Trojan.Win32.Inject.ijat (Kaspersky), Generic.Malware.SYBd!dldprng.298347B3 (B) (Emsisoft), Generic.Malware.SYBd!dldprng.298347B3 (AdAware), Backdoor.Win32.Zegost.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: aca02ef228ca6a0cf55b921df0a86b4b
SHA1: 8c32c94574ef8aba07b2641bf5d79963c0b0c30d
SHA256: ccbfee5ca53eeb3afe313b9af237a092a7b074a0a489d123062a40cd91bfd6fe
SSDeep: 49152:g ZPgX0PBVRhaWSp2AoGutO2sD3Ev4TGFbKZNXoX1E1 99Y/:gNX0PB7haXpkGkxyX416/
Size: 3411585 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Generic creates the following process(es):
%original file name%.exe:2028
The Generic injects its code into the following process(es):
¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÃÂÛêÃËȫü¸¨Öú.exe:636
server.exe:1180
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÃÂÛêÃËȫü¸¨Öú.exe:636 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)
The Generic deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)
The process %original file name%.exe:2028 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÃÂÛêÃËȫü¸¨Öú.exe (20507 bytes)
%System%\drivers\beep.sys (7 bytes)
The process server.exe:1180 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
%WinDir%\Ball.exe (1281 bytes)
%WinDir%\Temp\zk.exe (1281 bytes)
Registry activity
The process %original file name%.exe:2028 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 28 24 DC 20 87 5B A5 76 6A 48 77 4C D5 6E"
Dropped PE files
MD5 | File path |
---|---|
f2f15ebc7e0ee49923961e9e59dd2443 | c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe |
f2f15ebc7e0ee49923961e9e59dd2443 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server.exe |
1b0b0719a26652013f23aa7a00a386c3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÃÛêÃËȫü¸¨Öú.exe |
f2f15ebc7e0ee49923961e9e59dd2443 | c:\WINDOWS\Ball.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2028
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÃÂÛêÃËȫü¸¨Öú.exe (20507 bytes)
%System%\drivers\beep.sys (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
%WinDir%\Ball.exe (1281 bytes)
%WinDir%\Temp\zk.exe (1281 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 24508 | 24576 | 4.51037 | fe9741d9440745880409762b5b70b0bb |
DATA | 28672 | 3324 | 3584 | 3.51797 | cb9b777bab5f53a0c9ee279705f95436 |
BSS | 32768 | 3757 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 36864 | 2448 | 2560 | 3.07162 | 324b3843ac86281dd452fb8445da8cfd |
.tls | 40960 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 45056 | 24 | 512 | 0.14174 | a59d5deeda3151a72e3841f3a8a37fbd |
.reloc | 49152 | 1548 | 2048 | 3.93841 | 800431cef35e18e3b4ace16e5fce61e2 |
.rsrc | 53248 | 512 | 512 | 2.09142 | a7f406bf6fb25a7f3329a2ee80fb270a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
389083d53ca592852b52f5a62735597d
Network Activity
URLs
URL | IP |
---|---|
hxxp://114.215.104.9/lol/1.gif | |
hxxp://114.215.104.9/lol/2.gif | |
hxxp://114.215.104.9/lol/3.gif | |
hxxp://114.215.104.9/lol/4.gif | |
hxxp://114.215.104.9/lol/5.gif | |
hxxp://114.215.104.9/lol/6.gif | |
hxxp://114.215.104.9/lol/7.gif | |
hxxp://114.215.104.9/lol/8.gif | |
hxxp://114.215.104.9/lol/9.gif | |
hxxp://114.215.104.9/lol/10.gif | |
hxxp://x2.tcdn.qq.com/download.shtml | |
hxxp://www.a.shifen.com/ | |
hxxp://lol.qq.com/download.shtml | 203.205.142.142 |
hxxp://www.baidu.com/ | |
qq652277163.f3322.net | 125.71.245.224 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /download.shtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: lol.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: NWS_X2_MID
Connection: keep-alive
Date: Tue, 02 Jun 2015 05:26:42 GMT
Cache-Control: max-age=90
Expires: Tue, 02 Jun 2015 05:28:12 GMT
Last-Modified: Tue, 02 Jun 2015 05:20:00 GMT
Content-Type: text/html
Content-Length: 43956
X-Cache-Lookup: Hit From Upstream
X-Daa-Tunnel: hop_count=1
X-Cache-Lookup: Hit From Inner Cluster
<!DOCTYPE HTML>..<html>..<head>..<meta charset="gb2312" />..<meta name="robots" content="all" />..<meta name="Copyright" content="TENCNET" />..<meta name="author" content="Tencent-TGideas" />..<meta name="keywords" content="............,................,lol....,lol..............,lol........,lol....,lol......,lol........,..lol............" />..<meta name="description" content="........................................" />..<title>........-................-........</title>..<!-- ......jasonshuai | ......jasminjiang | ......20131028 | ..........hXXp://tgideas.qq.com -->..<script type="text/javascript">var d0 = new Date();</script>..<link href="/web201310/css/public.css" rel="stylesheet" />..<link href="/web201310/css/down.css" rel="stylesheet" />..</head>..<body>..<div class="wraper">.. <div class="layout toper"><!--[if lt IE 7]>. <p class="chromeframe">........IE................<a href="hXXp://windows.microsoft.com/">........IE......</a>........<a href="http://VVV.google.com/chromeframe/?redirect=true">Google Chrome</a>..<a href="hXXp://VVV.google.com/chromeframe/?redirect=true">Firefox</a>..................................</p>.<![endif]-->.<script src="hXXp://gameact.qq.com/comm-htdocs/js/game_area/lol_server_select.js"></script>.<script src="hXXp://lol.qq.com/web201310/js/head.js"></script>.<h1 class="t
<<< skipped >>>
GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 02 Jun 2015 05:26:50 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=48D8A6B212BE6543412E5A1B6E9ADF95:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=48D8A6B212BE6543412E5A1B6E9ADF95; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1433222810; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xb24567180004afa6
BDUSERID: 0
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />...<!--[if lte IE 8]><style index="index" >#content{height:480px\9}#m{top:260px\9}</style><![endif]-->...<!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:visited{font-family:simsun}</style><![endif]-->...<script>var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte
<<< skipped >>>
GET /lol/1.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>.. <head>.. <title>.....................</title>.. <meta name="viewport" content="width=device-width" />.. <style>.. body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} .. p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}.. b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }.. H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }.. pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {font-weight: bold; color: black;text-decoration: none;}.. .version {color: gray;}.. .error {margin-bottom: 10px;}.. .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }.. @media screen and (max-width: 639px) {.. pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }.. }.. @media screen and (max-width: 479px) {.. pre { width: 280px; }.. }.. </style>.. </head>.. <body bgcolor="white">.. <span><H1>.../.......................................<hr width=100% size=1 color=silver></H1>.. <h2> <i>.....................</i> </h2></span
<<< skipped >>>
GET /lol/2.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/3.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/4.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/5.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/6.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/7.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/8.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/9.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<<< skipped >>>
GET /lol/10.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:42 GMT
Content-Length: 1831
<<< skipped >>>
Map
The Generic connects to the servers at the following location(s):
Strings from Dumps
server.exe_1180:
.text
`.rdata
.data
.rsrc
|$<.tk>
D$8RPSSh
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
WINMM.dll
__MSVCRT_HEAP_SELECT
user32.dll
WS2_32.dll
WININET.dll
MSVFW32.dll
PSAPI.DLL
WTSAPI32.dll
GetAsyncKeyState
GetKeyState
ExitWindowsEx
EnumWindows
keybd_event
MapVirtualKeyA
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegSetKeySecurity
RegEnumKeyExA
RegQueryInfoKeyA
RegRestoreKeyA
RegSaveKeyA
ShellExecuteA
SHDeleteKeyA
InternetOpenUrlA
GetWindowsDirectoryA
WinExec
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
KERNEL32.dll
NETAPI32.dll
AVICAP32.dll
GetCPInfo
%s//%s
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
RasDialParams!%s#0
%s\%s
%s\shell\open\comman
%s\*.*
%s%s%s
%s%s*.*
a %s %s
a -r %s %s
rar.exe
x %s %s
SYSTEM\CurrentControlSet\Services\%s
Http/1.1 403 Forbidden
\keyboar.dat
:] %s
:]%d-%d-%d %d:%d:%d
Applications\iexplore.exe\shell\open\command
Windows Windows7/Vista/2008
Windows 2003
Windows XP
Windows 2000
Windows NT
kxetray.exe
egui.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
KSafeTray.exe
360tray.exe
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
:%dMB
:%dGB
.DEFAULT\Keyboard Layout\Toggle
Hotkey
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
C:\3389.bat
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d
c:\3389.bat
gdt = x
idt = x
%System%\ctfmon1.exe
%Documents and Settings%\All Users\
\Ball.exe
%WinDir%\Ball.exe
hXXp://
ws2_32.dll
%WinDir%\temp\svchost.exe
%WinDir%\temp\zk.exe
%-25s %-15s 0x%x(%d)
%-25s %-15s %s
\cmd.exe
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
Mozilla/4.0 (compatible)
hXXps://
ddd
c:\windows\temp\svchost.exe
%WinDir%\TEMP\svchost.exe
c:\windows\temp\svchost.txt
URLDownloadToFileA
urlmon.dll
Shell32.dll
%System%\GroupPolicy\user\Scripts\scripts.ini
0CmdLine=C:\windows\temp\svchost.exe
%System%\GroupPolicy\user\Scripts\script.ini
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
%System%\GroupPolicy\gpt.ini
%System%\GroupPolicy\user\Scripts\Shutdown
%System%\GroupPolicy\user\Scripts\Startu
%System%\GroupPolicy\user\Scripts
%System%\GroupPolicy\user
%System%\GroupPolicy
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe
Rstray.exe
%s\SysTEM32\sysedit.exe
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
explorer.exe
1.1.4
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe
[201412215920]
201412215920
server.exe_1180_rwx_00423000_00001000:
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
server.exe_1180_rwx_00428000_00002000:
%s//%s
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
RasDialParams!%s#0
%s\%s
%s\shell\open\comman
%s\*.*
%s%s%s
%s%s*.*
a %s %s
a -r %s %s
rar.exe
x %s %s
SYSTEM\CurrentControlSet\Services\%s
Http/1.1 403 Forbidden
\keyboar.dat
:] %s
:]%d-%d-%d %d:%d:%d
Applications\iexplore.exe\shell\open\command
Windows Windows7/Vista/2008
Windows 2003
Windows XP
Windows 2000
Windows NT
kxetray.exe
egui.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
KSafeTray.exe
360tray.exe
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
:%dMB
:%dGB
.DEFAULT\Keyboard Layout\Toggle
Hotkey
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
C:\3389.bat
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d
c:\3389.bat
gdt = x
idt = x
%System%\ctfmon1.exe
%Documents and Settings%\All Users\
\Ball.exe
%WinDir%\Ball.exe
hXXp://
ws2_32.dll
KERNEL32.dll
%WinDir%\temp\svchost.exe
%WinDir%\temp\zk.exe
%-25s %-15s 0x%x(%d)
%-25s %-15s %s
\cmd.exe
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
Mozilla/4.0 (compatible)
hXXps://
ddd
c:\windows\temp\svchost.exe
%WinDir%\TEMP\svchost.exe
c:\windows\temp\svchost.txt
URLDownloadToFileA
urlmon.dll
Shell32.dll
%System%\GroupPolicy\user\Scripts\scripts.ini
0CmdLine=C:\windows\temp\svchost.exe
%System%\GroupPolicy\user\Scripts\script.ini
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
%System%\GroupPolicy\gpt.ini
%System%\GroupPolicy\user\Scripts\Shutdown
%System%\GroupPolicy\user\Scripts\Startu
%System%\GroupPolicy\user\Scripts
%System%\GroupPolicy\user
%System%\GroupPolicy
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe
Rstray.exe
%s\SysTEM32\sysedit.exe
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
explorer.exe
1.1.4
server.exe_1180_rwx_0042D000_00005000:
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe
¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe_636:
.text
.rdata
@.data
.rsrc
@.text
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
ole32.dll
kernel32.dll
GdiPlus.dll
wininet.dll
user32.dll
OLEACC.DLL
gdiplus.dll
gdi32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
MySQL
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
flash.ocx.......
dbghelp.dll
loljdhurs.dll
hacker.map
114.215.104.9
','1', '
hXXp://connect.qq.com/toc/auth_manager?from=auth
hXXp://connect.qq.com/intro/login
hXXp://114.215.104.9/fz/lol/3.txt
" id="W5M0MpCehiHzreSzNTczkc9d"?>
R%U~
^Hz%S~
:n%D'l:W
A2V.Uq
%,.jc
%s40B
v"(.qF
T.VEb
W.YUb
( .yv
F5.la
pt$%ud"u
%DTny
Y?.GG8
d@7.CI
.Dg.F`MF`f!
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
5
" id="W5M0MpCehiHzreSzNTczkc9d"?>
HwEb9
" id="W5M0MpCehiHzreSzNTczkc9d"?>
b\V.DM
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
"2&*:*.
&;%.C-6K
&6-&.9
uiUDPzV
W.Hi.
{x(>%f
0.kRP
._%fv
j,^.Ll}
X\K".luM
-,2rV.bU
'%CZGpBq
.ei^KHf
!}f%.GzTK;
|H%Cs~Dw
1.eP6
%cr&kR
17.Go
Hq%XX!
.tk;1
/%s@Z
2C.Re
V`U.CgDI
.pfeF
p!mh
P.hK\a
_%X^E
424235235
mysqlpassword
103.242.1.19
hXXp://114.215.104.9/lol/1.gif
hXXp://114.215.104.9/lol/2.gif
hXXp://114.215.104.9/lol/3.gif
hXXp://114.215.104.9/lol/4.gif
hXXp://114.215.104.9/lol/5.gif
hXXp://114.215.104.9/lol/6.gif
hXXp://114.215.104.9/lol/7.gif
hXXp://114.215.104.9/lol/8.gif
hXXp://114.215.104.9/lol/9.gif
hXXp://114.215.104.9/lol/10.gif
hXXp://lol.qq.com/download.shtml
hXXp://id.qq.com/index.html
hXXp://user.qzone.qq.com
tabIndex=1 onclick=Nav.logout(); href="javascript:void(0);" target=page>[
&encrytype=0&devtype=0&keytpye=0&uin=
hXXp://ptlogin2.qq.com/getface?appid=21000124&imgtype=
info_banner_nick
hXXp://user.qzone.qq.com/
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
\TCLS\config\LoginQ.dat
LoginUserRecord
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=1006102&daid=1&style=23&hide_border=1&proxy_url=http://id.qq.com/login/proxy.html&s_url=hXXp://id.qq.com/index.html
\Air\preferences\*.*
.properties
\TCLS\Client.exe
LolClient.exe
hXXp://114.215.104.9/fz/lol/a.txt
hXXp://114.215.104.9/fz/lol/b.txt
hXXp://114.215.104.9/fz/lol/c.txt
hXXp://114.215.104.9/fz/lol/d.txt
hXXp://114.215.104.9/fz/lol/e.txt
hXXp://114.215.104.9/fz/lol/1.txt
hXXp://114.215.104.9/fz/lol/2.txt
hXXp://114.215.104.9/fz/lol/wangzhan/ltan.txt
hXXp://connect.qq.com/manage
hXXp://114.215.104.9/fz/lol/wangzhan/wzs.txt
1662768861
hXXp://114.215.104.9/fz/lol/wangzhan/wz.txt
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
?A.nL
" id="W5M0MpCehiHzreSzNTczkc9d"?>
K%CS{z8'
.vW1@
G:l.zl/
}iÜ
ei%f
3}%DKU4
4.IM!
.XG\@G
VQc6.IR
2.Mq)9
{hg_.GB6
.HeZ`yxm
%z.Pt
aR.Ot|7
" id="W5M0MpCehiHzreSzNTczkc9d"?>
.VBUj
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
0U.Qe
%D!&'
Co.Kd
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
,,,---///@@@...:::???
^^^___***[[[
sssHHHbbbaaajjjMMMKKK)))
"""|||(((
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
I.YBh
-PPm}
" id="W5M0MpCehiHzreSzNTczkc9d"?>
.pal"
Adobe Photoshop CS4 (11.0x20071101 [20071101.m.190 2007/11/01:02:00:00 cutoff; m branch]) Windows
2011:11:10 12:10:51
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
jyM%f"
~.DqC
kA.yR"EC
oTi&.
-(00(5"!'
&& 4' ."-2
##&,$'-"$(#%)
") $ !%,
# $*$(.(,2"$'$&)247
"& #'#&*,/3 .2
#(&*/' 0)-2
!$#&)$'*%( ,/2#%'
!##&(%(*'*,( -,/1 .0
467 %'( ,),-045
"' #(#&
# #&$'*#%'
!!&)%*-!%'#'),./
$&$'(&)*#()$)*
##.22"%%'**&))*--
%>UZ{DRn%6X
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
(7),01444
'9=82<.342>
G%5xI
VVV.fuzhu999.com
2/ $3$'.
37 *,/ $.
~27/!%
"% #*%&1 #
BD7%XDAqVQ]B>T;8L64D0/
!' #& "!
!( #)!$$ )'
") ") "*!$*!$& !
464\^\|~|
|~|
D-w.yD!
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
portuguese-brazilian
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
MSVFW32.dll
AVIFIL32.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
SetNamedPipeHandleState
WaitNamedPipeA
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
USER32.dll
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetOpenUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
hXXp://VVV.baidu.com
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
-1-1 0:0:0
2000-1-1
(*.htm;*.html)|*.htm;*.html
its:%s::%s
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
PIPE
ssl-cert
ssl-key
pipe
password
port
MYSQL
\\%s\pipe\%s
Unknown option to protocol: %s
d:t:o,/tmp/client.trace
MYSQL_PWD
Windows_NT
MYSQL_UNIX_PORT
MYSQL_TCP_PORT
mysql
Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)
Can't open shared memory. %s event don't create for client (%lu)
Using unsupported buffer type: %d (parameter: %d)
Can't send long data for non string or binary data types (parameter: %d)
Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)
Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)
Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)
%-.100s via named pipe
Lost connection to MySQL server during query
%-.100s via TCP/IP
MySQL client run out of memory
Protocol mismatch. Server Version = %d Client Version = %d
MySQL server has gone away
Unknown MySQL Server Host '%-.100s' (%d)
Can't create TCP/IP socket (%d)
Can't connect to MySQL server on '%-.100s' (%d)
Can't connect to local MySQL server through socket '%-.100s' (%d)
Can't create UNIX socket (%d)
Unknown MySQL error
TCP/IP (%d)
socket (%d)
named pipe
%s would have been started with the following arguments:
error: Found option without preceding group in config file: %s at line: %d
error: Wrong group definition in config file: %s at line %d
C:/mysql/
Index.xml
127.0.0.1
Software\MySQL
HAVE_TCPIP
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Can't initialize threads: error %d
Can't sync file '%s' to disk (Errcode: %d)
Error on realpath() on '%s' (Error %d)
Can't create symlink '%s' pointing at '%s' (Error %d)
Can't read value for symlink '%s' (Error %d)
Out of resources when opening file '%s' (Errcode: %d)
Character set '%s' is not a compiled character set and is not specified in the '%s' file
Can't create directory '%s' (Errcode: %d)
Disk is full writing '%s'. Waiting for someone to free space...
%d files and %d streams is left open
Warning: '%s' had %d links
Can't change dir to '%s' (Errcode: %d)
Can't get working dirctory (Errcode: %d)
Can't open stream from handle (Errcode: %d)
Can't change size of file (Errcode: %d)
Can't get stat of '%s' (Errcode: %d)
Can't read dir of '%s' (Errcode: %d)
Can't unlock file (Errcode: %d)
Can't lock file (Errcode: %d)
Unexpected eof found when reading file '%s' (Errcode: %d)
Error on rename of '%s' to '%s' (Errcode: %d)
Error on delete of '%s' (Errcode: %d)
Out of memory (Needed %u bytes)
Error on close of '%s' (Errcode: %d)
Error writing file '%s' (Errcode: %d)
Error reading file '%s' (Errcode: %d)
Can't create/write to file '%s' (Errcode: %d)
File '%s' not found (Errcode: %d)
charsets.charset.collation.map
charsets.charset.collation.flag
charsets.charset.collation.order
charsets.charset.collation.id
charsets.charset.collation.name
charsets.charset.collation
charsets.charset.unicode.map
charsets.charset.unicode
charsets.charset.lower.map
charsets.charset.lower
charsets.charset.upper.map
charsets.charset.upper
charsets.charset.ctype.map
charsets.charset.ctype
charsets.charset.alias
charsets.charset.description
charsets.charset.family
charsets.charset.name
charsets.charset.binary-id
charsets.charset.primary-id
charsets.charset
charsets.max-id
xml.encoding
xml.version
1.1.4
%,%$%4%
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe
s4s/s)s%s>sNsOs
!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&
2&3&4&5&6&7&8&
!(,("(-(
!,!5!6!
!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%
g9H5_DF>L!9yMGE~8
%Sv0$S
|T)>~T%C
8]7]:]=5
.Dh26a
Z6%d#d
ReXeQe
uewexe
6*6 8*8 5*5 :*: ;*; =*=
/"2"6"5"
21314151
'2(2)2*2 2
-6.6/6061626
.7/70717
[7\7]7^7
=8>8?8@8
19293949
%;&;';(;
%>&>'>(>
=>>>?>@>
[@\@]@^@
"U#U$U%U
8[9[:[;[[
&\'\(\)\
~\!]"]#]
/]0]1]2]
4]5]6]7]8]
|_}_~_!`
&`'`(`)`
2`3`4`5`
WeXe
vewexe
$f%f&f
@mAmBmCmDm
S%S'S(S)S S,S-S0S2S5SSBSLSKSYS[SaScSeSlSmSrSyS~S
d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d
.AK.)
.uGvG
/%S67
-<.gig>
I.pKqK
J.AeRtH49
U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU
?q.SM!@
$R&ß
C.JMH
-)./...6. .
E~ExE|E{E
&t.KIx
"*0QIs%u1
)Q.GN
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX
S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S
U!U%U&U
X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X
_!_"_#_$_
%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d
"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e
2!2"2#2$2%2&2'2(2)2
"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%
1 1!1"1#1$1%1&1'1(1)1
!0"0#0$0%0&0'0(0)0
% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%
W%f?i
e.lFO
}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}
urlsS
~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~
u%urrGS
]']&].]$]
s"s9s%s,s8s1sPsMsWs`slsos~s
x
{.{1{ {%{${3{>{
!!"!#!(!
4!5!6!7!8!9!:!;!>!?!
~!2!3!
.VZN'Uu:&7V@
%FxG=R
~e%fWM
rP.BPb
C^%X*?M[lRzF*E
(m|P%c
NN"L.PSD25X^uU7
.QqP8j9j:j5:
%CxF-kJD
(d.deB
3G,===%d
&8.pB1
mS.Xk@
tq.RG^JK
B]HC
yTDI.SS8`3
t6ZeXeYe@5
*M%u#u4=(u
"*")"'"("
%d&`&a&e&g&c&
%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%
[!\!]!^!
mQ.bx
{ | }9},
d6exe9j
]%sOu
m.t.zB}
w%xIyWy
%f?iCt
#$%&'()* ,
!"#$%&'()* ,-./0123456789:;?@
%
%q%r%s%
`!`'`)` `
e%f-f f'f/f
%x-x x
~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
c{cichczc]eVeQeYeWe_UOeXeUeTe
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
a.bidodyd
duewexe
]!^"^#^ ^$^
t.uGuHu
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
{1{ {-{/{2{8{
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
kCpDpJpHpIpEpFp
3: %s unexpected (ident or '/' wanted)
5: %s unexpected ('>' wanted)
6: %s unexpected ('?' wanted)
4: %s unexpected (ident or string wanted)
1: %s unexpected (ident wanted)
'%s>' unexpected ('%s>' wanted)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.1
¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe_636_rwx_00401000_000EA000:
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe