Skip to main content

Generic.Malware.SYBddldprng.298347B3_aca02ef228


Trojan.Win32.Inject.ijat (Kaspersky), Generic.Malware.SYBd!dldprng.298347B3 (B) (Emsisoft), Generic.Malware.SYBd!dldprng.298347B3 (AdAware), Backdoor.Win32.Zegost.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: aca02ef228ca6a0cf55b921df0a86b4b

SHA1: 8c32c94574ef8aba07b2641bf5d79963c0b0c30d

SHA256: ccbfee5ca53eeb3afe313b9af237a092a7b074a0a489d123062a40cd91bfd6fe

SSDeep: 49152:g ZPgX0PBVRhaWSp2AoGutO2sD3Ev4TGFbKZNXoX1E1 99Y/:gNX0PB7haXpkGkxyX416/

Size: 3411585 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6

Company: no certificate found

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Generic creates the following process(es):

%original file name%.exe:2028

The Generic injects its code into the following process(es):

¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe:636
server.exe:1180

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process ¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe:636 makes changes in the file system.


The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)

The Generic deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)

The process %original file name%.exe:2028 makes changes in the file system.


The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe (20507 bytes)
%System%\drivers\beep.sys (7 bytes)

The process server.exe:1180 makes changes in the file system.


The Generic creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
%WinDir%\Ball.exe (1281 bytes)
%WinDir%\Temp\zk.exe (1281 bytes)

Registry activity

The process %original file name%.exe:2028 makes changes in the system registry.


The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 28 24 DC 20 87 5B A5 76 6A 48 77 4C D5 6E"

Dropped PE files

MD5 File path
f2f15ebc7e0ee49923961e9e59dd2443c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
f2f15ebc7e0ee49923961e9e59dd2443c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server.exe
1b0b0719a26652013f23aa7a00a386c3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe
f2f15ebc7e0ee49923961e9e59dd2443c:\WINDOWS\Ball.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2028

  2. Delete the original Generic file.
  3. Delete or disinfect the following files created/modified by the Generic:

    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe (20507 bytes)
    %System%\drivers\beep.sys (7 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
    %WinDir%\Ball.exe (1281 bytes)
    %WinDir%\Temp\zk.exe (1281 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE409624508245764.51037fe9741d9440745880409762b5b70b0bb
DATA28672332435843.51797cb9b777bab5f53a0c9ee279705f95436
BSS32768375700d41d8cd98f00b204e9800998ecf8427e
.idata36864244825603.07162324b3843ac86281dd452fb8445da8cfd
.tls40960800d41d8cd98f00b204e9800998ecf8427e
.rdata45056245120.14174a59d5deeda3151a72e3841f3a8a37fbd
.reloc49152154820483.93841800431cef35e18e3b4ace16e5fce61e2
.rsrc532485125122.09142a7f406bf6fb25a7f3329a2ee80fb270a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
389083d53ca592852b52f5a62735597d

Network Activity

URLs

URL IP
hxxp://114.215.104.9/lol/1.gif
hxxp://114.215.104.9/lol/2.gif
hxxp://114.215.104.9/lol/3.gif
hxxp://114.215.104.9/lol/4.gif
hxxp://114.215.104.9/lol/5.gif
hxxp://114.215.104.9/lol/6.gif
hxxp://114.215.104.9/lol/7.gif
hxxp://114.215.104.9/lol/8.gif
hxxp://114.215.104.9/lol/9.gif
hxxp://114.215.104.9/lol/10.gif
hxxp://x2.tcdn.qq.com/download.shtml
hxxp://www.a.shifen.com/
hxxp://lol.qq.com/download.shtml203.205.142.142
hxxp://www.baidu.com/
qq652277163.f3322.net125.71.245.224

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /download.shtml HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: lol.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: NWS_X2_MID

Connection: keep-alive

Date: Tue, 02 Jun 2015 05:26:42 GMT

Cache-Control: max-age=90

Expires: Tue, 02 Jun 2015 05:28:12 GMT

Last-Modified: Tue, 02 Jun 2015 05:20:00 GMT

Content-Type: text/html

Content-Length: 43956

X-Cache-Lookup: Hit From Upstream

X-Daa-Tunnel: hop_count=1

X-Cache-Lookup: Hit From Inner Cluster

<!DOCTYPE HTML>..<html>..<head>..<meta charset="gb2312" />..<meta name="robots" content="all" />..<meta name="Copyright" content="TENCNET" />..<meta name="author" content="Tencent-TGideas" />..<meta name="keywords" content="............,................,lol....,lol..............,lol........,lol....,lol......,lol........,..lol............" />..<meta name="description" content="........................................" />..<title>........-................-........</title>..<!-- ......jasonshuai | ......jasminjiang | ......20131028 | ..........hXXp://tgideas.qq.com -->..<script type="text/javascript">var d0 = new Date();</script>..<link href="/web201310/css/public.css" rel="stylesheet" />..<link href="/web201310/css/down.css" rel="stylesheet" />..</head>..<body>..<div class="wraper">.. <div class="layout toper"><!--[if lt IE 7]>. <p class="chromeframe">........IE................<a href="hXXp://windows.microsoft.com/">........IE......</a>........<a href="http://VVV.google.com/chromeframe/?redirect=true">Google Chrome</a>..<a href="hXXp://VVV.google.com/chromeframe/?redirect=true">Firefox</a>..................................</p>.<![endif]-->.<script src="hXXp://gameact.qq.com/comm-htdocs/js/game_area/lol_server_select.js"></script>.<script src="hXXp://lol.qq.com/web201310/js/head.js"></script>.<h1 class="t

<<< skipped >>>

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Tue, 02 Jun 2015 05:26:50 GMT

Content-Type: text/html

Content-Length: 14613

Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=48D8A6B212BE6543412E5A1B6E9ADF95:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BIDUPSID=48D8A6B212BE6543412E5A1B6E9ADF95; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: PSTM=1433222810; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BDSVRTM=0; path=/

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

Pragma: no-cache

Cache-control: no-cache

BDPAGETYPE: 1

BDQID: 0xb24567180004afa6

BDUSERID: 0

Accept-Ranges: bytes

<!DOCTYPE html><!--STATUS OK-->..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />...<!--[if lte IE 8]><style index="index" >#content{height:480px\9}#m{top:260px\9}</style><![endif]-->...<!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:visited{font-family:simsun}</style><![endif]-->...<script>var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte

<<< skipped >>>

GET /lol/1.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:39 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/2.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:39 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/3.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:39 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/4.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:40 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/5.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:40 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/6.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:40 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/7.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:41 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/8.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:41 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/9.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:41 GMT

Content-Length: 1830

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/10.gif HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 114.215.104.9

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 02 Jun 2015 05:26:42 GMT

Content-Length: 1831

<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span

<<< skipped >>>

Map

The Generic connects to the servers at the folowing location(s):

Strings from Dumps

server.exe_1180:

.text

.text

`.rdata

`.rdata

.data

.data

.rsrc

.rsrc

|$<.tk>

|$<.tk>

D$8RPSSh

D$8RPSSh

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

inflate 1.1.4 Copyright 1995-2002 Mark Adler

WINMM.dll

WINMM.dll

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

WS2_32.dll

WS2_32.dll

WININET.dll

WININET.dll

MSVFW32.dll

MSVFW32.dll

PSAPI.DLL

PSAPI.DLL

WTSAPI32.dll

WTSAPI32.dll

GetAsyncKeyState

GetAsyncKeyState

GetKeyState

GetKeyState

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

keybd_event

keybd_event

MapVirtualKeyA

MapVirtualKeyA

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

GetProcessWindowStation

GetProcessWindowStation

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyA

RegOpenKeyA

RegOpenKeyA

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegSetKeySecurity

RegSetKeySecurity

RegEnumKeyExA

RegEnumKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyA

RegRestoreKeyA

RegRestoreKeyA

RegSaveKeyA

RegSaveKeyA

ShellExecuteA

ShellExecuteA

SHDeleteKeyA

SHDeleteKeyA

InternetOpenUrlA

InternetOpenUrlA

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

CreatePipe

CreatePipe

DisconnectNamedPipe

DisconnectNamedPipe

PeekNamedPipe

PeekNamedPipe

KERNEL32.dll

KERNEL32.dll

NETAPI32.dll

NETAPI32.dll

AVICAP32.dll

AVICAP32.dll

GetCPInfo

GetCPInfo

%s//%s

%s//%s

Microsoft\Network\Connections\pbk\rasphone.pbk

Microsoft\Network\Connections\pbk\rasphone.pbk

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

RasDialParams!%s#0

RasDialParams!%s#0

%s\%s

%s\%s

%s\shell\open\comman

%s\shell\open\comman

%s\*.*

%s\*.*

%s%s%s

%s%s%s

%s%s*.*

%s%s*.*

a %s %s

a %s %s

a -r %s %s

a -r %s %s

rar.exe

rar.exe

x %s %s

x %s %s

SYSTEM\CurrentControlSet\Services\%s

SYSTEM\CurrentControlSet\Services\%s

Http/1.1 403 Forbidden

Http/1.1 403 Forbidden

\keyboar.dat

\keyboar.dat

:] %s

:] %s

:]%d-%d-%d %d:%d:%d

:]%d-%d-%d %d:%d:%d

Applications\iexplore.exe\shell\open\command

Applications\iexplore.exe\shell\open\command

Windows Windows7/Vista/2008

Windows Windows7/Vista/2008

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

Windows NT

Windows NT

kxetray.exe

kxetray.exe

egui.exe

egui.exe

RavMonD.exe

RavMonD.exe

KvMonXP.exe

KvMonXP.exe

avp.exe

avp.exe

360sd.exe

360sd.exe

KSafeTray.exe

KSafeTray.exe

360tray.exe

360tray.exe

PortNumber

PortNumber

SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

:%dMB

:%dMB

:%dGB

:%dGB

.DEFAULT\Keyboard Layout\Toggle

.DEFAULT\Keyboard Layout\Toggle

Hotkey

Hotkey

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp

SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

SOFTWARE\Policies\Microsoft\Windows\Installer

SOFTWARE\Policies\Microsoft\Windows\Installer

SOFTWARE\Microsoft\Windows\CurrentVersion\netcache

SOFTWARE\Microsoft\Windows\CurrentVersion\netcache

C:\3389.bat

C:\3389.bat

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d

c:\3389.bat

c:\3389.bat

gdt = x

gdt = x

idt = x

idt = x

%System%\ctfmon1.exe

%System%\ctfmon1.exe

%Documents and Settings%\All Users\

%Documents and Settings%\All Users\

\Ball.exe

\Ball.exe

%WinDir%\Ball.exe

%WinDir%\Ball.exe

hXXp://

hXXp://

ws2_32.dll

ws2_32.dll

%WinDir%\temp\svchost.exe

%WinDir%\temp\svchost.exe

%WinDir%\temp\zk.exe

%WinDir%\temp\zk.exe

%-25s %-15s 0x%x(%d)

%-25s %-15s 0x%x(%d)

%-25s %-15s %s

%-25s %-15s %s

\cmd.exe

\cmd.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

hXXps://

hXXps://

ddd

ddd

c:\windows\temp\svchost.exe

c:\windows\temp\svchost.exe

%WinDir%\TEMP\svchost.exe

%WinDir%\TEMP\svchost.exe

c:\windows\temp\svchost.txt

c:\windows\temp\svchost.txt

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

Shell32.dll

Shell32.dll

%System%\GroupPolicy\user\Scripts\scripts.ini

%System%\GroupPolicy\user\Scripts\scripts.ini

0CmdLine=C:\windows\temp\svchost.exe

0CmdLine=C:\windows\temp\svchost.exe

%System%\GroupPolicy\user\Scripts\script.ini

%System%\GroupPolicy\user\Scripts\script.ini

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

%System%\GroupPolicy\gpt.ini

%System%\GroupPolicy\gpt.ini

%System%\GroupPolicy\user\Scripts\Shutdown

%System%\GroupPolicy\user\Scripts\Shutdown

%System%\GroupPolicy\user\Scripts\Startu

%System%\GroupPolicy\user\Scripts\Startu

%System%\GroupPolicy\user\Scripts

%System%\GroupPolicy\user\Scripts

%System%\GroupPolicy\user

%System%\GroupPolicy\user

%System%\GroupPolicy

%System%\GroupPolicy

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe

Rstray.exe

Rstray.exe

%s\SysTEM32\sysedit.exe

%s\SysTEM32\sysedit.exe

Windows

Windows

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

explorer.exe

explorer.exe

1.1.4

1.1.4

zcÁ

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe

[201412215920]

[201412215920]

201412215920

201412215920

server.exe_1180_rwx_00423000_00001000:

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

inflate 1.1.4 Copyright 1995-2002 Mark Adler

server.exe_1180_rwx_00428000_00002000:

%s//%s

%s//%s

Microsoft\Network\Connections\pbk\rasphone.pbk

Microsoft\Network\Connections\pbk\rasphone.pbk

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

RasDialParams!%s#0

RasDialParams!%s#0

%s\%s

%s\%s

%s\shell\open\comman

%s\shell\open\comman

%s\*.*

%s\*.*

%s%s%s

%s%s%s

%s%s*.*

%s%s*.*

a %s %s

a %s %s

a -r %s %s

a -r %s %s

rar.exe

rar.exe

x %s %s

x %s %s

SYSTEM\CurrentControlSet\Services\%s

SYSTEM\CurrentControlSet\Services\%s

Http/1.1 403 Forbidden

Http/1.1 403 Forbidden

\keyboar.dat

\keyboar.dat

:] %s

:] %s

:]%d-%d-%d %d:%d:%d

:]%d-%d-%d %d:%d:%d

Applications\iexplore.exe\shell\open\command

Applications\iexplore.exe\shell\open\command

Windows Windows7/Vista/2008

Windows Windows7/Vista/2008

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

Windows NT

Windows NT

kxetray.exe

kxetray.exe

egui.exe

egui.exe

RavMonD.exe

RavMonD.exe

KvMonXP.exe

KvMonXP.exe

avp.exe

avp.exe

360sd.exe

360sd.exe

KSafeTray.exe

KSafeTray.exe

360tray.exe

360tray.exe

PortNumber

PortNumber

SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

:%dMB

:%dMB

:%dGB

:%dGB

.DEFAULT\Keyboard Layout\Toggle

.DEFAULT\Keyboard Layout\Toggle

Hotkey

Hotkey

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp

SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

SOFTWARE\Policies\Microsoft\Windows\Installer

SOFTWARE\Policies\Microsoft\Windows\Installer

SOFTWARE\Microsoft\Windows\CurrentVersion\netcache

SOFTWARE\Microsoft\Windows\CurrentVersion\netcache

C:\3389.bat

C:\3389.bat

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d

c:\3389.bat

c:\3389.bat

gdt = x

gdt = x

idt = x

idt = x

%System%\ctfmon1.exe

%System%\ctfmon1.exe

%Documents and Settings%\All Users\

%Documents and Settings%\All Users\

\Ball.exe

\Ball.exe

%WinDir%\Ball.exe

%WinDir%\Ball.exe

hXXp://

hXXp://

ws2_32.dll

ws2_32.dll

KERNEL32.dll

KERNEL32.dll

%WinDir%\temp\svchost.exe

%WinDir%\temp\svchost.exe

%WinDir%\temp\zk.exe

%WinDir%\temp\zk.exe

%-25s %-15s 0x%x(%d)

%-25s %-15s 0x%x(%d)

%-25s %-15s %s

%-25s %-15s %s

\cmd.exe

\cmd.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

hXXps://

hXXps://

ddd

ddd

c:\windows\temp\svchost.exe

c:\windows\temp\svchost.exe

%WinDir%\TEMP\svchost.exe

%WinDir%\TEMP\svchost.exe

c:\windows\temp\svchost.txt

c:\windows\temp\svchost.txt

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

Shell32.dll

Shell32.dll

%System%\GroupPolicy\user\Scripts\scripts.ini

%System%\GroupPolicy\user\Scripts\scripts.ini

0CmdLine=C:\windows\temp\svchost.exe

0CmdLine=C:\windows\temp\svchost.exe

%System%\GroupPolicy\user\Scripts\script.ini

%System%\GroupPolicy\user\Scripts\script.ini

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

%System%\GroupPolicy\gpt.ini

%System%\GroupPolicy\gpt.ini

%System%\GroupPolicy\user\Scripts\Shutdown

%System%\GroupPolicy\user\Scripts\Shutdown

%System%\GroupPolicy\user\Scripts\Startu

%System%\GroupPolicy\user\Scripts\Startu

%System%\GroupPolicy\user\Scripts

%System%\GroupPolicy\user\Scripts

%System%\GroupPolicy\user

%System%\GroupPolicy\user

%System%\GroupPolicy

%System%\GroupPolicy

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe

Rstray.exe

Rstray.exe

%s\SysTEM32\sysedit.exe

%s\SysTEM32\sysedit.exe

Windows

Windows

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

explorer.exe

explorer.exe

1.1.4

1.1.4

server.exe_1180_rwx_0042D000_00005000:

zcÁ

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe

¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe_636:

.text

.text

.rdata

.rdata

@.data

@.data

.rsrc

.rsrc

@.text

@.text

t$(SSh

t$(SSh

~%UVW

~%UVW

.tTPV

.tTPV

FTPjK

FTPjK

FtPj;

FtPj;

F.PjRWj

F.PjRWj

u.WWj

u.WWj

u.VVj

u.VVj

u$SShe

u$SShe

ole32.dll

ole32.dll

kernel32.dll

kernel32.dll

GdiPlus.dll

GdiPlus.dll

wininet.dll

wininet.dll

user32.dll

user32.dll

OLEACC.DLL

OLEACC.DLL

gdiplus.dll

gdiplus.dll

gdi32.dll

gdi32.dll

advapi32.dll

advapi32.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

GdiplusShutdown

GdiplusShutdown

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

RegCreateKeyA

RegCreateKeyA

RegOpenKeyA

RegOpenKeyA

RegEnumKeyA

RegEnumKeyA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

MySQL

MySQL

{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}

{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

flash.ocx.......

flash.ocx.......

dbghelp.dll

dbghelp.dll

loljdhurs.dll

loljdhurs.dll

hacker.map

hacker.map

114.215.104.9

114.215.104.9

','1', '

','1', '

hXXp://connect.qq.com/toc/auth_manager?from=auth

hXXp://connect.qq.com/toc/auth_manager?from=auth

hXXp://connect.qq.com/intro/login

hXXp://connect.qq.com/intro/login

hXXp://114.215.104.9/fz/lol/3.txt

hXXp://114.215.104.9/fz/lol/3.txt

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

R%U~

R%U~

^Hz%S~

^Hz%S~

:n%D'l:W

:n%D'l:W

A2V.Uq

A2V.Uq

%,.jc

%,.jc

%s40B

%s40B

v"(.qF

v"(.qF

T.VEb

T.VEb

W.YUb

W.YUb

( .yv

( .yv

F5.la

F5.la

pt$%ud"u

pt$%ud"u

%DTny

%DTny

Y?.GG8

Y?.GG8

d@7.CI

d@7.CI

.Dg.F`MF`f!

.Dg.F`MF`f!

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

5

5

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

HwEb9

HwEb9

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

b\V.DM

b\V.DM

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

"2&*:*.

"2&*:*.

&;%.C-6K

&;%.C-6K

&6-&.9

&6-&.9

uiUDPzV

uiUDPzV

W.Hi.

W.Hi.

{x(>%f

{x(>%f

0.kRP

0.kRP

._%fv

._%fv

j,^.Ll}

j,^.Ll}

X\K".luM

X\K".luM

-,2rV.bU

-,2rV.bU

'%CZGpBq

'%CZGpBq

.ei^KHf

.ei^KHf

!}f%.GzTK;

!}f%.GzTK;

|H%Cs~Dw

|H%Cs~Dw

1.eP6

1.eP6

%cr&kR

%cr&kR

17.Go

17.Go

Hq%XX!

Hq%XX!

.tk;1

.tk;1

/%s@Z

/%s@Z

2C.Re

2C.Re

V`U.CgDI

V`U.CgDI

.pfeF

.pfeF

p!mh

p!mh

P.hK\a

P.hK\a

_%X^E

_%X^E

424235235

424235235

mysqlpassword

mysqlpassword

103.242.1.19

103.242.1.19

hXXp://114.215.104.9/lol/1.gif

hXXp://114.215.104.9/lol/1.gif

hXXp://114.215.104.9/lol/2.gif

hXXp://114.215.104.9/lol/2.gif

hXXp://114.215.104.9/lol/3.gif

hXXp://114.215.104.9/lol/3.gif

hXXp://114.215.104.9/lol/4.gif

hXXp://114.215.104.9/lol/4.gif

hXXp://114.215.104.9/lol/5.gif

hXXp://114.215.104.9/lol/5.gif

hXXp://114.215.104.9/lol/6.gif

hXXp://114.215.104.9/lol/6.gif

hXXp://114.215.104.9/lol/7.gif

hXXp://114.215.104.9/lol/7.gif

hXXp://114.215.104.9/lol/8.gif

hXXp://114.215.104.9/lol/8.gif

hXXp://114.215.104.9/lol/9.gif

hXXp://114.215.104.9/lol/9.gif

hXXp://114.215.104.9/lol/10.gif

hXXp://114.215.104.9/lol/10.gif

hXXp://lol.qq.com/download.shtml

hXXp://lol.qq.com/download.shtml

hXXp://id.qq.com/index.html

hXXp://id.qq.com/index.html

hXXp://user.qzone.qq.com

hXXp://user.qzone.qq.com

tabIndex=1 onclick=Nav.logout(); href="javascript:void(0);" target=page>[

tabIndex=1 onclick=Nav.logout(); href="javascript:void(0);" target=page>[

&encrytype=0&devtype=0&keytpye=0&uin=

&encrytype=0&devtype=0&keytpye=0&uin=

hXXp://ptlogin2.qq.com/getface?appid=21000124&imgtype=

hXXp://ptlogin2.qq.com/getface?appid=21000124&imgtype=

info_banner_nick

info_banner_nick

hXXp://user.qzone.qq.com/

hXXp://user.qzone.qq.com/

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

\TCLS\config\LoginQ.dat

\TCLS\config\LoginQ.dat

LoginUserRecord

LoginUserRecord

hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=1006102&daid=1&style=23&hide_border=1&proxy_url=http://id.qq.com/login/proxy.html&s_url=hXXp://id.qq.com/index.html

hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=1006102&daid=1&style=23&hide_border=1&proxy_url=http://id.qq.com/login/proxy.html&s_url=hXXp://id.qq.com/index.html

\Air\preferences\*.*

\Air\preferences\*.*

.properties

.properties

\TCLS\Client.exe

\TCLS\Client.exe

LolClient.exe

LolClient.exe

hXXp://114.215.104.9/fz/lol/a.txt

hXXp://114.215.104.9/fz/lol/a.txt

hXXp://114.215.104.9/fz/lol/b.txt

hXXp://114.215.104.9/fz/lol/b.txt

hXXp://114.215.104.9/fz/lol/c.txt

hXXp://114.215.104.9/fz/lol/c.txt

hXXp://114.215.104.9/fz/lol/d.txt

hXXp://114.215.104.9/fz/lol/d.txt

hXXp://114.215.104.9/fz/lol/e.txt

hXXp://114.215.104.9/fz/lol/e.txt

hXXp://114.215.104.9/fz/lol/1.txt

hXXp://114.215.104.9/fz/lol/1.txt

hXXp://114.215.104.9/fz/lol/2.txt

hXXp://114.215.104.9/fz/lol/2.txt

hXXp://114.215.104.9/fz/lol/wangzhan/ltan.txt

hXXp://114.215.104.9/fz/lol/wangzhan/ltan.txt

hXXp://connect.qq.com/manage

hXXp://connect.qq.com/manage

hXXp://114.215.104.9/fz/lol/wangzhan/wzs.txt

hXXp://114.215.104.9/fz/lol/wangzhan/wzs.txt

1662768861

1662768861

hXXp://114.215.104.9/fz/lol/wangzhan/wz.txt

hXXp://114.215.104.9/fz/lol/wangzhan/wz.txt

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

window.location.reload()

window.location.reload()

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

text|password|file

comdlg32.dll

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

?A.nL

?A.nL

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

K%CS{z8'

K%CS{z8'

.vW1@

.vW1@

G:l.zl/

G:l.zl/

}iÜ

}iÜ

ei%f

ei%f

3}%DKU4

3}%DKU4

4.IM!

4.IM!

.XG\@G

.XG\@G

VQc6.IR

VQc6.IR

2.Mq)9

2.Mq)9

{hg_.GB6

{hg_.GB6

.HeZ`yxm

.HeZ`yxm

%z.Pt

%z.Pt

aR.Ot|7

aR.Ot|7

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

.VBUj

.VBUj

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

0U.Qe

0U.Qe

%D!&'

%D!&'

Co.Kd

Co.Kd

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

,,,---///@@@...:::???

,,,---///@@@...:::???

^^^___***[[[

^^^___***[[[

sssHHHbbbaaajjjMMMKKK)))

sssHHHbbbaaajjjMMMKKK)))

"""|||(((

"""|||(((

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

hXXp://ns.adobe.com/xap/1.0/

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

I.YBh

I.YBh

-PPm}

-PPm}

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

.pal"

.pal"

Adobe Photoshop CS4 (11.0x20071101 [20071101.m.190 2007/11/01:02:00:00 cutoff; m branch]) Windows

Adobe Photoshop CS4 (11.0x20071101 [20071101.m.190 2007/11/01:02:00:00 cutoff; m branch]) Windows

2011:11:10 12:10:51

2011:11:10 12:10:51

urlTEXT

urlTEXT

MsgeTEXT

MsgeTEXT

hXXp://ns.adobe.com/xap/1.0/

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

IEC hXXp://VVV.iec.ch

IEC hXXp://VVV.iec.ch

.IEC 61966-2.1 Default RGB colour space - sRGB

.IEC 61966-2.1 Default RGB colour space - sRGB

CRT curv

CRT curv

jyM%f"

jyM%f"

~.DqC

~.DqC

kA.yR"EC

kA.yR"EC

oTi&.

oTi&.

-(00(5"!'

-(00(5"!'

&& 4' ."-2

&& 4' ."-2

##&,$'-"$(#%)

##&,$'-"$(#%)

") $ !%,

") $ !%,

# $*$(.(,2"$'$&)247

# $*$(.(,2"$'$&)247

"& #'#&*,/3 .2

"& #'#&*,/3 .2

#(&*/' 0)-2

#(&*/' 0)-2

!$#&)$'*%( ,/2#%'

!$#&)$'*%( ,/2#%'

!##&(%(*'*,( -,/1 .0

!##&(%(*'*,( -,/1 .0

467 %'( ,),-045

467 %'( ,),-045

"' #(#&

"' #(#&

# #&$'*#%'

# #&$'*#%'

!!&)%*-!%'#'),./

!!&)%*-!%'#'),./

$&$'(&)*#()$)*

$&$'(&)*#()$)*

##.22"%%'**&))*--

##.22"%%'**&))*--

%>UZ{DRn%6X

%>UZ{DRn%6X

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?>

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

G%5xI

G%5xI

VVV.fuzhu999.com

VVV.fuzhu999.com

2/ $3$'.

2/ $3$'.

37 *,/ $.

37 *,/ $.

~27/!%

~27/!%

"% #*%&1 #

"% #*%&1 #

BD7%XDAqVQ]B>T;8L64D0/

BD7%XDAqVQ]B>T;8L64D0/

!' #& "!

!' #& "!

!( #)!$$ )'

!( #)!$$ )'

") ") "*!$*!$& !

") ") "*!$*!$& !

464\^\|~|

464\^\|~|

|~|

|~|

D-w.yD!

D-w.yD!

1.2.18

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

portuguese-brazilian

portuguese-brazilian

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

inflate 1.1.4 Copyright 1995-2002 Mark Adler

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

MSVFW32.dll

MSVFW32.dll

AVIFIL32.dll

AVIFIL32.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

GetCPInfo

GetCPInfo

SetNamedPipeHandleState

SetNamedPipeHandleState

WaitNamedPipeA

WaitNamedPipeA

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

RegisterHotKey

RegisterHotKey

UnregisterHotKey

UnregisterHotKey

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

COMCTL32.dll

COMCTL32.dll

oledlg.dll

oledlg.dll

WSOCK32.dll

WSOCK32.dll

InternetOpenUrlA

InternetOpenUrlA

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

hXXp://VVV.baidu.com

hXXp://VVV.baidu.com

(*.avi)|*.avi

(*.avi)|*.avi

WPFT532.CNV

WPFT532.CNV

WPFT632.CNV

WPFT632.CNV

EXCEL32.CNV

EXCEL32.CNV

write32.wpc

write32.wpc

Windows Write

Windows Write

mswrd632.wpc

mswrd632.wpc

Word for Windows 6.0

Word for Windows 6.0

wword5.cnv

wword5.cnv

Word for Windows 5.0

Word for Windows 5.0

mswrd832.cnv

mswrd832.cnv

mswrd632.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

Word 6.0/95 for Windows & Macintosh

html32.cnv

html32.cnv

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

-1-1 0:0:0

-1-1 0:0:0

2000-1-1

2000-1-1

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

its:%s::%s

its:%s::%s

%d%d%d

%d%d%d

rundll32.exe shell32.dll,

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

PIPE

PIPE

ssl-cert

ssl-cert

ssl-key

ssl-key

pipe

pipe

password

password

port

port

MYSQL

MYSQL

\\%s\pipe\%s

\\%s\pipe\%s

Unknown option to protocol: %s

Unknown option to protocol: %s

d:t:o,/tmp/client.trace

d:t:o,/tmp/client.trace

MYSQL_PWD

MYSQL_PWD

Windows_NT

Windows_NT

MYSQL_UNIX_PORT

MYSQL_UNIX_PORT

MYSQL_TCP_PORT

MYSQL_TCP_PORT

mysql

mysql

Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Can't open shared memory. %s event don't create for client (%lu)

Can't open shared memory. %s event don't create for client (%lu)

Using unsupported buffer type: %d (parameter: %d)

Using unsupported buffer type: %d (parameter: %d)

Can't send long data for non string or binary data types (parameter: %d)

Can't send long data for non string or binary data types (parameter: %d)

Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)

%-.100s via named pipe

%-.100s via named pipe

Lost connection to MySQL server during query

Lost connection to MySQL server during query

%-.100s via TCP/IP

%-.100s via TCP/IP

MySQL client run out of memory

MySQL client run out of memory

Protocol mismatch. Server Version = %d Client Version = %d

Protocol mismatch. Server Version = %d Client Version = %d

MySQL server has gone away

MySQL server has gone away

Unknown MySQL Server Host '%-.100s' (%d)

Unknown MySQL Server Host '%-.100s' (%d)

Can't create TCP/IP socket (%d)

Can't create TCP/IP socket (%d)

Can't connect to MySQL server on '%-.100s' (%d)

Can't connect to MySQL server on '%-.100s' (%d)

Can't connect to local MySQL server through socket '%-.100s' (%d)

Can't connect to local MySQL server through socket '%-.100s' (%d)

Can't create UNIX socket (%d)

Can't create UNIX socket (%d)

Unknown MySQL error

Unknown MySQL error

TCP/IP (%d)

TCP/IP (%d)

socket (%d)

socket (%d)

named pipe

named pipe

%s would have been started with the following arguments:

%s would have been started with the following arguments:

error: Found option without preceding group in config file: %s at line: %d

error: Found option without preceding group in config file: %s at line: %d

error: Wrong group definition in config file: %s at line %d

error: Wrong group definition in config file: %s at line %d

C:/mysql/

C:/mysql/

Index.xml

Index.xml

127.0.0.1

127.0.0.1

Software\MySQL

Software\MySQL

HAVE_TCPIP

HAVE_TCPIP

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Can't initialize threads: error %d

Can't initialize threads: error %d

Can't sync file '%s' to disk (Errcode: %d)

Can't sync file '%s' to disk (Errcode: %d)

Error on realpath() on '%s' (Error %d)

Error on realpath() on '%s' (Error %d)

Can't create symlink '%s' pointing at '%s' (Error %d)

Can't create symlink '%s' pointing at '%s' (Error %d)

Can't read value for symlink '%s' (Error %d)

Can't read value for symlink '%s' (Error %d)

Out of resources when opening file '%s' (Errcode: %d)

Out of resources when opening file '%s' (Errcode: %d)

Character set '%s' is not a compiled character set and is not specified in the '%s' file

Character set '%s' is not a compiled character set and is not specified in the '%s' file

Can't create directory '%s' (Errcode: %d)

Can't create directory '%s' (Errcode: %d)

Disk is full writing '%s'. Waiting for someone to free space...

Disk is full writing '%s'. Waiting for someone to free space...

%d files and %d streams is left open

%d files and %d streams is left open

Warning: '%s' had %d links

Warning: '%s' had %d links

Can't change dir to '%s' (Errcode: %d)

Can't change dir to '%s' (Errcode: %d)

Can't get working dirctory (Errcode: %d)

Can't get working dirctory (Errcode: %d)

Can't open stream from handle (Errcode: %d)

Can't open stream from handle (Errcode: %d)

Can't change size of file (Errcode: %d)

Can't change size of file (Errcode: %d)

Can't get stat of '%s' (Errcode: %d)

Can't get stat of '%s' (Errcode: %d)

Can't read dir of '%s' (Errcode: %d)

Can't read dir of '%s' (Errcode: %d)

Can't unlock file (Errcode: %d)

Can't unlock file (Errcode: %d)

Can't lock file (Errcode: %d)

Can't lock file (Errcode: %d)

Unexpected eof found when reading file '%s' (Errcode: %d)

Unexpected eof found when reading file '%s' (Errcode: %d)

Error on rename of '%s' to '%s' (Errcode: %d)

Error on rename of '%s' to '%s' (Errcode: %d)

Error on delete of '%s' (Errcode: %d)

Error on delete of '%s' (Errcode: %d)

Out of memory (Needed %u bytes)

Out of memory (Needed %u bytes)

Error on close of '%s' (Errcode: %d)

Error on close of '%s' (Errcode: %d)

Error writing file '%s' (Errcode: %d)

Error writing file '%s' (Errcode: %d)

Error reading file '%s' (Errcode: %d)

Error reading file '%s' (Errcode: %d)

Can't create/write to file '%s' (Errcode: %d)

Can't create/write to file '%s' (Errcode: %d)

File '%s' not found (Errcode: %d)

File '%s' not found (Errcode: %d)

charsets.charset.collation.map

charsets.charset.collation.map

charsets.charset.collation.flag

charsets.charset.collation.flag

charsets.charset.collation.order

charsets.charset.collation.order

charsets.charset.collation.id

charsets.charset.collation.id

charsets.charset.collation.name

charsets.charset.collation.name

charsets.charset.collation

charsets.charset.collation

charsets.charset.unicode.map

charsets.charset.unicode.map

charsets.charset.unicode

charsets.charset.unicode

charsets.charset.lower.map

charsets.charset.lower.map

charsets.charset.lower

charsets.charset.lower

charsets.charset.upper.map

charsets.charset.upper.map

charsets.charset.upper

charsets.charset.upper

charsets.charset.ctype.map

charsets.charset.ctype.map

charsets.charset.ctype

charsets.charset.ctype

charsets.charset.alias

charsets.charset.alias

charsets.charset.description

charsets.charset.description

charsets.charset.family

charsets.charset.family

charsets.charset.name

charsets.charset.name

charsets.charset.binary-id

charsets.charset.binary-id

charsets.charset.primary-id

charsets.charset.primary-id

charsets.charset

charsets.charset

charsets.max-id

charsets.max-id

xml.encoding

xml.encoding

xml.version

xml.version

1.1.4

1.1.4

%,%$%4%

%,%$%4%

eZl%u

eZl%u

Q.YeY

Q.YeY

R:\Sg|p5rL

R:\Sg|p5rL

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe

s4s/s)s%s>sNsOs

s4s/s)s%s>sNsOs

!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&

!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&

2&3&4&5&6&7&8&

2&3&4&5&6&7&8&

!(,("(-(

!(,("(-(

!,!5!6!

!,!5!6!

!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%

!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%

g9H5_DF>L!9yMGE~8

g9H5_DF>L!9yMGE~8

%Sv0$S

%Sv0$S

|T)>~T%C

|T)>~T%C

8]7]:]=5

8]7]:]=5

.Dh26a

.Dh26a

Z6%d#d

Z6%d#d

ReXeQe

ReXeQe

uewexe

uewexe

6*6 8*8 5*5 :*: ;*; =*=

6*6 8*8 5*5 :*: ;*; =*=

/"2"6"5"

/"2"6"5"

21314151

21314151

'2(2)2*2 2

'2(2)2*2 2

-6.6/6061626

-6.6/6061626

.7/70717

.7/70717

[7\7]7^7

[7\7]7^7

=8>8?8@8

=8>8?8@8

19293949

19293949

%;&;';(;

%;&;';(;

%>&>'>(>

%>&>'>(>

=>>>?>@>

=>>>?>@>

[@\@]@^@

[@\@]@^@

"U#U$U%U

"U#U$U%U

8[9[:[;[[

8[9[:[;[[

&\'\(\)\

&\'\(\)\

~\!]"]#]

~\!]"]#]

/]0]1]2]

/]0]1]2]

4]5]6]7]8]

4]5]6]7]8]

|_}_~_!`

|_}_~_!`

&`'`(`)`

&`'`(`)`

2`3`4`5`

2`3`4`5`

WeXe

WeXe

vewexe

vewexe

$f%f&f

$f%f&f

@mAmBmCmDm

@mAmBmCmDm

S%S'S(S)S S,S-S0S2S5SSBSLSKSYS[SaScSeSlSmSrSyS~S

S%S'S(S)S S,S-S0S2S5SSBSLSKSYS[SaScSeSlSmSrSyS~S

d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d

d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d

.AK.)

.AK.)

.uGvG

.uGvG

/%S67

/%S67

-<.gig>

-<.gig>

I.pKqK

I.pKqK

J.AeRtH49

J.AeRtH49

U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU

U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU

?q.SM!@

?q.SM!@

$R&ß

$R&ß

C.JMH

C.JMH

-)./...6. .

-)./...6. .

E~ExE|E{E

E~ExE|E{E

&t.KIx

&t.KIx

"*0QIs%u1

"*0QIs%u1

)Q.GN

)Q.GN

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S

U!U%U&U

U!U%U&U

X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X

X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X

_!_"_#_$_

_!_"_#_$_

%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d

%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d

"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e

"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e

2!2"2#2$2%2&2'2(2)2

2!2"2#2$2%2&2'2(2)2

"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%

"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%

1 1!1"1#1$1%1&1'1(1)1

1 1!1"1#1$1%1&1'1(1)1

!0"0#0$0%0&0'0(0)0

!0"0#0$0%0&0'0(0)0

% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%

% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%

W%f?i

W%f?i

e.lFO

e.lFO

}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}

}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}

urlsS

urlsS

~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~

~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~

u%urrGS

u%urrGS

]']&].]$]

]']&].]$]

s"s9s%s,s8s1sPsMsWs`slsos~s

s"s9s%s,s8s1sPsMsWs`slsos~s

x

x

{.{1{ {%{${3{>{

{.{1{ {%{${3{>{

!!"!#!(!

!!"!#!(!

4!5!6!7!8!9!:!;!>!?!

4!5!6!7!8!9!:!;!>!?!

~!2!3!

~!2!3!

.VZN'Uu:&7V@

.VZN'Uu:&7V@

%FxG=R

%FxG=R

~e%fWM

~e%fWM

rP.BPb

rP.BPb

C^%X*?M[lRzF*E

C^%X*?M[lRzF*E

(m|P%c

(m|P%c

NN"L.PSD25X^uU7

NN"L.PSD25X^uU7

.QqP8j9j:j5:

.QqP8j9j:j5:

%CxF-kJD

%CxF-kJD

(d.deB

(d.deB

3G,===%d

3G,===%d

&8.pB1

&8.pB1

mS.Xk@

mS.Xk@

tq.RG^JK

tq.RG^JK

B]HC

B]HC

yTDI.SS8`3

yTDI.SS8`3

t6ZeXeYe@5

t6ZeXeYe@5

*M%u#u4=(u

*M%u#u4=(u

"*")"'"("

"*")"'"("

%d&`&a&e&g&c&

%d&`&a&e&g&c&

%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%

%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%

[!\!]!^!

[!\!]!^!

mQ.bx

mQ.bx

{ | }9},

{ | }9},

d6exe9j

d6exe9j

]%sOu

]%sOu

m.t.zB}

m.t.zB}

w%xIyWy

w%xIyWy

%f?iCt

%f?iCt

#$%&'()* ,

#$%&'()* ,

!"#$%&'()* ,-./0123456789:;?@

!"#$%&'()* ,-./0123456789:;?@

%

%

%q%r%s%

%q%r%s%

`!`'`)` `

`!`'`)` `

e%f-f f'f/f

e%f-f f'f/f

%x-x x

%x-x x

~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

]8^6^3^7^

]8^6^3^7^

c{cichczc]eVeQeYeWe_UOeXeUeTe

c{cichczc]eVeQeYeWe_UOeXeUeTe

r6s%s4s)s:t*t3t"t%t5t6t4t/t

r6s%s4s)s:t*t3t"t%t5t6t4t/t

t&t(t%u&ukuju

t&t(t%u&ukuju

a.bidodyd

a.bidodyd

duewexe

duewexe

]!^"^#^ ^$^

]!^"^#^ ^$^

t.uGuHu

t.uGuHu

h&h(h.hMh:h%h h,k/k-k1k4kmk

h&h(h.hMh:h%h h,k/k-k1k4kmk

k%lzmcmdmvm

k%lzmcmdmvm

{1{ {-{/{2{8{

{1{ {-{/{2{8{

WHX%X

WHX%X

`IaJa aEa6a2a.aFa/aOa)a@a bh

`IaJa aEa6a2a.aFa/aOa)a@a bh

d@d%d'd

d@d%d'd

kCpDpJpHpIpEpFp

kCpDpJpHpIpEpFp

3: %s unexpected (ident or '/' wanted)

3: %s unexpected (ident or '/' wanted)

5: %s unexpected ('>' wanted)

5: %s unexpected ('>' wanted)

6: %s unexpected ('?' wanted)

6: %s unexpected ('?' wanted)

4: %s unexpected (ident or string wanted)

4: %s unexpected (ident or string wanted)

1: %s unexpected (ident wanted)

1: %s unexpected (ident wanted)

'%s>' unexpected ('%s>' wanted)

'%s>' unexpected ('%s>' wanted)

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

(*.*)

(*.*)

1.0.0.1

1.0.0.1

¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe_636_rwx_00401000_000EA000:

t$(SSh

t$(SSh

~%UVW

~%UVW

.tTPV

.tTPV

FTPjK

FTPjK

FtPj;

FtPj;

F.PjRWj

F.PjRWj

u.WWj

u.WWj

u.VVj

u.VVj

u$SShe

u$SShe