Dropped.Trojan.Generic.20281016_a44df22c09

by malwarelabrobot on May 17th, 2017 in Malware Descriptions.

Dropped:Trojan.Generic.20281016 (BitDefender), Trojan:Win32/Dynamer!ac (Microsoft), Backdoor.Win32.Androm.mnkv (Kaspersky), Trojan.Siggen6.63994 (DrWeb), Dropped:Trojan.Generic.20281016 (B) (Emsisoft), Artemis!A44DF22C098D (McAfee), ML.Attribute.HighConfidence (Symantec), Dropped:Trojan.Generic.20281016 (FSecure), Atros4.BUDI.dropper (AVG), Win32:Malware-gen (Avast), HT_FLYSTUDIO_GD240034.UVPM (TrendMicro), Dropped:Trojan.Generic.20281016 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, EmailWorm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a44df22c098d2e424f7fc81d371327d7
SHA1: c1e2bcc37ffcf9c374ab0f5471fc154f4e2341d4
SHA256: ff9a4eab0574dc63b89ae2b40487da65b507907b72b546a08f9b13600a6707b4
SSDeep: 49152:6wPcDMe0FNDMTswr92yjAdxD uYRUAiuoaG:lP8Me0fMA0UyjAdxD nqS
Size: 2400256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-01-15 22:22:06
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):

WerFault.exe:2288
%original file name%.exe:2956
CDM.exe:264

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\CDM.exe (1810 bytes)
C:\%original file name%.exe (16158 bytes)

The process CDM.exe:264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W2K8EVQ2.txt (109 bytes)
C:\CDM.exe (6841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dlldy[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dlldy[1].htm (42 bytes)
C:\Proxy.dll (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\gengxin[1].htm (232 bytes)

Registry activity

The process WerFault.exe:2288 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "FD 00 00 C0 00 00 00 00 00 00 00 00 D7 59 49 00"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process %original file name%.exe:2956 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\a44df22c098d2e424f7fc81d371327d7_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process CDM.exe:264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASMANCS]
"ConsoleTracingMask" = "4294901760"

"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\CDM_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ÎÒµÄÆô¶¯Ïî" = "C:\CDM.exe"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
04fb66508e8fbfa25d50fcfe3929be84 c:\CDM.exe
beb1ea045490ba658f11b9f564e50068 c:\CDM.exe.bak
65eca73f39f1c9d671519035e0585314 c:\Proxy.dll
ea5ff425e0f6798bb981216fbf90a51d c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 686982 688128 4.52934 4baa35d8013e0178839c34b3706c1200
.rdata 692224 1085098 1085440 4.25681 9c9475af0aeffa6c70a0310060ee77ad
.data 1777664 363912 106496 3.65446 534e0dfb12fe425c6d5957bfc67c4405
.rsrc 2142208 94420 98304 3.62674 9f6d5518b0bcabefd81cd94237b0fd08
.bak 2240512 6403 8192 4.38113 4eb3f35c8bf55823feb258ef493c0849
.bak 2248704 6403 8192 4.37507 7a0b8d43cfcdd0b346898197f1cc0b68
.bak 2256896 6403 8192 4.40826 c4c732ab5a318c6039e5babf1016a0b9
.bak 2265088 6403 8192 4.39516 7d90b9376b771ebe2e18ea04eeef2da0
.bak 2273280 6403 8192 4.40941 f3a6a21cf8a6915bf1414daabf1436db
.bak 2281472 6403 8192 4.32451 6327d4ac0975cfc2cb9126f5e722e11e
.bak 2289664 6403 8192 4.38369 11868f342ad19f03e2964f5c63de6a4c
.bak 2297856 6403 8192 4.40462 a2b1ca2532daa29f039dbdee7422dd46
.bak 2306048 6403 8192 4.33146 1e5c99ee9cbca3f197b0e1c5bbf46e4e
.bak 2314240 6403 8192 4.41334 59dc7a5e1b4d7afa753de9acd13a61e3
.bak 2322432 6403 8192 4.35977 01aae6158fbebaf9410e5ebfc4aed164
.bak 2330624 6403 8192 4.29377 d8029b4ad637c3172d4a486f439a3430
.bak 2338816 6403 8192 4.36712 c674cde4bafe27312891fb1e02a965c3
.bak 2347008 6403 8192 4.40381 16eeb5bff577478403deb5ff53026b0d
.bak 2355200 6403 8192 4.40262 c1837c80162fbb8aac38d5d35de52b59
.bak 2363392 6403 8192 4.39975 facd56c3fda10c87aab7ce2241166cfa
.bak 2371584 6403 8192 4.36125 13e9a4827d0a8fdfe191282b519661dd
.bak 2379776 6403 8192 4.3845 d8c01ebb01fd80b3889186c86e15d647
.bak 2387968 6403 8192 4.37363 fe7a22fbdf4cc1fe06b64d5a322b75d7
.bak 2396160 6403 8192 4.39039 9751a79b58c9ef503ccb1180f54d3991
.bak 2404352 6403 8192 4.40671 4d16a99a01b997fc5c534aa1af0e85f5
.bak 2412544 6403 8192 4.36217 cf90f784da78545d4f2e66d1e4d355be
.bak 2420736 6403 8192 4.3897 b5ae8dc650df0600c4cf48cf152e90fc
.bak 2428928 6403 8192 4.39471 630e10ce48a5bb80948684bff0093c0a
.bak 2437120 6403 8192 4.39011 2e223f2f6a5bd87f867ad23b5631fda4
.bak 2445312 6403 8192 4.35558 4833cf89f70ac9a1ad5acfe7875f2222
.bak 2453504 6403 8192 4.30352 878a30e724a68f6f207c6b0b333374dd
.bak 2461696 6403 8192 4.35721 6fce5ae996cf2c1b02a949e8297dbb34
.bak 2469888 6403 8192 4.39586 4f776ad5e904560b7b1beba74eb42aa2
.bak 2478080 6403 8192 4.34614 789d622c3f632a0b34737a8e68c508a9
.bak 2486272 6403 8192 4.41374 1b52151f5e7dfbcd35e25c8bfcf24b33
.bak 2494464 6403 8192 4.33752 0e052cf915bf233a70cf71977d14a020
.bak 2502656 6403 8192 4.33453 49b43ccc24714bcb89c97b1ab2ea35ba
.bak 2510848 6403 8192 4.36256 ff56a9b4e6dd17810a331699457eced2
.bak 2519040 6403 8192 4.39543 30ebbcd4bf4ae45ee4966a81460be0e9
.bak 2527232 6403 8192 4.37961 1f374ccac86a0d4061271aaf7b72f889
.bak 2535424 6403 8192 4.39373 9fbe75c1843fbc1e33cbbbec53059049
.bak 2543616 6403 8192 4.38681 f533136265bec1c9529022764f477b87
.bak 2551808 6403 8192 4.40418 46e39545b5578e848a576a75ae426f6d
.bak 2560000 6403 8192 4.3933 9cd3444587310abeb309d35bc99f3275
.bak 2568192 6403 8192 4.41648 19c28bb84df067d25595ec7f7c6d7c3d
.bak 2576384 6403 8192 4.39337 2bb4214af4bb4d6fd5aa53c3f70d844f
.bak 2584576 6403 8192 4.42723 47d70604abb22a4330b5f1daf84e660d
.bak 2592768 6403 8192 4.40041 c1d29c684b207b1279505b3109940b40
.bak 2600960 6403 8192 4.35812 f02bc1c516dda2eb650f5aa3e4678c4a
.bak 2609152 6403 8192 4.36857 f87127e63b944e26240d14d62937f9e9
.bak 2617344 6403 8192 4.41511 f498446dfae80da9a13b4a3bf5c9941e
.bak 2625536 6403 8192 4.36551 2bf8cbf8acd9c04ceefa96b13b24753b
.bak 2633728 6403 8192 4.35017 7873619523a31c4642851de759150714
.bak 2641920 6403 8192 4.38499 03bee09979133841fffbd8429fc852b9
.bak 2650112 6403 8192 4.42283 47fdbe72a68a6843dcbd0c6656432c20

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://rj.xie6.cn/gengxin.asp?id=845&bs=MAYI&_r=32024 162.159.210.13
hxxp://120.24.185.26/yixiuge/xxl.txt
hxxp://rj.xie6.cn/dlldy.asp?cz=hqfwq&bs=MAYI 162.159.210.13
hxxp://rj.xie6.cn/dlldy.asp?cz=hqzjip 162.159.210.13
dns.msftncsi.com 131.107.255.255
hi.baidu.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /yixiuge/xxl.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 120.24.185.26
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 16 May 2017 00:03:49 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Vary: Accept-Encoding
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>..<!-- a padding to disable
 MSIE and Chrome friendly error page -->..<!-- a padding to disa
ble MSIE and Chrome friendly error page -->..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 4
04 Not Found..Server: nginx..Date: Tue, 16 May 2017 00:03:49 GMT..Cont
ent-Type: text/html..Content-Length: 564..Connection: keep-alive..Vary
: Accept-Encoding..<html>..<head><title>404 Not Foun
d</title></head>..<body bgcolor="white">..<center
><h1>404 Not Found</h1></center>..<hr><c
enter>nginx</center>..</body>..</html>..<!-- a
 padding to disable MSIE and Chrome friendly error page -->..<!-
- a padding to disable MSIE and Chrome friendly error page -->..<
;!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->
;..<!-- a padding to disable MSIE and Chrome friendly error page --
>..<!-- a padding to disable MSIE and Chrome friendly error 
<<< skipped >>>


GET /yixiuge/xxl.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 120.24.185.26
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 16 May 2017 00:03:45 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Vary: Accept-Encoding
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>..<!-- a padding to disable
 MSIE and Chrome friendly error page -->..<!-- a padding to disa
ble MSIE and Chrome friendly error page -->..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 4
04 Not Found..Server: nginx..Date: Tue, 16 May 2017 00:03:45 GMT..Cont
ent-Type: text/html..Content-Length: 564..Connection: keep-alive..Vary
: Accept-Encoding..<html>..<head><title>404 Not Foun
d</title></head>..<body bgcolor="white">..<center
><h1>404 Not Found</h1></center>..<hr><c
enter>nginx</center>..</body>..</html>..<!-- a
 padding to disable MSIE and Chrome friendly error page -->..<!-
- a padding to disable MSIE and Chrome friendly error page -->..<
;!-- a padding to disable MSIE and Chrome friendly error page -->..
<!-- a padding to disable MSIE and Chrome friendly error page -->
;..<!-- a padding to disable MSIE and Chrome friendly error page --
>..<!-- a padding to disable MSIE and Chrome friendly error 
<<< skipped >>>


GET /gengxin.asp?id=845&bs=MAYI&_r=32024 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: rj.xie6.cn


HTTP/1.1 200 OK
Date: Tue, 16 May 2017 00:03:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dd1f6e0c9316ca2c139ab7f516e5a82711494893010; expires=Wed, 16-May-18 00:03:30 GMT; path=/; domain=.xie6.cn; HttpOnly
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASPSESSIONIDCCRDDBAD=DHHMCHPABEEDJLIIECFKMKEE; path=/
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35fa1300d4e84f4a-DME
e8..416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D2
5D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD686718
DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD6267
67DD686618D8156710DD636611..0..HTTP/1.1 200 OK..Date: Tue, 16 May 2017
 00:03:30 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Co
nnection: keep-alive..Set-Cookie: __cfduid=dd1f6e0c9316ca2c139ab7f516e
5a82711494893010; expires=Wed, 16-May-18 00:03:30 GMT; path=/; domain=
.xie6.cn; HttpOnly..Cache-Control: private..Vary: Accept-Encoding..Set
-Cookie: ASPSESSIONIDCCRDDBAD=DHHMCHPABEEDJLIIECFKMKEE; path=/..X-Powe
red-By: ASP.NET..Server: yunjiasu-nginx..CF-RAY: 35fa1300d4e84f4a-DME.
.e8..416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D
25D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD68671
8DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD626
767DD686618D8156710DD636611..0......


GET /dlldy.asp?cz=hqfwq&bs=MAYI HTTP/1.1


Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: 13290
Host: rj.xie6.cn
Cookie: __cfduid=dd1f6e0c9316ca2c139ab7f516e5a82711494893010; ASPSESSIONIDCCRDDBAD=DHHMCHPABEEDJLIIECFKMKEE


HTTP/1.1 200 OK
Date: Tue, 16 May 2017 00:03:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASPSESSIONIDCCQBBCCD=JALOLFABNNKEACMIGPBPHHFC; path=/
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35fa130fd26d4f4a-DME
2a..ok:222.186.21.71:5300|222.186.34.252:5000|..0......


GET /dlldy.asp?cz=hqzjip HTTP/1.1


Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: rj.xie6.cn
Cookie: __cfduid=dd1f6e0c9316ca2c139ab7f516e5a82711494893010; ASPSESSIONIDCCRDDBAD=DHHMCHPABEEDJLIIECFKMKEE; ASPSESSIONIDCCQBBCCD=JALOLFABNNKEACMIGPBPHHFC


HTTP/1.1 200 OK
Date: Tue, 16 May 2017 00:03:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35fa131463ed4f4a-DME
11..ip:194.242.96.218..0..HTTP/1.1 200 OK..Date: Tue, 16 May 2017 00:0
3:33 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connect
ion: keep-alive..Cache-Control: private..Vary: Accept-Encoding..X-Powe
red-By: ASP.NET..Server: yunjiasu-nginx..CF-RAY: 35fa131463ed4f4a-DME.
.11..ip:194.242.96.218..0..

The Dropped connects to the servers at the folowing location(s):

%original file name%.exe_2956:

.text
`.rdata
@.data
.rsrc
@.bak
t$(SSh
~%UVW
u$SShe
Av=kAv.SCv
user32.dll
gdiplus.dll
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
hXXp://120.24.185.26/yixiuge/xxl.txt
Proxy.dll
Kernel32.dll
kernel32.dll
\CDM.exe
software\microsoft\windows\CurrentVersion\Run\
\Proxy.dll
@.reloc
f9z.vk
__MSVCRT_HEAP_SELECT
CreateIoCompletionPort
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
GDI32.dll
ADVAPI32.dll
ole32.dll
WS2_32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
OLEAUT32.dll
WINMM.dll
GetCPInfo
proxy_AA555.dll
8@HNetCfg.FwMgr
hXXps://
hXXp://
https
http:
Client: VVV.xie6.cn
https:
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/gengxin.asp?id=
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
@/dlldy.asp?cz=hqfwq&bs=MAYI
/dlldy.asp?cz=hqzjip
4@0.0.0.0
<@WinINet.dll
ws2_32.dll
urlmon
URLDownloadToFileA
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
zcÁ
7!8 808:8
0#0 040=0
5$5(5,5054585<5@5
$0004080
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADC:\CDM.exe
VVV.168guaji.com
1.2.18
F%*.*f
MSWHEEL_ROLLMSG
MSVFW32.dll
AVIFIL32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
c:\%original file name%.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
%S'vSG$wL"'vHN0rH&<
F.VnQ2
f.La1}ONz.
,vPK85\K82EV$rME5jMI:1\K8%U
aqt%v(1!gjezjf|9.sa%n{r4v{~;-jy!o~:-o~=4rb}<ase<m|>-o~*$?"?l.8>
.yyh"
z$5."$%X{}zGx%}//v~
&.dUz;,D`:?S;(%Fr
".dUz;-D/{8
9.dUz; D/{.
8<(&8=):
.vcH~
:j%c;n
.Sz~XGy
!H}~JJ:$GMldAN:$/.adACe~/-bsGC{%
%uPZW
%uN|-
O:J%S2
qvyB4>~b.pr]i.6
tT.zc
&nfY.}wA.qx
d.eMD
mdS%sfG
`{LxE%s
..skt
ZzY[.UQ
z_[.UQ
.PIZ(
AUrl/ 
Up0%xs
>httpu
hTTP/h
hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
baidu.com
1.6.2.1
(*.*)
1.0.0.0
(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2956_rwx_00687000_00002000:

>httpu
hTTP/h
hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
baidu.com

CDM.exe_264:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Bv.SCv
Proxy.dll
Kernel32.dll
kernel32.dll
user32.dll
gdiplus.dll
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
\CDM.exe
software\microsoft\windows\CurrentVersion\Run\
\Proxy.dll
@.reloc
f9z.vk
__MSVCRT_HEAP_SELECT
CreateIoCompletionPort
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
GDI32.dll
ADVAPI32.dll
ole32.dll
WS2_32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
OLEAUT32.dll
WINMM.dll
GetCPInfo
proxy_AA555.dll
8@HNetCfg.FwMgr
hXXps://
hXXp://
https
http:
Client: VVV.xie6.cn
https:
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/gengxin.asp?id=
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
@/dlldy.asp?cz=hqfwq&bs=MAYI
/dlldy.asp?cz=hqzjip
4@0.0.0.0
<@WinINet.dll
ws2_32.dll
urlmon
URLDownloadToFileA
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
zcÁ
7!8 808:8
0#0 040=0
5$5(5,5054585<5@5
$0004080
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
C:\CDM.exe
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
1.6.2.1
(*.*)
1.0.0.0
(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2956_rwx_02060000_00002000:

>httpu
hTTP/h
hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
baidu.com

CDM.exe_264_rwx_014C0000_00002000:

>httpu
hTTP/h
hXXp://hi.baidu.com/aegifjftrggluze/item/be185dc989cae4f4984aa0df
baidu.com

svchost.exe_3616:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

WerFault.exe_2288:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
.Ew;AEwNDEw
Dw.AEw
CBv.TBv7
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<
t.PSj6
t5SSh
SShx`
tsShxc
t.Ph0j
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{5
3#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\CDM.exe (1810 bytes)
    C:\%original file name%.exe (16158 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W2K8EVQ2.txt (109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dlldy[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dlldy[1].htm (42 bytes)
    C:\Proxy.dll (326 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\gengxin[1].htm (232 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ÎÒµÄÆô¶¯Ïî" = "C:\CDM.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now