It.It It!It

vSSSh

FTPjK

FtPj;

C.PjRV

FRegDeleteKeyExW

kernel32.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

operator

GetProcessWindowStation

USER32.DLL

portuguese-brazilian

2\Release\Logger.pdb

GetProcessHeap

KERNEL32.dll

EnumChildWindows

CreateDialogIndirectParamW

USER32.dll

SetViewportOrgEx

GDI32.dll

RegDeleteKeyW

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

COMCTL32.dll

MSIMG32.dll

FindCloseUrlCache

DeleteUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

HttpQueryInfoW

HttpSendRequestW

HttpAddRequestHeadersW

HttpOpenRequestW

InternetCrackUrlW

WININET.dll

GdiplusShutdown

gdiplus.dll

SensApi.dll

VERSION.dll

WINTRUST.dll

CryptMsgClose

CertCloseStore

CertFreeCertificateContext

CertGetNameStringW

CertFindCertificateInStore

CryptMsgGetParam

CRYPT32.dll

IPHLPAPI.DLL

GetCPInfo

GetConsoleOutputCP

.?AVMyWebEvent@@

.?AV?$IDispEventSimpleImpl@$00VMyWebEvent@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$CComObject@VMyWebBrowser@@@ATL@@

.?AVMyWebBrowser@@

.?AV?$WebBrowserWnd@VMyWebEvent@@@@

.?AV?$CWindowImpl@V?$WebBrowserWnd@VMyWebEvent@@@@V?$CAxWindowT@VCWindow@ATL@@@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@

.?AV?$bind_t@XV?$mf1@XVScriptPopup@@PAVHttpTask@@@_mfi@boost@@V?$list2@V?$value@PAVScriptPopup@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AV?$bind_t@XV?$mf1@XVPopupWinManager@@PAVHttpTask@@@_mfi@boost@@V?$list2@V?$value@PAVPopupWinManager@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AVHttpTask@@

.?AVHttpTaskImpl@@

zcÁ

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

ShockwaveFlash.ShockwaveFlash

WAdvapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

@LoginForm

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

web_browser

%s|%s|%s

passport=

clientCallJs(%d, %d, %d, %d)

MSScriptControl.ScriptControl

%s|%s|%s|%s

%X,%s

DSoftware\Microsoft\Windows\CurrentVersion\Run

%d.%d.%d.%d

D.ini

"%s" "%d"

desktop.ini

HttpClient

mscoree.dll

KERNEL32.DLL

%Program Files%\9377

\MYLogger.exe

1, 0, 0, 4

Copyright (c) 2013 9377.com

MYLogger.exe

ins1256858.exe_2516:

`.rsrc

\rsdebug.ini

c:\%s

dbghelp.dll

kernel32.dll

d-d-d(d-d-d)

Kernel32.dll

\rsmain.exe

[d-d-d][d:d:d:d]

%s\%s

%s\*.*

C:\Temp

SOFTWARE\Rising\%s

2.log

[u]

[0xX]

RAV.INI

\Rs7zSfx.log

\setup.dll

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

%s\CompsVer.inf

Setup.exe

%s\auto.ini

%s Start

%s End

{E5C53971-D80E-4500-BE0D-761BF3CD8457}

Unsupported Method

Password is not defined

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb

COMCTL32.dll

GDI32.dll

kZ~a%s

j$5%c

fK&%DL

.qv=:

5vFkey

cq.in

\.cuJ

Uc.sg

 .uI>eA

.hA0H

8.avs

NTPg%cw

.6d.vjZ0Q

D%XO9

T<?P%s;

w=i%S

SeXEM

Q$.kO9

58I.SY

Ej%U 

;q-7.mZ

|.Tkz;

%Dkdo 

p.LP'

).XMe

.HX`j

q&"%C

d.ch,r

{UDP}*

.fuF;{

;v_C%S

%U.S5

}.kXx

y.smi2`

.X.oDRH/^

Oi.Zc309

a.VW7}[

o.Mb~g

w.vxW

-T}z-

dC%s^

T6X%U

3%ur M

.xyHP

`DVÃ=

]s.ot

0=R6.da

\%c[,-0yd

Jt.bL

.aqQO

.jWew

C[.rg

.Sq8r/

)%S> 

zeò

.KP]1

@q.Mp1

i~.bb

X`u%D

%uCs]

[u.wkf

*ðUPN0

b.nmzK1

P!.WPF $!p

.IZNw

xJ'ut.cq

Fu%.U

.bOkCx

_!D.XJ

-p}C%M

.Nnai

(.Unh

y.GO.

A.uu0j

.qvqD

~f.dz

.Yf`> 

G%.Zm=

.ZmbT

GFu.nn

CmDtf

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://sf.symcb.com/sf.crl0f

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sf.symcd.com0&

hXXp://sf.symcb.com/sf.crt0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

.aZAy

knQ%D

.Dk$I

$F.Mt

(t.ZWO

.pW,Rl@c

*.*{8

%u(I|

Yg{.SGHl

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\ins1256858.exe

.text

`.rdata

@.data

.rsrc

@.reloc

QSVSSSh

>%uPV

|$D.tD

.tgPV

FTPjK

FtPj;

C.PjRVj

u.VV3

|$$vL9|$ u%Sh

\\.\PhysicalDrive%d

\\.\Scsi%d:

Iphlpapi.dll

XXXXXXXXXXX

{X-X-X-XX-XXXXXX}

Advapi32.dll

Explorer.exe

NtDll.dll

%d %d %d %d

Failed to call WTSQueryUserToken, err= 0x%x

wtsapi32.DLL

Could not open pipe

SetNamedPipeHandleState failed

\\.\pipe\RISING_RSD_BU

%*.*f

/RUNAS %s

Failed to load psapi.dll.

Psapi.dll

Setup.exe End with ErrorCode: 0xX

hXXp://center.rising.com.cn/LogCenter.asp?info=%s

Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s

Password

Port

\NetConfig.ini

%s\Data\%s\%s.ini

setup.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

%s(%s)

ReportView

KERNEL32.DLL

SetWillReboot(%d)

Failed to call QueryServiceStatus(RSD)! Err Code: %d

Failed to call OpenService(RSD)! Err Code: %d

Failed to call OpenSCManager! Err Code: %d

\RsTest.ini

ÞSKTOP%

\label.dat

\Backup.ini

\Export.ini

\XMLS\RSSetup.xml

\Setup.exe

\*.exe

\XMLS\Setup.xml

\os.xml

Label.dat

/PASS=

/PRODUCT=%s

/LANG=%d

HKEY_LOCAL_MACHINE\SoftWare\Rising\%s

ITEM%d

UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

GetSecurityDescriptorDacl() failed. Error %d

InitializeSecurityDescriptor() failed.Error %d

GetFileSecurity() failed. Error %d

InitializeSid() failed. Error %d

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

<!--%s-->

WinSessionThread GetPidByName dwPID = %d , name=%s!

WTSQueryUserToken Failed! Err Code: %d

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

CreateProcess2 Return: %d

LoadLibrary Failed! Err Code: %d

CreateEnvironmentBlock Failed! Err Code: %d

DuplicateTokenEx Failed! Err Code: %d

CreateProcessWithTokenW Failed! Err Code: %d

Userenv.DLL

GetFileAttributes %s return: %d

Delete File %s fail, Err: %d

Wow64DisableWow64FsRedirection Return: %d

Wow64RevertWow64FsRedirection Return: %d

RsInstallService(%s) Return: %d

ChangeServiceConfig Failed! Err Code: %d

CreateService Failed! Err Code: %d

OpenSCManager Failed! Err Code: %d

RsInstallService(%s)

RsUninstallService(%s) Return: %d

DeleteService Failed! Err Code: %d

OpenService Failed And Service Already Exist! Err Code: %d

RsUninstallService(%s)

OpenService Failed! Err Code: %d

LoadLibrary(Advapi32.dll) Failed!

RsSetServiceFailureAction(%s) Return: %d

GetProcAddress(%s) Failed!

ChangeServiceConfig2 Failed! Err Code: %d

RsSetServiceFailureAction(%s)

QueryServiceStatus Failed! Err Code: %d

StartService Failed! Err Code: %d

RsStartService(%s)

Wait for Service %s Time Out!

QueryServiceStatus(%s) Failed! Err Code: %d

ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d

HeapAlloc Failed! Err Code: %d

EnumDependentServices Failed! Err Code: %d

Stop Service %s Dependencies...

%s's Stop is Pending...

Service %s is Stopped...

OpenService(%s) Failed! Err Code: %d

RsStopService(%s)

Rs%sInstallCom(%s) Return: %d

LoadLibrary(%s) Failed!

%s Failed! ErrMsg: %s

Rs%sInstallCom(%s)...

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

WinSessionThread CreateProcess begin dwSessionID = %d!

WININIT.INI

\WININIT.INI

HKEY_CURRENT_CONFIG

"%s" %s

\RsMgrSvc.ini

Save DELETEPATH %s to RsMgrSvc.ini

Save REBOOTRUN %s to RsMgrSvc.ini

%s Loaded By %s

EXPLORER.EXE

Setup.exe Begin----------------------------------

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

StopComponent(%s)...

StartComponent(%s)...

Report Error!

Call Component %s Dll_PreHandle Return: 0xX

Call Component %s Dll_PostHandle Return: 0xX

Check XML File %s Failed

Check File %s Failed

BackUp XML File From: %s To %s

Delete XML File: %s

Copy XML File From: %s To %s

%s\RsMgrsvc.ini

URLInfoAbout

hXXp://help.ikaka.com/

"%s" /UNINSTALL /PRODUCT=%s

"%s" /UNINSTALL /PRODUCT=RSD

Delete File %s

Copy File From %s To %s

CompsVer.inf

Copy Path From %s To %s

Down Load %s To Path: %s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run

RunFirstInstall Successfully...NeedReboot: %d

InstallComponentList Failed! Error Code: 0xX

PreHandleComponentList Failed! Error Code: 0xX

Product_PreHandle Failed! Error Code: 0xX

BackUpComponentList Failed! Error Code: 0xX

CheckComponentList Failed! Error Code: 0xX

RunFirstInstall, AfterReboot: %d

RavTmp: %s

file not exist : %s

succeed to download %s

Failed to download %s. ErrCode = %d; hr = %d

Failed to verify %s

%s%s/%s%s.inf

Failed to get download url from %s

URLLIST

Failed to load %s.

%s%s/%s/%s/%s

%s\%s\%s\%s

%s%s/%s/%s

%s\%s\%s

Failed to get %s-ITEM.

Failed to get %s-FILES.

Failed to get %s-COMPONENT.

Download %s retry > 3

%s/%s/%s_xml.zip

%s\%s\%s.xml

%s%s/%s/%s.xml

Failed to get %s' newver from %s

SCMD

REGVERKEY

REGKEYVALUE

REGKEYNAME

REGKEY

Set File %s Everyone Access Rights 0xX return: %d

Set File %s Users Access Rights 0xX return: %d

Delete File Return: %d, NeedReboot: %d

Prepare To Delete File %s...

Back Up File From: %s To: %s Return: %d

Skip Backing Up File %s For Checked OK...

Copy File Return: %d, NeedReboot: %d

MoveFile From %s To %s

Prepare To Copy File From %s To %s...

TaskbarPin = 0x%x

Install Link: %s

Delete Link: %s

TaskbarunPin = 0x%x

Old Link File: %s

SUBKEY

Set Key %s Everyone Access Rights 0xX return: %d

Set Key %s Users Access Rights 0xX return: %d

REGKEYDATATYPE

Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d

Backup Key Value Return: %d

microsoft\windows\currentversion\run

Restore Key Value Return: %d

UnInstall Key KeyName: %s, ValueName: %s Return: %d

Execute langsel.exe

langsel.exe

Setup Log (*.log)

*.log

A%d M

ÚTADIR%

Need Reboot, Add DeletePath Task To Server: %s

No Reboot, RsDeletePath(%s)

\lics%d.txt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

{X-X-X-XX-XXXXXX}.bmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SHFolder.dll

Shell32.dll

HKEY_LOCAL_MACHINE\%s\%s

%snserver.exe

%sRsTest.ini

Software\Microsoft\Windows\CurrentVersion

nserver.exe

%FIRSTPART%

%COMMONDIR%

%DOMINODATA%

%DOMINODIR%

%SYSDIR64%

%SYSDIR%

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX

[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!

[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).

RsConfig.cfg

[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).

[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).

RSAPPMGR.DLL

\RSAPPMGR.DLL

comx3.dll

</%s>

standalone="%s"

encoding="%s"

version="%s"

&#xX;

%s='%s'

%s="%s"

\RsLang.dll

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

System\CurrentControlSet\Services\VxD\MSTCP

255.255.255.255

socket() failed; %d

MSIE %d.%d

WININET.DLL

Windows

Windows Me

Windows 98

Windows 95

Windows NT %d.%d

%s:%d

Mozilla/4.0 (compatible; %s; %s; Rising)

Range: bytes=%d-

HTTP/1.0

hXXp://

portuguese-brazilian

.rstmp

1.1.3

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb

GetProcessHeap

SetNamedPipeHandleState

WaitNamedPipeA

GetWindowsDirectoryA

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

EnumWindows

EnumChildWindows

USER32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegCreateKeyExA

RegDeleteKeyA

RegSetKeySecurity

RegGetKeySecurity

RegQueryInfoKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteExA

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

RPCRT4.dll

InternetCrackUrlA

HttpQueryInfoA

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

VERSION.dll

WSOCK32.dll

GetCPInfo

zcÁ

11166666600000000000000/////////.....""""""""""""""""--- .DDDDDDDDDDDDDDDDDDDDDDDDDDBBBBBB

>VVVVVVVVVVVVYYYY:Y:YYV8888888888888.ppMs3llkxNqKKqK

!'!555''''

!! **""!

#### # # # #  # # # #

6,,,6,,6,66

,,,,66,,6,

6,,,,6,,,

555555555555555

666666666666666666

888888888

CC.CCCCCC6hML7L77L789;nOOOOOOOO8

...CCCCCC6hMLL7777789;

...CCCCCC6hML77777789;

"""!"!"!"

1111111111111000000

!%%&11&&&

23333333333333333333

3333343333333333334

443434333333333333

#34344443344333343

3444444444444

444444444444

7676676676676676

7777777777777

77777777777

>889889889889883$3

/2$ÝDD

4::-...,..,,,, %

7766666666666666666666601$ÞDE

000000000000011110

"#%DPTVVVVVVPO%%"L

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

6'6.6>6>7

2<3t3

9#939:9[9

; ;$;(;,;0;4;8;<;

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates application support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

It is strongly recommended to close all Windows program before running the setup program.

Password:

This module need %fM

1.0.0.2

Setup.EXE

20140619153336140

ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.

 Totally scaned %d files, found %d viruses.

Export,Unable to Create File Folder: %s , continue?

This version [version:%s] is older than your current installed [version:%s]

Continue to install Rising AntiVirus Software[version:%s]?

%Click "Next" to continue installation

jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.

KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.

!Version: %s Update Date: %s

$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully

Password is error7update is completed, windows need reboot for copy file.

ins1256858.exe_2516_rwx_00401000_001F1000:

\rsdebug.ini

c:\%s

dbghelp.dll

kernel32.dll

d-d-d(d-d-d)

Kernel32.dll

\rsmain.exe

[d-d-d][d:d:d:d]

%s\%s

%s\*.*

C:\Temp

SOFTWARE\Rising\%s

2.log

[u]

[0xX]

RAV.INI

\Rs7zSfx.log

\setup.dll

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

%s\CompsVer.inf

Setup.exe

%s\auto.ini

%s Start

%s End

{E5C53971-D80E-4500-BE0D-761BF3CD8457}

Unsupported Method

Password is not defined

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb

COMCTL32.dll

GDI32.dll

kZ~a%s

j$5%c

fK&%DL

.qv=:

5vFkey

cq.in

\.cuJ

Uc.sg

 .uI>eA

.hA0H

8.avs

NTPg%cw

.6d.vjZ0Q

D%XO9

T<?P%s;

w=i%S

SeXEM

Q$.kO9

58I.SY

Ej%U 

;q-7.mZ

|.Tkz;

%Dkdo 

p.LP'

).XMe

.HX`j

q&"%C

d.ch,r

{UDP}*

.fuF;{

;v_C%S

%U.S5

}.kXx

y.smi2`

.X.oDRH/^

Oi.Zc309

a.VW7}[

o.Mb~g

w.vxW

-T}z-

dC%s^

T6X%U

3%ur M

.xyHP

`DVÃ=

]s.ot

0=R6.da

\%c[,-0yd

Jt.bL

.aqQO

.jWew

C[.rg

.Sq8r/

)%S> 

zeò

.KP]1

@q.Mp1

i~.bb

X`u%D

%uCs]

[u.wkf

*ðUPN0

b.nmzK1

P!.WPF $!p

.IZNw

xJ'ut.cq

Fu%.U

.bOkCx

_!D.XJ

-p}C%M

.Nnai

(.Unh

y.GO.

A.uu0j

.qvqD

~f.dz

.Yf`> 

G%.Zm=

.ZmbT

GFu.nn

CmDtf

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://sf.symcb.com/sf.crl0f

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sf.symcd.com0&

hXXp://sf.symcb.com/sf.crt0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

.aZAy

knQ%D

.Dk$I

$F.Mt

(t.ZWO

.pW,Rl@c

*.*{8

%u(I|

Yg{.SGHl

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\ins1256858.exe

.text

`.rdata

@.data

.rsrc

@.reloc

QSVSSSh

>%uPV

|$D.tD

.tgPV

FTPjK

FtPj;

C.PjRVj

u.VV3

|$$vL9|$ u%Sh

\\.\PhysicalDrive%d

\\.\Scsi%d:

Iphlpapi.dll

XXXXXXXXXXX

{X-X-X-XX-XXXXXX}

Advapi32.dll

Explorer.exe

NtDll.dll

%d %d %d %d

Failed to call WTSQueryUserToken, err= 0x%x

wtsapi32.DLL

Could not open pipe

SetNamedPipeHandleState failed

\\.\pipe\RISING_RSD_BU

%*.*f

/RUNAS %s

Failed to load psapi.dll.

Psapi.dll

Setup.exe End with ErrorCode: 0xX

hXXp://center.rising.com.cn/LogCenter.asp?info=%s

Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s

Password

Port

\NetConfig.ini

%s\Data\%s\%s.ini

setup.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

%s(%s)

ReportView

KERNEL32.DLL

SetWillReboot(%d)

Failed to call QueryServiceStatus(RSD)! Err Code: %d

Failed to call OpenService(RSD)! Err Code: %d

Failed to call OpenSCManager! Err Code: %d

\RsTest.ini

ÞSKTOP%

\label.dat

\Backup.ini

\Export.ini

\XMLS\RSSetup.xml

\Setup.exe

\*.exe

\XMLS\Setup.xml

\os.xml

Label.dat

/PASS=

/PRODUCT=%s

/LANG=%d

HKEY_LOCAL_MACHINE\SoftWare\Rising\%s

ITEM%d

UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

GetSecurityDescriptorDacl() failed. Error %d

InitializeSecurityDescriptor() failed.Error %d

GetFileSecurity() failed. Error %d

InitializeSid() failed. Error %d

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

<!--%s-->

WinSessionThread GetPidByName dwPID = %d , name=%s!

WTSQueryUserToken Failed! Err Code: %d

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

CreateProcess2 Return: %d

LoadLibrary Failed! Err Code: %d

CreateEnvironmentBlock Failed! Err Code: %d

DuplicateTokenEx Failed! Err Code: %d

CreateProcessWithTokenW Failed! Err Code: %d

Userenv.DLL

GetFileAttributes %s return: %d

Delete File %s fail, Err: %d

Wow64DisableWow64FsRedirection Return: %d

Wow64RevertWow64FsRedirection Return: %d

RsInstallService(%s) Return: %d

ChangeServiceConfig Failed! Err Code: %d

CreateService Failed! Err Code: %d

OpenSCManager Failed! Err Code: %d

RsInstallService(%s)

RsUninstallService(%s) Return: %d

DeleteService Failed! Err Code: %d

OpenService Failed And Service Already Exist! Err Code: %d

RsUninstallService(%s)

OpenService Failed! Err Code: %d

LoadLibrary(Advapi32.dll) Failed!

RsSetServiceFailureAction(%s) Return: %d

GetProcAddress(%s) Failed!

ChangeServiceConfig2 Failed! Err Code: %d

RsSetServiceFailureAction(%s)

QueryServiceStatus Failed! Err Code: %d

StartService Failed! Err Code: %d

RsStartService(%s)

Wait for Service %s Time Out!

QueryServiceStatus(%s) Failed! Err Code: %d

ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d

HeapAlloc Failed! Err Code: %d

EnumDependentServices Failed! Err Code: %d

Stop Service %s Dependencies...

%s's Stop is Pending...

Service %s is Stopped...

OpenService(%s) Failed! Err Code: %d

RsStopService(%s)

Rs%sInstallCom(%s) Return: %d

LoadLibrary(%s) Failed!

%s Failed! ErrMsg: %s

Rs%sInstallCom(%s)...

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

WinSessionThread CreateProcess begin dwSessionID = %d!

WININIT.INI

\WININIT.INI

HKEY_CURRENT_CONFIG

"%s" %s

\RsMgrSvc.ini

Save DELETEPATH %s to RsMgrSvc.ini

Save REBOOTRUN %s to RsMgrSvc.ini

%s Loaded By %s

EXPLORER.EXE

Setup.exe Begin----------------------------------

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

StopComponent(%s)...

StartComponent(%s)...

Report Error!

Call Component %s Dll_PreHandle Return: 0xX

Call Component %s Dll_PostHandle Return: 0xX

Check XML File %s Failed

Check File %s Failed

BackUp XML File From: %s To %s

Delete XML File: %s

Copy XML File From: %s To %s

%s\RsMgrsvc.ini

URLInfoAbout

hXXp://help.ikaka.com/

"%s" /UNINSTALL /PRODUCT=%s

"%s" /UNINSTALL /PRODUCT=RSD

Delete File %s

Copy File From %s To %s

CompsVer.inf

Copy Path From %s To %s

Down Load %s To Path: %s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run

RunFirstInstall Successfully...NeedReboot: %d

InstallComponentList Failed! Error Code: 0xX

PreHandleComponentList Failed! Error Code: 0xX

Product_PreHandle Failed! Error Code: 0xX

BackUpComponentList Failed! Error Code: 0xX

CheckComponentList Failed! Error Code: 0xX

RunFirstInstall, AfterReboot: %d

RavTmp: %s

file not exist : %s

succeed to download %s

Failed to download %s. ErrCode = %d; hr = %d

Failed to verify %s

%s%s/%s%s.inf

Failed to get download url from %s

URLLIST

Failed to load %s.

%s%s/%s/%s/%s

%s\%s\%s\%s

%s%s/%s/%s

%s\%s\%s

Failed to get %s-ITEM.

Failed to get %s-FILES.

Failed to get %s-COMPONENT.

Download %s retry > 3

%s/%s/%s_xml.zip

%s\%s\%s.xml

%s%s/%s/%s.xml

Failed to get %s' newver from %s

SCMD

REGVERKEY

REGKEYVALUE

REGKEYNAME

REGKEY

Set File %s Everyone Access Rights 0xX return: %d

Set File %s Users Access Rights 0xX return: %d

Delete File Return: %d, NeedReboot: %d

Prepare To Delete File %s...

Back Up File From: %s To: %s Return: %d

Skip Backing Up File %s For Checked OK...

Copy File Return: %d, NeedReboot: %d

MoveFile From %s To %s

Prepare To Copy File From %s To %s...

TaskbarPin = 0x%x

Install Link: %s

Delete Link: %s

TaskbarunPin = 0x%x

Old Link File: %s

SUBKEY

Set Key %s Everyone Access Rights 0xX return: %d

Set Key %s Users Access Rights 0xX return: %d

REGKEYDATATYPE

Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d

Backup Key Value Return: %d

microsoft\windows\currentversion\run

Restore Key Value Return: %d

UnInstall Key KeyName: %s, ValueName: %s Return: %d

Execute langsel.exe

langsel.exe

Setup Log (*.log)

*.log

A%d M

ÚTADIR%

Need Reboot, Add DeletePath Task To Server: %s

No Reboot, RsDeletePath(%s)

\lics%d.txt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

{X-X-X-XX-XXXXXX}.bmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SHFolder.dll

Shell32.dll

HKEY_LOCAL_MACHINE\%s\%s

%snserver.exe

%sRsTest.ini

Software\Microsoft\Windows\CurrentVersion

nserver.exe

%FIRSTPART%

%COMMONDIR%

%DOMINODATA%

%DOMINODIR%

%SYSDIR64%

%SYSDIR%

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX

[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!

[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).

RsConfig.cfg

[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).

[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).

RSAPPMGR.DLL

\RSAPPMGR.DLL

comx3.dll

</%s>

standalone="%s"

encoding="%s"

version="%s"

&#xX;

%s='%s'

%s="%s"

\RsLang.dll

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

System\CurrentControlSet\Services\VxD\MSTCP

255.255.255.255

socket() failed; %d

MSIE %d.%d

WININET.DLL

Windows

Windows Me

Windows 98

Windows 95

Windows NT %d.%d

%s:%d

Mozilla/4.0 (compatible; %s; %s; Rising)

Range: bytes=%d-

HTTP/1.0

hXXp://

portuguese-brazilian

.rstmp

1.1.3

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb

GetProcessHeap

SetNamedPipeHandleState

WaitNamedPipeA

GetWindowsDirectoryA

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

EnumWindows

EnumChildWindows

USER32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegCreateKeyExA

RegDeleteKeyA

RegSetKeySecurity

RegGetKeySecurity

RegQueryInfoKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteExA

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

RPCRT4.dll

InternetCrackUrlA

HttpQueryInfoA

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

VERSION.dll

WSOCK32.dll

GetCPInfo

zcÁ

11166666600000000000000/////////.....""""""""""""""""--- .DDDDDDDDDDDDDDDDDDDDDDDDDDBBBBBB

>VVVVVVVVVVVVYYYY:Y:YYV8888888888888.ppMs3llkxNqKKqK

!'!555''''

!! **""!

#### # # # #  # # # #

6,,,6,,6,66

,,,,66,,6,

6,,,,6,,,

555555555555555

666666666666666666

888888888

CC.CCCCCC6hML7L77L789;nOOOOOOOO8

...CCCCCC6hMLL7777789;

...CCCCCC6hML77777789;

"""!"!"!"

1111111111111000000

!%%&11&&&

23333333333333333333

3333343333333333334

443434333333333333

#34344443344333343

3444444444444

444444444444

7676676676676676

7777777777777

77777777777

>889889889889883$3

/2$ÝDD

4::-...,..,,,, %

7766666666666666666666601$ÞDE

000000000000011110

"#%DPTVVVVVVPO%%"L

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

6'6.6>6>7

2<3t3

9#939:9[9

; ;$;(;,;0;4;8;<;

It is strongly recommended to close all Windows program before running the setup program.

Password:

This module need %fM

1.0.0.2

Setup.EXE

20140619153336140

ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.

 Totally scaned %d files, found %d viruses.

Export,Unable to Create File Folder: %s , continue?

This version [version:%s] is older than your current installed [version:%s]

Continue to install Rising AntiVirus Software[version:%s]?

%Click "Next" to continue installation

jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.

KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.

!Version: %s Update Date: %s

$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully

Password is error7update is completed, windows need reboot for copy file.

ins1256858.exe_2516_rwx_01DC9000_00001000:

.?AVCppSQLite3Exception@@

ins1256858.exe_2516_rwx_10072000_00001000:

SetWillReboot(%d)

Failed to call QueryServiceStatus(RSD)! Err Code: %d

Failed to call OpenService(RSD)! Err Code: %d

Failed to call OpenSCManager! Err Code: %d

\RsTest.ini

ÞSKTOP%

\label.dat

\Backup.ini

\Export.ini

\XMLS\RSSetup.xml

\Setup.exe

\*.exe

\XMLS\Setup.xml

\os.xml

Label.dat

/PASS=

/PRODUCT=%s

/LANG=%d

HKEY_LOCAL_MACHINE\SoftWare\Rising\%s

ITEM%d

UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

RsMgrSvc.exe_1588:

.text

`.rdata

@.data

.rsrc

t%Shh

|$D.tD

CryptDecodeObject failed with %x

wintrust.dll

WTHelperGetProvCertFromChain

CryptCATCatalogInfoFromContext

crypt32.dll

CryptMsgGetParam

CryptSIPVerifyIndirectData failed with %x

1.3.6.1.4.1.311.2.1.4

CryptMsgGetParam(%d) failed with %x

CryptSIPRetrieveSubjectGuid failed with %x

CryptQueryObject failed with %x

\\.\PhysicalDrive%d

\\.\Scsi%d:

Iphlpapi.dll

Software\Microsoft\Windows\CurrentVersion

Advapi32.dll

\Rising\RSD\RsMgrSvc.exe"

SOFTWARE\Rising\%s

[d-d-d][d:d:d:d]

Explorer.exe

{X-X-X-XX-XXXXXX}

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

2.log

[u]

[0xX]

RAV.INI

WinSessionThread GetPidByName dwPID = %d , name=%s!

NtDll.dll

Kernel32.dll

WTSQueryUserToken Failed! Err Code: %d

wtsapi32.DLL

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

userinit.exe

CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x

psapi.dll

Fail to OpenProcessToken; 0x%x

Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.

Failed to SetTokenInformation(0):err=0x%x

Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.

Failed to DuplicateTokenEx:err=0x%x

Failed to SetTokenInformation:err=0x%x

SessionId = %d

Failed to LoadLibrary("Wtsapi32.dll"):err=0x

Failed to call WTSEnumerateSessions:err=0x%x

SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.

Wtsapi32.dll

Failed to CreateProcess:%s;err=0x%x

Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x

Failed to WTSEnumerateSessions:err=0x%x

Session\%d\RSD_POP_MESSAGE_INFO

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

Userenv.DLL

WinSessionThread CreateProcess begin dwSessionID = %d!

Failed to LoadLibrary("Userenv.DLL"):err=0x%x

Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.

Failed to call WTSQueryUserToken, err= 0x%x

Failed to open the shell ready event: 0x%x

"%s" /shellrun

%s\RsStub.exe

Session\%d\ShellReadyEvent

LogonRun - session : %d

Failed to call RegOpenKeyEx, err = 0x%x

Failed to call RegSaveKey, err = 0x%x

Failed to call AdjustTokenPrivileges, err = 0x%x

Failed to call OpenPrcessToken, err = 0x%x

%s\RsMgrSvc.dat

Failed to Create LogonRunThread Thread, err = 0x%x

SessionChange:EventType=%d; sessionID = %d

/subkey

Failed to Verify the "%s".

Failed to call vf.Init.

%s\rsbackup.exe

"%s\rsbackup.exe"

/subkey

%s\RsMgrSvc.ini

%s\updater.exe

"%s\updater.exe"

DeleteFile: %s.

ITEM%d

\RsMgrSvc.ini

DeletePath: %s.

Clean WillReboot In %s

%s\%s\%s.ini

1971-01-01 00:00:00

%d-%d-%d %d:%d:%d

%s\Data

%s /subkey %s /RsMgrSvc

"%s\Updater.exe" /silence

%s\Updater.exe

\Reboot.ini

CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x

CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x

comx3.dll

KERNEL32.DLL

kernel32.dll

mscoree.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegSaveKeyA

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

CryptMsgClose

CertCloseStore

CertGetNameStringW

CertFindCertificateInStore

CRYPT32.dll

RPCRT4.dll

GetProcessHeap

GetCPInfo

zcÁ

%Program Files%\Rising\RSD\RsMgrSvc.exe.log

%Program Files%\Rising\RSD\RsMgrSvc.exe

.Beijing Rising Information Technology Corporation Limited

1.0.0.38

RsMgrSvc.exe

571443342450000

ins1256858.exe_2516_rwx_6CF42000_00001000:

ValueData: [%S]

ValueName: [%S]

ValueData: [%s]

ValueName: [%s]

RLCHECK: ActCtx Query failed with err %d.

RLCHECK: Error opening activation context with err %d.

RegCreateKeyExA: wrp key is mitigated

RegCreateKeyExW: wrp key is mitigated

RegOpenKeyExA: wrp key is mitigated

RegSetValueA: wrp key is mitigated

RegSetValueW: wrp key is mitigated

RegSetValueExA: wrp key is mitigated

RegSetValueExW: wrp key is mitigated

RegDeleteValueA: wrp key is mitigated

RegDeleteValueW: wrp key is mitigated

odbcconf.exe

regsvr32.exe

regasm.exe

msiexec.exe

popwndexe.exe_2080:

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

>$>(>,>0>

5(565;5~7

mscoree.dll

KERNEL32.DLL

rsdk.dll

<plugin clsid='{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}' name='CLID_CRsPopWndUI' start='1'/>

<plugin clsid='{EBC23555-424F-45c3-BECE-206819CB276B}' name='ClSID_CTrayWnd' start='999' /> </plugins></process></rscom>

BUF:<?xml version='1.0' ?><rscom> <components> <component path='rsdk.dll'> <clsid progid='RscomEnv.1'>{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}</clsid> <clsid progid='ObjectLoader.1'>{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}</clsid> <clsid progid='Rot.1'>{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}</clsid> <clsid progid='MainRun.1'>{C8CA7580-8E65-49E6-A66A-B087C7EF523D}</clsid> <clsid progid='RsSrv.1'>{5D37C04C-8F58-4D47-94C8-B94153399473}</clsid> <clsid progid='Property.1'>{ED20E0E5-2357-4825-B3FA-198AEC674E81}</clsid> <clsid progid='PropertyThread.1'>{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}</clsid> <clsid progid='Property2.1'>{2100E98D-B13E-4306-8081-50F325B10586}</clsid> <clsid progid='Property2Thread.1'>{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}</clsid> <clsid>{E8D494C-D598-4E2F-B796-809E74315E76}</clsid> <clsid>{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}</clsid> <clsid progid='TrayWnd'>{EBC23555-424F-45C3-BECE-206819CB276B}</clsid> <clsid progid='TraySrv'>{4FCE6281-8849-4FC6-A764-95C793EB8A48}</clsid> <clsid progid='TrayMenuBase'>{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}</clsid> <clsid>{35FD921E-B758-46D8-B0AA-FCD033B0E66D}</clsid> <clsid progid='DfwWindow'>{201409F6-22F8-48D3-A69F-7935BDDE6BFA}</clsid> <clsid progid='DfwComponentMgr'>{787683B8-D58D-4072-BA04-46284CEA5AF8}</clsid> <clsid progid='DfwDrawIcon'>{224E5B34-E98F-4033-8B6F-46B758E7587E}</clsid> <clsid progid='DfwLocalExternal'>{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}</clsid> <clsid progid='SafeSecurity'>{B769D42A-2392-42B6-8C10-DB99AE23F75A}</clsid> </component> <component path = 'localopt.dll'> <clsid progid='localopt'>{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}</clsid> </component> <component path = 'rsmginfo.dll'> <clsid progid='rsmginfo'>{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}</clsid> </component> </components></rscom>

{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s

%Program Files%\Rising\RSD\popwndexe.exe

1.0.0.7

tray.exe

814210592210000

UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe_3592:

.text

`.rdata

@.data

.gfids

@.tls

.rsrc

@.reloc

SSSShd@

t.PPPPPPh

u.WVS

j.Yf;

_tcPVj@

.PjRW

conf-url

hXXps://mmstat.ucweb.com/bluesky.

6.2.3964.2

module_code=%d.%d&error_code=%d&customized_data=%s

d:\webapps\b\build\slave\repo\build\src\wow\tools\downloader\wow_downloader_main.cc

hXXp://uc123.com/guide/downloader.php

&version=6.2.3964.2

invalid map<K, T> key

default_url

default_md5_url

default_zip_url

channel_url

channel_zip_url

md5_url

d:\webapps\b\build\slave\repo\build\src\wow\tools\downloader\wow_installer_url_config.cc

Failed to parse installer url config file:

The windows heap does not support memalign.

d:\webapps\b\build\slave\repo\build\src\base\allocator\allocator_shim_default_dispatch_to_winheap.cc

d:\webapps\b\build\slave\repo\build\src\base\logging.cc

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

d:\webapps\b\build\slave\repo\build\src\base\threading\platform_thread_win.cc

((((DWORD )0x00000000L) )   0 ) == WaitForSingleObject(thread_handle.platform_handle(), 0xFFFFFFFF)

d:\webapps\b\build\slave\repo\build\src\base\win\scoped_handle.cc

d:\webapps\b\build\slave\repo\build\src\base\files\memory_mapped_file_win.cc

icudtl.dat is not exists!

d:\webapps\b\build\slave\repo\build\src\base\files\memory_mapped_file.cc

icudtl.dat exists, but Initialize failed.

ICU.Initialize

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

d:\webapps\b\build\slave\repo\build\src\base\process\launch_win.cc

%d.%d.%d

ActivityTracker.ThreadTrackers.MemLimitTrackerCount

ActivityTracker.ThreadTrackers.Count

.thunks

.syzygy

d:\webapps\b\build\slave\repo\build\src\base\tracked_objects.cc

WorkerThread-%d

d:\webapps\b\build\slave\repo\build\src\base\pickle.cc

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

PlatformFile.UnknownErrors.Windows

Unsupported encoding. JSON must be UTF-8.

Dictionary keys must be quoted.

d:\webapps\b\build\slave\repo\build\src\base\metrics\persistent_memory_allocator.cc

PlatformThreadLocalStorage::AllocTLS(&key)

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_storage.cc

PlatformThreadLocalStorage::AllocTLS(&key) && key != PlatformThreadLocalStorage::TLS_KEY_OUT_OF_INDEXES

!PlatformThreadLocalStorage::GetTLSValue(key)

d:\webapps\b\build\slave\repo\build\src\base\metrics\histogram.cc

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

d:\webapps\b\build\slave\repo\build\src\base\metrics\sparse_histogram.cc

\uX

d:\webapps\b\build\slave\repo\build\src\base\json\string_escape.cc

str.length() <= static_cast<size_t>(std::numeric_limits<int32_t>::max())

Line: %i, column: %i, %s

(%d = %3.1f%%)

-d:\webapps\b\build\slave\repo\build\src\base\metrics\bucket_ranges.cc

UMA.CreatePersistentHistogram.Result

d:\webapps\b\build\slave\repo\build\src\base\metrics\sample_vector.cc

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

%s/%s

{"pid":%i,"tid":%i,"ts":%lld,"ph":"%c","cat":"%s","name":

,"scope":"%s"

,"s":"%c"

d:\webapps\b\build\slave\repo\build\src\base\message_loop\message_loop.cc

flag is not supported

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

renderer.scheduler

disabled-by-default-cc.debug

disabled-by-default-cc.debug.picture

disabled-by-default-toplevel.flow

%d:%s

d:\webapps\b\build\slave\repo\build\src\base\message_loop\message_pump_win.cc

CallMsgFilterW

g_call_msg_filter

MsgWaitForMultipleObjectsEx

g_msg_wait_for_multiple_objects_ex

Chrome.MessageLoopProblem

KeyDown

Chrome_RenderWidgetHostHWND

Chrome_WidgetWin

"%d":

[Thread: %s]

pc:%x

,"%d":

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

IndexedDBBackingStore

leveldb/value_store/Extensions.Database.Open.Settings/0x?

leveldb/value_store/Extensions.Database.Open.Rules/0x?

leveldb/value_store/Extensions.Database.Open.State/0x?

leveldb/value_store/Extensions.Database.Open/0x?

leveldb/value_store/Extensions.Database.Restore/0x?

leveldb/value_store/Extensions.Database.Value.Restore/0x?

web_cache/Image_resources

web_cache/CSS stylesheet_resources

web_cache/Script_resources

web_cache/XSL stylesheet_resources

web_cache/Font_resources

web_cache/Other_resources

sqlite

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_event_argument.cc

it.ReadBool(&value)

it.ReadInt(&value)

it.ReadDouble(&value)

it.ReadString(&value)

handle_.IsValid()

d:\webapps\b\build\slave\repo\build\src\base\synchronization\waitable_event_win.cc

d:\webapps\b\build\slave\repo\build\src\wow\base\stats\wow_stats_helper.cc

d:\webapps\b\build\slave\repo\build\src\wow\base\win\wow_machine_info_utils_win.cc

wow wow_base::MachineInfoUtils::GetCPUBrand

_SP%d

3.4.1.1.1

3.4.1.1.2

3.4.1.1.3

3.4.1.1.4

3.4.1.1.5

10.1.1.1.1_SysEvent

\\.\PhysicalDrive%d

\\.\Scsi%d:

Drive%dModelNumber

Drive%dSerialNumber

DriveÜontrollerRevisionNumber

DriveÜontrollerBufferSize

Drive%dType

23[^;

=]=I99[^;

httponly

skipped cookie with illegal dotcount domain: %s

skipped cookie with bad tailmatch domain: %s

#HttpOnly_

%s cookie %s="%s" for domain %s, path %s, expire %lld

%s%s%s

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

Could not resolve %s: %s; %s

init_resolve_thread() failed for %s; %s

getaddrinfo() failed for %s:%d; %s

%s:%d

operation aborted by callback

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Problem (%d) in the Chunked-Encoded data

Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

Operation timed out after %ld milliseconds with %lld bytes received

%5[^:]:%d:%5s

Resolve %s found illegal!

Added %s:%d:%s to DNS cache

No URL set!

[^?&/:]://%c

Issue another request to this URL: '%s'

Violate RFC 2616/10.3.2 and switch from POST to GET

Violate RFC 2616/10.3.3 and switch from POST to GET

Disables POST, goes with %s

unspecified error %d

About to connect() to %s%s port %ld (#%ld)

Connected to %s (%s) port %ld (#%ld)

IDN support not present, can't parse Unicode domains

Protocol %s not supported or disabled in libcurl

[^:]:%[^

:]://%[^

<url> malformed

http_proxy

%5[^:@]:%5[^@]

:%5[^@]

[%*45[0123456789abcdefABCDEF:.]%c

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number too large: %lu

Couldn't find host %s in the _netrc file; using defaults

PTF@example.com

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

%s://%s

Re-using existing connection! (#%ld) with host %s

User-Agent: %s

Connection #%ld to host %s left intact

Send failure: %s

Recv failure: %s

[%s %s %s]

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Couldn't bind to '%s'

getsockname() failed with errno %d: %s

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

getpeername() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

Failed connect to %s:%ld; %s

Could not set TCP_NODELAY: %s

TCP_NODELAY set

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Failed to connect to %s: %s

d:d:d

d:d

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server did not accept the PRET command.

FTP: unknown PASS reply

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Problem with the SSL CA cert (path? access rights?)

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

Issuer check against peer certificate failed

Login denied

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Error in the SSH layer

Unable to parse FTP file list

Please call curl_multi_perform() soon

CURLSHcode unknown

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

Pipe broke: handle 0x%p, url = %s

Internal error clearing splay node = %d

Internal error removing splay node = %d

0123456789

%d.%d.%d.%d

USER %s

STARTTLS denied. %c

Access denied. %c

PASS %s

Invalid message. %c

RETR %s

LIST %s

POP3S not supported!

SMTPS not supported!

SMTP

LOGIN

EHLO %s

HELO %s

No known auth mechanisms supported!

AUTH %s %s

AUTH %s

Access denied: %d

%s xxxxxxxxxxxxxxxx

Authentication failed: %d

MAIL FROM:%s

MAIL FROM:%s SIZE=%s

RCPT TO:%s

RCPT TO:<%s>

Got unexpected smtp-server response: %d

%s:%s

%sAuthorization: Basic %s

The requested URL returned error: %d

%s auth using %s with user '%s'

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Chunky upload is not supported by HTTP 1.0

Host: %s%s%s

Host: %s%s%s:%hu

PTF://

Range: bytes=%s

Content-Range: bytes %s%lld/%lld

Content-Range: bytes %s/%lld

PTF://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

HTTP/

Avoided giant realloc for header (max is %d)!

HTTP error before end of send, stop sending

HTTP/%d.%d =

HTTP =

RTSP/%d.%d =

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

--:--:--

%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s

CLIENT libcurl 7.23.1

MATCH %s %s %s

DEFINE %s %s

WSAStartup failed (%d)

insufficient winsock version to support telnet

%s IAC %s

%s IAC %d

%s %s %s

%s %s %d

%s %d %d

Sending data failed (%d)

%s IAC SB

%s (unsupported)

%d (unknown)

USER,%s

7[^= ]%*[ =]%5s

Unknown telnet option %s

Syntax error in telnet option: %s

%c%c%c%c%s%c%c

%c%c%c%c

7[^,],7s

%c%s%c%s

WS2_32.DLL

failed to load WS2_32.DLL (%d)

failed to find WSACreateEvent function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSAEnumNetworkEvents function (%d)

WSACreateEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACloseEvent failed (%d)

FreeLibrary(wsock2) failed (%d)

TFTP

set timeouts for state %d; Total %ld, retry %d maxtry %d

got option=(%s) value=(%s)

blksize is larger than max supported

%s (%d)

blksize is smaller than min supported

%s (%ld)

%s (%d) %s (%d)

invalid tsize -:%s:- value in OACK packet

%s%c%s%c

tftp_send_first: internal error

Received unexpected DATA packet block %d, expecting block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

Received ACK for block %d, expecting %d

tftp_tx: giving up waiting for block %d ack

tftp_tx: internal error, event: %i

TFTP finished

bind() failed; %s

TFTP response timeout

%s LOGIN %s %s

%s SELECT %s

%s FETCH 1 BODY[TEXT]

%s STARTTLS

%s LOGOUT

IMAPS not supported!

FTPS not supported!

%c%c%c%u%c

%d,%d,%d,%d,%d,%d

Skips %d.%d.%d.%d for data connection, uses %s instead

Bad PASV/EPSV response: d

Can't resolve proxy host %s:%hu

Can't resolve new host %s:%hu

Failed to do PORT

dddddd

ddd d:d:d GMT

Last-Modified: %s, d %s M d:d:d GMT

unsupported MDTM reply format

Got a d response code instead of the assumed 200

ftp server doesn't support SIZE

Failed FTP upload: 

RETR response: d

PBSZ %d

ACCT %s

Access denied: d

ACCT rejected by server: d

Got a d ftp-server response when 220 was expected

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

PROT %c

Entry path is '%s'

QUOT command failed with d

MKD %s

Failed to MKD dir: d

PRET command not accepted: d

Remembering we are in dir "%s"

Failure sending ABOR command: %s

server did not report OK, got %d

CWD %s

QUOT string not accepted: %s

PORT

TYPE %c

Connecting to %s (%s) port %d

getsockname() failed: %s

failed to resolve the address provided to PORT: %s

socket failure: %s

bind(port=%hu) on non-local address failed: %s

bind(port=%hu) failed: %s

bind() failed, we ran out of ports!

%s |%d|%s|%hu|

Failure sending EPRT command: %s

,%d,%d

%s %s

Failure sending PORT command: %s

Connect data stream passively

PRET %s

Wildcard - START of "%s"

Wildcard - "%s" skipped by user

PRET STOR %s

PRET RETR %s

REST %d

SIZE %s

Failure sending QUIT command: %s

MDTM %s

APPE %s

STOR %s

Uploading to a URL without a file name!

FTP response timeout

FTP response aborted due to select/poll error: %d

Couldn't open file %s

Can't open %s for writing

Can't get the size of %s

Refusing to issue an RTSP request [%s] without a session ID.

Transport:

Transport: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Range: %s

%s %s RTSP/1.0

Session: %s

%s%s%s%s%s%s

Unable to read the CSeq header: [%s]

Got RTSP Session ID Line [%s], but wanted ID [%s]

%%X

login

password

%s:%s:%s

%s:%.*s

%s:%s:x:%s:%s:%s

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%s, opaque="%s"

%s, algorithm="%s"

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5 GSSAPI per-message authentication is not supported.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

Host: %s

CONNECT %s:%hu HTTP/%s

%s%s%s%s

HTTP/1.%d %d

Received HTTP code %d from proxy after CONNECT

%c%c==

%c%c%c=

.jpeg

.html

%s; boundary=%s

Content-Type: multipart/mixed, boundary=%s

Content-Disposition: attachment; filename="%s"

; filename="%s"

Content-Type: %s

couldn't open file "%s"

--%s--

0123456789-

1.2.8

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

address family not supported

broken pipe

function not supported

InitOnceExecuteOnce

operator

operator ""

IND)ind)Visual C   CRT: Not enough memory to complete call to strerror.

Operation not permitted

Inappropriate I/O control operation

Broken pipe

?#%X.y

%S#[k

D:\webapps\b\build\slave\repo\build\src\out\Release\luxury_installer_downloader.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.gfids$x

.gfids$y

.tls$ZZZ

.rsrc$01

.rsrc$02

luxury_installer_downloader.exe

curl_easy_cleanup

curl_easy_duphandle

curl_easy_escape

curl_easy_getinfo

curl_easy_init

curl_easy_pause

curl_easy_perform

curl_easy_recv

curl_easy_reset

curl_easy_send

curl_easy_setopt

curl_easy_strerror

curl_easy_unescape

curl_escape

curl_formadd

curl_formfree

curl_formget

curl_free

curl_getdate

curl_getenv

curl_global_cleanup

curl_global_init

curl_global_init_mem

curl_maprintf

curl_mfprintf

curl_mprintf

curl_msnprintf

curl_msprintf

curl_multi_add_handle

curl_multi_assign

curl_multi_cleanup

curl_multi_fdset

curl_multi_info_read

curl_multi_init

curl_multi_perform

curl_multi_remove_handle

curl_multi_setopt

curl_multi_socket

curl_multi_socket_action

curl_multi_socket_all

curl_multi_strerror

curl_multi_timeout

curl_mvaprintf

curl_mvfprintf

curl_mvprintf

curl_mvsnprintf

curl_mvsprintf

curl_share_cleanup

curl_share_init

curl_share_setopt

curl_share_strerror

curl_slist_append

curl_slist_free_all

curl_strequal

curl_strnequal

curl_unescape

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

ADVAPI32.dll

CreateIoCompletionPort

GetProcessHeap

PeekNamedPipe

GetWindowsDirectoryW

KERNEL32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

USER32.dll

VERSION.dll

InternetOpenUrlW

WININET.dll

WINMM.dll

WS2_32.dll

USERENV.dll

GetCPInfo

.?AU_Crt_new_delete@std@@

--pid=4443 --conf-url=hXXp://VVV.uc123.com/guide/downloader.phpP(

%$$$$%%$%%%

$((((7%7%7%7(7%((7577w557557(%

,$99;9;9;9;9;9;9;99;9;9;9;9;9;9;99$,

,$99;9;9;9;9;9;9;99?9?9?9?9?9?9?99(,

,(99?9?9?9?9?9?9?9<9?<<9?<<9?<<9?9(-

-(9<9?<<9?<<9?<<9?<?<9??<9??<9??<99=

=(9??<9??<9??<9??<<<??<<??<<??<<?99>

$()))))))))))))(HUUUUUUUUUUUUUUH()))))))2222322266%UUUUUUUUUU.66222232222222222222

22222222222223232322

(%&&&%&&&%&&%(

2-2F2Y2k2x2}2

2&3 30383?3

:#:(:-:;:

3!3&3 383?3

5T5F5V5i5

0!1&191>1

0;0@0^2}2

> >/>7>?>

2$3(3,3034383

: :$:(:,:0:4:

2 2$2(2,2

; ;$;(;,;

7 7<7@7`7

: :<:@:`:

; ;@;\;`;

installer.exe

installer.exe.md5

installer.zip

ucbrowser_installer.exe

download.log

installer_url_config

Global\Downloader.{F80AA159-E187-4961-8B8A-7E0014132FF4}

cWOW_DOWNLOADER.SWITCHES

inst.log

WOW_INSTALLER.SWITCHES

Ndebug.log

user32.dll

\StringFileInfo\xx\%ls

icudtl.dat

kernel32.dll

ntdll.dll

shell32.dll

pAdvapi32.dll

Chrome_MessagePumpWindow_%p

\\.\X:

mscoree.dll

minkernel\crts\ucrt\inc\corecrt_internal_strtox.h

__crt_strtox::floating_point_value::as_double

__crt_strtox::floating_point_value::as_float

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

!"#$%&'()* ,-./012345678

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\UCBrowser_V3.1.1644.29_4443_(Build14102814)_downloader.exe

WOW_DOWNLOADER.SWITCHES

UCWeb Inc.

luxury_installer_downloader_exe

Copyright 2008-2017 UCWeb Inc. All rights reserved.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   MYLogger.exe:1780
   yx_dts.exe:3244
   notify.exe:3380
   assistupdate.exe:916
   ntvdm.exe:2780
   dts.exe:2612
   dts.exe:4020
   RsMgrSvc.exe:1588
   9377mycs_Y_mgaz2_01.exe:2104
   OfficeAssist.0334.80.1078.exe:996
   OfficeAssist.0334.80.1078.exe:820
   regsvr32.exe:3612
   regsvr32.exe:2816
   popwndexe.exe:2080
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pc_game_my_new[1].htm (172 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020720180208\index.dat (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jquery.Slideshow[1].js (2457 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UZ91JSMY.txt (65 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fast_register[1].js (2753 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\input_bg[1].jpg (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\U4C45LLV.txt (211 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ajax[1].js (53540 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\pc_new[1].css (3766 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6TD40BZ.txt (77 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\quick_register[1].jpg (200 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\uninst.exe (11351 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\´óÌìʹ֮½£.lnk (901 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\´óÌìʹ֮½£\жÔØ´óÌìʹ֮½£.lnk (990 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\dts.exe (31369 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\´óÌìʹ֮½£\´óÌìʹ֮½£.lnk (971 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\dts\mydts\lander.ini (427 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\System.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\´óÌìʹ֮½£.lnk (921 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBF.tmp\FindProcDLL.dll (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslBEBE.tmp (42619 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\´óÌìʹ֮½£.lnk (901 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pptassist\update\log\notify_2018_02_07.log (374 bytes)
   C:\Windows\Tasks\PPTAssistantNotifyTask_adm.job (322 bytes)
   C:\Windows\Tasks\PPTAssistantUpdateTask_adm.job (334 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8C.tmp (269 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs5D8B.tmp (335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB51E.tmp (269 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsB50D.tmp (335 bytes)
   %Program Files%\Rising\RSD\RsMgrSvc.exe.log (217 bytes)
   %Program Files%\Rising\RSD\comx3.dll (188 bytes)
   %Program Files%\Rising\RSD\RsMgrSvc.dat (712 bytes)
   %Program Files%\Rising\RSD\syslay.dll (102 bytes)
   %Program Files%\9377÷ÈÓ°´«Ëµ\MeiYing.dll (16288 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9377÷ÈÓ°´«Ëµ\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9377÷ÈÓ°´«Ëµ\uninstall.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\System.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\inetc.dll (804 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627D.tmp\ip.dll (804 bytes)
   %Program Files%\9377÷ÈÓ°´«Ëµ\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr627C.tmp (32278 bytes)
   %Program Files%\9377÷ÈÓ°´«Ëµ\MYLogger.exe (13368 bytes)
   %Program Files%\9377÷ÈÓ°´«Ëµ\uninstall.exe (2275 bytes)
   %Program Files%\9377÷ÈÓ°´«Ëµ\MYLogger.ini (567 bytes)
   C:\Users\Public\Desktop\9377÷ÈÓ°´«Ëµ.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB2AE.tmp\v6svc.dll (2693 bytes)
   C:\ProgramData\kingsoft\20180207_185107\oem.ini (1068 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB2AE.tmp\System.dll (23 bytes)
   C:\ProgramData\kingsoft\20180207_185107\OfficeAssist.0334.80.1078.exe (117322 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist64.dll (5275 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\notify.exe (4335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist64.dll (4185 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\2.jpg (95 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2007.ppsx (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\utility\uninst.exe (4799 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\20.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\3.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\cfgs\feature.dat (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\utility\uninst.exe (6841 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihuappt.pps (7385 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\pptassist.dll (6215 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistupdate.exe (3716 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2003.pps (529 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\assistdownloader.exe (2425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\10.png (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\assistdownloader.exe (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\product.xml (334 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\30.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\pptassist.dll (4545 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2007.ppsx (300 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\104.png (275 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2013.ppsx (199 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihuappt.pps (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2013.ppsx (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2003.pps (3361 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\setup.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PPT美化大师\卸载.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua.exe (1752 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\assistupdate.exe (2746 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\103.png (346 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\102.png (233 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\100.png (238 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\meihua2010.ppsx (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\cgpb_bg.png (198 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\1.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\cgpb_fg.png (182 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\cfgs\setup.cfg (643 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\updateself.exe (4770 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\notify.exe (2779 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\setup.cfg (643 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\cfgs\feature.dat (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\PPTAssist\updateself.exe (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (943 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua2010.ppsx (198 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb5c8\meihua.exe (3123 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pptassist\~4fb4fd\install_res\101.png (951 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\yx_dts.exe (62194 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Inetc.dll (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (274 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\RBZFCATM.txt (92 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab5390.tmp (53 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\1.rar (20 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2331\uninst.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ins1256858[1].exe (263402 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_611D8AF93D88D61ED8CD55C30E7FC92A (676 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\nsProcess.dll (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\Base64.dll (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar5391.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (684 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yx_dts[1].exe (57920 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\System.dll (23 bytes)
   %Program Files%\2331\Uninstall.exe (4823 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MM-liao8398[1].htm (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\iplookup[1].htm (20 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\9377mycs_Y_mgaz2_01.exe (43691 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\G1031_s_71115.exe (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\MM-liao8398.exe (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\30974[1].htm (83 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\OfficeAssist.0334.80.1078[1].exe (198039 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\k1.ico (6720 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CAGQV8JL.htm (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\ins1256858.exe (279754 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (432 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9377mycs_Y_mgaz2_01[1].exe (40640 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5AFD.tmp\OfficeAssist.0334.80.1078.exe (211646 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (408 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_611D8AF93D88D61ED8CD55C30E7FC92A (1 bytes)
   %Program Files%\Rising\RSD\rsdk.dll (495 bytes)
   %Program Files%\Rising\RSD\rsmginfo.dll (335 bytes)
   %Program Files%\Rising\RSD\updater.exe (3361 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV.cfg (48 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdinfo.dll (664 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\localopt.dll (2561 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (51 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RavSetup.dll (5378 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
   %Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2938 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (243 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (255 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\mondrv.dll (3415 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (519 bytes)
   %Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (969 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
   %Program Files%\RsTest.ini (14 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\Proccomm.dll (1267 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Setup.exe (6167 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\pngdll.dll (1468 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\selfmon.dll (78 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\CfgDll.dll (1528 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\rspalvd.dll (726 bytes)
   %Program Files%\Rising\RSD\setup.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (650 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\localopt.dll (1576 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7385 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\cnt08.dll (347 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\kguard.sys (1085 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravlog\rslog.dll (880 bytes)
   %Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (307 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\license\license.xml (347 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2118 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\protreg.sys (24 bytes)
   %Program Files%\Rising\RSD\os.xml (685 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsStub.exe (64 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1588 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Custom.xml (775 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\cnt09.dll (2145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (58 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\sysmon.sys (2475 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmginfo.dll (1708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\syslay.dll (1801 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\comx3.dll (1268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\Proccom.dll (2305 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1106 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\dfw.dll (743 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
   %Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.dll (1485 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Rav.7z (484 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\moncom08.dll (79 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsBackup.exe (1548 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (1583 bytes)
   %Program Files%\Rising\RSD\Data\RAV\RAV.ini (52 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\ravbase.xml (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\mergexml.dll (1711 bytes)
   %Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
   %Program Files%\Rising\RSD\RsStub.exe (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\mondef.dll (3522 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (3353 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\defmon.dll (4217 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
   %Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
   %Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1416 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
   %Program Files%\Rising\RSD\update.xml (164 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\os.xml (685 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (907 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1275 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
   %Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\moncomm.dll (2249 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ins1256858.exe.log (110994 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\updater.exe (4788 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (1683 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
   %Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\bacore.dll (1066 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\RsAppMgr.dll (129 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1410 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
   %Program Files%\Rising\RSD\localopt.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (519 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
   %Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RAV.cfg.tmp (1960 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1659 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\label.dat (388 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
   %Program Files%\Rising\RSD\Setup.exe (5441 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscomm\rssqlite.dll (1177 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rscom.dll (901 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (5863 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (853 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\rsutils.sys (51 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rslang.dll (650 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\setup.dll (1572 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\comx3.dll (1440 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (2369 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (42 bytes)
   C:\Windows\System32\drivers\protreg.sys (24 bytes)
   %Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rscfg\rscfg.dll (53 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.xml (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\update.xml (164 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\rstask.xml (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
   %Program Files%\Rising\RSD\popwndexe.exe (727 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsmondef\monrule.dll (815 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\monbasedui\rssrv.dll (774 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
   %Program Files%\Rising\RSD\rslang.dll (673 bytes)
   %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\mscrt9\atl90.dll (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\cloudqry\rscurl.dll (2638 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk.dll (4761 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1244 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\Auto.ini (36 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RsdSfxTmp\setup.dat (117 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (3 bytes)
   %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.