Gen.Variant.Kazy.77871_3ed026064c
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.77871 (B) (Emsisoft), Gen:Variant.Kazy.77871 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3ed026064cd987dd1232fa41b8624675
SHA1: 73a6c876d092534b6b9a16cc9c4f78dd81bef61e
SHA256: 8d289dff36231680b17d4b3dea6338920e988a1f6df43ed538d0978626f9b383
SSDeep: 98304:djC ePxm7iPYQdUl0o3rMbfJhCpUBVI/p0ESM QcgP9VABKrmn:KINQdUlRUfVTgq6cuVMKrm
Size: 4673007 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1988-10-23 22:19:22
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
2345Explorer_343901_silence.exe:3648
2345_28879_desk.exe:2668
2345Desktop.exe:1748
2345Desktop.exe:3124
2345Desktop.exe:2952
2345Desktop.exe:3344
2345DesktopLoader.exe:2716
2345DesktopLoader.exe:2960
2345DesktopLoader.exe:3116
2345DesktopLoader.exe:2744
2345DesktopLoader.exe:2944
2345DesktopLoader.exe:2708
regsvr32.exe:972
2345DesktopService.exe:3056
2345DesktopService.exe:2984
The Trojan injects its code into the following process(es):
%original file name%.exe:212
Explorer.EXE:932
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 2345Explorer_343901_silence.exe:3648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\RCWidgetPlugin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB.tmp (27316 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp (0 bytes)
The process 2345_28879_desk.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\2345Soft\2345Desktop\2345DesktopService.exe (1760 bytes)
%Program Files%\2345Soft\2345Desktop\Uninstall.exe (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\FileInfo.dll (5064 bytes)
%Program Files%\2345Soft\2345Desktop\2345Extract.dll (1824 bytes)
%Program Files%\2345Soft\2345Desktop\2345Desktop.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss5.tmp (127162 bytes)
%Program Files%\2345Soft\2345Desktop\data\weather_city_list.json (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10\2345DesktopLoader.exe (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (11 bytes)
%Program Files%\2345Soft\2345Desktop\Install.data (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\RCWidgetPlugin.dll (14184 bytes)
%Program Files%\2345Soft\2345Desktop\2345DesktopLoader.exe (197 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\FileInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\RCWidgetPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10\2345DesktopLoader.exe (0 bytes)
The process 2345Desktop.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (8028 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data (7120 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~7.tmp (0 bytes)
The process 2345Desktop.exe:2952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (678 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (1536 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data (2312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AnRList_000005[1].block (60 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AnRList_000005[1].block (0 bytes)
The process 2345Desktop.exe:3344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_detect.json.tmp (23 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_weather.json.tmp (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (1024 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_alert.json.tmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\54511[1].json (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (1430 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\update\2345Desktop.CheckStat.data (132 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_weather.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~9.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_detect.json (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_alert.json (0 bytes)
The process %original file name%.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[2].exe (421897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\2345_28879_desk.exe (10592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[1].exe (489298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (1425 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[2].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process 2345DesktopLoader.exe:2716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (225 bytes)
The process 2345DesktopLoader.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (54 bytes)
The process 2345DesktopLoader.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\卸载2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\2345网址导航.lnk (1 bytes)
%Program Files%\2345Soft\2345Desktop\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\2345桌面.lnk (1 bytes)
The process 2345DesktopService.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (40 bytes)
Registry activity
The process 2345Explorer_343901_silence.exe:3648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 43 EA 2E A2 E4 36 30 F6 D2 97 F2 98 FA BD 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\2345Explorer\Extensible Cache]
"(Default)" = ""
The process 2345_28879_desk.exe:2668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 A5 68 4B 61 48 86 AA 81 CC FD 3E BD 63 E1 81"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\2345Desktop]
"Value2" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\2345Desktop]
"Path" = "%Program Files%\2345Soft\2345Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"UninstallString" = "%Program Files%\2345Soft\2345Desktop\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\2345Desktop]
"Value" = "022074093570390062786500390489"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"Publisher" = "2345.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\2345Desktop.exe]
"(Default)" = "%Program Files%\2345Soft\2345Desktop\2345Desktop.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"URLInfoAbout" = "http://www.2345.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\2345Desktop]
"value6" = "028879 17533"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"DisplayIcon" = "%Program Files%\2345Soft\2345Desktop\2345Desktop.exe,1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"DisplayVersion" = "8.5.0.1024"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\2345Desktop.exe]
"Path" = "%Program Files%\2345Soft\2345Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Desktop]
"DisplayName" = "2345网址导航"
[HKLM\SOFTWARE\2345Desktop]
"Value11" = "0"
The process 2345Desktop.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 87 DE 6C 06 6B 5C CF 18 EA EE 79 30 67 0C 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 2345Desktop.exe:3124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 54 75 90 A7 EB 6B 15 57 EA 07 CD 22 40 37 BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2345Desktop.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 29 91 74 2A 99 38 34 B8 42 BE B7 C2 32 60 68"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2345Desktop.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 3F 23 4A 81 CF 53 1A 95 11 00 6A D0 5B B6 16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 0B 02 ED 89 8F BC 3B 93 ED 2B D6 3B 66 9B 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2345DesktopLoader.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F BD 47 9F 33 4C C0 83 98 70 7C 13 29 C7 1D 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 2345DesktopLoader.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 48 4C F2 B8 CC EB 28 F4 34 C9 97 89 83 C3 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"2345DesktopTools" = "%Program Files%\2345Soft\2345Desktop\2345Desktop.exe command=desktop"
The process 2345DesktopLoader.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 C0 DB 0C 8E 4F 71 ED DC CB E8 41 51 E3 D8 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\2345Soft\2345Desktop]
"2345Desktop.exe" = "2345Destop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 2345DesktopLoader.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B B1 FC 17 1F 4F 07 A5 94 2C 75 F4 4A 95 49 6D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 2345DesktopLoader.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 5C 6C 71 DE 98 93 A3 E2 55 7E 1A 16 83 A1 F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process 2345DesktopLoader.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 B8 5C 7D 28 73 3E F0 31 17 2E CF EC C5 94 E2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 89 C7 A4 31 47 94 F2 4F B3 77 36 E7 00 74 92"
The process 2345DesktopService.exe:3056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A C1 C7 2B 15 03 A9 60 81 A8 81 C0 8D 74 5A 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
The process 2345DesktopService.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C D6 76 36 CA 94 58 CE 8A 8B 09 43 F6 77 5A FB"
Dropped PE files
| MD5 | File path |
|---|---|
| b051f415d3ed55a4c71b476c1f925452 | c:\Program Files\2345Soft\2345Desktop\2345Desktop.exe |
| f483e135ef02ea0e0691ca6e77fe112a | c:\Program Files\2345Soft\2345Desktop\2345DesktopLoader.exe |
| ff7651949eae446c7711be9042f900f4 | c:\Program Files\2345Soft\2345Desktop\2345DesktopService.exe |
| 30decbbfff805046664241fa45693052 | c:\Program Files\2345Soft\2345Desktop\2345Extract.dll |
| 6800a158f93efe902a1b6c1038cf653c | c:\Program Files\2345Soft\2345Desktop\Uninstall.exe |
| cf4bb0ac994c32c85452225831658af6 | c:\Program Files\2345_28879_desk.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 5533696 | 6144 | 5.00447 | 70358beac31af83a45def117ce619955 |
| .bss | 5537792 | 638582784 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .bvyrbq | 644120576 | 4591616 | 4591616 | 5.54189 | 94040d3e8de100084440fe37db0789e5 |
| .idata | 648712192 | 8192 | 5120 | 3.84618 | c189e8afd46a75c71476e85e307e45b4 |
| .rsrc | 648720384 | 69632 | 69103 | 2.84898 | 23204443f24e2061afba56b51577e2d1 |
URLs
| URL | IP |
|---|---|
| hxxp://61.147.204.55/2345_common/2345_28879_desk.exe | |
| hxxp://download.2345.com/silence/2345Explorer_343901_silence.exe | |
| hxxp://ie.2345.com/adblock/onlinedata_v1/onlinedata.php | |
| hxxp://download.2345.com/adblock/onlinedata_v1/2345antiredirect/v1/AnRList_000005.block | |
| hxxp://www.2345.com/ | |
| hxxp://union2.50bang.org/web/ajax57?uId2=SPTNPQRLSX&uId=9018013399965456402344&r=&lO=usertype=union_user=28879_version=8.5.0.1024 | |
| hxxp://tianqi.2345.com/t/detect2012_json.php | |
| hxxp://tianqi.2345.com/t/tq_common_json/54511.json | |
| hxxp://tianqi.2345.com/t/shikuang/alert/js/54511.js | |
| hxxp://download.2345.cn/silence/2345Explorer_343901_silence.exe | |
| hxxp://download.2345.com/2345_common/2345_28879_desk.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=2097152-3145727
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:23 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 2097152-3145727/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=1048576-2097151
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:35 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 1048576-2097151/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=0-1048575
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:48 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 0-1048575/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=7340032-8388607
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:59 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 7340032-8388607/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:22 GMT
Content-Type: application/octet-stream
Content-Length: 8899112
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Host: VVV.2345.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Fri, 21 Aug 2015 12:10:29 GMT
ETag: "1eb26-51dd12757f740"
Cache-Control: max-age=3600
Expires: Fri, 21 Aug 2015 19:56:23 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Date: Fri, 21 Aug 2015 19:21:32 GMT
Age: 1510
Connection: keep-alive
x-hits: 10275008000..<!doctype html>..<html><head>..
<<< skipped >>>
GET /web/ajax57?uId2=SPTNPQRLSX&uId=9018013399965456402344&r=&lO=usertype=union_user=28879_version=8.5.0.1024 HTTP/1.1
Host: union2.50bang.org
HTTP/1.1 200 OK
Date: Fri, 21 Aug 2015 19:21:33 GMT
Server: Apache
Set-Cookie: uidFlag=1; path=/; domain=union2.50bang.org; expires=Sun,22-Feb-2099 00:00:00 GMT
Set-Cookie: uUid=826955D77A3D000E4530D2FA020B; path=/; domain=union2.50bang.org; expires=Sun,22-Feb-2099 00:00:00 GMT
Set-Cookie: uHTL=1; path=/web/ajax57; expires=Sun,22-Feb-2099 00:00:00 GMT
Set-Cookie: uHTT=1440184893; path=/web/ajax57; expires=Sun,22-Feb-2099 00:00:00 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 0
Content-Type: text/plain
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=3145728-4194303
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:23 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 3145728-4194303/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=8388608-8899111
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:54 GMT
Content-Type: application/octet-stream
Content-Length: 510504
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 8388608-8899111/8899112
<<< skipped >>>
GET /silence/2345Explorer_343901_silence.exe HTTP/1.1
Accept: */*
Range: bytes=6291456-7340031
Host: download.2345.cn
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:22:04 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Tue, 07 Apr 2015 19:32:02 GMT
Connection: keep-alive
Content-Range: bytes 6291456-7340031/8899112
<<< skipped >>>
GET /t/detect2012_json.php HTTP/1.1
Accept: */*
Host: tianqi.2345.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: max-age=0
Expires: Fri, 21 Aug 2015 19:22:05 GMT
P3P: CP=CAO PSA OUR
Vary: Accept-Encoding
Content-Type: text/html; charset=gbk
Content-Length: 23
Accept-Ranges: bytes
Date: Fri, 21 Aug 2015 19:22:05 GMT
Age: 0
Connection: keep-alive
{'lc':54511,'wc':54511}
GET /t/tq_common_json/54511.json HTTP/1.1
Accept: */*
Host: tianqi.2345.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Fri, 21 Aug 2015 18:09:24 GMT
ETag: "67d-51dd62aedfd00"
Cache-Control: max-age=600
Expires: Fri, 21 Aug 2015 19:26:55 GMT
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Length: 1661
Accept-Ranges: bytes
Date: Fri, 21 Aug 2015 19:22:06 GMT
Age: 311
Connection: keep-alive
{"city":"\u5317\u4eac","id":"54511","prov":"\u5317\u4eac","provId":"12
","areaId":"54511","area":"\u5317\u4eac","pinyin":"beijing","temp":"25
","nongli":"\u4e03\u6708\u521d\u4e5d","dayType":15,"cityNameWithSuffix
":"\u5317\u4eac\u5e02","aqi":"34","PM10":"42","CO":"0.6","O3":"70","SO
2":"3","NO2":"40","PM25":"24","showDetail":"yes","day1":{"tempLow":"20
","tempHigh":"30","year":"2015","month":"08","day":"22","week":"\u516d
","weather":"\u9635\u96e8","wind":"\u5fae\u98ce","img":39,"imgNight":3
9,"shortWea":"\u9635\u96e8"},"day2":{"tempLow":"19","tempHigh":"27","y
ear":"2015","month":"08","day":"23","week":"\u65e5","weather":"\u5c0f\
u96e8\u8f6c\u9634","wind":"\u5fae\u98ce","img":11,"imgNight":26,"short
Wea":"\u5c0f\u96e8"},"day3":{"tempLow":"19","tempHigh":"29","year":"20
15","month":"08","day":"24","week":"\u4e00","weather":"\u591a\u4e91","
wind":"\u5fae\u98ce","img":28,"imgNight":28,"shortWea":"\u591a\u4e91"}
,"day4":{"tempLow":"20","tempHigh":"29","year":"2015","month":"08","da
y":"25","week":"\u4e8c","weather":"\u591a\u4e91","wind":"\u5fae\u98ce"
,"img":28,"imgNight":28,"shortWea":"\u591a\u4e91"},"day5":{"tempLow":"
20","tempHigh":"29","year":"2015","month":"08","day":"26","week":"\u4e
09","weather":"\u591a\u4e91\u8f6c\u9635\u96e8","wind":"\u5fae\u98ce","
img":28,"imgNight":39,"shortWea":"\u591a\u4e91"},"day6":{"tempLow":"19
","tempHigh":"28","year":"2015","month":"08","day":"27","week":"\u56db
","weather":"\u5c0f\u96e8","wind":"\u5fae\u98ce","img":11,"imgNight":1
1,"shortWea":"\u5c0f\u96e8"},"day7":{"tempLow":"","tempHigh":"","y<<< skipped >>>
GET /t/shikuang/alert/js/54511.js HTTP/1.1
Accept: */*
Host: tianqi.2345.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Last-Modified: Fri, 21 Aug 2015 18:01:21 GMT
ETag: "18-51dd60e23fe40"
Cache-Control: max-age=3600
Expires: Fri, 21 Aug 2015 19:26:39 GMT
Vary: Accept-Encoding
P3P: CP=CAO PSA OUR
Content-Type: application/javascript
Transfer-Encoding: chunked
Date: Fri, 21 Aug 2015 19:22:06 GMT
Age: 3328
Connection: keep-alive

0018
weaAlertCallBack(false);

GET /2345_common/2345_28879_desk.exe HTTP/1.1
Accept: */*
Range: bytes=1048576-1906639
Host: download.2345.com
Cache-Control: no-cache

HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:05 GMT
Content-Type: application/octet-stream
Content-Length: 858064
Last-Modified: Mon, 17 Aug 2015 23:57:37 GMT
Connection: keep-alive
Content-Range: bytes 1048576-1906639/1906640

<<< skipped >>>
GET /adblock/onlinedata_v1/2345antiredirect/v1/AnRList_000005.block HTTP/1.1
Accept: */*
Host: download.2345.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:31 GMT
Content-Type: application/octet-stream
Content-Length: 60
Last-Modified: Tue, 02 Jun 2015 04:38:49 GMT
Connection: keep-alive
Accept-Ranges: bytes
GET /2345_common/2345_28879_desk.exe HTTP/1.1
Accept: */*
Range: bytes=0-1048575
Host: download.2345.com
Cache-Control: no-cache

HTTP/1.1 206 Partial Content
Server: nginx/1.0.11
Date: Fri, 21 Aug 2015 19:21:05 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Last-Modified: Mon, 17 Aug 2015 23:57:37 GMT
Connection: keep-alive
Content-Range: bytes 0-1048575/1906640

<<< skipped >>>
POST /adblock/onlinedata_v1/onlinedata.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ie.2345.com
Content-Length: 21
Cache-Control: no-cache

ClientVer=4.1.0.13470

HTTP/1.1 200 OK
Date: Fri, 21 Aug 2015 19:21:29 GMT
Server: Apache
Cache-Control: max-age=0
Expires: Fri, 21 Aug 2015 19:21:29 GMT
Vary: Accept-Encoding
Content-Length: 5320
Connection: close
Content-Type: text/html

<?xml version="1.0" encoding="utf-8"?>
<main ver="000001">
<item DataType="BlockADBlack">hXXp://download.2345.com/adblock/onlinedata_v1/blockadblack/v2/adfblist_000053.block</item>
<item DataType="BlockADWhite">hXXp://download.2345.com/adblock/onlinedata_v1/blockadwhite/v2/adfwlist_000053.block</item>
<item DataType="BlockADWildCard">hXXp://download.2345.com/adblock/onlinedata_v1/blockadwildcard/v2/adfslist_000053.block</item>
<item DataType="VideoADWildCard">hXXp://download.2345.com/adblock/onlinedata_v1/videoadwildcard/v2/vflist_000021.block</item>
<item DataType="MaliciousSiteBlack">hXXp://download.2345.com/adblock/onlinedata_v1/malicioussiteblack/v2/mfblist_000100.block</item>
<item DataType="MaliciousSiteWildCard">hXXp://download.2345.com/adblock/onlinedata_v1/malicioussitewildcard/v2/mfwlist_000100.block</item>
<item DataType="FlashCacheWildCard">hXXp://download.2345.com/adblock/onlinedata_v1/flashcachewildcard/v3/fcachelist_000012.block</item>
<item DataType="VideoBlk">hXXp://download.2345.com/adblock/onlinedata_v1/videoblk/v1/VideoBlk_000028.block</item>
<item DataType="VideoBlkVer">hXXp://download.2345.com/adblock/onlinedata_v1/videoblkver/v1/VideoBlkVer_000028.block</item>
<item DataType="BannerADWildCard">hXXp://download.2345.com/adblock/onlinedata_v1/banneradwildcard/v1/BFInfo_000005.block</item>
<item DataType="AdvancedRenderForce2WildCard">hXXp://download.2345.c<<< skipped >>>
The Trojan connects to the servers at the following location(s):
shlwapi.dll
advapi32.dll
winmm.dll
ntdll.dll
kernel32.dll
KERNEL32.DLL
user32.dll
C:\360Lanadmin.dll
Kernel32.dll
Shlwapi.dll
MsgWaitForMultipleObjects
RegCloseKey
RegCreateKeyA
RegOpenKeyA
MapVirtualKeyA
keybd_event
.text
.sedata
.idata
.rsrc
.reloc
B.sedata
GetProcessHeap
hid.dll
iphlpapi.dll
mscoree.dll
mscorwks.dll
mscorsvr.dll
KernelBase.dll
mscoreei.dll
clr.dll
diasymreader.dll
SEGetNumExecUsed
SEGetNumExecLeft
SESetNumExecUsed
SEGetExecTimeUsed
SEGetExecTimeLeft
SESetExecTime
SEGetTotalExecTimeUsed
SEGetTotalExecTimeLeft
SESetTotalExecTime
SECheckExecTime
SECheckTotalExecTime
MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
SHELL32.dll
wmadmoe12.dll
d$%fR
QWINMM.dll
WS2_32.dll
RASAPI32.dll
WinExec
DGetCPInfo
GetWindowsDirectoryA
GetKeyState
{USER32.dllOSetWindowsHookExA
UnhookWindowsHookEx
%ScrollWindowEx
UnregisterHotKey
}LRegisterHotKey
CreateDialogIndirectParamA
(GDI32.dll
GetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
uSetViewportOrgEx
ScaleViewportExtEx
G 1%f
WINSPOOL.DRV
:ADVAPI32.dll
piRegOpenKeyExA
GetViewportExtEx
ShellExecuteA
ole32.dll
WININET.dll
OLEAUT32.dll
COMCTL32.dll
comdlg32.dll
Safengine Shielden v2.3.4.0
WINMM.dll
GDI32.dll
.Shanghai Bo Yi Information Technology Co. Ltd.1"0
[email protected]
[email protected]
.Shanghai Bo Yi Information Technology Co. Ltd.1:08
[email protected]
[email protected]]
LhXXp://pki-crl.symauth.com/ca_3e5451d77b370c64c3bd39d10f35bd21/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
51153809
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
2345Desktop.exe
hXXp://VVV.2345.com/?28879\
google chrome
Google Chrome
CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag\Param1
CMD /C regsvr32 /u /s igfxpph.dll & reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f & reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}& reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32 & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32 /ve /t reg_expand_sz /d %SystemRoot%\system32\shdocvw.dll /f & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance /v CLSID /t reg_sz /d {3f454f0e-42ae-4d7c-8ea3-328250d6e272} /f & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag /v Param1 /t reg_sz /d hXXp://VVV.234la.com /f & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag /v command /t reg_sz /d 360/f & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag /v method /t reg_sz /d ShellExecute /f & reg add HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Instance\InitPropertyBag /v CLSID /t reg_sz /d {13709620-C279-11CE-A49E-444553540000} /f & reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\{00000000-0000-0000-0000-000000000001}
kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\Main
Software\Policies\Microsoft\Internet Explorer\Main\Default_Page_URL
Software\Microsoft\Internet Explorer\Main\Default_Page_URL
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
%Program Files%\Internet Explorer\iexplore.exe"
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
GDI32.DLL
USER32.DLL
SHELL32.DLL
ADVAPI32.DLL
MPR.DLL
WINMM.DLL
cmd.exe
explorer.exe
.nsp0
.nsp1
.nsp2
MSVCRT.DLL
55555555555555.dll
ÜeTK
&F*.lT!
2345Soft\2345Explorer\Uninstall.exe
2345Soft\2345Desktop\Uninstall.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
HTTP_DownLoad_Dll.dll
HTTP_DownLoad_Info
HTTP_DownLoad_Pause
HTTP_DownLoad_Restore
HTTP_DownLoad_Start
HTTP_DownLoad_Stop
%Program Files%\2345_28879_desk.exe
\2345Soft\2345Desktop\2345Desktop.exe
%Program Files%\2345Explorer_343901_silence.exe
SHLWAPI.DLL
.IQ 0B
2345Explorer.exe
2345desktop.exe
DLL.dll
OLE32.DLL
OLEAUT32.DLL
COMCTL32.DLL
WS2_32.DLL
COMDLG32.DLL
360Lanadmin.dll
0000000
svchost.exe
gdi32.dll
ws2_32.dll
%Program Files%\2345_28879_desk
.exe
hXXp://yunpan.cn/cKY8yG52eY745
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
hXXp://download.2345.com/2345_common/2345_28879_desk.exe
hXXp://pan.baidu.com/s/1hqAF3UG
%Program Files%
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s,%d
%s.lnk
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
10.0.0.3802
Windows Media Audio Encoder/Transcoder
(hXXp://VVV.eyuyan.com)
1.0.0.0
%original file name%.exe_212_rwx_26A48000_00461000:
t.Ht2Ht6Ht:Ht>
user32.dll
F&{00000000-0000-0000-C000-000000000046}3This binary has no widestrings support compiled in.
ENoThreadSupport
ENoWideStringSupport
=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer1234567890
kernel32.dll
TlxLoaderInternalExportItem
TlxLoaderInternalExportList
&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}.Owner
Invalid registry data type: "%s"
registry.sinvalidregtype
Failed to create key: "%s"
registry.sregcreatefailed
Failed to set data for value "%s"
registry.sregsetdatafailed
Failed to get data for value "%s"
registry.sreggetdatafailed
1.1.2
sysconst.sabstracterror
sysconst.saccessdenied
sysconst.saccessviolation
Missing argument in format "%s"
sysconst.sargumentmissing
%s (%s, line %d)
sysconst.sasserterror
sysconst.sassertionfailed
sysconst.sbuserror
sysconst.scontrolc
sysconst.sdiskfull
sysconst.sdispatcherror
sysconst.sdivbyzero
sysconst.sendoffile
External exception %x
sysconst.sexternalexception
sysconst.sfilenotassigned
sysconst.sfilenotfound
sysconst.sfilenotopen
sysconst.sfilenotopenforinput
sysconst.sfilenotopenforoutput
sysconst.sinvalidfilename
sysconst.sintoverflow
Interface not supported
sysconst.sintfcasterror
Invalid argument index in format "%s"
sysconst.sinvalidargindex
sysconst.sinvalidcast
sysconst.sinvaliddrive
sysconst.sinvalidfilehandle
Invalid format specifier : "%s"
sysconst.sinvalidformat
sysconst.sinvalidinput
Invalid floating point operation
sysconst.sinvalidop
Invalid pointer operation
sysconst.sinvalidpointer
sysconst.sinvalidvarcast
Invalid variant operation
sysconst.sinvalidvarop
Threads not supported. Recompile program with thread driver.
sysconst.snothreadsupport
sysconst.smissingwstringmanager
System error, (OS Code %d):
sysconst.soserror
sysconst.soutofmemory
sysconst.soverflow
sysconst.sprivilege
sysconst.srangeerror
sysconst.ssafecallexception
sysconst.siconverror
sysconst.stoomanyopenfiles
sysconst.sunknownruntimeerror
sysconst.sunderflow
An operating system call failed.
sysconst.sunkoserror
sysconst.svararraybounds
sysconst.svararraycreate
sysconst.svarnotarray
Ancestor class for "%s" not found.
rtlconsts.sancestornotfound
Cannot assign a %s to a %s.
rtlconsts.sassignerror
Class "%s" not found
rtlconsts.sclassnotfound
Duplicate name: A component named "%s" already exists
rtlconsts.sduplicatename
rtlconsts.sduplicatestring
rtlconsts.semptystreamillegalreader
rtlconsts.semptystreamillegalwriter
Unable to create file "%s"
rtlconsts.sfcreateerror
Unable to open file "%s"
rtlconsts.sfopenerror
rtlconsts.sinvalidimage
"%s" is not a valid component name
rtlconsts.sinvalidname
rtlconsts.sinvalidpropertypath
rtlconsts.sinvalidpropertyvalue
List capacity (%d) exceeded.
rtlconsts.slistcapacityerror
List count (%d) out of bounds.
rtlconsts.slistcounterror
List index (%d) out of bounds
rtlconsts.slistindexerror
rtlconsts.smemorystreamerror
Error reading %s%s%s: %s
rtlconsts.spropertyexception
rtlconsts.sreaderror
rtlconsts.sreadonlyproperty
Resource "%s" not found
rtlconsts.sresnotfound
%s.Seek not implemented
rtlconsts.sseeknotimplemented
Operation not allowed on sorted list
rtlconsts.ssortedlisterror
Reading from %s is not supported
rtlconsts.sstreamnoreading
Writing to %s is not supported
rtlconsts.sstreamnowriting
Unknown property: "%s"
rtlconsts.sunknownproperty
Unknown property type %d
rtlconsts.sunknownpropertytype
rtlconsts.swriteerror
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
GetProcessHeap
GetWindowsDirectoryA
ShellExecuteW
advapi32.dll
gdi32.dll
oleaut32.dll
shell32.dll
".Nm6
%original file name%.exe_212_rwx_27530000_00011000:
3This binary has no widestrings support compiled in.
GetProcessHeap
EnumWindows
.text
P`.data
.idata
.reloc
KERNEL32.DLL
oleaut32.dll
user32.dll
2345Desktop.exe_3344:
.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
url:"
.htm"
ClientVer=4.1.0.13470
GetProcessWindowStation
operator
3.8.1
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
RegOpenKeyExW
RegCloseKey
ShellExecuteW
CryptCATCatalogInfoFromContext
CertNameToStrW
Windows XP: GB18030 Simplified Chinese (4 Byte)
COMCTL32.DLL
User32.dll
Shell32.dll
ShellExecuteExW
DeleteUrlCacheEntryA
DeleteUrlCacheEntryW
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryW
FindNextUrlCacheEntryA
FindNextUrlCacheEntryW
FtpCommandA
FtpCommandW
FtpFindFirstFileA
FtpFindFirstFileW
FtpOpenFileA
FtpOpenFileW
GetUrlCacheEntryInfoA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
HttpEndRequestA
HttpEndRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestA
HttpSendRequestW
InternetCrackUrlA
InternetCrackUrlW
InternetOpenUrlA
InternetOpenUrlW
RetrieveUrlCacheEntryStreamW
ReadUrlCacheEntryStream
UnlockUrlCacheEntryStream
Z#jM0NeVv#wMDG9 8rwzxVsti80A=j5a.op
2345.com--
login
NetWkstaTransportEnum
UrlEscapeA
UrlUnescapeA
Line %d, Column %d
E:\code_svn\2345Software_1024\bin\Win32\Build\2345Desktop\pdb\2345Desktop.pdb
KERNEL32.dll
WININET.dll
COMCTL32.dll
MSIMG32.dll
GetProcessHeap
GetCPInfo
GetKeyState
EnumWindows
USER32.dll
SetViewportOrgEx
GDI32.dll
RegOpenKeyW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
GetWindowsDirectoryW
ExitWindowsEx
RegEnumKeyW
RegQueryInfoKeyW
zcÁ
automatic extension loading failed: %s
foreign key constraint failed
too many columns on %s
unable to use function %s in the requested context
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
duplicate column name: %s
PRIMARY KEY must be unique
defer_foreign_keys
database schema is locked: %s
foreign_key_check
foreign_key_list
foreign_keys
sqlite_
failed to allocate %u bytes of memory
database corruption at line %d of [%.10s]
a JOIN clause is required before %s
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
default value of column [%s] is not constant
abort at %d in [%s]: %s
constraint failed at %d in [%s]
failed memory resize %u to %u bytes
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
table "%s" has more than one primary key
variable number must be between ?1 and ?%d
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
too many SQL variables
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
vtable constructor failed: %s
vtable constructor did not declare schema: %s
cannot change %s wal mode from within a transaction
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')-mjX9X
database table is locked: %s
no such module: %s
RowKey
bind on a busy prepared statement: [%s]
sqlite_stat1
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
%s.xBestIndex() malfunction
statement aborts at %d: [%s] %s
too many attached databases - max %d
automatic index on %s(%s)
SQL logic error or missing database
database %s is already in use
invalid page number %d
2nd reference to page %d
no such trigger: %S
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
unknown operation
large file support is disabled
unable to identify the object to be reindexed
cannot open value of type %s
Failed to read ptrmap key=%d
Bad ptr std::map entry key=%d expected=(%d,%d) got=(%d,%d)
unable to open database: %s
%s-shm
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
no such database: %s
cannot detach database %s
freelist leaf count too big on page %d
database %s is locked
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
cannot open virtual table: %s
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
cannot open view: %s
no such column: "%s"
misuse of aliased aggregate %s
too many columns in %s
no such collation sequence: %s
%s: %s.%s.%s
foreign key
%s: %s.%s
%s: %s
Page %d:
SQLITE_
indexed
unable to get the page. error code=%d
cannot open %s column for writing
a NATURAL join may not have an ON or USING clause
btreeInitPage() returns error code %d
sqlite_detach
On tree page %d cell %d:
cannot have both ON and USING clauses in the same join
view %s is circularly defined
sqlite_attach
cannot join using column %s - column not present in both tables
On page %d at right child:
%s prohibited in partial index WHERE clauses
%s %T cannot reference objects in database %s
table %s: xBestIndex returned an invalid plan
%s prohibited in CHECK constraints
Corruption detected in cell %d on page %d
recovered %d frames from WAL file %s
-- TRIGGER %s
no such index: %s
%s cannot use variables
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
not authorized to use function: %s
cannot open savepoint - SQL statements in progress
sqlite_stat%d
DELETE FROM %Q.%s WHERE %s=%Q
Page %d is never used
Pointer std::map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
no such savepoint: %s
cannot release savepoint - SQL statements in progress
sqlite_sq_%p
zeroblob(%d)
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
%.*s"%w"%s
d-d-d d:d:d
too many references to "%s": max 65535
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
d:d:d
cannot commit transaction - SQL statements in progress
table %s may not be modified
d-d-d
cannot modify %s because it is a view
%s%.*s"%w"
%r %s BY term out of range - should be between 1 and %d
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
EXECUTE %s%s SUBQUERY %d
%s.%s
%s.%s.%s
no such table: %s
foreign key on %s should reference only one column of table %T
sqlite_rename_table
number of columns in foreign key does not match the number of columns in the referenced table
sqlite_rename_trigger
sqlite_rename_parent
table %S has %d columns but %d values were supplied
%d values for %d columns
USE TEMP B-TREE FOR %s
at most %d tables in a join
unknown column "%s" in foreign key definition
table %S has no column named %s
%s OR name=%Q
%s SUBQUERY %d
too many terms in %s BY clause
%s TABLE %s
%s AS %s
unknown database: %s
%s USING AUTOMATIC %sINDEX%.0s%s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s USING %sINDEX %s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
no such column: %s
type='trigger' AND (%s)
922337203685477580
unknown database %s
%s VIRTUAL TABLE INDEX %d:%s
indexed columns are not unique
*** in database %s ***
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
os_win.c:%d: (%lu) %s(%s) - %s
cannot create a TEMP index on non-TEMP table "%s"
sqlite_sequence
unsupported encoding: %s
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
cannot limit WAL size: %s
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
delayed %dms for lock/sharing conflict
SCAN TABLE %s%s%s
index %s already exists
sqlite_autoindex_%s_%d
%s.%s may not be NULL
Cannot add a PRIMARY KEY column
constraint %s failed
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
malformed database schema (%s)
%s - %s
keyinfo(%d
table %s has no column named %s
%s(%d)
recovered %d pages from %s
sqlite_altertab_%s
cannot VACUUM - SQL statements in progress
sqlite_version
sqlite_source_id
sqlite_stat3
API call with %s database connection pointer
sqlite_log
sqlite_stat4
sqlite_compileoption_used
sqlite_compileoption_get
%s:%d
sqlite3_extension_init
PRAGMA vacuum_db.synchronous=OFF
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);unable to open shared library [%s]
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
CREATE TABLE %Q.%s(%s)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
no such %s mode: %s
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
sqlite3_
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
%s mode not allowed: %s
no such vfs: %s
no entry point [%s] in shared library [%s]
unsupported file format
error during initialization: %s
%s%s%s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
object name reserved for internal use: %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
foreign key mismatch - "%w" referencing "%w"
Expression tree is too large (maximum depth %d)
misuse of aggregate: %s()
there is already an index named %s
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
sqlite3_get_table() called with two or more incompatible queries
.?AVRCExecuteManager@@
.?AVRCExecuteAsParent@@
.?AVRCSqliteResults@@
.?AVRCMD5@RC@@
.?AV?$sp_counted_impl_p@VRCHashCalcMD5@RC@@@detail@boost@@
.?AVRCHashCalcMD5@RC@@
.?AVRCHttpFile@RC@@
&iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:9971EEA129F311E5988EED297D8B57B5" xmpMM:DocumentID="xmp.did:9971EEA229F311E5988EED297D8B57B5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9971EE9F29F311E5988EED297D8B57B5" stRef:documentID="xmp.did:9971EEA029F311E5988EED297D8B57B5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:0C8B28D12C4311E5BE7DBE8A58FCD8F6" xmpMM:DocumentID="xmp.did:0C8B28D22C4311E5BE7DBE8A58FCD8F6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0C8B28CF2C4311E5BE7DBE8A58FCD8F6" stRef:documentID="xmp.did:0C8B28D02C4311E5BE7DBE8A58FCD8F6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
qiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b9181da8-5d58-ec40-aa3e-e90d2aba86b8" xmpMM:DocumentID="xmp.did:C97D8D468B4111E48A968C4A4A633D9E" xmpMM:InstanceID="xmp.iid:C97D8D458B4111E48A968C4A4A633D9E" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:b9181da8-5d58-ec40-aa3e-e90d2aba86b8" stRef:documentID="xmp.did:b9181da8-5d58-ec40-aa3e-e90d2aba86b8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b9181da8-5d58-ec40-aa3e-e90d2aba86b8" xmpMM:DocumentID="xmp.did:C97D8D428B4111E48A968C4A4A633D9E" xmpMM:InstanceID="xmp.iid:C97D8D418B4111E48A968C4A4A633D9E" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:b9181da8-5d58-ec40-aa3e-e90d2aba86b8" stRef:documentID="xmp.did:b9181da8-5d58-ec40-aa3e-e90d2aba86b8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
m.Cw(/
R.RavX'
`%XH!
.K%%Xi
v-Dx}
dY.Io
%X8kLj
wYŒ
-%cjJ
jg.eA`
.IAB@
(/.bqv
I%D\)
viTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:E50907BCCEDF11E4AFA98F25D86EC42D" xmpMM:InstanceID="xmp.iid:E50907BBCEDF11E4AFA98F25D86EC42D" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:20239c19-4804-2242-ad64-b88646a1eb40" stRef:documentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Y;
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:99B71E7ADF3311E480FBEBA7003DF5FE" xmpMM:DocumentID="xmp.did:99B71E7BDF3311E480FBEBA7003DF5FE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:99B71E78DF3311E480FBEBA7003DF5FE" stRef:documentID="xmp.did:99B71E79DF3311E480FBEBA7003DF5FE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:2A71325F932DE411AFB78559F6CA8A12" xmpMM:DocumentID="xmp.did:65E3584E9F8111E4936FEEEA372FEEFD" xmpMM:InstanceID="xmp.iid:65E3584D9F8111E4936FEEEA372FEEFD" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:cbd205d4-0fb6-a649-9d62-1ababf4a1c6f" stRef:documentID="adobe:docid:photoshop:810e159b-9d56-11e4-b551-fb287c9b7c54"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:FC328882D10D11E4BA0CE999F94CE202" xmpMM:DocumentID="xmp.did:FC328883D10D11E4BA0CE999F94CE202"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FC328880D10D11E4BA0CE999F94CE202" stRef:documentID="xmp.did:FC328881D10D11E4BA0CE999F94CE202"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:3C652975D29A11E4BC34C67E1F44EF2E" xmpMM:DocumentID="xmp.did:3C652976D29A11E4BC34C67E1F44EF2E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3C652973D29A11E4BC34C67E1F44EF2E" stRef:documentID="xmp.did:3C652974D29A11E4BC34C67E1F44EF2E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:29E31669D2B111E4AD11AC799E7B1354" xmpMM:DocumentID="xmp.did:29E3166AD2B111E4AD11AC799E7B1354"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:29E31667D2B111E4AD11AC799E7B1354" stRef:documentID="xmp.did:29E31668D2B111E4AD11AC799E7B1354"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:3A0592A4D2B111E48B2E947AC04C7967" xmpMM:DocumentID="xmp.did:3A0592A5D2B111E48B2E947AC04C7967"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3A0592A2D2B111E48B2E947AC04C7967" stRef:documentID="xmp.did:3A0592A3D2B111E48B2E947AC04C7967"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:AE145607DDBC11E4A329D7FFB0E8FCB2" xmpMM:DocumentID="xmp.did:AE145608DDBC11E4A329D7FFB0E8FCB2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:AE145605DDBC11E4A329D7FFB0E8FCB2" stRef:documentID="xmp.did:AE145606DDBC11E4A329D7FFB0E8FCB2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>7
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:8B993B67DDBC11E4A5B1872B13F5657D" xmpMM:DocumentID="xmp.did:8B993B68DDBC11E4A5B1872B13F5657D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8B993B65DDBC11E4A5B1872B13F5657D" stRef:documentID="xmp.did:8B993B66DDBC11E4A5B1872B13F5657D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:0fae8087-c937-464a-813a-2b2ddb7afb10" xmpMM:DocumentID="xmp.did:6BCA6573DDBB11E48791823727A22817" xmpMM:InstanceID="xmp.iid:6BCA6572DDBB11E48791823727A22817" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0fae8087-c937-464a-813a-2b2ddb7afb10" stRef:documentID="xmp.did:0fae8087-c937-464a-813a-2b2ddb7afb10"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
d.Jq '
ln}5M%S
RL;%x
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:1f345368-cefe-3443-ae98-6d6928b0e8bb" xmpMM:DocumentID="xmp.did:871BAE7A08F211E5BDF0B1318D79B875" xmpMM:InstanceID="xmp.iid:871BAE7908F211E5BDF0B1318D79B875" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1f345368-cefe-3443-ae98-6d6928b0e8bb" stRef:documentID="xmp.did:1f345368-cefe-3443-ae98-6d6928b0e8bb"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E981591CFF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E981591BFF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E98B6B5BFF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E98B6B5AFF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E9815918FF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E9815917FF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E98B6B5FFF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E98B6B5EFF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E9815914FF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E9815913FF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:FA6BEA42FF6711E4B068FD03114F3FA4" xmpMM:InstanceID="xmp.iid:FA6BEA41FF6711E4B068FD03114F3FA4" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:c9fd47b0-88c8-0748-a2c5-083d0bd28449" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:E98B6B63FF6211E49268EAB375D6B5E8" xmpMM:InstanceID="xmp.iid:E98B6B62FF6211E49268EAB375D6B5E8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9acba63c-65e5-f940-9398-c907c24d1d14" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>\]g
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:6F0C1436FF6711E497FBF735881AE88C" xmpMM:InstanceID="xmp.iid:6F0C1435FF6711E497FBF735881AE88C" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e5410ba6-07d6-464b-b092-d681e72b339e" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>:
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2" xmpMM:DocumentID="xmp.did:6F0C1432FF6711E497FBF735881AE88C" xmpMM:InstanceID="xmp.iid:6F0C1431FF6711E497FBF735881AE88C" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e5410ba6-07d6-464b-b092-d681e72b339e" stRef:documentID="xmp.did:b99fee2d-c8b7-4144-ae13-6f767ebec1a2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>l/}
niTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:C19A449805B611E5B082D11F4990F0A8" xmpMM:InstanceID="xmp.iid:C19A449705B611E5B082D11F4990F0A8" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7F3A3BDDFF5E11E4BC75DF10B9FB1ED3" stRef:documentID="xmp.did:7F3A3BDEFF5E11E4BC75DF10B9FB1ED3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:00791DB905B611E5880FE4A3B838A5AC" xmpMM:InstanceID="xmp.iid:00791DB805B611E5880FE4A3B838A5AC" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:73E6FCFD05AA11E5AFA594A2B827DA11" stRef:documentID="xmp.did:73E6FCFE05AA11E5AFA594A2B827DA11"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>wBA
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:8CB67F6105B711E5B51EADB26445C450" xmpMM:InstanceID="xmp.iid:8CB67F6005B711E5B51EADB26445C450" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:73E6FCFD05AA11E5AFA594A2B827DA11" stRef:documentID="xmp.did:73E6FCFE05AA11E5AFA594A2B827DA11"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:1EE6D7E205B711E59FC7CD470140D588" xmpMM:InstanceID="xmp.iid:1EE6D7E105B711E59FC7CD470140D588" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0E267E2C05AE11E586BCCC1E9AEA48E7" stRef:documentID="xmp.did:0E267E2D05AE11E586BCCC1E9AEA48E7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>b
Þar
{hv%X" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:5597BB4029F211E584AE85AD1798BE2F" xmpMM:DocumentID="xmp.did:5597BB4129F211E584AE85AD1798BE2F"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5597BB3E29F211E584AE85AD1798BE2F" stRef:documentID="xmp.did:5597BB3F29F211E584AE85AD1798BE2F"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>v
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:04CB90A229F211E59551F0251EFE08FA" xmpMM:DocumentID="xmp.did:04CB90A329F211E59551F0251EFE08FA"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:04CB90A029F211E59551F0251EFE08FA" stRef:documentID="xmp.did:04CB90A129F211E59551F0251EFE08FA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Z
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:89A8B0DF29F411E58EDDF615F825F2EB" xmpMM:DocumentID="xmp.did:89A8B0E029F411E58EDDF615F825F2EB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:89A8B0DD29F411E58EDDF615F825F2EB" stRef:documentID="xmp.did:89A8B0DE29F411E58EDDF615F825F2EB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>t
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:71217E1D29F411E5AF239E9F16685723" xmpMM:DocumentID="xmp.did:71217E1E29F411E5AF239E9F16685723"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:71217E1B29F411E5AF239E9F16685723" stRef:documentID="xmp.did:71217E1C29F411E5AF239E9F16685723"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:f65013e7-ebd7-3046-95f0-cc4d8d0373c0" xmpMM:DocumentID="xmp.did:6AE1C08A2ACE11E58550E1DA18BCD649" xmpMM:InstanceID="xmp.iid:6AE1C0892ACE11E58550E1DA18BCD649" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6613c413-3b04-f647-a84d-c6fdf2691468" stRef:documentID="xmp.did:f65013e7-ebd7-3046-95f0-cc4d8d0373c0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:B979B62129F311E5A5CF88FDFC1A8819" xmpMM:DocumentID="xmp.did:B979B62229F311E5A5CF88FDFC1A8819"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B979B61F29F311E5A5CF88FDFC1A8819" stRef:documentID="xmp.did:B979B62029F311E5A5CF88FDFC1A8819"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:f65013e7-ebd7-3046-95f0-cc4d8d0373c0" xmpMM:DocumentID="xmp.did:5E39C1B22ACE11E5B7ECAF722958FF3F" xmpMM:InstanceID="xmp.iid:5E39C1B12ACE11E5B7ECAF722958FF3F" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6613c413-3b04-f647-a84d-c6fdf2691468" stRef:documentID="xmp.did:f65013e7-ebd7-3046-95f0-cc4d8d0373c0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>-
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:D6E237DD29F311E5A7C4BC70AEA8C9A0" xmpMM:DocumentID="xmp.did:D6E237DE29F311E5A7C4BC70AEA8C9A0"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D6E237DB29F311E5A7C4BC70AEA8C9A0" stRef:documentID="xmp.did:D6E237DC29F311E5A7C4BC70AEA8C9A0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:CE4CB96C29F111E5B1DDDE580D260B52" xmpMM:DocumentID="xmp.did:CE4CB96D29F111E5B1DDDE580D260B52"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CE4CB96A29F111E5B1DDDE580D260B52" stRef:documentID="xmp.did:CE4CB96B29F111E5B1DDDE580D260B52"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>x
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:97990189-5add-274b-9398-4bb2d5d0c1cd" xmpMM:DocumentID="xmp.did:BCDBDFF729F211E59923C56A95C3EE83" xmpMM:InstanceID="xmp.iid:BCDBDFF629F211E59923C56A95C3EE83" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:97990189-5add-274b-9398-4bb2d5d0c1cd" stRef:documentID="xmp.did:97990189-5add-274b-9398-4bb2d5d0c1cd"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:2C21B69B2AD811E5AD0DC59BAA25B9D6" xmpMM:DocumentID="xmp.did:2C21B69C2AD811E5AD0DC59BAA25B9D6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2C21B6992AD811E5AD0DC59BAA25B9D6" stRef:documentID="xmp.did:2C21B69A2AD811E5AD0DC59BAA25B9D6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>f
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><assemblyIdentity name="2345Desktop" version="1.0.0.0" processorArchitecture="X86" type="win32"></assemblyIdentity><description>2345Desktop</description><dependency><dependentAssembly><assemblyIdentity name="Microsoft.Windows.common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="X86" type="win32"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></application></compatibility></assembly>
2345Desktop.exe
2345DesktopService.exe
pdb\2345DesktopService.pdb
2345DesktopService.pdb
H{02B2CD9B-34A6-4de0-A331-D7BDACCFED0B}{02B2CD9B-34A6-4de0-A331-D7BDACCFED0B}user32.dll
{BD3849D9-74E1-4808-9811-FD5AEE8EA843}note.data
CREATE TABLE [note_info] ([id_value] INTEGER PRIMARY KEY AUTOINCREMENT, [content_value] VARCHAR(2048), [GUID_value] VARCHAR(128)UNIQUE, [visible_value] INTEGER, [modify_year] INTEGER, [modify_month] INTEGER, [modify_day] INTEGER, [modify_hour] INTEGER, [modify_minute] INTEGER, [modify_second] INTEGER, [pos_value] VARCHAR(512))
CREATE TABLE [alarm_info] ([id_value] INTEGER PRIMARY KEY AUTOINCREMENT, [content_value] VARCHAR(2048), [GUID_value] VARCHAR(128)UNIQUE, [note_GUID] VARCHAR(128), [alarm_HZ] INTEGER, [weekDay_flag] INTEGER, [modify_year] INTEGER, [modify_month] INTEGER, [modify_day] INTEGER, [modify_hour] INTEGER, [modify_minute] INTEGER, [modify_second] INTEGER, [alarm_year] INTEGER, [alarm_month] INTEGER, [alarm_day] INTEGER, [alarm_hour] INTEGER, [alarm_minute] INTEGER, [alarm_second] INTEGER, [enable_value] INTEGER)
CREATE TABLE [alarm_delay_info] ([id_value] INTEGER PRIMARY KEY AUTOINCREMENT, [content_value] VARCHAR(2048), [GUID_value] VARCHAR(128)UNIQUE, [note_GUID] VARCHAR(128), [alarm_HZ] INTEGER, [weekDay_flag] INTEGER, [modify_year] INTEGER, [modify_month] INTEGER, [modify_day] INTEGER, [modify_hour] INTEGER, [modify_minute] INTEGER, [modify_second] INTEGER, [alarm_year] INTEGER, [alarm_month] INTEGER, [alarm_day] INTEGER, [alarm_hour] INTEGER, [alarm_minute] INTEGER, [alarm_second] INTEGER, [alarm_type] INTEGER, [enable_value] INTEGER, [visible_value] INTEGER)
%d,%d,%d,%d
select count(*)from sqlite_master where type='table' and name='
2345Desktop.ini
RCWeatherWindow.city
RCWeatherWindow.name
RCWeatherWindow.pinyin
RCWeatherWindow.aqi
day%d
.temp
.weather
RCWeatherWindow.alert
RCWeatherWindow.alertUrl
{EF61F7C3-BBB6-4A52-979C-A87BEDF28744}{9DD56E18-ED55-493f-B9B0-B9C0F3D80162}UpdateNavigateUrl
J{25CD88AC-F351-4AF1-9800-3492E466429A}{670EE91A-F5A2-4599-8431-75160C4F243A}report.php
NavigateUrl
hXXp://VVV.2345.com/
hXXp://VVV.baidu.com
hXXp://
hXXp://VVV.9991.com/
ie.2345.com
update.desk.2345.com
adblock/onlinedata_v1/onlinedata.php
RCPowerDialog.warning
RCWeatherWindow.LastChangeCloseActionTime
RCWeatherWindow.FirstInTrayTime
RCWeatherWindow.ActiveCloseTimes
HOLIDAY_LIST.JSON
holiday_list.json
RCCalendarWindow.visible
RCFloatingWnd.showed
%d-%d-%d
RCAppBoxDialog.create
RCWeatherWindow.left
RCWeatherWindow.top
RCCalendarWindow.left
RCCalendarWindow.top
RCFloatingWnd.size
/holiday_list.json
/web/ajax100?uId2=SPTNPQRLSX&r=&lO=
{9D1BF615-4CFD-43ef-AB19-69FD6598D66B}DoUpgrade.fullpath
DoUpgrade.result
%d.%d.%d.%d
check_new_version.php
RCWeatherWindow.autorun
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
K2345MobileSdk.exe
2345com.2345MobileSdk.Mutex
2345MobileSdk.exe
-uninstall=2345.com
adb.exe
2345.com
2345Extract.dll
2345MobileSdkUpdate.exe
/sdk.json
-user=2345.com
2345Desktop.WaitRunMobileSdk.Mutex
RCPowerDialog.once.year
RCPowerDialog.once.month
RCPowerDialog.once.day
d-d-d
RCPowerDialog.hour
RCPowerDialog.minute
RCPowerDialog.mode
RCPowerDialog.week.week1
RCPowerDialog.week.week2
RCPowerDialog.week.week3
RCPowerDialog.week.week4
RCPowerDialog.week.week5
RCPowerDialog.week.week6
RCPowerDialog.week.week7
RCPowerDialog.week.week%d
power_edit_week_week%d
RCPowerDialog.week.weeK%d
{X-X-x-XX-XXXXXX}check_time_loading.png
hXXp://VVV.2345.com/time.txt
/time.txt
SetSystemTime.year
SetSystemTime.month
SetSystemTime.day
SetSystemTime.hour
SetSystemTime.minute
SetSystemTime.week
SetSystemTime.result
check_time_logo.png
Lunion2.50bang.org
RCWeatherWindow.autorun_cancel
weather_config_normal.png
weather_config_hover.png
window_close_normal.png
window_close_hover.png
weather_number_icon.png
weather_tool_site.png
weather_tool_note.png
weather_tool_calculator.png
weather_tool_appbox.png
weather_tool_power.png
weather_tool_power_time.png
hXXp://bbs.2345.cn/post.php?fid=1&tid=1
calendar_table_row%d
calendar_left_normal.png
calendar_left_hover.png
calendar_right_normal.png
calendar_right_hover.png
today%d
select%d
work%d
calendar_work.png
holiday%d
calendar_holiday.png
alarmdot%d
alarm_dot.png
dayButton%d
lunar%d
floating_wnd.png
floatingwnd_close_normal.png
floatingwnd_close_hover.png
M2345DesktopService.exe
app_note.png
app_calendar.png
app_alarm.png
app_calculate.png
app_check_time.png
User32.DLL
wdesktop_bubble.png
desktop_bubble_hover.png
desktop_bubble.png
okernel32.dll
/web/ajax57?uId2=SPTNPQRLSX&uId=9018013399965456402344&r=&lO=
union2.50bang.org
/web/ajax58?uId2=SPTNPQRLSX&uId=9018013399965456402344&r=&lO=
/web/ajax63?uId2=SPTNPQRLSX&uId=41905134525324506284263&r=&lO=
index.php
HTTP/1.1
about_logo_desktop.png
about_logo_small.png
(c)2345.com
about_report_button
hXXp://desk.2345.com
note_shadow.png
E:\code_svn\RCFL\vendor\include\boost/smart_ptr/scoped_ptr.hpp
RICHED20.dll
note_close.png
note_add.png
note_size_normal.png
note_alarm.png
note_alarm_toggled.png
d:d
d-d d:d
new_alarm_ico.png
alarm_modify_ok.png
note_alarm_clock.png
%d-%d-%d@%s
skin_lib_dialog_combobox_combo.png
hXXp://tianqi.2345.com/
.htm?desktool
hXXp://tianqi.2345.com/t/shikuang/alert/
hXXp://tianqi.2345.com/air-
weather_city_list.json
weather_container_loading.png
weather_container_error.png
weather_container_city_logo.png
weather_container_weather_icon.png
weather_container_combo.png
ddd
hXXp://tianqi.2345.com/t/detect2012_json.php
weather_city_detect.json
hXXp://tianqi.2345.com/t/tq_common_json/
.json
weather_city_weather.json
hXXp://tianqi.2345.com/t/shikuang/alert/js/
weather_city_alert.json
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
ADVAPI32.DLL
portuguese-brazilian
888816666554443
6666554443
!6666554443
wuser32.dll
skin_lib_dialog_combobox_combo_disable.png
skin_lib_dialog_checkbox_14_check.png
skin_lib_dialog_checkbox_14_check_disable.png
skin_lib_dialog_checkbox_16_normal.png
skin_lib_dialog_checkbox_16_hover.png
skin_lib_dialog_checkbox_16_check.png
skin_calendar_hover.png
skin_calendar_disable.png
item%d
button%d
separator%d
skin_calendar_left_normal.png
skin_calendar_left_hover.png
skin_calendar_right_normal.png
skin_calendar_right_hover.png
skin_lib_dialog_close_normal.png
skin_lib_dialog_close_hover.png
skin_lib_dialog_min_normal.png
skin_lib_dialog_min_hover.png
expire%d
alarm_expire.png
btnRemove%d
btnBG%d
btnDelete%d
alarm_delete_hover.png
alarm_delete_normal.png
delete_sel_hover.png
delete_sel_normal.png
%systemroot%
%commonprogramfiles%
advapi32.dll
yadvapi32.dll
http\shell\open\command
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Software\Classes\.html
2345Browser.exe
2345Explorer.exe
2345chrome.exe
SOFTWARE\2345chrome
shlwapi.dll
shell32.dll
%programfiles(x86)%\Internet Explorer\iexplore.exe
%programfiles%\Internet Explorer\iexplore.exe
Content-Type: application/x-www-form-urlencoded
Kernel32.dll
kernel32.dll
psapi.dll
nadvapi32.dll
radvapi32.dll
ewintrust.dll
twintrust.dll
wintrust.dll
crypt32.dll
%sD.%.03d.%.03d
.NewVersion.data
download_url
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
hXXp://VVV.2345.com?
V%d.%d (Build %d)
V%d.%d.%d (Build %d)
.CheckVersion.data
{47FF0D24-E0A5-4163-8546-DE7217D2F141}2345.com.config.ver.major
2345.com.config.ver
2345.com.config.ver.minor
2345.com.config.ver.lowest
2345.com.config.ver.revision
g.old.tmp
AdvApi32.dll
000000000000
dddddd
SOFTWARE\Microsoft\Windows NT\CurrentVersion
.CheckStat.data
wininet.dll
%u.%u
main_exe_ver
DhXXps://
DAdvapi32.dll
Shlwapi.dll
Cryptdll.dll
Iphlpapi.dll
0.0.0.0
netapi32.dll
xxxxxx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Coral.sts
2345Chrome
RCImage.hzs
HaoZip.hzs
RCMobile.hzs
RCPinyin.hzs
.RCStat.data
Windows XP
Windows 2000
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Vista
Windows Server 2008 R2
Windows 7
Windows Server 2012
Windows 8
Windows Server 2012 R2
Windows 8.1
Windows 10
Windows 10 Alpha
Windows 10
Windows 10 Server
https
%s://%s/
%s://%s:%u/
hXXp://ie.2345.com/
#{ad498944-762f-11d0-8dcb-00c04fc3358c}Assertion failed: %s, file %s, line %d
%Program Files%\2345Soft\2345Desktop\2345Desktop.exe
PNG"SKIN_LIB_DIALOG_COMBOBOX_COMBO.PNG*SKIN_LIB_DIALOG_COMBOBOX_COMBO_DISABLE.PNG
SKIN_LIB_DIALOG_CLOSE_HOVER.PNG SKIN_LIB_DIALOG_CLOSE_NORMAL.PNG
SKIN_LIB_DIALOG_MIN_HOVER.PNG
SKIN_LIB_DIALOG_MIN_NORMAL.PNG
SKIN_LIB_MESSAGE_WARNING.PNG%SKIN_LIB_DIALOG_CHECKBOX_14_CHECK.PNG-SKIN_LIB_DIALOG_CHECKBOX_14_CHECK_DISABLE.PNG%SKIN_LIB_DIALOG_CHECKBOX_16_CHECK.PNG%SKIN_LIB_DIALOG_CHECKBOX_16_HOVER.PNG&SKIN_LIB_DIALOG_CHECKBOX_16_NORMAL.PNG
ABOUT_LOGO_DESKTOP.PNG
ABOUT_LOGO_SMALL.PNG
CALENDAR_LEFT_HOVER.PNG
CALENDAR_LEFT_NORMAL.PNG
CALENDAR_RIGHT_HOVER.PNG
CALENDAR_RIGHT_NORMAL.PNG
CHECK_TIME_LOADING.PNG
WEATHER_CONFIG_HOVER.PNG
WEATHER_CONFIG_NORMAL.PNG
WEATHER_CONTAINER_CITY_LOGO.PNG
WEATHER_CONTAINER_COMBO.PNG
WEATHER_CONTAINER_ERROR.PNG
WEATHER_CONTAINER_LOADING.PNG"WEATHER_CONTAINER_WEATHER_ICON.PNG
WEATHER_NUMBER_ICON.PNG
WEATHER_TOOL_NOTE.PNG
WEATHER_TOOL_CALCULATOR.PNG
WEATHER_TOOL_POWER.PNG
WEATHER_TOOL_POWER_TIME.PNG
WEATHER_TOOL_SITE.PNG
WEATHER_TOOL_CALANDER.PNG
WINDOW_CLOSE_HOVER.PNG
WINDOW_CLOSE_NORMAL.PNG
MESSAGE_TIP.PNG
NOTE_SIZE_NORMAL.PNG
NOTE_ALARM_CLOCK.PNG
ALARM_DOT.PNG
NEW_ALARM_ICO.PNG
ALARM_MODIFY_OK.PNG
FLOATINGWND_CLOSE_NORMAL.PNG
FLOATINGWND_CLOSE_HOVER.PNG
FLOATING_WND.PNG
NOTE_SHADOW.PNG
APP_ALARM.PNG
APP_CALCULATE.PNG
APP_CALENDAR.PNG
APP_CHECK_TIME.PNG
APP_NOTE.PNG
WEATHER_TOOL_APPBOX.PNG
ALARM_EXPIRE.PNG
ALARM_DELETE_HOVER.PNG
ALARM_DELETE_NORMAL.PNG
NOTE_ADD.PNG
NOTE_ALARM.PNG
NOTE_ALARM_TOGGLED.PNG
NOTE_CLOSE.PNG
DESKTOP_BUBBLE.PNG
DESKTOP_BUBBLE_HOVER.PNG
DELETE_SEL_HOVER.PNG
DELETE_SEL_NORMAL.PNG
CALENDAR_WORK.PNG
CALENDAR_HOLIDAY.PNG
SKIN_CALENDAR_LEFT_HOVER.PNG
SKIN_CALENDAR_LEFT_NORMAL.PNG
SKIN_CALENDAR_RIGHT_HOVER.PNG
SKIN_CALENDAR_RIGHT_NORMAL.PNG
SKIN_CALENDAR_HOVER.PNG
SKIN_CALENDAR_DISABLE.PNG
CHECK_TIME_LOGO.PNG
desk.2345.com
8.5.0.1024
Copyright (C) 2013 - 2015, 2345.com
%original file name%.exe_212_rwx_276B0000_00012000:
`.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
C:\Users\BLACK\Desktop\HTTP_DownLoad_Dll\Release\HTTP_DownLoad_Dll.pdb
c:\%original file name%.exe
GetCPInfo
HttpQueryInfoW
HttpAddRequestHeadersW
HttpOpenRequestW
HttpSendRequestW
.text
`.rdata
@.data
.rsrc
@.reloc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
USER32.dll
WININET.dll
HTTP_DownLoad_Dll.dll
HTTP_DownLoad_Info
HTTP_DownLoad_Pause
HTTP_DownLoad_Restore
HTTP_DownLoad_Start
HTTP_DownLoad_Stop
mscoree.dll
hXXp://
hXXps://
%original file name%.exe_212_rwx_27C60000_00038000:
kernel32.dll
user32.dll
F&{00000000-0000-0000-C000-000000000046}3This binary has no widestrings support compiled in.
ENoThreadSupport
ENoWideStringSupport
=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer1234567890
&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}.Owner
Ancestor class for "%s" not found.
rtlconsts.sancestornotfound
Cannot assign a %s to a %s.
rtlconsts.sassignerror
Class "%s" not found
rtlconsts.sclassnotfound
Duplicate name: A component named "%s" already exists
rtlconsts.sduplicatename
rtlconsts.sduplicatestring
rtlconsts.semptystreamillegalreader
rtlconsts.semptystreamillegalwriter
Unable to create file "%s"
rtlconsts.sfcreateerror
Unable to open file "%s"
rtlconsts.sfopenerror
rtlconsts.sinvalidimage
"%s" is not a valid component name
rtlconsts.sinvalidname
rtlconsts.sinvalidpropertypath
rtlconsts.sinvalidpropertyvalue
List capacity (%d) exceeded.
rtlconsts.slistcapacityerror
List count (%d) out of bounds.
rtlconsts.slistcounterror
List index (%d) out of bounds
rtlconsts.slistindexerror
rtlconsts.smemorystreamerror
Error reading %s%s%s: %s
rtlconsts.spropertyexception
rtlconsts.sreaderror
rtlconsts.sreadonlyproperty
Resource "%s" not found
rtlconsts.sresnotfound
%s.Seek not implemented
rtlconsts.sseeknotimplemented
Operation not allowed on sorted list
rtlconsts.ssortedlisterror
Reading from %s is not supported
rtlconsts.sstreamnoreading
Writing to %s is not supported
rtlconsts.sstreamnowriting
Unknown property: "%s"
rtlconsts.sunknownproperty
Unknown property type %d
rtlconsts.sunknownpropertytype
rtlconsts.swriteerror
sysconst.sabstracterror
sysconst.saccessdenied
sysconst.saccessviolation
Missing argument in format "%s"
sysconst.sargumentmissing
%s (%s, line %d)
sysconst.sasserterror
sysconst.sassertionfailed
sysconst.sbuserror
sysconst.scontrolc
sysconst.sdiskfull
sysconst.sdispatcherror
sysconst.sdivbyzero
sysconst.sendoffile
External exception %x
sysconst.sexternalexception
sysconst.sfilenotassigned
sysconst.sfilenotfound
sysconst.sfilenotopen
sysconst.sfilenotopenforinput
sysconst.sfilenotopenforoutput
sysconst.sinvalidfilename
sysconst.sintoverflow
Interface not supported
sysconst.sintfcasterror
Invalid argument index in format "%s"
sysconst.sinvalidargindex
sysconst.sinvalidcast
sysconst.sinvaliddrive
sysconst.sinvalidfilehandle
Invalid format specifier : "%s"
sysconst.sinvalidformat
sysconst.sinvalidinput
Invalid floating point operation
sysconst.sinvalidop
Invalid pointer operation
sysconst.sinvalidpointer
sysconst.sinvalidvarcast
Invalid variant operation
sysconst.sinvalidvarop
Threads not supported. Recompile program with thread driver.
sysconst.snothreadsupport
sysconst.smissingwstringmanager
System error, (OS Code %d):
sysconst.soserror
sysconst.soutofmemory
sysconst.soverflow
sysconst.sprivilege
sysconst.srangeerror
sysconst.ssafecallexception
sysconst.siconverror
sysconst.stoomanyopenfiles
sysconst.sunknownruntimeerror
sysconst.sunderflow
An operating system call failed.
sysconst.sunkoserror
sysconst.svararraybounds
sysconst.svararraycreate
sysconst.svarnotarray
1.1.2
GetProcessHeap
GetWindowsDirectoryA
.text
P`.data
.idata
.edata
KERNEL32.DLL
oleaut32.dll
2345DesktopService.exe_3056:
.text
`.rdata
@.data
.idata
@.rsrc
@.reloc
url:"
.htm"
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
CryptCATCatalogInfoFromContext
CertNameToStrW
operator
GetProcessWindowStation
E:\code_svn\2345Software_1024\bin\Win32\Build\2345Desktop\pdb\2345DesktopService.pdb
.?AVRCExecuteService@@
%Program Files%\2345Soft\2345Desktop\2345DesktopService.exe
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetCPInfo
GetProcessHeap
ShellExecuteExW
SHELL32.dll
ole32.dll
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><assemblyIdentity name="2345DesktopService" version="1.0.0.0" processorArchitecture="X86" type="win32"></assemblyIdentity><description>2345DesktopService</description><dependency><dependentAssembly><assemblyIdentity name="Microsoft.Windows.common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="X86" type="win32"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></application></compatibility></assembly>
2345Desktop.ini
RCWeatherWindow.city
RCWeatherWindow.name
RCWeatherWindow.pinyin
RCWeatherWindow.aqi
day%d
.temp
.weather
RCWeatherWindow.alert
RCWeatherWindow.alertUrl
userenv.dll
kuserenv.dll
RCWeatherWindow.autorun
2345Desktop.exe
SetSystemTime.year
SetSystemTime.month
SetSystemTime.day
SetSystemTime.hour
SetSystemTime.minute
SetSystemTime.week
SetSystemTime.result
DoUpgrade.fullpath
DoUpgrade.result
%systemroot%
%commonprogramfiles%
kernel32.dll
psapi.dll
advapi32.dll
nadvapi32.dll
radvapi32.dll
2345.com
ewintrust.dll
twintrust.dll
wintrust.dll
crypt32.dll
Kernel32.dll
Bmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
ADVAPI32.DLL
portuguese-brazilian
USER32.DLL
desk.2345.com
8.5.0.1024
Copyright (C) 2013 - 2015, 2345.com
2345DesktopService.exe
Explorer.EXE_932_rwx_01DE0000_00003000:
.nsp0
.nsp1
.nsp2
KERNEL32.DLL
WINMM.DLL
ADVAPI32.DLL
MSVCRT.DLL
USER32.DLL
RegCreateKeyExA
55555555555555.dll
1.0.0.0
(hXXp://VVV.eyuyan.com)
Explorer.EXE_932_rwx_01EF7000_00003000:
KERNEL32.DLL
WINMM.DLL
ADVAPI32.DLL
MSVCRT.DLL
USER32.DLL
RegCreateKeyExA
55555555555555.dll
1.0.0.0
(hXXp://VVV.eyuyan.com)
Explorer.EXE_932_rwx_01F60000_00003000:
.nsp0
.nsp1
.nsp2
KERNEL32.DLL
WINMM.DLL
ADVAPI32.DLL
MSVCRT.DLL
USER32.DLL
RegCreateKeyExA
55555555555555.dll
1.0.0.0
(hXXp://VVV.eyuyan.com)
Explorer.EXE_932_rwx_020A7000_00003000:
KERNEL32.DLL
WINMM.DLL
ADVAPI32.DLL
MSVCRT.DLL
USER32.DLL
RegCreateKeyExA
55555555555555.dll
1.0.0.0
(hXXp://VVV.eyuyan.com)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
2345Explorer_343901_silence.exe:3648
2345_28879_desk.exe:2668
2345Desktop.exe:1748
2345Desktop.exe:3124
2345Desktop.exe:2952
2345Desktop.exe:3344
2345DesktopLoader.exe:2716
2345DesktopLoader.exe:2960
2345DesktopLoader.exe:3116
2345DesktopLoader.exe:2744
2345DesktopLoader.exe:2944
2345DesktopLoader.exe:2708
regsvr32.exe:972
2345DesktopService.exe:3056
2345DesktopService.exe:2984
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\RCWidgetPlugin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB.tmp (27316 bytes)
%Program Files%\2345Soft\2345Desktop\2345DesktopService.exe (1760 bytes)
%Program Files%\2345Soft\2345Desktop\Uninstall.exe (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\FileInfo.dll (5064 bytes)
%Program Files%\2345Soft\2345Desktop\2345Extract.dll (1824 bytes)
%Program Files%\2345Soft\2345Desktop\2345Desktop.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss5.tmp (127162 bytes)
%Program Files%\2345Soft\2345Desktop\data\weather_city_list.json (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10\2345DesktopLoader.exe (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (11 bytes)
%Program Files%\2345Soft\2345Desktop\Install.data (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\RCWidgetPlugin.dll (14184 bytes)
%Program Files%\2345Soft\2345Desktop\2345DesktopLoader.exe (197 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (8028 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AnRList_000005[1].block (60 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_detect.json.tmp (23 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_weather.json.tmp (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_alert.json.tmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\54511[1].json (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\update\2345Desktop.CheckStat.data (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[2].exe (421897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\2345_28879_desk.exe (10592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[1].exe (489298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (1425 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\卸载2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345桌面.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345网址导航\2345网址导航.lnk (1 bytes)
%Program Files%\2345Soft\2345Desktop\2345网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\2345桌面.lnk (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"2345DesktopTools" = "%Program Files%\2345Soft\2345Desktop\2345Desktop.exe command=desktop"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.