Gen.Variant.Graftor.Elzob.84_5b0348707a – Adaware

Trojan-Dropper.Win32.Injector.jksa (Kaspersky), Gen:Variant.Graftor.Elzob.84 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.84 (AdAware), GenericEmailWorm.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5b0348707a150821aaf29801d98ac60f

SHA1: 040a6a4247ee17fa7b8281caec76262e51138947

SHA256: 748f27ab38313af3423fca9997e41f45ff6a05aa20fbc7dab500727ffe573d96

SSDeep: 49152:Ec//////ZTIeezIl KqykWJQ2aM2zLoOVxkUAP30dIUmwiGECOIr2G2XP49ajkbP:Ec////// 1K6WJozLXn 30d7f25P4IjA

Size: 2692608 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6

Company: APPS installer

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

ksbinstaller_66_82685.exe:984
%original file name%.exe:1264
KNBCenter.exe:1240
regsvr32.exe:1536
liebao.exe:1780
liebao.exe:516
down_s_66_82685.exe:1988
ping.exe:972
wuauclt.exe:924
tencentdl.exe:1932
netsh.exe:320
Tencentdl.exe:848
0liebao.exe:1948
knbcenter.exe:2036
knbcenter.exe:916
reg.exe:1976
reg.exe:708
skinupdater.exe:348

The Trojan injects its code into the following process(es):

ÃƒÆ’Ã…Â ÃƒÆ’Ã¢â‚¬â€œÃƒâ€šÃ‚Â»ÃƒÆ’Ã‚ÂºÃƒâ€šÃ‚ÂºÃƒÆ’Ã‚Â¤ÃƒÆ’Ã¢â‚¬Â¢Ãƒâ€šÃ‚Â¨Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Âº.exe:652

File activity

The process ksbinstaller_66_82685.exe:984 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ©Ã…â€œÃ‚Â¸ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¥Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¥Ã‚Â¤Ã‚Â§ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¤Ã‚Â¿Ã‚Â®ÃƒÂ¥Ã‚Â¤Ã‚ÂÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (748 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
%System%\drivers\ksapi.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (634 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
%Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ©Ã…â€œÃ‚Â¸ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¥Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¥Ã‚Â¤Ã‚Â§ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
%Program Files%\liebao\liebao.exe (11518 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (632 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
%System%\drivers\KNBDrv64.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
%Program Files%\liebao\test_access (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (652 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (0 bytes)
%Program Files%\liebao\2014522163323984_1 (0 bytes)
%Program Files%\liebao\test_access (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (0 bytes)
%Program Files%\liebao\4.5.34.6725 (0 bytes)

The process %original file name%.exe:1264 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ÃƒÆ’Ã…Â ÃƒÆ’Ã¢â‚¬â€œÃƒâ€šÃ‚Â»ÃƒÆ’Ã‚ÂºÃƒâ€šÃ‚ÂºÃƒÆ’Ã‚Â¤ÃƒÆ’Ã¢â‚¬Â¢Ãƒâ€šÃ‚Â¨Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Âº.exe (12288 bytes)

The process KNBCenter.exe:1240 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
%Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
%System%\drivers\knbdrv.sys (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (0 bytes)

The process liebao.exe:1780 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (32 bytes)

The process liebao.exe:516 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT~RFab99b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State~RFab97b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000003.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOCK (0 bytes)

The process down_s_66_82685.exe:1988 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (0 bytes)

The process wuauclt.exe:924 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The process Tencentdl.exe:848 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)

The process 0liebao.exe:1948 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (0 bytes)

Registry activity

The process ksbinstaller_66_82685.exe:984 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\liebao]
"Report" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayVersion" = "4.5.34.6725"

[HKCU\Software\Kingsoft\KBROWSER]
"Report" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\liebao]
"Install Path Dir" = "%Program Files%\liebao"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"UninstallString" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\liebao]
"ver" = "4.5.34.6725"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\liebao\Coop]
"PreOEM" = "h_home"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\liebao]
"SPID" = "82685"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Kingsoft\KBROWSER]
"InstallTime" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayIcon" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"

[HKLM\SOFTWARE\liebao\Coop]
"oem" = "h_home"

[HKLM\SOFTWARE\liebao]
"PID" = "66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\knbcenter.exe"

[HKLM\SOFTWARE\liebao]
"hid" = "a8a67a25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\liebao]
"InstallTime" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1B BE EF 3F 2B 30 3A 4A 78 B8 A0 78 B6 03 8F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"Publisher" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â·Ã‚Â¥ÃƒÂ¤Ã‚Â½Ã…â€œÃƒÂ¥Ã‚Â®Ã‚Â¤"
"DisplayName" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\liebao]
"old_def_browser" = "%Program Files%\Internet Explorer\iexplore.exe -nohome"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\liebao\Coop]
"OEMName" = "h_home"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"URLInfoAbout" = "http://www.ijinshan.com"

The process %original file name%.exe:1264 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 12 33 7A 7B 09 F9 70 73 8A 1F 01 0C 7D 7E 12"

The process KNBCenter.exe:1240 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA AD 6F 16 BF 2C A4 6E E6 5C D7 8C 78 F0 97 2A"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"DisplayName" = "KNBDrv"

[HKCU\Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}]
"svrid" = "l99zivdyl8kcx8rr2ed8snx5acet"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\liebao]
"AppDataPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Kingsoft\KBROWSER]
"vtime" = "1400765614"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Type" = "1"

[HKLM\SOFTWARE\liebao]
"ProgramPath" = "%Program Files%\liebao\4.5.34.6725\"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ImagePath" = "\??\%System%\drivers\KNBDrv.sys"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Start" = "3"

The process regsvr32.exe:1536 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D6 D7 EF 3E E1 02 A0 BA 23 2F D6 7E A6 42 D4"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\DownloadProxyPS.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process liebao.exe:1780 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 20 3E E7 F7 95 81 37 6F 11 C2 C7 B4 E0 9F 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process liebao.exe:516 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCR\ftp\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\.htm]
"(Default)" = "Liebao.HTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"

[HKCU\Software\Classes\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCU\Software\Classes\Liebao.URL]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Classes\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"
".shtml" = "Liebao.HTML"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""

[HKCR\file\shell]
"(Default)" = "open"

[HKCR\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\Liebao.HTML]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"
"https" = "Liebao.URL"

[HKCU\Software\Classes\http\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\.html]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "Liebao.HTML"

[HKCR\https\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\Liebao.HTML]
"(Default)" = "Liebao HTML Document"

[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\.html]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\HTTP\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\.shtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\Liebao.HTML]
"URL Protocol" = ""

[HKCR\Liebao.URL]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.URL\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"

[HKCR\.htm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.xhtml]
"(Default)" = "Liebao.HTML"

[HKCR\htmlfile\shell]
"(Default)" = "open"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\.mht]
"(Default)" = "Liebao.HTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 55 60 41 78 CC 8B 9B EE 7C ED A9 71 E0 2E EE"

[HKCU\Software\Classes\file\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"

[HKCU\Software\Classes\.mhtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\https\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"

[HKCR\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"https" = "Liebao.URL"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.shtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\mhtmlfile\shell]
"(Default)" = "open"

[HKCR\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\.mhtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\InternetShortcut\shell]
"(Default)" = "open"

[HKCU\Software\Classes\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¦Ã‹Å“Ã‚Â¯ÃƒÂ§Ã¢â‚¬ÂÃ‚Â±ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬ËœÃƒÂ¥Ã‚Â±Ã‚Â±ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ¥Ã…Â½Ã¢â‚¬Â ÃƒÂ¦Ã¢â‚¬â€Ã‚Â¶ÃƒÂ¥Ã‚ÂÃ…Â ÃƒÂ¥Ã‚Â¹Ã‚Â´ÃƒÂ¥Ã‚Â¤Ã…Â¡ÃƒÂ¥Ã‚Â¼Ã¢â€šÂ¬ÃƒÂ¥Ã‚ÂÃ¢â‚¬ËœÃƒÂ£Ã¢â€šÂ¬Ã‚ÂÃƒÂ¦Ã…Â½Ã‚Â¨ÃƒÂ¥Ã¢â‚¬Â¡Ã‚ÂºÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¤Ã‚Â¸Ã‚Â»ÃƒÂ¦Ã¢â‚¬Â°Ã¢â‚¬Å“ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¤Ã‚Â¸Ã…Â½ÃƒÂ¦Ã…Â¾Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ§Ã¢â‚¬Â°Ã‚Â¹ÃƒÂ¦Ã¢â€šÂ¬Ã‚Â§ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ§Ã¢â‚¬Â¢Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â‚¬Å¡Ã‚Â«ÃƒÂ©Ã¢â‚¬Â¦Ã‚Â·ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨TridentÃƒÂ¥Ã¢â‚¬â„¢Ã…â€™WebKitÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ¦Ã‚Â¸Ã‚Â²ÃƒÂ¦Ã…Â¸Ã¢â‚¬Å“ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¹Ã‚Â¶ÃƒÂ¦Ã¢â‚¬Â¢Ã‚Â´ÃƒÂ¥Ã‚ÂÃ‹â€ ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬ËœÃƒÂ¥Ã‚Â±Ã‚Â±ÃƒÂ¨Ã¢â‚¬Â¡Ã‚ÂªÃƒÂ¥Ã‚Â®Ã‚Â¶ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾BIPSÃƒÂ¨Ã‚Â¿Ã¢â‚¬ÂºÃƒÂ¨Ã‚Â¡Ã…â€™ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ©Ã‹Å“Ã‚Â²ÃƒÂ¦Ã…Â Ã‚Â¤ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¥Ã‚Â¯Ã‚Â¹ChromeÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾WebkitÃƒÂ¥Ã¢â‚¬Â Ã¢â‚¬Â¦ÃƒÂ¦Ã‚Â Ã‚Â¸ÃƒÂ¨Ã‚Â¿Ã¢â‚¬ÂºÃƒÂ¨Ã‚Â¡Ã…â€™ÃƒÂ¤Ã‚ÂºÃ¢â‚¬Â ÃƒÂ¨Ã‚Â¶Ã¢â‚¬Â¦ÃƒÂ¨Ã‚Â¿Ã¢â‚¬Â¡100ÃƒÂ©Ã‚Â¡Ã‚Â¹ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ‚Â¯ÃƒÂ¤Ã‚Â¼Ã‹Å“ÃƒÂ¥Ã…â€™Ã¢â‚¬â€œÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¤Ã‚Â½Ã‚Â¿ÃƒÂ¨Ã‚Â®Ã‚Â¿ÃƒÂ©Ã¢â‚¬â€Ã‚Â®ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¶ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â·ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã‚Â¦Ã¢â‚¬â€œÃƒÂ¥Ã‹â€ Ã¢â‚¬ÂºÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã¢â€žÂ¢Ã‚ÂºÃƒÂ¨Ã†â€™Ã‚Â½ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â¡ÃƒÂ¦Ã‚ÂÃ‚Â¢ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã…Â Ã‚Â¨ÃƒÂ¦Ã¢â€šÂ¬Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã¢â‚¬Â°ÃƒÂ¦Ã¢â‚¬Â¹Ã‚Â©ÃƒÂ¥Ã¢â‚¬Â Ã¢â‚¬Â¦ÃƒÂ¦Ã‚Â Ã‚Â¸ÃƒÂ¥Ã…â€™Ã‚Â¹ÃƒÂ©Ã¢â‚¬Â¦Ã‚ÂÃƒÂ¤Ã‚Â¸Ã‚ÂÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¹Ã‚Â¶ÃƒÂ¤Ã‚Â¸Ã¢â‚¬ÂÃƒÂ¥Ã‚Â®Ã…â€™ÃƒÂ§Ã‚Â¾Ã…Â½ÃƒÂ¦Ã¢â‚¬ÂÃ‚Â¯ÃƒÂ¦Ã…â€™Ã‚ÂHTML5ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ¥Ã¢â‚¬ÂºÃ‚Â½ÃƒÂ©Ã¢â€žÂ¢Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ¦Ã‚Â Ã¢â‚¬Â¡ÃƒÂ¥Ã¢â‚¬Â¡Ã¢â‚¬Â ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ¦Ã…Â¾Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ¦Ã¢â‚¬â€Ã‚Â¶ÃƒÂ¤Ã‚Â¹Ã…Â¸ÃƒÂ¥Ã¢â‚¬Â¦Ã¢â‚¬Â¦ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â ÃƒÂ¤Ã‚Â¿Ã‚ÂÃƒÂ¨Ã‚Â¯Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¼ÃƒÂ¥Ã‚Â®Ã‚Â¹ÃƒÂ¦Ã¢â€šÂ¬Ã‚Â§ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡"

[HKCR\https\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\Liebao.URL\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCR\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"

[HKCU\Software\Classes\.shtml]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP]
"URL Protocol" = ""

[HKCR\.mhtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¦Ã‹Å“Ã‚Â¯ÃƒÂ§Ã¢â‚¬ÂÃ‚Â±ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬ËœÃƒÂ¥Ã‚Â±Ã‚Â±ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ¥Ã…Â½Ã¢â‚¬Â ÃƒÂ¦Ã¢â‚¬â€Ã‚Â¶ÃƒÂ¥Ã‚ÂÃ…Â ÃƒÂ¥Ã‚Â¹Ã‚Â´ÃƒÂ¥Ã‚Â¤Ã…Â¡ÃƒÂ¥Ã‚Â¼Ã¢â€šÂ¬ÃƒÂ¥Ã‚ÂÃ¢â‚¬ËœÃƒÂ£Ã¢â€šÂ¬Ã‚ÂÃƒÂ¦Ã…Â½Ã‚Â¨ÃƒÂ¥Ã¢â‚¬Â¡Ã‚ÂºÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¤Ã‚Â¸Ã‚Â»ÃƒÂ¦Ã¢â‚¬Â°Ã¢â‚¬Å“ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¤Ã‚Â¸Ã…Â½ÃƒÂ¦Ã…Â¾Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ§Ã¢â‚¬Â°Ã‚Â¹ÃƒÂ¦Ã¢â€šÂ¬Ã‚Â§ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ§Ã¢â‚¬Â¢Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â‚¬Å¡Ã‚Â«ÃƒÂ©Ã¢â‚¬Â¦Ã‚Â·ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨TridentÃƒÂ¥Ã¢â‚¬â„¢Ã…â€™WebKitÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ¦Ã‚Â¸Ã‚Â²ÃƒÂ¦Ã…Â¸Ã¢â‚¬Å“ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¹Ã‚Â¶ÃƒÂ¦Ã¢â‚¬Â¢Ã‚Â´ÃƒÂ¥Ã‚ÂÃ‹â€ ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬ËœÃƒÂ¥Ã‚Â±Ã‚Â±ÃƒÂ¨Ã¢â‚¬Â¡Ã‚ÂªÃƒÂ¥Ã‚Â®Ã‚Â¶ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾BIPSÃƒÂ¨Ã‚Â¿Ã¢â‚¬ÂºÃƒÂ¨Ã‚Â¡Ã…â€™ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ©Ã‹Å“Ã‚Â²ÃƒÂ¦Ã…Â Ã‚Â¤ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¥Ã‚Â¯Ã‚Â¹ChromeÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾WebkitÃƒÂ¥Ã¢â‚¬Â Ã¢â‚¬Â¦ÃƒÂ¦Ã‚Â Ã‚Â¸ÃƒÂ¨Ã‚Â¿Ã¢â‚¬ÂºÃƒÂ¨Ã‚Â¡Ã…â€™ÃƒÂ¤Ã‚ÂºÃ¢â‚¬Â ÃƒÂ¨Ã‚Â¶Ã¢â‚¬Â¦ÃƒÂ¨Ã‚Â¿Ã¢â‚¬Â¡100ÃƒÂ©Ã‚Â¡Ã‚Â¹ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ‚Â¯ÃƒÂ¤Ã‚Â¼Ã‹Å“ÃƒÂ¥Ã…â€™Ã¢â‚¬â€œÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¤Ã‚Â½Ã‚Â¿ÃƒÂ¨Ã‚Â®Ã‚Â¿ÃƒÂ©Ã¢â‚¬â€Ã‚Â®ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¶ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â·ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã‚Â¦Ã¢â‚¬â€œÃƒÂ¥Ã‹â€ Ã¢â‚¬ÂºÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¦Ã¢â€žÂ¢Ã‚ÂºÃƒÂ¨Ã†â€™Ã‚Â½ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â¡ÃƒÂ¦Ã‚ÂÃ‚Â¢ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã…Â Ã‚Â¨ÃƒÂ¦Ã¢â€šÂ¬Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã¢â‚¬Â°ÃƒÂ¦Ã¢â‚¬Â¹Ã‚Â©ÃƒÂ¥Ã¢â‚¬Â Ã¢â‚¬Â¦ÃƒÂ¦Ã‚Â Ã‚Â¸ÃƒÂ¥Ã…â€™Ã‚Â¹ÃƒÂ©Ã¢â‚¬Â¦Ã‚ÂÃƒÂ¤Ã‚Â¸Ã‚ÂÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¹Ã‚Â¶ÃƒÂ¤Ã‚Â¸Ã¢â‚¬ÂÃƒÂ¥Ã‚Â®Ã…â€™ÃƒÂ§Ã‚Â¾Ã…Â½ÃƒÂ¦Ã¢â‚¬ÂÃ‚Â¯ÃƒÂ¦Ã…â€™Ã‚ÂHTML5ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ¥Ã¢â‚¬ÂºÃ‚Â½ÃƒÂ©Ã¢â€žÂ¢Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ¦Ã‚Â Ã¢â‚¬Â¡ÃƒÂ¥Ã¢â‚¬Â¡Ã¢â‚¬Â ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡ÃƒÂ¦Ã…Â¾Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ¦Ã¢â‚¬â€Ã‚Â¶ÃƒÂ¤Ã‚Â¹Ã…Â¸ÃƒÂ¥Ã¢â‚¬Â¦Ã¢â‚¬Â¦ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â ÃƒÂ¤Ã‚Â¿Ã‚ÂÃƒÂ¨Ã‚Â¯Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¼ÃƒÂ¥Ã‚Â®Ã‚Â¹ÃƒÂ¦Ã¢â€šÂ¬Ã‚Â§ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡"

[HKCR\.mhtml]
"(Default)" = "Liebao.HTML"

[HKCR\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"

[HKCR\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\htmlfile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCU\Software\Classes\Liebao.URL]
"URL Protocol" = ""

[HKCU\Software\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\.mht]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"

[HKCR\mhtmlfile\shell]
"(Default)" = "open"

[HKCR\Liebao.URL]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Classes\.shtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.HTML\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".shtml" = "Liebao.HTML"

[HKCU\Software\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"

[HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "liebao.exe"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"

[HKCR\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\Liebao.HTML]
"URL Protocol" = ""

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Classes\https\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\ftp\shell]
"(Default)" = "open"

[HKCR\InternetShortcut\shell]
"(Default)" = "open"

[HKCR\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\https\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\.xht]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"

[HKCR\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "liebao.exe"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\Liebao.HTML\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"

The process down_s_66_82685.exe:1988 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\liebao]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 D9 BF FE 0E 04 BC E1 BC 7C 6C CD 9F 39 6E 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Kingsoft\KBROWSER]
"vtime" = "1400765523"

[HKCR\CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ping.exe:972 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D9 13 7E 78 4F 19 0C 9D 6E 39 7A 0B 14 D6 07"

The process tencentdl.exe:1932 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"(Default)" = "Downloader Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\DownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\DownloadProxy.Downloader.1\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\DownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\VersionIndependentProgID]
"(Default)" = "DownloadProxy.Downloader"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\DownloadProxy.Downloader\CurVer]
"(Default)" = "DownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\ProgID]
"(Default)" = "DownloadProxy.Downloader.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 83 76 56 7D 6B AB BB 78 B0 56 59 90 A3 B3 2A"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\DownloadProxy.Downloader\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process netsh.exe:320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 3F 4A 72 9A DC FA 0A 01 00 1C 3E 3C 8A 6E 11"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:ÃƒÂ¨Ã¢â‚¬Â¦Ã‚Â¾ÃƒÂ¨Ã‚Â®Ã‚Â¯ÃƒÂ¤Ã‚ÂºÃ‚Â§ÃƒÂ¥Ã¢â‚¬Å“Ã‚ÂÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã‚Â»Ã¢â‚¬Å¾ÃƒÂ¤Ã‚Â»Ã‚Â¶"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:ÃƒÂ¨Ã¢â‚¬Â¦Ã‚Â¾ÃƒÂ¨Ã‚Â®Ã‚Â¯ÃƒÂ¤Ã‚ÂºÃ‚Â§ÃƒÂ¥Ã¢â‚¬Å“Ã‚ÂÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã‚Â»Ã¢â‚¬Å¾ÃƒÂ¤Ã‚Â»Ã‚Â¶"

The process ÃƒÆ’Ã…Â ÃƒÆ’Ã¢â‚¬â€œÃƒâ€šÃ‚Â»ÃƒÆ’Ã‚ÂºÃƒâ€šÃ‚ÂºÃƒÆ’Ã‚Â¤ÃƒÆ’Ã¢â‚¬Â¢Ãƒâ€šÃ‚Â¨Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Âº.exe:652 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 28 CD B6 37 93 88 58 0C C4 FB 54 CE C4 7E B1"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The process Tencentdl.exe:848 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 8A 46 BD AD 74 4B 18 7B 8D 9E 0F 64 E3 B4 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\tencent\qqdownload\122]
"Tencentdl.exe" = "ÃƒÂ¨Ã¢â‚¬Â¦Ã‚Â¾ÃƒÂ¨Ã‚Â®Ã‚Â¯ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 0liebao.exe:1948 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 5E 11 0A 94 ED 82 8C 63 55 9A F5 D3 84 B6 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp]
"setup.bat" = "setup"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process knbcenter.exe:2036 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A6 0F C5 90 88 5E B1 BD 69 7A B6 B3 AC 3C BB"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\KNBCenter.exe"

The process knbcenter.exe:916 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 40 9D 2C 07 E4 E8 E4 43 9E CD 86 9F D7 31 A8"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"Description" = "ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¤Ã‚Â¸Ã‚Â»ÃƒÂ¥Ã…Â Ã‚Â¨ÃƒÂ©Ã‹Å“Ã‚Â²ÃƒÂ¥Ã‚Â¾Ã‚Â¡ÃƒÂ¯Ã‚Â¼Ã‹â€ BIPSÃƒÂ¯Ã‚Â¼Ã¢â‚¬Â°ÃƒÂ¥Ã‚ÂÃ…Â ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ§Ã‚Â»Ã¢â‚¬Å¾ÃƒÂ¤Ã‚Â»Ã‚Â¶ÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ¦Ã…â€œÃ‚ÂÃƒÂ¥Ã…Â Ã‚Â¡ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¸Ã‚Â®ÃƒÂ¥Ã…Â Ã‚Â©ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‹â€ Ã‚Â·ÃƒÂ©Ã‹Å“Ã‚Â²ÃƒÂ¥Ã‚Â¾Ã‚Â¡ÃƒÂ¦Ã…â€œÃ¢â€šÂ¬ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ¦Ã…â€œÃ‚Â¨ÃƒÂ©Ã‚Â©Ã‚Â¬ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡"

The process reg.exe:1976 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 5F 5F B3 0D 3F F8 A8 6E B0 5B 81 DC CB 5B 53"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.duba.com/?un_4_413286"

The process reg.exe:708 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C1 6E 85 4B FB D3 D0 94 EE 9F FA 4A 47 37 98"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.duba.com/?un_4_413286"

The process skinupdater.exe:348 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 19 E1 6D DD B4 03 1E 75 C0 04 D6 8C 8B 13 D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5	File path
2aa21c79b5dd2b5152d49f5825c87388	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0liebao.exe
143f817034ae745c8225c424fa944f43	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp\down_s_66_82685.exe
b209163d6c82ef393c15c02ed206bbc4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ÃƒÅ Ãƒâ€“Ã‚Â»ÃƒÂºÃ‚ÂºÃƒÂ¤Ãƒâ€¢Ã‚Â¨Ã‚Â»ÃƒÂº.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\KNBDrv.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
ksbinstaller_66_82685.exe:984
%original file name%.exe:1264
KNBCenter.exe:1240
regsvr32.exe:1536
liebao.exe:1780
liebao.exe:516
down_s_66_82685.exe:1988
ping.exe:972
wuauclt.exe:924
tencentdl.exe:1932
netsh.exe:320
Tencentdl.exe:848
0liebao.exe:1948
knbcenter.exe:2036
knbcenter.exe:916
reg.exe:1976
reg.exe:708
skinupdater.exe:348
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ©Ã…â€œÃ‚Â¸ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¥Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¥Ã‚Â¤Ã‚Â§ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¤Ã‚Â¿Ã‚Â®ÃƒÂ¥Ã‚Â¤Ã‚ÂÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (748 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
%System%\drivers\ksapi.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (634 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
%Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ©Ã…â€œÃ‚Â¸ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¥Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¥Ã‚Â¤Ã‚Â§ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
%Program Files%\liebao\liebao.exe (11518 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (632 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
%System%\drivers\KNBDrv64.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
%Program Files%\liebao\test_access (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ§Ã…â€™Ã…Â½ÃƒÂ¨Ã‚Â±Ã‚Â¹ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (652 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ÃƒÆ’Ã…Â ÃƒÆ’Ã¢â‚¬â€œÃƒâ€šÃ‚Â»ÃƒÆ’Ã‚ÂºÃƒâ€šÃ‚ÂºÃƒÆ’Ã‚Â¤ÃƒÆ’Ã¢â‚¬Â¢Ãƒâ€šÃ‚Â¨Ãƒâ€šÃ‚Â»ÃƒÆ’Ã‚Âº.exe (12288 bytes)
%Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
%Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ????????
Product Name:
Product Version: 1.0.0.0
Legal Copyright: ????? ?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????????????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

Company Name: ????????Product Name: Product Version: 1.0.0.0Legal Copyright: ????? ?????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????????????Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40132	40448	4.51726	4b3aeb2fc3b7b21ea3fdd5ad16a9ddf5
DATA	45056	15632	15872	5.26127	1fb0fcf0a8c302fd1e7df6150f434d7e
BSS	61440	1825	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	65536	1730	2048	2.91217	9e9581a6aeb1c6de49e8280941f8bb34
.tls	69632	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	73728	24	512	0.142404	996c4942e3a4d2795a22f3ace698d094
.reloc	77824	1792	2048	4.24404	d645c969d7346a611453d5e9e94c66f4
.rsrc	81920	2630444	2630656	5.53486	0aaa3ad251a10f1f12ad7ae8e034fabc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://lbdata.tj.ijinshan.com/data/	114.112.93.201
hxxp://lbdl.union.ijinshan.com/?pid=66&spid=82685&date=1400765523	114.112.93.101
hxxp://lbdl.union.ijinshan.com/liebao/66_82685.pack	114.112.93.101
hxxp://lbdl.union.ijinshan.com/liebao/66_0.pack	114.112.93.101
hxxp://tf01.dlmix.glb0.lxdns.com/liebao/pack/ksbInstaller_6725_66_0.pack
hxxp://d.union.ijinshan.com/liebao/pack/ksbInstaller_6725_66_0.pack	8.37.234.15

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1

Range: bytes=11728801-

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: d.union.ijinshan.com

HTTP/1.0 206 Partial Content

Date: Thu, 22 May 2014 13:32:05 GMT

Server: Tengine/1.5.2

Content-Type: application/octet-stream

Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT

Accept-Ranges: bytes

Content-Range: bytes 11728801-46915205/46915206

Content-Length: 35186405

X-Cache: HIT from cache.51cdn.com

Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)

Connection: close

q..../d.N....Wj;8`...h.4Z...]w.=..=.Ibb..'u4.3F..HK.!.s...5...l....y....._=$$...q...#.auK".T...........@......PH.Obp..V;...D..W.O$a..?O>..`-.K..F ....pg..E..9$..(..!@.T.u.....v...|hS...ww....f....2.v1.4x.-.2..R.un......K@.(....F0.......I..&....g.X ..]..F...M.\..S..QR.K.!...F..r.<(..Q.y^.......wK..P.^...Q.L...n4.....mfT......p.]um.9.|..m..".......,..S.o...=..Z.......%...H.'.Ss.h.....}._&40.7...8.A.2sj.......pH._X....E .....x...D.......n.....T.y.}.....D.G....Y..QY.X..B..v.N)'/.2I.........]C.i8.......~..A...KKY.]x......~K..1".?...`}?.....mu.i...,..kz3.%...Hs16....f.L:...N.g@...wd...o............$MM<..C.4 .d.S.......r.`=D.`..u..$!.OwL..l....$.09F.ko7..|G......m..(}..6q.0:%.."...W.....-.%w...8......F..X....&uA...zg)n......Y.=..M%. .....M.V~.......s.b..........r..9l...$..F.t0.pnW...*..N..3..B..3P.P...w.JL...z.7..l.QV..I1?....h....Ob1.eS..[...`.....z .d&......P8u....h.N.En.S........34.Q..F..m...FsTq_.t~.-.j......dEk....g..sa/.%_..:}_...17t..>.....0.......T....X.TG:........x.k..h.w..x.J..2.8#.a.....e@3..NzE.A...0..F3#Y..c..CD..;=Z.....4. ..3] qg...xdo.X....U...G.yD..y..b...u.........X.#...u../.hL#.1)n...u;....\.fd.u..Jv.2.bP..>...n<..j...&cx.......&zJ...f.?k.dz......n`.%..#...y.k.....M....b.....O.E..e#..jd..-.0Z V..a 4...c.L..O..DC.C.W#H.~p.W....*.R..E.5...j#>Vt.....C.%v}...H.S...U.6piM)..DB.....f.....hg.f$.....e..U.|._x...Yn....`JB.Q.M~.@04Ot`ns...ue.TE\.R.. .].........:.QF|...S2.......5I.6....@.c[..Hk.....g..'...*...(C{A.R...G.w.9..\...`O...i.....9P.......#.S....3<2.M^.....a.... >.x=.....}.

<<< skipped >>>

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1

Range: bytes=35186403-

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: d.union.ijinshan.com

HTTP/1.0 206 Partial Content

Date: Thu, 22 May 2014 13:32:05 GMT

Server: Tengine/1.5.2

Content-Type: application/octet-stream

Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT

Accept-Ranges: bytes

Content-Range: bytes 35186403-46915205/46915206

Content-Length: 11728803

X-Cache: HIT from cache.51cdn.com

Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)

Connection: close

._....M....Z...o\..OBD..CT.s.....n7...;e. .H..m$.._,.......s7..Z..F...Z?../..^42'x.9.3.:.A.T...N...2?u......4...woT...;...~.4..NC.....c..q.i-...3.F.sHGZ.c...q[a..c.....@..u..Z-..".L0C{.5.....,.12.<&v...e.^"....C..po.".LO...9.i.pf.F..4..r7w.9.)....J.8..i.d..;..uA.kup.'"p]..~.'u..$... /].0....@.>..y.ws..k.|..H......G...-E..O9.*.... .V6.%.4....o...&.0"H.{``..<A..}...,.7E.............Q......a...........6.~..R.`\q\m.X=..I...D]..........n....!V.q...Q...bZ...9../.o....L.xT.@BI.)8....,.{... .ea......e....3..:..f&..'..p(.o......\..$..M..........p...h.r......c\#..fj..).....g......)#.?...4(....#...qU.........e...`..O.....4Y..KJ....|................\;..Z..F./.d......Qa.{@v....H.w'.V....8`.-..v.....;)w....q.......EG..'...../.9V...O,....M...%...`66.t.`s..:.ZTr.w.!. .1`#....y..U..<g.Joo.....`)......}e%.h..-{:#.....h..Wo......A8.B.nA....:......M.n...|.U..}....6*O.G..r..E..E{...c.[5O...1Z@....do....;d.~_^..3..ZY.....kT....{..3.....kc...Qj7#..E..Y......=-.zv.b.<...Nr..?.3_.j.[.f..........$..h0.:..(o.....}D...Y'6.E.~.....[....!...T.....".xb..u.m.N.....{So....).T.*.i....?.x,.....9.N..<..2#..]~6.y........w.1...}I:mf?=..Q.......PLJvAB|..X..m...p...u..)...F......... @.....8*......w..EY.....>..W#...W.^...l.R...4..........Aj..'...7>.....f....c.....!..s...h$`.O...b.....l*..b.JK.....\......i...T.V...Y.._c}H...ZRt...;FR?.0N..Z.j..^)Wo...'....O..../..-..p.:}.....{...0.E..r.p.U......K....h.....<.8e#U~..D<...C..|.......k.....a.".U....2)...i/.=.5tf.=g...H`..]o..N.a.>U...w9'&..-.Nw.H5(.W....t[.9P..*Pu.;..e[e..=

<<< skipped >>>

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1

Range: bytes=23457602-

Pragma: no-cache

Cache-Control: no-cache

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: d.union.ijinshan.com

HTTP/1.0 206 Partial Content

Date: Thu, 22 May 2014 13:32:05 GMT

Server: Tengine/1.5.2

Content-Type: application/octet-stream

Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT

Accept-Ranges: bytes

Content-Range: bytes 23457602-46915205/46915206

Content-Length: 23457604

X-Cache: HIT from cache.51cdn.com

Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)

Connection: close

....x...0.`AH..e.,..'...0..Li...d=....;.......l~.$......b...k.EP. .Q,d0.............X.sU.m..4.... GH0..........LO{KF.gP<.......~................{.......rU..\5...@.#a...S0fZ[..ZV'1`=...n.H.P.]P.H.C...l(tVJ.M^.).. .pJC..^....1.4.8UE....l...0.O....W)v...z...`..t.;..z .........".p4OS.E..?..}C..*:T=.\....F*N.h.]....`h.K.?6.A..{..gD.K......Lg/(.d`...pB!..'W......Z."..>.....o..X.H8.....5& y....-.c...k..$.,.U....}yP.d.'.=4q....... !...%.....{4G.2"u.!..3F..n%}._4..k.Zcj....2.._;-.d..7...Q.X..,.&?[..0.....G&...M..,.q&.D.wS........`........D.y..:.PE.v=....$........ hi.?...}.3.....TsFE.5..S..'..j.)............}.jL...*.t.............;|~.K..y.."m.1...;.H....x.4..).. w/...D.~....4M.........D...SY#q.....U.Z...iw.G.i..G.%........k[L...m._.$.Hsd|..........R&...`.^.9..|Xq.\....qn&_Y^..aL.<3..YS./....,P._.=........x..MH......?H<.w*..^....l"}#.B:...c>....t.G.'...3j..D....A...O.x.....=.m..i..z.. b!.....%.D .-Qb...YOd...K....`w9\x8{.........C...Q1....i...T....U./L......A.V.1.1.....:...%E.{.y.7.X..{...lJX.(m.#.ke.......=..K.....b.U...h....6?X..>..t.m..\|^.=......nH......}.q...8...r..D....#pR..l#-..2k......V..&.&.o.....#.T.9.D..n#....xR..9._.8........].03.fi0........x..]c_.^.{...$....Rd.Ps.~..b~C).0.L.......;i2..t..}.fS..>...8..... 7.....9...m..;g-.B?f.^ Gn..u.1}k.P..........N.\...YmMd..y.x..b........q.].. (..r....h.......9.i......."h]z....bc.].A...}......O...._...2b..V..-Up.......j} ..5....>........MVu..]......7...ZO.Dg.r.X.9.T..Nx...\:....%u....w.......Gsd..O........#..a...S..S...#..6..s......F...aPp_.3?..".s.

<<< skipped >>>

POST /data/ HTTP/1.1

Connection: close

Cache-Control: no-cache

User-Agent: liebao

Host: lbdata.tj.ijinshan.com

Content-Length: 177

............A..0..... '.....(..Z..5....p.=..6..k.. ~Q.......x...6.<..K....@KH.!.&.Pt.\..&|.r..[F......b..a..QRr....#.9:...y!4.tU ...^.L..3.u...[m.B............................

HTTP/1.1 200 OK

Server: ngx_openresty/1.4.3.4

Date: Thu, 22 May 2014 13:32:00 GMT

Content-Type: text/plain

Content-Length: 35

Connection: close

[common]..result=1..time=1400765520..

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)

Host: d.union.ijinshan.com

Connection: Close

HTTP/1.0 200 OK

Date: Thu, 22 May 2014 13:32:05 GMT

Server: Tengine/1.5.2

Content-Type: application/octet-stream

Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT

Accept-Ranges: bytes

Content-Length: 46915206

X-Cache: HIT from cache.51cdn.com

Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)

Connection: close

x...}|T..8~.%.M.d.L`..QW..1.....@6D!....DL...u....$V...U......Z_.-Z.<.mQ....`.^......h'.T. ....93w7.......~.;/g...s...3....... .....B... ....y:A....Y.....h..........-Y..................?oi...... .....C...8jT.M.q....7........{.#........};.6 ......>..]k.^.q.......}.../...p....iL.\...w.........F..y.........].......G.)..uiB.......^......._..,...tA.@ ..G..zAH.t,?.......~.#.^(ia........,....Ve..`..f!.m.p..}............g.e...1GE.Q.....F.)..'~..N.....o..L. ......VM\......p..=.{...g...zK&r0aJ.~Vf.."......L.,^&....7.....[.l.. ....F...=Y..........'.l..U..e..p.y?n...@....9..{T.....H...`.........V....C.&/i....2../H..........&.../...l....f.]..!|s.7>...y....9......B..I.......H?O...........On.7.l._..:3.<=*...A...yt./......b.(/....Ov....j.jH.m.......G.@>.......F....yC..B....h..tD..B....=...e..<._...R]yv].i.GK..jpH)....]....M..Jv.rl...cV2o(..5..4 ..8.PWI(R";EG.....bz.J.C.......j<GUW.`.6/......e.....H..=^.r=..e.:Rb.[....sc.]..7....Sg~[..X..6.=].......,7*w.......$..t].A...w...=.y..s}J.:.!..h{.a?.~j.U.I.U.....HK....j.*.i2|MvA.......t.....NGw....n...y]........Q......G..... ..%....o..;I.aoR...%z}..3..{.....E............g...*{H.Vcr}=..|.Py$Q.U..F..Se.Py.;....U5T.#.#j..m9t.l....xmWu`...../Ce...!.........Z:...s...E.L.3r.....rS.9u..U..H.g..jN.....g<...'..L.oB......WUnL.B.xG.iC. .l3...U...3.g.m..`.87..w.e'..-..?.D.:.t..b8uU'....^.;...-6.$..G..k......]..,......N.{...>C.&..#a2.e.....Xn<.3...c..........ez.A..t...oW...._.1T...udAM..lj.u...O....W.j..>... `..>6...=...i.;..'...'G.....<........*..}...dd..2..

<<< skipped >>>

GET /?pid=66&spid=82685&date=1400765523 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )

Host: lbdl.union.ijinshan.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: kws

Date: Thu, 22 May 2014 13:32:02 GMT

Content-Type: text/html

Content-Length: 176

Location: hXXp://lbdl.union.ijinshan.com/liebao/66_82685.pack

Connection: keep-alive

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>kws</center>..</body>..</html>......

GET /liebao/66_82685.pack HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )

Host: lbdl.union.ijinshan.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: kws

Date: Thu, 22 May 2014 13:32:02 GMT

Content-Type: text/html

Content-Length: 176

Location: hXXp://lbdl.union.ijinshan.com/liebao/66_0.pack

Connection: keep-alive

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>kws</center>..</body>..</html>......

GET /liebao/66_0.pack HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )

Host: lbdl.union.ijinshan.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: kws

Date: Thu, 22 May 2014 13:32:02 GMT

Content-Type: text/plain

Content-Length: 131

Last-Modified: Thu, 09 Jan 2014 09:33:51 GMT

Connection: keep-alive

Accept-Ranges: bytes

x.E.A.. .@...W..e0M<@..4d..Rq0..oL........f.i...cO.\......cf.....,.....a.'.KqO..S...Q...N....^...s.B.......&.....0p...q........."5.HTTP/1.1 200 OK..Server: kws..Date: Thu, 22 May 2014 13:32:02 GMT..Content-Type: text/plain..Content-Length: 131..Last-Modified: Thu, 09 Jan 2014 09:33:51 GMT..Connection: keep-alive..Accept-Ranges: bytes..x.E.A.. .@...W..e0M<@..4d..Rq0..oL........f.i...cO.\......cf.....,.....a.'.KqO..S...Q...N....^...s.B.......&.....0p...q........."5...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

cmd.exe_520:

.text

`.data

.rsrc

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

USER32.dll

SetConsoleInputExeNameW

APerformUnaryOperation: '%c'

APerformArithmeticOperation: '%c'

ADVAPI32.dll

SHELL32.dll

MPR.dll

RegEnumKeyW

RegDeleteKeyW

RegCloseKey

RegOpenKeyW

RegCreateKeyExW

RegOpenKeyExW

ShellExecuteExW

CmdBatNotification

GetWindowsDirectoryW

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

_pipe

GetProcessWindowStation

cmd.pdb

CMD Internal Error %s

)(&&())))(&))

)&((&)&))&())

)&((&)&)&()))

)(&&()))&))))

CMD.EXE

()|&=,;"

COPYCMD

\XCOPY.EXE

CMDCMDLINE

WKERNEL32.DLL

Software\Policies\Microsoft\Windows\System

0123456789

cmd.exe

DIRCMD

%d.%d.d

Ungetting: '%s'

DisableCMD

GeToken: (%x) '%s'

%s\Shell\Open\Command

%x %c

*** Unknown type: %x

Args: `%s'

Cmd: %s Type: %x

%s (%s) %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

.exe"

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

CMDEXTVERSION

KEYS

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%s %s

(%s) %s

%s %s%s

&()[]{}^=;!%' ,`~

d%sd%s

-%sd%sd%sd

d%sd%sd

%s=%s

X-X

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS

<> -*/%()|^&=,

\CMD.EXE

Windows Command Processor

5.1.2600.5512 (xpsp.080413-2111)

Cmd.Exe

Windows

Operating System

5.1.2600.5512

Press any key to continue . . . %0

operable program or batch file.

The system cannot execute the specified program.

and press any key when ready. %0

Microsoft Windows XP [Version %1]%0

a pipe operation.

KEYS is on.

KEYS is off.

The process tried to write to a nonexistent pipe.

The switch /Y may be preset in the COPYCMD environment variable.

to prompt on overwrites unless COPY command is being executed from

Switches may be preset in the DIRCMD environment variable. Override

Quits the CMD.EXE program (command interpreter) or the current batch

CMD.EXE. If executed from outside a batch script, it

will quit CMD.EXE

ERRORLEVEL that number. If quitting CMD.EXE, sets the process

Displays or sets a search path for executable files.

Type PATH ; to clear all search-path settings and direct cmd.exe to search

Changes the cmd.exe command prompt.

$B | (pipe)

$V Windows XP version number

Displays, sets, or removes cmd.exe environment variables.

Displays the Windows XP version.

Tells cmd.exe whether to verify that your files are written correctly to a

Records comments (remarks) in a batch file or CONFIG.SYS.

Press any key to continue . . . %0

Directs cmd.exe to a labeled line in a batch program.

NOT Specifies that Windows XP should carry out

will execute the command after the ELSE keyword if the

I The new environment will be the original environment passed

to the cmd.exe and not the current environment.

SEPARATE Start 16-bit Windows program in separate memory space

SHARED Start 16-bit Windows program in shared memory space

If it is an internal cmd command or a batch file then

the command processor is run with the /K switch to cmd.exe.

If it is not an internal cmd command or batch file then

parameters These are the parameters passed to the command/program

under Windows XP.

Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]

/D Disable execution of AutoRun commands from registry (see below)

/A Causes the output of internal commands to a pipe or file to be ANSI

/U Causes the output of internal commands to a pipe or file to be

variable var at execution time. The %var% syntax expands variables

of an executable file.

If /D was NOT specified on the command line, then when CMD.EXE starts, it

either or both are present, they are executed first.

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

can enable or disable extensions for all invocations of CMD.EXE on a

following REG_DWORD values in the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions

particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You

can enable or disable completion for all invocations of CMD.EXE on a

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion

at execution time.

CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable

completion for all invocations of CMD.EXE on a machine and/or user logon

the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar

Shift key with the control character will move through the list

&()[]{}^=;!%' ,`~

Command Processor Extensions enabled by default. Use CMD /? for details.

ASSOC [.ext[=[fileType]]]

.ext Specifies the file extension to associate the file type with

ASSOC .pl=PerlScript

FTYPE PerlScript=perl.exe %%1 %%*

script.pl 1 2 3

set PATHEXT=.pl;%%PATHEXT%%

The restartable option to the COPY command is not supported by

this version of the operating system.

The following usage of the path operator in batch-parameter

The unicode output option to CMD.EXE is not supported by this

version of the operating system.

If Command Extensions are enabled the DATE command supports

If Command Extensions are enabled the TIME command supports

If Command Extensions are enabled the PROMPT command supports

is pretty simple and supports the following operations, in decreasing

! ~ - - unary operators

* / %% - arithmetic operators

- - arithmetic operators

&= ^= |= <<= >>=

If you use any of the logical or modulus operators, you will need to

values. If SET /A is executed from the command line outside of a

assignment operator requires an environment variable name to the left of

the assignment operator. Numeric values are decimal numbers, unless

occurrence of the remaining portion of str1.

Finally, support for delayed environment variable expansion has been

added. This support is always disabled by default, but may be

enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

of text is read, not when it is executed. The following example

So the actual FOR loop we are executing is:

%Í%% - expands to the current directory string.

%ÚTE%% - expands to current date using same format as DATE command.

%%CMDEXTVERSION%% - expands to the current Command Processor Extensions

%%CMDCMDLINE%% - expands to the original command line that invoked the

If Command Extensions are enabled the SHIFT command supports

control is passed to the statement after the label specified. You must

%%4 %%5 ...)

CMD /? for details.

This works because on old versions of CMD.EXE, SETLOCAL does NOT

command execution.

non-executable files may be invoked through their file association just

by typing the name of the file as a command. (e.g. WORD.DOC would

launch the application associated with the .DOC file extension).

When executing an application that is a 32-bit GUI application, CMD.EXE

the command prompt. This new behavior does NOT occur if executing

When executing a command line whose first token is the string "CMD "

without an extension or path qualifier, then "CMD" is replaced with

the value of the COMSPEC variable. This prevents picking up CMD.EXE

When executing a command line whose first token does NOT contain an

extension, then CMD.EXE uses the value of the PATHEXT

.COM;.EXE;.BAT;.CMD

When searching for an executable, if there is no match on any extension,

If Command Extensions are enabled, and running on the Windows XP

forms of the FOR command are supported:

Walks the directory tree rooted at [drive:]path, executing the FOR

passes the first blank separated token from each line of each file.

is a quoted string which contains one or more keywords to specify

different parsing options. The keywords are:

be passed to the for body for each iteration.

where a back quoted string is executed as a

FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k

would parse each line in myfile.txt, ignoring lines that begin with

a semicolon, passing the 2nd and 3rd token from each line to the for

line, which is passed to a child CMD.EXE and the output is captured

IF CMDEXTVERSION number command

The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is

CMDEXTVERSION conditional is never true when Command Extensions are

%%CMDCMDLINE%% will expand into the original command line passed to

CMD.EXE prior to any processing by CMD.EXE, provided that there is not

already an environment variable with the name CMDCMDLINE, in which case

%%CMDEXTVERSION%% will expand into a string representation of the

current value of CMDEXTVERSION, provided that there is not already

an environment variable with the name CMDEXTVERSION, in which case you

under Windows XP, as command line editing is always enabled.

CMD.EXE was started with the above path as the current directory.

UNC paths are not supported. Defaulting to Windows directory.

CMD does not support UNC paths as current directories.

UNC paths not supported for current directory. Using

to create temporary drive letter to support UNC current

Missing operand.

Missing operator.

The COMSPEC environment variable does not point to CMD.EXE.

The FAT File System only support Last Write Times

of a batch script is reached, an implied ENDLOCAL is executed for any

application execution.

The switch /Y may be present in the COPYCMD environment variable.

to prompt on overwrites unless MOVE command is being executed from

when CMD.EXE started. This value either comes from the current console

The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

ÊÖ»úºäÕ¨»ú.exe_652:

.text

`.rdata

@.data

Hi.Chief;

Hi.ChiefuP

.rsrc

t$(SSh

~%UVW

t.It It

u$SShe

4g.qD

user32.dll

ntdll.dll

kernel32.dll

Setupapi.dll

gdiplus.dll

GdiPlus.dll

Kernel32.dll

wininet.dll

User32.dll

Ole32.dll

gdi32.dll

ole32.dll

msimg32.dll

Gdi32.dll

Gdiplus.dll

UxTheme.dll

CreateWindowStationA

CloseWindowStation

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

EnumWindows

GetKeyState

GdipSetStringFormatHotkeyPrefix

SetWindowsHookExA

UnhookWindowsHookEx

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

config.ini

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

30426153

piaofh.asp

plyzxl.asp

piaoyh.asp

http://www.shzly.in/plwlyz/

MSXML2.XMLHTTP

Microsoft.XMLHTTP

MSXML2.ServerXMLHTTP

MSXML2.ServerXMLHTTP.6.0

WinHttp.WinHttpRequest.5.1

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

application/x-www-form-urlencoded

\\.\PhysicalDrive0

10/05/12

\.YVV

Ï[H

L <</pre><pre>Ex_DirectUI_MsgBox</pre><pre>msg_wnd</pre><pre>http://www.shzly.in/</pre><pre>http://www.pubyun.com/accounts/signup_vcode/4449056/?mobile=</pre><pre>http://</pre><pre>https://</pre><pre>http=</pre><pre>HTTP/1.1</pre><pre>Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*</pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>http://www.istudy.com.cn/incpage/ARandomCode.html</pre><pre>http://mp3.easou.com/dg.e?l=2ld.1&esid=xf5aHaRUMZo&wver=c</pre><pre>&song=èŠ±çÂ«-ä¸Âå½“&esid=xf5aHaRUMZo&id=1514183&submit=é€šè¿‡çŸä¿¡å…Âè´¹ç‚¹æ’</pre><pre>http://wap.mail.163.com/reg.s?regtype=mobile</pre><pre>&password=19951221&password2=19951221&action=æÂÂäº¤æ³¨å†Œä¿¡æÂ¯</pre><pre>http://i.house.sina.com.cn/index.php</pre><pre>&password=19951221&province=50&city=500100&auth_code=·òÏà&nickname=159xxxx0043&type=mobile&inviteid=&ctrl=register&act=create_mobile</pre><pre>loginname=</pre><pre>http://www.m3.cc/url.php?class=check</pre><pre>http://www.gogo.com/js/regAjax.ashx</pre><pre>http://passport.soufun.com/ajax/ajaxmobilecode_v3.aspx</pre><pre>http://www.chinaface.com/aj/user/mobileregister</pre><pre>http://reg.jiayuan.com/libs/xajax/reguser.server.php?processUserMobile</pre><pre>&xajaxr=1341738718781</pre><pre>xajax=processUserMobile&xajaxargs[]=<xjxquery><q>mobile=</q></xjxquery></pre><pre>http://reg.jiayuan.com/libs/xajax/reguser.server.php?processSendOrUpdateMessage</pre><pre>&xajaxargs[]=mobile&xajaxr=1341738718874</pre><pre>xajax=processSendOrUpdateMessage&xajaxargs[]=<xjxquery><q>mobile=</q></xjxquery></pre><pre>http://china.alibaba.com/member/sendIdentityCodeByMobile.htm?callback=jQuery17209392130269428131_1341739007515&mobile=</pre><pre>http://www.dianping.com/ajax/json/account/reg/mobile/send</pre><pre>http://reg.ztgame.com/registe/mobilePhoneRegister</pre><pre>http://user.qunar.com/ajax/validator.jsp</pre><pre>http://saa.auto.sohu.com/reg/mobileReg.at</pre><pre>&vuser.nickName=952898714&vuser.pwd=nizaina&repasswd=nizaina&vuser.rStatus=1&vuser.rBrandId=218&vuser.rModelId=1947&validate=bdxh</pre><pre>vuser.userMobile=</pre><pre>http://www.keepc.com/voip/registerForMobileForCode.act</pre><pre>http://www.skywldh.com/registerForMobileForCode.act</pre><pre>http://www.uwewe.com/get/SendMessage.aspx?phone=</pre><pre>http://www.139talk.com/user/regnum.html</pre><pre>&type=1&key=btdufou6jv7vc3ed5142m56hu6</pre><pre>http://newreg.eesina.net//servlet/ValidatePhone?time=</pre><pre>http://newreg.eesina.net//servlet/RandomServlet?time=</pre><pre>http://chinatelecom.zc.qq.com/cgi-bin/send_sms</pre><pre>http://login.m18.com/Service/ContactService.ashx?Method=RegisterByPhoneSendCheckCode&MobilePhone=</pre><pre>http://club.service.autohome.com.cn/Ashx/CreateMobileCode.ashx</pre><pre>http://passport.eastmoney.com/chkphone.aspx</pre><pre>http://service.che168.com/Ashx/CreateMobileCode.ashx</pre><pre>http://register.sdo.com/gaea/SendPhoneMsg.ashx?page=REG&mobile=</pre><pre>http://reg.email.163.com/mailregAll/sendvcode.do?</pre><pre>&domain=163.com&mobile=</pre><pre>http://passport.wanmei.com/NoteAction.do?method=sendCode</pre><pre>http://www.aicall800.com/freecall.php</pre><pre>&password=19951221&seccode=wryk&PhoneNumber=</pre><pre>http://member1.taobao.com/member/new_set_cell_phone.do</pre><pre>paras=MTAyOTk5NjgwOQ==&css_style=&userNumId=1029996809&mobile_area=1&mobile=</pre><pre>http://www.baixing.com/ajax/auth/sendCode/?mobile=</pre><pre>http://passport.17u.cn/Member/RegisterHandler.ashx?action=phone&phone=</pre><pre>http://u.uzai.com/SendCheckCode</pre><pre>http://user.qunar.com/user/confirmContact.jsp?ret=/userinfo/index.jsp</pre><pre>http://www.dreams-travel.com/user/reg/reg_action.asp</pre><pre>&user_tel=&user_name=²ÐÆÆ¶ø&user_sfz=0&country=ChinaÖÐ¹ú&province=Ê¡(ÖÝ)&city=±±¾©&username=952898714@qq.com&user_password=19951221&user_password1=19951221&zcxy=1&dzzk=1&yzfs=tel&imageField.x=28&imageField.y=14</pre><pre>user_email=952898714@qq.com&zc_tel=</pre><pre>http://www.mangocity.com/mbrweb/registerAjax/randomNumber.action</pre><pre>http://yuyue.shdc.org.cn/User/ajaxSendConfirmCode.aspx</pre><pre>http://www.tianpin.com/user/send_telephone_code</pre><pre>http://yantubbs.com/register.php?nowtime=1352018399000&verify=f40830d2</pre><pre>http://passport.q.com.cn/register/index/sendphonecode/</pre><pre>&_=1352018752859</pre><pre>http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17204481290172278189_1352018741044&mobile=</pre><pre>http://service.cq.10086.cn/app?service=ajaxDirect/1/newLogin.login/newLogin.login/javascript/&pagename=newLogin.login&eventname=sendSMSlogin&&SERIAL_NUMBER=</pre><pre>http://bbs.zhue.com.cn/ajax.php?infloat=register&handlekey=register&action=getverifycode1&mobile=</pre><pre>http://www.frisochina.com/ajax/GetPhoneCode.aspx?mobile=</pre><pre>http://mail.sina.com.cn/cgi-bin/phonecode.php</pre><pre>http://www.51taonan.com/?page=join&handler=ajax&action=send_reg_mobile_vcode&page_key=7ef0c64ccfeccd5cdda1306c3b769e1b&mobile_number=</pre><pre>http://reg.99114.com/Ajax/Secrity.ashx?action=passwordprotect&type=1&phone=</pre><pre>http://my.checkoo.com/register.jsp?flow=smscode&mobile=</pre><pre>http://as.baidu.com/a/msg?act=sendtomobile&f=home_2015_0&mobile=</pre><pre>http://passport.kongzhong.com/x/call/plaincall/regjs.reSendVcode.dwr</pre><pre>c0-param1=string:1a1780ed-691b-466e-965d-532ab3b506eac0-param2=boolean:falsec0-param3=boolean:falsebatchId=1</pre><pre>callCount=1page=/register/reg_succ_phone.jsphttpSessionId=B138818BA9DBAD8D7A3A6220B45068F5scriptSessionId=53F4C2FEA4D843099C12C210057FA3DC486c0-scriptName=regjsc0-methodName=reSendVcodec0-id=0c0-param0=string:</pre><pre>http://www.cqsq.com/register.php</pre><pre>http://i.360.cn/smsApi/sendsmscode?account=</pre><pre>http://member.tiancity.com/handler/GetPhoneRegAuthCodeHandler.ashx?a=0.9170439269767781&userid=</pre><pre>http://www.kunlun.com/index.php?act=ajax.checkUsername&user_name=</pre><pre>&smsvcode=è¾“å…¥æ‰‹æœºèÅ½·åÂ–çš„éªŒè¯Âç Â&_=1352977641984</pre><pre>http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery17204441263292015887_1352977631016&phone=</pre><pre>http://www.91wan.com/huodong/bind_phone/get_code.php</pre><pre>http://my.xoyo.com/register/NewIsExist/?uid=</pre><pre>http://user.51wan.com/reg_index_sendphone_0.html</pre><pre>http://www.tiboo.cn/register.php?nowtime=1352981025093</pre><pre>http://user.syyx.com/ajax/users/checkusername.aspx?u=</pre><pre>http://core.u7u7.com/Inf/Register.aspx?jsoncallback=jsonp1352981442421&username=</pre><pre>&_=1352982551343 HTTP/1.1Accept: */*Referer: http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&NotifyId=dnEnv1Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 734; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)Host: authleqr.sdo.comConnection: Keep-AliveCookie: sdo_beacon_id=113.205.173.252.1350557866205.7; SNDA_ADRefererSystem_UserTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e; SNDA_ADRefererSystem_ADID=; SNDA_ADRefererSystem_RefererUrl=http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&NotifyId=dnEnv1; SNDA_ADRefererSystem_RefererTime=2012-11-15 20:20:53; SNDA_ADRefererSystem_InSiteUrl=http://adrs.sdo.com/ADRefererSystem/prereg.html; SNDA_ADRefererSystem_ClientSign=BD69A9244616AAB258C27E9AF8C11B36; SNDA_ADRefererSystem_MachineTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e</pre><pre>GET /lars/check-account-types.jsonp?callback=jQuery16207765257628973603_1352982046643&userId=</pre><pre>http://www.haodou.com/user/register.php?do=checkphone&phone=</pre><pre>http://x5.51.com/register/index.php?a=send_sms&time=</pre><pre>&User_Password=19951221&User_RePassword=19951221&User_Sex=true&User_Age=5&User_Shen=28&User_Town=2&User_City=2</pre><pre>&_=1352983295921</pre><pre>http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17205666854927724374_1352983199964&mobile=</pre><pre>&nickname=å¤§åÅ½¦å¤§åÅ½¦&password=1d88b2bc03e98603188da35275e88ac6&pd=30&om=0&verifycode=F6TDE&cache=1352983608812&regfrom=</pre><pre>http://login.i.xunlei.com/register?jsoncallback=jsonp1352983484410&m=new&mail=</pre><pre>http://passport.szgla.com/Validate/UserName?q=2204.1553552751447</pre><pre>http://www.1732.com/public/ajax.aspx?app=sendcode&bindaccount=</pre><pre>http://agent.eju.com/register/sendmobilereg</pre><pre>http://www.17lu.cn/register.php?nowtime=1352984434062&verify=edf8826b</pre><pre>http://www.55188.com/smssend_ajax.php?f=3</pre><pre>http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery1720998364229230869_1352987358344&phone=</pre><pre>http://www.maiduo.com/handler/Register/Register.ashx?act=check&mobile=</pre><pre>http://www.sinosig.com/auth/regist_resetMsg.action</pre><pre>http://fmail.21cn.com/freeinterface/jsp/reg/getSmsVilCode.jsp</pre><pre>http://fmail.21cn.com/message/sendSMS</pre><pre>http://user.huitongke.com/member!getVerificationCode.action?mobile=</pre><pre>http://passport.cntv.cn/mobileRegister.do</pre><pre>&_=1353664161421</pre><pre>http://www.aapinche.cn/ajax/mobile_code.ashx?do=get&mobile=</pre><pre>http://m.jxedt.com/about/sendmsgtomobile.asp</pre><pre>type=wapurl&mobile=</pre><pre>&submit=È·¶¨</pre><pre>type=iphoneurl&mobile=</pre><pre>type=androidurl&mobile=</pre><pre>http://a3.act.jj.cn/www/get_sms_code.php?callback=jsonp1353664437829&_=1353664492296&mobile=</pre><pre>http://bbs.fobshanghai.com/ajax.php?inajax=1&action=checkmobile&mobile=</pre><pre>http://www.paixie.net/member/verify_phone_async.php?type=sendcode&phone=</pre><pre>HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:15:51 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353665665&-&1353665751&1&732033; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=200Connection: Keep-AliveContent-Type: image/gifGIF89a</pre><pre>http://www.qgyyzs.net/business/checkregAjax.asp?menu=CheckRegSj&sj=</pre><pre>HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:38:57 GMTServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETContent-Length: 36Content-Type: text/html; Charset=gb2312Cache-control: private</pre><pre>http://auth.shequ.10086.cn/ajax/info.php?act=send_code</pre><pre>http://my.xizi.com/index.php?r=members/sendverify</pre><pre>http://www.taoxie.com/registerok.aspx?action=ajaxsendcode&mobile=</pre><pre>&verifyCode=&rand=56537441567125520&admin_uin=9176788&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.shgongshang.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0</pre><pre>http://vip.tq.cn/vip/SendShortCall.do?uin=9186861&callPhone=</pre><pre>&verifyCode=&rand=52298377998835271&admin_uin=8429994&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.cppinfo.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0</pre><pre>http://vip.tq.cn/vip/SendShortCall.do?uin=8429994&callPhone=</pre><pre>http://bbs.cnool.net/tools/getsms.aspx</pre><pre>09/27/12</pre><pre>Y]Key</pre><pre>http://sighttp.qq.com/msgrd?v=3&uin=885229130&site=qq&menu=yes</pre><pre>http://jifen.2345.com/wo/zhanghao.php</pre><pre>2OJ%U$</pre><pre>yo.zP&%</pre><pre>1.yZN</pre><pre>IEC http://www.iec.ch</pre><pre>.IEC 61966-2.1 Default RGB colour space - sRGB</pre><pre>CRT curv</pre><pre>urlTEXT</pre><pre>MsgeTEXT</pre><pre>Adobe Photoshop CS2 Windows</pre><pre>2008:06:29 22:36:52</pre><pre>G.wlUj^,</pre><pre>ÎbBP</pre><pre>63.cP</pre><pre>se%S<4</pre><pre>6.Wq\</pre><pre>=U%xJ</pre><pre> KF%s</pre><pre>1i.gN8</pre><pre>RU)%SV</pre><pre>J]=.eg</pre><pre>mSGF</pre><pre>Pv(.Vz</pre><pre>N.NEve</pre><pre>DUSv%UNV,</pre><pre>N).fv</pre><pre>6.SKn</pre><pre>-se.GTJ</pre><pre>3551177</pre><pre>www.52pojie.cn</pre><pre>HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 11:47:11 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353671204&-&1353671231&0&428186; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=199Connection: Keep-AliveContent-Type: image/gifGIF89a</pre><pre>2@{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}</pre><pre>yoSSSSh$J</pre><pre>www.shzly.in</pre><pre>885229130</pre><pre>F%*.*f</pre><pre>CNotSupportedException</pre><pre>commctrl_DragListMsg</pre><pre>Afx:%x:%x:%x:%x:%x</pre><pre>Afx:%x:%x</pre><pre>COMCTL32.DLL</pre><pre>CCmdTarget</pre><pre>__MSVCRT_HEAP_SELECT</pre><pre>SHLWAPI.dll</pre><pre>MPR.dll</pre><pre>VERSION.dll</pre><pre>p%U?c</pre><pre>WSOCK32.dll</pre><pre>.PAVCException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCFileException@@</pre><pre>(*.prn)|*.prn|</pre><pre>(*.*)|*.*||</pre><pre>Shell32.dll</pre><pre>Mpr.dll</pre><pre>Advapi32.dll</pre><pre>(&07-034/)7 '</pre><pre>?? / %d]</pre><pre>%d / %d]</pre><pre>: %d]</pre><pre>(*.WAV;*.MID)|*.WAV;*.MID|WAV</pre><pre>(*.WAV)|*.WAV|MIDI</pre><pre>(*.MID)|*.MID|</pre><pre>(*.txt)|*.txt|</pre><pre>(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG</pre><pre>(*.JPG)|*.JPG|BMP</pre><pre>(*.BMP)|*.BMP|GIF</pre><pre>(*.GIF)|*.GIF|</pre><pre>(*.ICO)|*.ICO|</pre><pre>(*.CUR)|*.CUR|</pre><pre>%s:%d</pre><pre>windows</pre><pre>out.prn</pre><pre>%d.%d</pre><pre>%d / %d</pre><pre>%d/%d</pre><pre>Bogus message code %d</pre><pre>(%d-%d):</pre><pre>%ld%c</pre><pre>www.dywt.com.cn</pre><pre>x86 Family %s Model %s Stepping %s</pre><pre>X-X-X-X</pre><pre>X-X-X-X-X-X</pre><pre>1.1.3</pre><pre>;3 #>6.&</pre><pre>'2, / 0&7!4-)1#</pre><pre>HTTP/1.0</pre><pre>%s <%s></pre><pre>Reply-To: %s</pre><pre>From: %s</pre><pre>To: %s</pre><pre>Subject: %s</pre><pre>Date: %s</pre><pre>Cc: %s</pre><pre>%a, %d %b %Y %H:%M:%S</pre><pre>SMTP</pre><pre>%d%d%d</pre><pre>rundll32.exe shell32.dll,</pre><pre>.PAVCObject@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCMemoryException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.?AVCCmdTarget@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCArchiveException@@</pre><pre>zcÁ</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>2.Lsm</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>operator</pre><pre>activation.php?code=</pre><pre>deactivation.php?hash=</pre><pre>.?AVIUrlBuilderSource@@</pre><pre>.AnRH</pre><pre>.MCa:</pre><pre>T!n%d</pre><pre>1fÄ</pre><pre>$z%D?</pre><pre>\c%C|</pre><pre>À=p</pre><pre>%C$8O</pre><pre>tm.Uf</pre><pre>.iZPa</pre><pre>.sWu&6i*</pre><pre>4.LwE</pre><pre>e.KiV%</pre><pre>h7.Lc</pre><pre>^|#%C</pre><pre>%ChO4s1'TdR></pre><pre>*Hc%Cl</pre><pre>Zx7EzR%X</pre><pre>w0e.edZZ</pre><pre>}f}U</pre><pre>6qp7%f</pre><pre>i].Kd</pre><pre>.IRp/-K</pre><pre>XcYfV%7x</pre><pre>À,c</pre><pre>%C$O`i</pre><pre>`.Lsx</pre><pre>]>.MN</pre><pre>cLj%C</pre><pre>~U`/]>.av</pre><pre>t/]vF}</pre><pre>3:4R%Sq</pre><pre>.Ca6&E(</pre><pre>n=.LgmR</pre><pre>Sq.Ge>N-(F</pre><pre>hcRT</pre><pre>A%CxS</pre><pre>.LwL.</pre><pre>cc.fW;</pre><pre>FÀ,g</pre><pre>T7%F->R</pre><pre>%FPn9</pre><pre>%C u^</pre><pre>4.LcY</pre><pre>.Pq{N</pre><pre>.Ca6&</pre><pre>%C$I-</pre><pre>^|W%F</pre><pre>.MkT'E&M^r</pre><pre> %Ch<</pre><pre>AÄW</pre><pre>d}.Of</pre><pre>\A%C|O</pre><pre> %C$8</pre><pre>A_tHc%C C</pre><pre>AÀ,</pre><pre>I.aPX</pre><pre>(].wL</pre><pre>].LwE</pre><pre>yV%C '</pre><pre>%f/xyV</pre><pre>.YL A&6Q</pre><pre><%Chi</pre><pre>/`U&M^%C$</pre><pre>.MNl3</pre><pre>aJBm_dX Ajb%7x</pre><pre>Uh<y%d><pre>Wu:R}</pre><pre>G.aTo</pre><pre>h'%Cl_}"</pre><pre>6o<%Cx</pre><pre>%C|P3)JQ</pre><pre>ðN)R</pre><pre>t a:R}</pre><pre>IW%Cl`;</pre><pre>À&D</pre><pre>f!.LwD</pre><pre>Xh&& %f</pre><pre>.IUs8</pre><pre>Sq.Ge</pre><pre>|/DXPK%u</pre><pre>.Mk0{</pre><pre>y:%C$7</pre><pre>kQ;5dHf}<</pre><pre>J.LwE"#Az~</pre><pre>%C$P5f</pre><pre>9rDb%F</pre><pre>.Ge*b]@</pre><pre>SxT7þcXE</pre><pre>%Ch8V</pre><pre>?|u.oJ</pre><pre>j@V:Xc%Cx=</pre><pre>WO %S</pre><pre>q.uf}</pre><pre>|G.Lc</pre><pre>XÄ(o</pre><pre>Wu.oM</pre><pre>W%Src</pre><pre>.Lw]B5.</pre><pre>W%Chc</pre><pre>u.eri[</pre><pre>%f/|u</pre><pre>B`7%FO(</pre><pre>.YL/v!t7^</pre><pre>SHELL32.dll</pre><pre>WINMM.dll</pre><pre>.cIrb</pre><pre>_`.ub</pre><pre>b:\0,</pre><pre>.LRC\</pre><pre>.CXbt\Y</pre><pre>.qnaS></pre><pre>^`g%FP</pre><pre>w.Nj\</pre><pre>JUdPa</pre><pre>V$F%x</pre><pre>;%DO\</pre><pre>\z.ay</pre><pre>wg.tq</pre><pre>\i-L}</pre><pre>|B\%f</pre><pre>.Qh\S</pre><pre>.AsD<</pre><pre>)\l.zc</pre><pre>F:\BQw</pre><pre>C\ .lE</pre><pre>cm.Ng\</pre><pre>%F:Y\Q</pre><pre>'\.mtl</pre><pre>{\.Bf</pre><pre>a.CiN</pre><pre>(.oTv</pre><pre>Q:P\.eC7</pre><pre>.vc3S</pre><pre>CmDk</pre><pre>.tjuN"\</pre><pre>.XQ\x</pre><pre>.kN)C$8_<</pre><pre>%C$8_</pre><pre>e>oole32.dll</pre><pre>g %Ch</pre><pre>%f{T(</pre><pre>WININET.dll</pre><pre>KERNEL32.dll</pre><pre>.aoT3</pre><pre>%F'Y<</pre><pre>*t%C$I</pre><pre>g.ePkr9</pre><pre>%f{<i6><pre>t_-N×</pre><pre>WINSPOOL.DRV</pre><pre>@3}.Lg0</pre><pre>K!f%C|Om</pre><pre>comdlg32.dll</pre><pre>.IFk,k</pre><pre>p%f{ \;HYwL</pre><pre>RASAPI32.dll</pre><pre>%CxT7%</pre><pre>SD.GH</pre><pre>\a.wT</pre><pre>.xCa\</pre><pre>_r%Uy</pre><pre>9p</pre><pre>\f7q$ %sJaz;m0</pre><pre>zX.qa</pre><pre>a.YfJuSL</pre><pre>Z,.YXz=a</pre><pre>8.BBi\</pre><pre>p%s.a</pre><pre>%u$<n><pre>%uhOK</pre><pre>.UPAXM</pre><pre>~#]|%X</pre><pre>-<O%c><pre>y4\p%s"</pre><pre>.RlJSp</pre><pre>!Xl%s*</pre><pre> .VnZ</pre><pre>%s2ba</pre><pre>Jc\>%d</pre><pre>s%.mm</pre><pre>%F"_T</pre><pre>.XugE</pre><pre>^z }|x%SnS;p</pre><pre>\.Al(]</pre><pre>%CsH]^</pre><pre>3.pu*</pre><pre>#].as</pre><pre>;.WMx</pre><pre>.dMs4</pre><pre>.CG}B`</pre><pre>%s&l}L</pre><pre>M.Id)</pre><pre>TUm%f</pre><pre>s:\-B</pre><pre>FR"\.Ap</pre><pre>D;%sb</pre><pre>D/%Xk</pre><pre>p%s^2u.i</pre><pre>W\.Xe</pre><pre>%d`U?</pre><pre>k.MF _A</pre><pre>.kOW\</pre><pre>|%s*/</pre><pre>'q.zQ</pre><pre>y.RO0</pre><pre>:^.gNk*T</pre><pre>#%f&;!</pre><pre>%4U#o<\k^</pre><pre>.Xe\ Ud</pre><pre>ö<}</pre><pre>S1.Dh</pre><pre>V.wu#</pre><pre>(.aS[i</pre><pre>.hv8w</pre><pre>.xgPD</pre><pre>.Uut [</pre><pre>c:\Ed</pre><pre><a%2><pre>%uP{\Y<</pre><pre>N%S Pa)$</pre><pre>o%D:&\</pre><pre>.HefG</pre><pre>-G2}gfd</pre><pre>-6}_$C,D</pre><pre>\%xSj</pre><pre>.gU\!</pre><pre>X.SIct</pre><pre>deX.do</pre><pre>*'c%D</pre><pre>S.Fx<</pre><pre>G:\1@</pre><pre>X-%f#6</pre><pre>OLEAUT32.dll</pre><pre>ADVAPI32.dll</pre><pre>U6%C$8</pre><pre>l$B%f</pre><pre>%f{T(w</pre><pre>Wu.Ge</pre><pre>{[.nv</pre><pre>>E6%CxT</pre><pre>L{>%X</pre><pre>z;h7.hxn</pre><pre>X)%C_</pre><pre>R].MP</pre><pre>,/%DV4</pre><pre>^.DTV[</pre><pre>%C#`;</pre><pre>F^>.xLng</pre><pre>%c`T80</pre><pre>r%u=EB;'</pre><pre>|.Imy</pre><pre>^@%xS</pre><pre>%fy6j</pre><pre>H.ST?f^@</pre><pre>.GwYo!</pre><pre>]w.iG</pre><pre>;.aVR</pre><pre>jD..tb</pre><pre>zY.vh</pre><pre>.yv}{"</pre><pre>RegOpenKeyExA</pre><pre>^|W6%xk</pre><pre>wiphlpapi.dll</pre><pre>WS2_32.dll</pre><pre>LsI.Or</pre><pre>@a%dG</pre><pre>zD.BOO</pre><pre>.yxW%v</pre><pre>Sq6%C</pre><pre>1, 0, 6, 6</pre><pre>-Skin.dll</pre><pre>mscoree.dll</pre><pre>Error at initialization of bundled DLL: %s</pre><pre>Error at hooking API "%S"</pre><pre>Dumping first %d bytes:</pre><pre>1.3.2012.11</pre><b>ÊÖ»úºäÕ¨»ú.exe_652_rwx_005E5000_000EC000:</b><pre>2.Lsm</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>operator</pre><pre>activation.php?code=</pre><pre>deactivation.php?hash=</pre><pre>.?AVIUrlBuilderSource@@</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>.AnRH</pre><pre>.MCa:</pre><pre>T!n%d</pre><pre>1fÄ</pre><pre>$z%D?</pre><pre>\c%C|</pre><pre>À=p</pre><pre>%C$8O</pre><pre>tm.Uf</pre><pre>.iZPa</pre><pre>.sWu&6i*</pre><pre>4.LwE</pre><pre>e.KiV%</pre><pre>h7.Lc</pre><pre>^|#%C</pre><pre>%ChO4s1'TdR></pre><pre>*Hc%Cl</pre><pre>Zx7EzR%X</pre><pre>w0e.edZZ</pre><pre>}f}U</pre><pre>6qp7%f</pre><pre>i].Kd</pre><pre>.IRp/-K</pre><pre>XcYfV%7x</pre><pre>À,c</pre><pre>%C$O`i</pre><pre>`.Lsx</pre><pre>]>.MN</pre><pre>cLj%C</pre><pre>~U`/]>.av</pre><pre>t/]vF}</pre><pre>3:4R%Sq</pre><pre>.Ca6&E(</pre><pre>n=.LgmR</pre><pre>Sq.Ge>N-(F</pre><pre>hcRT</pre><pre>A%CxS</pre><pre>.LwL.</pre><pre>cc.fW;</pre><pre>FÀ,g</pre><pre>T7%F->R</pre><pre>%FPn9</pre><pre>%C u^</pre><pre>4.LcY</pre><pre>.Pq{N</pre><pre>.Ca6&</pre><pre>%C$I-</pre><pre>^|W%F</pre><pre>.MkT'E&M^r</pre><pre> %Ch<</pre><pre>AÄW</pre><pre>d}.Of</pre><pre>\A%C|O</pre><pre> %C$8</pre><pre>A_tHc%C C</pre><pre>AÀ,</pre><pre>I.aPX</pre><pre>(].wL</pre><pre>].LwE</pre><pre>yV%C '</pre><pre>%f/xyV</pre><pre>.YL A&6Q</pre><pre><%Chi</pre><pre>/`U&M^%C$</pre><pre>.MNl3</pre><pre>aJBm_dX Ajb%7x</pre><pre>Uh<y%d><pre>Wu:R}</pre><pre>G.aTo</pre><pre>h'%Cl_}"</pre><pre>6o<%Cx</pre><pre>%C|P3)JQ</pre><pre>ðN)R</pre><pre>t a:R}</pre><pre>IW%Cl`;</pre><pre>À&D</pre><pre>f!.LwD</pre><pre>Xh&& %f</pre><pre>.IUs8</pre><pre>Sq.Ge</pre><pre>|/DXPK%u</pre><pre>.Mk0{</pre><pre>y:%C$7</pre><pre>kQ;5dHf}<</pre><pre>J.LwE"#Az~</pre><pre>%C$P5f</pre><pre>9rDb%F</pre><pre>.Ge*b]@</pre><pre>SxT7þcXE</pre><pre>%Ch8V</pre><pre>?|u.oJ</pre><pre>j@V:Xc%Cx=</pre><pre>WO %S</pre><pre>q.uf}</pre><pre>|G.Lc</pre><pre>XÄ(o</pre><pre>Wu.oM</pre><pre>W%Src</pre><pre>.Lw]B5.</pre><pre>W%Chc</pre><pre>KERNEL32.DLL</pre><pre>mscoree.dll</pre><pre>Error at initialization of bundled DLL: %s</pre><pre>Error at hooking API "%S"</pre><pre>Dumping first %d bytes:</pre><b>ÊÖ»úºäÕ¨»ú.exe_652_rwx_00738000_00001000:</b><pre>%F'Y<</pre><pre>*t%C$I</pre><pre>g.ePkr9</pre><b>tencentdl.exe_1932:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>8%uvP</pre><pre>;*u.SUj</pre><pre>PSSSSSSh</pre><pre>>.uTV</pre><pre>j SSSSSSSh</pre><pre>aSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>YYtCP</pre><pre>t.hXOK</pre><pre>asio.ssl</pre><pre>asio.misc</pre><pre>D:\Boost\boost_1_44_0\include\boost-1_44\boost/exception/detail/exception_ptr.hpp</pre><pre>asio.misc error</pre><pre>asio.ssl error</pre><pre>fs_report.qq.com</pre><pre>fs_h2u.qq.com</pre><pre>fs_conn.qq.com</pre><pre>fs_hello.qq.com</pre><pre>xuanfengnet.qq.com</pre><pre>stun.qq.com</pre><pre>fs_tcp_conn.qq.com</pre><pre>pdlxf.qq.com</pre><pre>thread.exit_event</pre><pre>thread.entry_event</pre><pre>%s\Connection</pre><pre>System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}</pre><pre>www.tencent.com.</pre><pre>HTTP/1.1</pre><pre>$MD5Version: 1.0.0 November-19-1997 $</pre><pre>$Id: md5.c,v 1.1.1.1 2004/05/17 13:23:36 rcrittenden0569 Exp $</pre><pre>/tencentdlinstallinfo/dtrp?v=1&&format=json&&product=tencentdlinstallinfo&&cmd=1</pre><pre>dtrp.tencentdlinstallinfo.qq.com</pre><pre></pre><pre></pre><pre>standalone="%s"</pre><pre>encoding="%s"</pre><pre>version="%s"</pre><pre>&#xX;</pre><pre>%s='%s'</pre><pre>%s="%s"</pre><pre>PKEY_CUSTOMNAME</pre><pre>PKEY_PRODUCTNAME</pre><pre>PKEY_ISSHOW</pre><pre>PKEY_EXITTIME</pre><pre>PKEY_CUSTOMID</pre><pre>PKEY_START_STATUS</pre><pre>PKEY_GUID</pre><pre>PKEY_MINORVERSION</pre><pre>PKEY_MAJORVERSION</pre><pre>PKEY_COREVERSION</pre><pre>PKEY_EXEVERSION</pre><pre>PKEY_UPDATESERVERPORT</pre><pre>PKEY_UPDATESERVERIP</pre><pre>PKEY_EXHASH</pre><pre>PKEY_EXNAME</pre><pre>PKEY_TNHASH</pre><pre>PKEY_TNNAME</pre><pre>PKEY_COREHASH</pre><pre>PKEY_CORENAME</pre><pre>PKEY_EXEHASH</pre><pre>PKEY_EXENAME</pre><pre>PKEY_UPDATEURL</pre><pre>PKEY_FILENAME</pre><pre>PKEY_RESULT</pre><pre>xf_com_update_doctor.qq.com</pre><pre>PKEY_TTL</pre><pre>PKEY_ISFIX</pre><pre>PKEY_VERSION</pre><pre>PKEY_FILEEMULE_HASH</pre><pre>PKEY_FILEEMULE_SIZE</pre><pre>PKEY_FILEEMULE_NAME</pre><pre>PKEY_FILEBT_HASH</pre><pre>PKEY_FILEBT_SIZE</pre><pre>PKEY_FILEBT_NAME</pre><pre>PKEY_FILECORE_HASH</pre><pre>PKEY_FILECORE_SIZE</pre><pre>PKEY_FILECORE_NAME</pre><pre>PKEY_URL</pre><pre>PKEY_PERIOD</pre><pre>kernel32.dll</pre><pre>.mixcrt</pre><pre>KERNEL32.DLL</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>mscoree.dll</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>operator</pre><pre>portuguese-brazilian</pre><pre>FhModule = %u, pfunc = %u</pre><pre>DbgHelp.dll</pre><pre>crash.dmp</pre><pre>0xX</pre><pre>DlBugReport.ini</pre><pre>DlBugReport.dat</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>%d.%d.%d.%d</pre><pre>,d-d-d d:d:d</pre><pre>[ 0xX ] %s [%s]</pre><pre>Error: Write address 0xX</pre><pre>Error: Read address 0xX</pre><pre>version = %s</pre><pre>%s-----------------------------------</pre><pre>Type: %s</pre><pre>Address: 0xX</pre><pre>QQDownload.exe</pre><pre>EXCEPTION_FLT_INVALID_OPERATION</pre><pre>EXCEPTION_FLT_DENORMAL_OPERAND</pre><pre>(%d,%d,%d,%d)</pre><pre>0xX<unknown module>:</unknown></pre><pre>%s::x;</pre><pre>0xX[%X] %s:</pre><pre>%s::x</pre><pre>Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not permitted</pre><pre>c:\downloadplugin\tencentdl_v122\output\release\Tencentdl.pdb</pre><pre>HttpQueryInfoW</pre><pre>HttpEndRequestW</pre><pre>HttpSendRequestExW</pre><pre>HttpAddRequestHeadersW</pre><pre>HttpOpenRequestW</pre><pre>WININET.dll</pre><pre>GetProcessHeap</pre><pre>CreateIoCompletionPort</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegDeleteKeyW</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExW</pre><pre>RegOpenKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegEnumKeyExW</pre><pre>RegOpenKeyW</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>SHLWAPI.dll</pre><pre>COMCTL32.dll</pre><pre>WS2_32.dll</pre><pre>VERSION.dll</pre><pre>NetWkstaTransportEnum</pre><pre>NETAPI32.dll</pre><pre>PSAPI.DLL</pre><pre>imagehlp.dll</pre><pre>zcÁ</pre><pre>'DownloadProxy.EXE'</pre><pre>DownloadProxy.Downloader.1 = s 'Downloader Class'</pre><pre>CLSID = s '{70DE12EA-79F4-46bc-9812-86DB50A2FD64}'</pre><pre>DownloadProxy.Downloader = s 'Downloader Class'</pre><pre>CurVer = s 'DownloadProxy.Downloader.1'</pre><pre>ForceRemove {70DE12EA-79F4-46bc-9812-86DB50A2FD64} = s 'Downloader Class'</pre><pre>ProgID = s 'DownloadProxy.Downloader.1'</pre><pre>VersionIndependentProgID = s 'DownloadProxy.Downloader'</pre><pre>'TypeLib' = s '{DA624F8F-98BF-4B03-AD11-A12D07119E81}'</pre><pre>stdole2.tlbWWW</pre><pre>cuiMsgTypeWWW</pre><pre>pMsgParamWWWd</pre><pre>6|pTaskUrl</pre><pre>Created by MIDL version 6.00.0366 at Thu Oct 11 11:26:38 2012</pre><pre>&UU*&&&&&&&&*UU(%%%%%%%%(UU)%%%%%%%%)UU.$$$$$$$$.UU1''''''''1UU</pre><pre>"7,,11,,7"</pre><pre>2222222222222222</pre><pre>11///20.</pre><pre>##!!! !!!##</pre><pre>.02///11</pre><pre>mM............................................................Mm</pre><pre>mM..........................................Mm</pre><pre>(((((((JgT..TgJ(((((((</pre><pre>$D>".PH'8xU</pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>TNProxy.dll</pre><pre>qqdownload_config.xml</pre><pre>dlcore.dll</pre><pre>\tencentdl.exe</pre><pre>{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}</pre><pre>CLSID\%s\LocalServer32</pre><pre>{%X-%X-%X-%X-%X%X}</pre><pre>B.tlb</pre><pre>Mscoree.dll</pre><pre>DownloadProxy.Downloader.1</pre><pre>\Tencentdl.exe</pre><pre>\Installlog.txt</pre><pre>\DownloadProxyPS.dll</pre><pre>\extract.dll</pre><pre>\tnproxy.dll</pre><pre>\dlcore.dll</pre><pre>regsvr32.exe</pre><pre>Kernel32.dll</pre><pre>Extract.dll</pre><pre>C\StringFileInfo\xx\</pre><pre>netsh.exe</pre><pre>\\.\PhysicalDrive%d</pre><pre>\\.\Scsi%d:</pre><pre>oiphlpapi.dll</pre><pre>nM-%.2d-%.2d %.2d:%.2d:%.2d</pre><pre>Unknown ProcessID. PID = %d</pre><pre>No pid option found in CmdLine</pre><pre>Content-Length: %d</pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>\downloadproxyps.dll</pre><pre>oInstallInfo.xml</pre><pre>\Global.db</pre><pre>PQD_Temp_Exe</pre><pre>%*.*f</pre><pre>Tencentdl.exe</pre><pre>: %s/s</pre><pre>%s: %s</pre><pre>\TDConfig.ini</pre><pre>H\set.log</pre><pre>c:\program files\common files\tencent\qqdownload\122\tencentdl.exe</pre><pre>(1-10240)</pre><pre>1, 0, 122, 3</pre><b>ÊÖ»úºäÕ¨»ú.exe_652_rwx_10028000_00015000:</b><pre>msctls_hotkey32</pre><pre>TVCLHotKey</pre><pre>THotKey</pre><pre>\skinh.she</pre><pre>}uo,x6l5k%x-l h</pre><pre>9p%s m)t4`#b</pre><pre>e"m?c&y1`Ð<</pre><pre>SetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>SetWindowsHookExA</pre><pre>UnhookWindowsHookEx</pre><pre>EnumThreadWindows</pre><pre>EnumChildWindows</pre><pre>`c%US.4/</pre><pre>!#$<#$#=</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.UPX0</pre><pre>`.UPX1</pre><pre>`.reloc</pre><pre>hJK.ZH</pre><pre>O.qt0</pre><b>KNBCenter.exe_1240:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>D$@j.Xf</pre><pre>j.Yf;</pre><pre>_tcPVj@</pre><pre>.PjRW</pre><pre>user.js</pre><pre>ERROR_REPORT</pre><pre>PlatformFile.UnknownErrors.Windows</pre><pre>Histogram: %s recorded %d samples</pre><pre>(flags = 0x%x)</pre><pre>(%d = %3.1f%%)</pre><pre>CHROME_PROFILER_TIME</pre><pre>Unsupported encoding. JSON must be UTF-8.</pre><pre>Dictionary keys must be quoted.</pre><pre>full-memory-crash-report</pre><pre>USER32.dll</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>function not supported</pre><pre>operation canceled</pre><pre>address_family_not_supported</pre><pre>operation_in_progress</pre><pre>operation_not_supported</pre><pre>protocol_not_supported</pre><pre>operation_would_block</pre><pre>address family not supported</pre><pre>broken pipe</pre><pre>inappropriate io control operation</pre><pre>not supported</pre><pre>operation in progress</pre><pre>operation not permitted</pre><pre>operation not supported</pre><pre>operation would block</pre><pre>protocol not supported</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>liebao.exe</pre><pre>Src\kbsevMain.cpp</pre><pre>RegOpenKeyTransactedW</pre><pre>chrome.dll</pre><pre>breakpad_win_crash_service_knbcenter.cpp</pre><pre>pipe name is</pre><pre>ieframe.dll</pre><pre>hlink.dll</pre><pre>urlmon.dll</pre><pre>wininet.dll</pre><pre>mpr.dll</pre><pre>msls31.dll</pre><pre>oleaut32.dll</pre><pre>xmllite.dll</pre><pre>d2d1.dll</pre><pre>dxgi.dll</pre><pre>dnsapi.dll</pre><pre>d3d9.dll</pre><pre>avrt.dll</pre><pre>mf.dll</pre><pre>mfplat.dll</pre><pre>mfreadwrite.dll</pre><pre>msdmo.dll</pre><pre>authz.dll</pre><pre>msacm32.dll</pre><pre>setupapi.dll</pre><pre>evr.dll</pre><pre>avifil32.dll</pre><pre>wmdrmsdk.dll</pre><pre>\liebao\User Data\liebao.log</pre><pre>4.5.34.6725</pre><pre>report_dump_file</pre><pre>lXXxXXXXXXXX</pre><pre>http://dump.upload.duba.net/DumpFileUploader/duba_dump/__utm.gif</pre><pre>c:\liebao_src_pool\release.branch_34\src\security\tmp\Release\knbcenter\dbginfo\knbcenter.pdb</pre><pre>VERSION.dll</pre><pre>PSAPI.DLL</pre><pre>WaitNamedPipeW</pre><pre>TransactNamedPipe</pre><pre>SetNamedPipeHandleState</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeW</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegCloseKey</pre><pre>ADVAPI32.dll</pre><pre>SHLWAPI.dll</pre><pre>WTSAPI32.dll</pre><pre>USERENV.dll</pre><pre>WINMM.dll</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>zcÁ</pre><pre>%Program Files%\liebao\4.5.34.6725\KNBCenter.exe</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false" /></pre><pre>;#;'; ;/;3;7; <</pre><pre>1"1&1*1.12161:1</pre><pre>024282<2</pre><pre>; ;@;`;|;</pre><pre>0 0004080<0@0</pre><pre>4 4$40484<4</pre><pre>debug.log</pre><pre>.\debug.log</pre><pre>debug_message.exe</pre><pre>\StringFileInfo\xx\%ls</pre><pre>kernel32.dll</pre><pre>Chrome_MessagePumpWindow_%p</pre><pre>Emscoree.dll</pre><pre>- CRT not initialized</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- floating point support not loaded</pre><pre>portuguese-brazilian</pre><pre>USER32.DLL</pre><pre>LIEBAO_EXE_PATH</pre><pre>CHROME_DLL_PATH</pre><pre>KNBCenter.exe</pre><pre>knbctrl.dll</pre><pre>kBrowserUpgrade2.dll</pre><pre>ksapi.dll</pre><pre>Local\LBKSINIT_{DE37097C-AC19-4513-9D64-E2E3D51676AE}</pre><pre>knbcenter.log</pre><pre>rknbpolicy.dll</pre><pre>\kmsgsvc.dll</pre><pre>Advapi32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\%s</pre><pre>%d.%d.%d.%d</pre><pre>FLT_DENORMAL_OPERAND</pre><pre>FLT_INVALID_OPERATION</pre><pre>gcswf32.dll</pre><pre>\liebao\User Data\report.ini</pre><pre>report</pre><pre>cmdline</pre><pre>DumpKey</pre><pre>\kdumprep.exe"</pre><pre>https://clients2.google.com/cr/report</pre><pre>1441792</pre><pre>Breakpad/1.0 (Windows)</pre><pre>\\.\pipe\LiebaoCrashServices_SecSvr</pre><pre>dbghelp.dll</pre><pre>rpcrt4.dll</pre><pre>%s\%s.dmp</pre><pre>ddddddd</pre><pre>CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}</pre><pre>CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}</pre><pre>x-x-x-xx-xxxxxx</pre><pre>/browser_version "4.5.34.6725"</pre><pre>%s\*.dmp</pre><pre>Data\kxecolbd.dat</pre><pre>%s%d\</pre><pre>Windows</pre><pre>Liebao\Crash Reports</pre><pre>verifier.dll</pre><pre>-full.dmp</pre><pre>knbcenter.dll</pre></pre></pre></pre></pre></y%d></pre></pre></pre></pre></a%2></pre></O%c></pre></n></pre></i6></pre></pre></pre></pre></pre></y%d></pre></pre>

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps

Related articles