Trojan.Generic.19471292 (B) (Emsisoft), Trojan.Generic.19471292 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ac1dce347f2446d026186438f6326f35
SHA1: c69ec662098250e97f3c0faf723b3ca6d45a244e
SHA256: 0d144c78c50d7da4fc48466db7fc0b480d06a98434420569596f1f32b1882ccf
SSDeep: 24576:5M2wqgYAOUKC9tpLJUq2tCBv5MoElG4oftbK0CdrNoMJ9rofw0jqXR8I3HaS4vN1:5UpN2t4ElG4 sdrNo9w0jqX9Zi
Size: 2019328 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-26 21:56:55
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2180
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (3724 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (2016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AA7WAFJC.txt (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SBRYYQR6.txt (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (2016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\1.4[1].js (46119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EZYC00EU.txt (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\aplus_v2[1].js (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\uac[1].js (542 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\um[1].js (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1464 bytes)
C:\dll.zip (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\kg[1].js (18900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD347.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\login.taobao[1].xml (1074 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\fp[2].swf (2924 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\nc[1].css (7240 bytes)
C:\CrackCaptchaAPI.dll (38904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\font_1451959379_8626566[1].eot (22263 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\pt2[1].js (1864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\kg[1].js (11450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[2].js (238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\81[1].js (98212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\1.4[1].js (10493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD346.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\font_1465353706_4784257[1].eot (5260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\69UIMC0S.txt (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5AKWAGDB.txt (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\nc[1].js (61469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\xd[1].js (762 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\TB1R5zYKVXXXXb7XVXXXXXXXXXX-32-32[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\new-loginV2[1].css (7667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\nlogin[1].js (18568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[1].js (20809 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\login_pc[1].css (401 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\JSocket[1].swf (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\UUWiseHelper.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\1.4[1].js (1447 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (1 bytes)
C:\sqlite3.dll (19096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\js[1].js (1015 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\seed-min[1].js (31426 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\login[1].htm (3538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KIAAR139.txt (93 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD347.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SBRYYQR6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\aplus_v2[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD346.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\login[1].htm (0 bytes)
C:\dll.zip (0 bytes)
Registry activity
The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91568"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "C0 72 5D 44 5B 38 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com]
"(Default)" = "14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "C0 72 5D 44 5B 38 D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
b42b7378004f2052d7b440f6c8199692 | c:\CrackCaptchaAPI.dll |
dc6b73cbd1f6f5cec640a8c634ae50c8 | c:\UUWiseHelper.dll |
d6580cc678d0a80596628cd3cab61ff1 | c:\sqlite3.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan (the same files listed under File activity above).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ?????????
Product Name: ???????????
Product Version: 5.2.5.0
Legal Copyright: ?????????
??:http://www.oowise.com
????QQ:9996860
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.2.5.0
File Description: ?????? ?????????
Comments: ?????? ?????????
Language: German (Germany)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 8192 | 8192 | 3.72698 | 54fd7ed452972ca6642bc5c0260eed1c |
.text | 12288 | 1139533 | 1142784 | 4.49944 | f7dcf14ea0c0176ee5657c7f6bd54137 |
.rdata | 1155072 | 689576 | 692224 | 4.2712 | 10d9c8f15162700675a86d19185195e4 |
.data | 1847296 | 435921 | 118784 | 3.67776 | d1f54305deadbddc5f3978b98765716e |
.rsrc | 2285568 | 49620 | 53248 | 3.89075 | 1db9f3210c599bb878606a1fbb9d0144 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ssl.oowise.com/Download/dll.zip | 120.25.220.207 |
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDH0GzxSIRcX7TjQ3Cw== | |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEE1V+4O+uWVgka7IMeo/g6E= | |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDAnOAiDP1BQ8yFjyg== | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYLnHjjHwADjD39iRSceNk= | |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDH0GzxSIRcX7TjQ3Cw== | 104.16.26.216 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== | 104.16.26.216 |
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | 23.43.139.27 |
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEE1V+4O+uWVgka7IMeo/g6E= | 23.43.139.27 |
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYLnHjjHwADjD39iRSceNk= | 23.43.139.27 |
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | 104.16.28.216 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDAnOAiDP1BQ8yFjyg== | 104.16.26.216 |
login.taobao.com | 106.11.95.2 |
img.alicdn.com | 23.219.143.8 |
af.alicdn.com | 80.231.126.240 |
ynuf.alipay.com | 140.205.174.93 |
at.alicdn.com | 80.231.126.250 |
ynuf.aliapp.org | 140.205.142.13 |
aeu.alicdn.com | 23.219.143.8 |
g.alicdn.com | 213.244.178.250 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDH0GzxSIRcX7TjQ3Cw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:25 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d477bf27f8a68e55de939bcea0198f8391478456784; expires=Mon, 06-Nov-17 18:26:24 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 16:57:25 GMT
Expires: Thu, 10 Nov 2016 16:57:25 GMT
ETag: "cd1c44b020a23987f32c77e7c755576655168f37"
Cache-Control: public, max-age=340260
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda97f63331405c-SOF
<<< skipped >>>
GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:27 GMT
Content-Type: application/ocsp-response
Content-Length: 1576
Connection: keep-alive
Set-Cookie: __cfduid=d5dc6bc4bea92edf0567a2c2092fe5df81478456787; expires=Mon, 06-Nov-17 18:26:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:31:39 GMT
Expires: Thu, 10 Nov 2016 15:31:39 GMT
ETag: "2712dfecd45911efee6d4798a94c090401ce675d"
Cache-Control: public, max-age=335112
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda980933c2405c-SOF
<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDAnOAiDP1BQ8yFjyg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:35 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=daf46068fa007ed99c1921ac52ce511e91478456794; expires=Mon, 06-Nov-17 18:26:34 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:52:14 GMT
Expires: Thu, 10 Nov 2016 15:52:14 GMT
ETag: "58b97d4e86ba6dd8c9758907ec359feb7063dd39"
Cache-Control: public, max-age=336339
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda98329540405c-SOF
<<< skipped >>>
GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:27 GMT
Content-Type: application/ocsp-response
Content-Length: 1576
Connection: keep-alive
Set-Cookie: __cfduid=d9d10799adc53b93eecf8fd1109331f981478456787; expires=Mon, 06-Nov-17 18:26:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:31:39 GMT
Expires: Thu, 10 Nov 2016 15:31:39 GMT
ETag: "2712dfecd45911efee6d4798a94c090401ce675d"
Cache-Control: public, max-age=335112
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda980986034050-SOF
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1761
content-transfer-encoding: binary
Cache-Control: max-age=483564, public, no-transform, must-revalidate
Last-Modified: Sat, 5 Nov 2016 08:44:05 GMT
Expires: Sat, 12 Nov 2016 08:44:05 GMT
Date: Sun, 06 Nov 2016 18:26:30 GMT
Connection: keep-alive
[binary DER OCSP response, 1761 bytes; fields readable in the dump: producedAt/thisUpdate 2016-11-05 08:44:05Z, nextUpdate 2016-11-12 08:44:05Z; signed by responder certificate CN=Symantec Class 3 PCA - G5 OCSP Responder Certificate 40 (O=Symantec Corporation, OU=Symantec Trust Network, C=US), issued by VeriSign Class 3 Public Primary Certification Authority - G5, valid 2015-11-24 00:00:00Z to 2016-12-14 23:59:59Z; policy URLs hXXp://VVV.symauth.com/cps and hXXp://VVV.symauth.com/rpa]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEE1V+4O+uWVgka7IMeo/g6E= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=400642, public, no-transform, must-revalidate
Last-Modified: Fri, 4 Nov 2016 09:39:54 GMT
Expires: Fri, 11 Nov 2016 09:39:54 GMT
Date: Sun, 06 Nov 2016 18:26:30 GMT
Connection: keep-alive
[binary DER OCSP response, 1609 bytes; fields readable in the dump: producedAt/thisUpdate 2016-11-04 09:39:54Z, nextUpdate 2016-11-11 09:39:54Z; signed by responder certificate CN=Symantec Class 3 Secure Server CA - G4 OCSP Responder, issued by Symantec Class 3 Secure Server CA - G4 (O=Symantec Corporation, OU=Symantec Trust Network, C=US), valid 2016-08-22 00:00:00Z to 2016-11-20 23:59:59Z; policy URLs hXXp://VVV.symauth.com/cps and hXXp://VVV.symauth.com/rpa]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYLnHjjHwADjD39iRSceNk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=478542, public, no-transform, must-revalidate
Last-Modified: Sat, 5 Nov 2016 07:18:45 GMT
Expires: Sat, 12 Nov 2016 07:18:45 GMT
Date: Sun, 06 Nov 2016 18:26:36 GMT
Connection: keep-alive
[binary DER OCSP response, 1609 bytes; fields readable in the dump: producedAt/thisUpdate 2016-11-05 07:18:45Z, nextUpdate 2016-11-12 07:18:45Z; signed by the same responder certificate as the previous reply, CN=Symantec Class 3 Secure Server CA - G4 OCSP Responder, issued by Symantec Class 3 Secure Server CA - G4, valid 2016-08-22 00:00:00Z to 2016-11-20 23:59:59Z; policy URLs hXXp://www.symauth.com/cps and hXXp://VVV.symauth.com/rpa]
<<< skipped >>>
GET /Download/dll.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ssl.oowise.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:20 GMT
Server: Apache
Last-Modified: Thu, 01 Sep 2016 12:19:11 GMT
ETag: "701a8-104a74-53b7138a16dc0"
Accept-Ranges: bytes
Content-Length: 1067636
Connection: close
Content-Type: application/zip
[binary ZIP body, 1067636 bytes per Content-Length; the first local file header (PK\x03\x04) names the entry CrackCaptchaAPI.dll]
<<< skipped >>>
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:23 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d4239b93e42a1b7033431a3113e1cea311478456783; expires=Mon, 06-Nov-17 18:26:23 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 16:07:29 GMT
Expires: Thu, 10 Nov 2016 16:07:29 GMT
ETag: "f3d6a1837a428db76107dba0997cf2e5b583b3b2"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda97f346a0405c-SOF
[binary DER OCSP response, 1518 bytes; fields readable in the dump: producedAt/thisUpdate 2016-11-06 16:07:29Z, nextUpdate 2016-11-10 16:07:29Z; signed by responder certificate CN=GlobalSign OCSP for Root R1 - Signer 1.2 (O=GlobalSign nv-sa, C=BE), issued by GlobalSign Root CA (OU=Root CA), valid 2016-08-07 00:00:00Z to 2016-11-15 00:00:00Z; CPS URL hXXps://VVV.globalsign.com/repository/]
<<< skipped >>>
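The four requests above with User-Agent Microsoft-CryptoAPI/6.1 are not traffic from the sample's own code: they are the OCSP status checks Windows issues while validating a certificate chain, typically triggered by a TLS connection made through WinINet/WinHTTP or by an Authenticode check. In the part of the capture shown here the only request the sample itself sends is GET /Download/dll.zip to ssl.oowise.com, with the MSIE 6.0 User-Agent that also appears in the string dump. Which certificates CryptoAPI was checking is encoded in each GET path: it is the base64 of a DER OCSPRequest (RFC 6960 appendix A.1), whose CertID carries the hash algorithm, the hash of the issuer name, the hash of the issuer public key and the serial number of the certificate being checked. The parser below is an added example and not part of the Lavasoft report; it decodes the four paths copied from the capture with nothing but the standard library.

```python
import base64
from urllib.parse import unquote

# OCSP GET paths copied from the Microsoft-CryptoAPI/6.1 requests in the capture above
# (the base64 after "GET /" or, for GlobalSign, after "GET /rootr1/").
REQUESTS = {
    "s2.symcb.com": "MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=",
    "ss.symcd.com (1st)": "MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEE1V+4O+uWVgka7IMeo/g6E=",
    "ss.symcd.com (2nd)": "MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYLnHjjHwADjD39iRSceNk=",
    "ocsp.globalsign.com": "MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH",
}

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _first(value: bytes, tag: int) -> bytes:
    """First child with the given tag; this skips optional [0]/[1] context-tagged fields."""
    for t, inner in _children(value):
        if t == tag:
            return inner
    raise ValueError("no child with tag 0x%02x" % tag)


def _oid(value: bytes) -> str:
    """Dotted form of a DER-encoded OBJECT IDENTIFIER value."""
    first, second = divmod(value[0], 40)
    arcs, acc = [first, second], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path_b64: str) -> dict:
    """Decode the first CertID of an OCSP GET request:
    OCSPRequest > tbsRequest > requestList > Request > CertID."""
    der = base64.b64decode(unquote(path_b64))
    tag, ocsp_request, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _first(ocsp_request, 0x30)
    request_list = _first(tbs, 0x30)
    request = _first(request_list, 0x30)
    cert_id = _first(request, 0x30)
    (_, alg), (_, name_hash), (_, key_hash), (_, serial) = list(_children(cert_id))[:4]
    oid = _oid(_first(alg, 0x06))
    return {
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


def parse_all(requests: dict = REQUESTS) -> dict:
    """CertID for every captured request, keyed by the host it was sent to."""
    return {host: parse_ocsp_get(b64) for host, b64 in requests.items()}


if __name__ == "__main__":
    for host, cert_id in parse_all().items():
        print(host, cert_id)
```

The issuer key hash is the SHA-1 of the issuer's public key, which is normally also that CA's subjectKeyIdentifier, so it can be matched against the authorityKeyIdentifier of the responder certificate in the corresponding reply; the two ss.symcd.com requests share one issuer and differ only in the serial being checked, i.e. two leaf certificates from the same CA were validated.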
Map
The Trojan connects to the servers at the following location(s):
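The server list itself did not survive in this copy of the report. As an added example that is not part of the report, the script below rebuilds it from the string dump that follows: it undoes the report's defanging (hXXp://, VVV.), drops the doubled lines, pulls every hostname out of both defanged and plain URLs, and splits the result into the Alibaba properties the program drives and the third-party services it depends on (the oowise.com registration and session endpoints and the ruokuai, dama2 and uuwise captcha-solving APIs). SAMPLE_DUMP holds a handful of lines copied from the listing; the Alibaba suffix list is this editor's reading of the dump, not something the report states.

```python
from __future__ import annotations
import re
from collections import Counter

# Lines copied from the "Strings from Dumps" listing below, doubled the way the report
# prints them. This sample is deliberately short; feed the whole listing in practice.
SAMPLE_DUMP = """\
hXXp://VVV.ecodeproject.cn/bbs
hXXp://VVV.ecodeproject.cn/bbs
hXXps://login.taobao.com/member/request_nick_check.do?_input_charset=utf-8&username=
hXXps://login.taobao.com/member/request_nick_check.do?_input_charset=utf-8&username=
&loginsite=0&newlogin=0&TPL_redirect_url=http://portal.gongxiao.tmall.com/supplierIndex.htm&from=tb
hXXp://ssl.oowise.com/AppEn.php?appid=30000000&md5=863461ed672e10c6902837d7fdde3e42
hXXp://ssl.oowise.com/Download/dll.zip
VVV.oowise.com
hXXp://v3.dama2.com/index/
hXXp://VVV.uuwise.com/User/VipPay.aspx
hXXp://api.ruokuai.com/create.xml
hXXp://alisec.tmall.com/tmdgetv3.php?code=
"""

# The report defangs URLs as hXXp(s):// and VVV. ; undo that before parsing.
DEFANG = (("hXXps://", "https://"), ("hXXp://", "http://"), ("VVV.", "www."))
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Bare "www.x.y" strings that are not already part of a URL.
BARE_WWW = re.compile(r"(?<![\w./-])(www\.[A-Za-z0-9.-]+)")

# Editor's assumption: these suffixes are the Alibaba properties the tool operates on;
# everything else is treated as third-party infrastructure (licensing, captcha solving).
ALIBABA_SUFFIXES = ("taobao.com", "tmall.com", "alipay.com", "alicdn.com",
                    "taobaocdn.com", "alitrip.com")


def refang(line: str) -> str:
    for needle, repl in DEFANG:
        line = line.replace(needle, repl)
    return line


def dedupe(text: str) -> list[str]:
    """First occurrence of every non-empty string, original order preserved."""
    seen: set[str] = set()
    out: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line and line not in seen:
            seen.add(line)
            out.append(line)
    return out


def extract_hosts(text: str) -> Counter[str]:
    """Hostnames from every URL (defanged or plain) and bare www. names, with counts."""
    hosts: Counter[str] = Counter()
    for line in dedupe(text):
        line = refang(line)
        for rx in (URL_HOST, BARE_WWW):
            for host in rx.findall(line):
                hosts[host.lower().rstrip(".")] += 1
    return hosts


def bucket(hosts: Counter[str]) -> dict[str, list[str]]:
    """Split hosts into Alibaba-owned targets and third-party infrastructure."""
    out: dict[str, list[str]] = {"alibaba": [], "third_party": []}
    for host in sorted(hosts):
        alibaba = any(host == s or host.endswith("." + s) for s in ALIBABA_SUFFIXES)
        out["alibaba" if alibaba else "third_party"].append(host)
    return out


if __name__ == "__main__":
    found = extract_hosts(SAMPLE_DUMP)
    for kind, names in bucket(found).items():
        print(kind)
        for name in names:
            print("  %-35s x%d" % (name, found[name]))
```

The hostnames in the "third_party" bucket are the ones worth blocking or alerting on; the "alibaba" hosts are the services being automated and will also appear in legitimate browser traffic from the same machine.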
Strings from Dumps
%original file name%.exe_2180:
.text
`.rdata
@.data
.rsrc
{82B46959-3065-46a0-8340-3BB58B77A259}
bywayboy@gmail.com
hXXp://VVV.ecodeproject.cn/bbs
:16882569
kernel32.dll
ole32.dll
msvcrt.dll
fne.dll
t%SVh
t$(SSh
~%UVW
u$SShe
wininet.dll
WinINet.dll
CrackCaptchaAPI.dll
user32.dll
UUWiseHelper.dll
urlmon.dll
sqlite3.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
Login2
ReportResult
uu_reportError
uu_loginA
UrlMkSetSessionOption
sqlite3_errcode
sqlite3_finalize
sqlite3_prepare_v2
sqlite3_bind_blob
sqlite3_step
sqlite3_get_table
sqlite3_free_table
sqlite3_changes
sqlite3_data_count
sqlite3_reset
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_double
GetProcessHeap
sqlite3_sql
sqlite3_column_bytes
sqlite3_open_v2
sqlite3_close
sqlite3_rekey
sqlite3_key
sqlite3_free
sqlite3_errmsg
sqlite3_libversion
sqlite3_busy_timeout
sqlite3_exec
sqlite3_interrupt
WebBrowser
&api=cancellation.lg
&mutualkey=
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXps://login.taobao.com/member/request_nick_check.do?_input_charset=utf-8&username=
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
&loginsite=0&newlogin=0&TPL_redirect_url=http://portal.gongxiao.tmall.com/supplierIndex.htm&from=tb&fc=default&style=default&css_style=&tid=XOR_1_000000000000000000000000000000_63504554470A7C717D71047B&support=000001&CtrlVersion=1,0,0,7&loginType=3&minititle=&minipara=&umto=T068afe2a986ae40dfd2fc252ad4e61e4&pstrong=2&llnick=&sign=&need_sign=&isIgnore=&full_redirect=&popid=&callback=&guf=&not_duplite_str=&need_user_id=&poy=&gvfdcname=10&gvfdcre=&from_encoding=&sub=true&TPL_password_2=&loginASR=0&loginASRSuc=0&allp=&oslanguage=&sr=1366*768&osVer=windows|6.1&naviVer=ie|8
&TPL_password=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm
/data/login.txt
gotoURL:"
login.taobao.com/member/login_unusual.htm
hXXps://passport.alipay.com/mini_apply_st.js?site=0&token=
hXXps://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
checkcodev3.php
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
&how=&app=weblayer&v=3&w=&back=
hXXp://alisec.tmall.com/tmdgetv3.php?code=
supplier_setting.htm'>
1970-01-01 00:00:00
i@hXXps://login.taobao.com/member/login.jhtml?tpl_redirect_url=hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm&style=miniall&enup=true&newMini2=true&full_redirect=true&from=tmall&allp=assets_css=3.0.5/login_pc.css&pms=1452608347355
taobao.com
tracknick=
tmall.com
i
) a[i] = ("00" + str.charCodeAt(i).toString(16)).slice(-4);
return "\\u" + a.join("\\u");
return unescape(str.replace(/\\/g, "%"));
) a[i] = str.charCodeAt(i);
return "" + a.join(";") + ";";
return str.replace(/(x)?([^&]{1,5});?/g, function (a, b, c) {
return String.fromCharCode(parseInt(c,b?16:10));
hXXp://alisec.tmall.com/checkcodev3.php?apply=scc&http_referer=hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
hXXp://regcheckcode.taobao.com/auction/checkcode?sessionID=
hXXp://VVV.uuwise.com/User/VipPay.aspx
&api=liuyan.in&table=
&api=gg.in
&api=logica.in
&api=logicinfoa.in
&api=logicb.in
&api=logicinfob.in
&api=imga.in
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_PhysicalMedia")
GetTrait =Obj.SerialNumber
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
GetTrait = Obj.ProcessorId
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_ComputerSystem")
GetTrait = Obj.Name
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_baseboard")
GetTrait = Obj.SerialNumber
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_NetworkAdapterConfiguration")
If Obj.IPEnabled=True Then
GetTrait = Obj.MacAddress
&key=
&api=login.lg&user=
&api=internet.in
[\s\S]*?[\s\S]*? [\s\S]*?[\s\S]*?hXXp://qudao.gongxiao.tmall.com/supplier/json/cancel_invitation_json.htm?action=user/invitation_action&event_submit_do_cancel=t&invitationId=
hXXp://qudao.gongxiao.tmall.com/supplier/json/cancel_invitation_json.htm?action=user/invitation_action&event_submit_do_cancel=t&invitationId=
hXXp://qudao.gongxiao.tmall.com/supplier/json/cancelInvitationJson.htm?action=user/invitation_action&event_submit_do_cancel=t&invitationId=
(.txt)|*.txt
TEAKEY
hXXps://amos.alicdn.com/muliuserstatus.aw?beginnum=0&site=cntaobao&charset=utf-8&uids=
&apply=scc&referer=http://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
hXXp://alisec.tmall.com/tmdgetv3.php
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm?_tb_token_=
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm
SELECT ctime FROM normaltb WHERE nick = '
nick =
INSERT INTO normaltb (ID,userid, nick,ctime,type) VALUES
&api=jiekey.lg&user=
hXXp://v3.dama2.com/index/
hXXp://gongxiao.tmall.com/supplier/user/distributor_terminate.htm?cooperateId=
http:
1E7540C7-006A-4852-A1BF-F7D7CEB9879A
32F1C86B-E64C-4EAF-8BC1-C142570008BC
SESSIONkEY
-12027,TEAKEY
&_fms.di._0.c=
&event_submit_do_end_cooperate=t&_fms.di._0.d=1&_fms.di._0.e=
&action=supplier/user/cooperate_action&cooperateId=
&action=/supplier/user/cooperate_action&event_submit_do_agree_end_cooperate=1&_tb_token_=
hXXp://gongxiao.tmall.com/supplier/json/json_result.htm?cooperateId=
hXXp://qudao.gongxiao.tmall.com/supplier/user/salers_search_list.htm?
1000001
5000001
10000000
2000000
1000000
hXXp://VVV.ruokuai.com/home/register
hXXp://alisec.taobao.com/tmdgetv3.php?code=
nick":"
hXXps://shopsearch.taobao.com/search?app=shopsearch&fs=1&java=on
hXXp://VVV.ruokuai.com/login
&status=1&action=supplier/user/SalersAction&needPageTotal=false&total=&orderBy=gmt_create&salerType=2&direction=desc&distributorNick=&beginDate=&endDate=&gradeId=&tradeType=&priceCountLow=&priceCountHeigh=&productLineShow=&productLine=&orderCountLow=&orderCountHeigh=
hXXp://gongxiao.tmall.com/supplier/user/my_salers_list.htm
CooperateId_([\s\S]*?)
&cooperateId=
data-nick="
hXXps://amos.alicdn.com/muliuserstatus.aw?beginnum=0&site=cntaobao&charset=utf-8&uids=
&pageTotal=&needPageTotal=false&orderby=default&brandId=0&distributorNick=&userMarket=0
hXXps://goods.gongxiao.tmall.com/supplier/user/distributor/dist_stat_list.htm
pageNum=&pageTotal=&needPageTotal=false&orderby=default&brandId=0&distributorNick=
insert into salerlist (shopid, userid,wangwangnick,distributorId,hassend,intime) VALUES
_86&userNick=
hXXp://qudao.gongxiao.tmall.com/supplier/json/invite_result.htm?action=user/invitation_action&event_submit_do_search=t&_input_charset=utf-8&&_ksTS=
hXXp://qudao.gongxiao.tmall.com/supplier/json/invite_result_json.htm?action=user/invitation_action&event_submit_do_invite=t&_input_charset=utf-8&&_ksTS=
hXXp://qudao.gongxiao.tmall.com/supplier/json/jsonResult.htm?action=user/salers_search_action&event_submit_do_recruit=t&tbDisId=
{shopurl}
hXXps://shop.m.taobao.com/shop/shop_info.htm?user_id={shopurl}
hXXp://mai.taobao.com/seller_admin.htm
hXXp://gongxiao.tmall.com/supplier/user/distributor_detail.htm
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
\sqlite3.dll
\CrackCaptchaAPI.dll
\UUWiseHelper.dll
\data\set.ini
\set.ini
hXXp://ssl.oowise.com/AppEn.php?appid=30000000&md5=863461ed672e10c6902837d7fdde3e42
VVV.oowise.com
909797891
&api=BSphpSeSsL.in
&api=v.in
/dll.zip
hXXp://ssl.oowise.com/Download/dll.zip
\dll.zip
&api=GetPleaseregister.lg&user=
&api=chong.lg&user=
&api=weburl.in
(.csv)|*.csv
&api=registration.lg&user=
120894001|
50020808|
50020857|
50008164|
50020611|
50023904|
50010788|
50023282|
50019780|
50018222|
50018264|
50012164|
50007218|
50018004|
50022703|
50011972|
50012100|
50012082|
50002768|
50020332|
50020485|
50020579|
50016349|
50016348|
50008163|
50014812|
50022517|
50008165|
50020275|
50002766|
50016422|
50010728|
50013886|
50011699|
50011740|
50006843|
50006842|
50010404|
50011397|
50017300|
50012029|
50013864|
50025705|
50026316|
50023804|
50026800|
50050359|
50074001|
50468001|
50510002|
50008141|
wangwangnick
nick
SQLite format 3
ON "normaltb" ("userid" ASC, "nick" COLLATE BINARY ASC)
"ID" INTEGER PRIMARY KEY AUTOINCREMENT,
"nick" TEXT,
ON "salerlist" ("wangwangnick" ASC, "distributorId" ASC)1
indexsqlite_autoindex_salerlist_1salerlist
"wangwangnick" TEXT NOT NULL,
PRIMARY KEY ("wangwangnick" ASC, "distributorId")
Ytablesqlite_sequencesqlite_sequence
CREATE TABLE sqlite_sequence(name,seq)
hXXps://
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
&api=timeout.lg
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
zcÃ
"0,01070
8Â8J8R8x8
0#0'0-01070;0
=*>0>4>8>
5%6S6
3$3,383\3|3
:-1014,URL
:-19011,
hXXps://gongxiao.tmall.com/supplier/user/distributor_detail.htm?distributorId=
taobaocdn.com/newrank/
&logintype=2&_ksTS=1419347542359_164&callbackName=MinervaLoginCallback
hXXps://service.taobao.com/support/minerva/sdk/minerva_login.do?version=2&loginname=
&ver=7.00.34T
hXXp://tradecardseller.wangwang.taobao.com/tradecard/nameCard.htm?uid=cntaobao
&ver=8.00.34C
hXXp://tradecard.wangwang.taobao.com/tradecard/buyer/nameCard.htm?uid=cntaobao
hXXps://shop.m.taobao.com/shop/shop_info.htm?user_id={userid}
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
hXXps://shop.m.taobao.com/shop/shop_index.htm?shop_id={shopurl}
.taobao.com/
hXXps://shop
.tmall.
.alitrip.
.taobao.com/search.htm?search=y
J_ShopAsynSearchURL
.taobao.com
item.htm?id=
nickName:'
nickName: '
&wangwangnick=
&shopkeyword=
[\s\S]*?distributorId=([\s\S]*?)"[\s\S]*?[\s\S]*? [\s\S]*?distributorId=([\s\S]*?)"[\s\S]*?[\s\S]*?SELECT hassend FROM salerlist WHERE wangwangnick = '
SELECT hassend FROM salerlist WHERE wangwangnick = '
&api=url.in
hXXp://VVV.taobao.com/webww/?&ver=1&touid=cntaobao
hXXp://api.ruokuai.com/register.xml
hXXp://api.ruokuai.com/info.xml
hXXp://api.ruokuai.com/recharge.xml
hXXp://api.ruokuai.com/create.xml
hXXp://api.ruokuai.com/reporterror.xml
VBScript.RegExp
&password=
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
&softkey=
Content-Disposition: form-data; name="password"
{pass}
Content-Disposition: form-data; name="softkey"
{softkey}
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
Primary Key
select count(*) from sqlite_master where type='table' and tbl_name='
select name as title from sqlite_master where type='table'
select name as title from sqlite_master where type='table' and name not like('sqlite%')
sqlite_master
select sql from sqlite_master where type='table' and name='
select sql from sqlite_master where type='index' and name='
select sql from sqlite_master where type='view' and name='
select sql from sqlite_master where type='trigger' and name='
MSXML2.ServerXMLHTTP
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
SetClientCertificate
(Xn*%f
a.pRT
.QD@R
.UIJI
hXXp://VVV.oowise.com
.kof'
oW.kr
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
? deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
? deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
inflate 1.1.4 Copyright 1995-2002 Mark Adler
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
iphlpapi.dll
iphlpapi.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
MSVFW32.dll
MSVFW32.dll
AVIFIL32.dll
AVIFIL32.dll
RASAPI32.dll
RASAPI32.dll
WinExec
WinExec
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyState
GetKeyState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
WINSPOOL.DRV
comdlg32.dll
comdlg32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ShellExecuteA
ShellExecuteA
COMCTL32.dll
COMCTL32.dll
oledlg.dll
oledlg.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
WSOCK32.dll
WSOCK32.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
VVV.dywt.com.cn
VVV.dywt.com.cn
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) CometHTTP
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) CometHTTP
1.1.4
1.1.4
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI
NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI
NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCaptchaRecognizer::recognizeByCodeTypeAndUrl
CCaptchaRecognizer::recognizeByCodeTypeAndUrl
hXXp://s1.uudati.com:
hXXp://s1.uudati.com:
hXXp://s1.taskok.com:
hXXp://s1.taskok.com:
hXXp://s1.uudama.com:
hXXp://s1.uudama.com:
hXXp://s1.uuwise.com:
hXXp://s1.uuwise.com:
/Api/config.aspx
/Api/config.aspx
2.0.0.5
2.0.0.5
WiseClientAPI-2.0.0.5
WiseClientAPI-2.0.0.5
CCaptchaRecognizer::__UpdateTKEY
CCaptchaRecognizer::__UpdateTKEY
CCaptchaRecognizer::_IsNeedLogin
CCaptchaRecognizer::_IsNeedLogin
/Api/DecodeImg.aspx
/Api/DecodeImg.aspx
xxxxxxxxxxx
xxxxxxxxxxx
hXXp://p1.uuwise.net:
hXXp://p1.uuwise.net:
hXXp://p1.uudama.net:
hXXp://p1.uudama.net:
hXXp://p1.taskok.com:
hXXp://p1.taskok.com:
hXXp://p1.uuwise.com:
hXXp://p1.uuwise.com:
hXXp://p1.uudama.com:
hXXp://p1.uudama.com:
CCaptchaRecognizer::easyRecognizeUrl
CCaptchaRecognizer::easyRecognizeUrl
%d%d%d%d%d
%d%d%d%d%d
CCaptchaRecognizer::_CalcRandomPort
CCaptchaRecognizer::_CalcRandomPort
/Api/VerifyAPIFile.aspx
/Api/VerifyAPIFile.aspx
/Api/UserLogin.aspx
/Api/UserLogin.aspx
CCaptchaRecognizer::login
CCaptchaRecognizer::login
/Api/UserReg.aspx
/Api/UserReg.aspx
/Api/PayCard.aspx
/Api/PayCard.aspx
/Api/ReportError.aspx
/Api/ReportError.aspx
CCaptchaRecognizer::reportError
CCaptchaRecognizer::reportError
/Api/UserPoint.aspx
/Api/UserPoint.aspx
|2.0.0.5|
|2.0.0.5|
/Api/DecodeResult.aspx
/Api/DecodeResult.aspx
ID/KEY/
ID/KEY/
ByTypeBytes.JPG
ByTypeBytes.JPG
%d-%d-%d
%d-%d-%d
CHttpRequestHelper::_ReadResponse
CHttpRequestHelper::_ReadResponse
User-Agent:WiseClient-2.0.0.5;
User-Agent:WiseClient-2.0.0.5;
WiseClient-2.0.0.5
WiseClient-2.0.0.5
CHttpRequestHelper::_InternalRequest
CHttpRequestHelper::_InternalRequest
CHttpRequestHelper::RequestGetImage
CHttpRequestHelper::RequestGetImage
CHttpRequestHelper::RequestPost
CHttpRequestHelper::RequestPost
ServerPort
ServerPort
UUExtConfig.ini
UUExtConfig.ini
-:-:-.%d
-:-:-.%d
tCRYPTDLL.DLL
tCRYPTDLL.DLL
3.cn.pool.ntp.org
3.cn.pool.ntp.org
2.cn.pool.ntp.org
2.cn.pool.ntp.org
1.cn.pool.ntp.org
1.cn.pool.ntp.org
0.cn.pool.ntp.org
0.cn.pool.ntp.org
cn.pool.ntp.org
cn.pool.ntp.org
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
Microsoft Windows Millennium Edition
Microsoft Windows Millennium Edition
Microsoft Windows 98
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 95
%s (Build %d)
%s (Build %d)
Service Pack 6a (Build %d)
Service Pack 6a (Build %d)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Web Edition
Web Edition
Service Pack %d (Build %d)
Service Pack %d (Build %d)
Microsoft Windows NT
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP
Microsoft Windows Server 2003,
Microsoft Windows Server 2003,
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 "R2"
Microsoft Windows Server 2003 "R2"
Windows Server 2008
Windows Server 2008
Windows Vista
Windows Vista
Windows Server 2008 R2
Windows Server 2008 R2
Windows 7
Windows 7
ox-x-x-x-x-x
ox-x-x-x-x-x
\Tencent\Users\*.*
\Tencent\Users\*.*
nKERNEL32.DLL
nKERNEL32.DLL
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
!"#$%&'()* ,-.
!"#$%&'()* ,-.
uuwise.com
uuwise.com
2, 0, 0, 5
2, 0, 0, 5
1.0.0.1
1.0.0.1
(*.*)
(*.*)
5.2.5.0
5.2.5.0
:hXXp://VVV.oowise.com
:hXXp://VVV.oowise.com