Dropped.Trojan.GenericKD.4529132_a3e587bd01

Dropped:Trojan.GenericKD.4529132 (BitDefender), Trojan:Win32/Dorv.A (Microsoft), Backdoor.Win32.Hupigon.uvzu (Kaspersky), BackDoor.Pigeon1.10442 (DrWeb), Dropped:Trojan.GenericKD.4529132 (B) (Emsisoft...
Blog rating:1 out of5 with1 ratings

Dropped.Trojan.GenericKD.4529132_a3e587bd01

by malwarelabrobot on April 12th, 2017 in Malware Descriptions.

Dropped:Trojan.GenericKD.4529132 (BitDefender), Trojan:Win32/Dorv.A (Microsoft), Backdoor.Win32.Hupigon.uvzu (Kaspersky), BackDoor.Pigeon1.10442 (DrWeb), Dropped:Trojan.GenericKD.4529132 (B) (Emsisoft), Artemis!A3E587BD01CB (McAfee), Trojan.Gen.6 (Symantec), Dropped:Trojan.GenericKD.4529132 (FSecure), BackDoor.Hupigon6.OKT.dropper (AVG), Win32:Malware-gen (Avast), Dropped:Trojan.GenericKD.4529132 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a3e587bd01cb7dc6e84e8ad3ac51eebd
SHA1: 8a50763ce87bc11de5f133d997a3a541bc1a3baa
SHA256: 0b85a149cd706daf1246529d67143ab613e2fea3849d69250a016b5466d5ef99
SSDeep: 49152:1 DdIwXu3MRYJurnYqbF3t5OxLb4wb9nLq4kyKGSeYkzPv0:wDCcRY7qbF3t5OZbdNLqkKGSenX0
Size: 1969152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: iTorrent LLC
Created at: 2016-09-20 00:27:44
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

kss.txt:2084

The Dropped injects its code into the following process(es):

QQ.exe:3904
%original file name%.exe:4008

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process kss.txt:2084 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\QQ.exe (7482 bytes)

The process %original file name%.exe:4008 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\¹¤³Ìʦ.dll (244 bytes)
C:\ÒôÀÖ.mp3 (212 bytes)
C:\kss.txt (50 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)

The Dropped deletes the following file(s):

C:\¹¤³Ìʦ.dll (0 bytes)

Registry activity

The process kss.txt:2084 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qq" = "%Program Files%\QQ.exe"

The process %original file name%.exe:4008 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"FileName" = "C:\Windows\system32\ESPI11.dll"
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1012" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1014" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

Dropped PE files

MD5 File path
13598cad23c44d6181e4537929398c5f c:\Program Files\QQ.exe
b4c2caaa15d4e505ad2858ab15eafb58 c:\Windows\System32\ESPI11.dll
13598cad23c44d6181e4537929398c5f c:\kss.txt

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: CF??? 0920A
Product Name: CF??? 0920A
Product Version: 1.0.0.0
Legal Copyright: CF??? 0920A
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: CF??? 0920A
Comments: CF??? 0920A
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1224704 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1228800 1880064 1879552 5.43835 2f1bfb2d4c94e5312b5626d37d702911
.rsrc 3108864 90112 88576 2.70845 9228b0446c18b7f8d691a9c20cb91c3e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
ailinya.f3322.net 14.210.28.70
teredo.ipv6.microsoft.com 157.56.106.189
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Dropped connects to the servers at the folowing location(s):

%original file name%.exe_4008:

`.rsrc
~`Crt
t$(SSh
~%UVW
u$SShe
ws2_32.dll
kernel32.dll
crossfire.exe.
crossfire.exe
0026000
0000000001
0000030000
0000040000
0000340000
0000260000
0000300000
0000690000
0000790000
47455420
00011800
52415306
101.226.129.226
111.13.34.161
117.175.94.107
117.144.243.160
111.13.34.162
120.198.201.236
101.226.76.210
183.232.125.226
61.151.186.35
115.25.209.123
101.226.68.38
117.144.245.229
101.227.130.43
687474703A2F2F67616D65736166652E71712E636F6D*hXXp://gamesafe.qq.com
rez@qq.com:9921817579981
(%d, %d, %d)
(hXXp://gamesafe.qq.com)
2573A3AC2573A3AC2573A3A120202020BBF2D6D8D7B0D3CECFB7BFCDBBA7B6CB20202020C7EBBBF1C8A1D5FDC8B7CEC4BCFEBDF8D0D0CCE6BBBB*%s
Tenslx.dat
.text
`.rdata
@.data
.inidata
.rsrc
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
COMCTL32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
<0=4=8=<=
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU(
{D.TypH
J#sSh
P.zgCP
(V.JX9
W03%d
iMSG
D.Nv,
==B.bmI5
iI<.bN
.pf``j
Y1.nD
U%Dna
{<*Kr.hEv
S"sSh
SC.nH
@*&4".'>1
Ox.Ts
dZ.bK7
%URwY
Jv?.aJ
'D.jI
%5s8*
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
q5.IPF
%C>iE
I.IH1
=Ê$K
2008-12-09
.idata
.rdata
P.reloc
P.vmp0
.vmp1
fvkeY
J.yB*[J
A*.FS
shell32.dll
d[imagehlp.dll
.blT[
Doleaut32.dll
quartz.dll
.Vpy}
5%uri
wininet.dll
winmm.dll
wsock32.dll
U.RLaK
UcmD
y%U>db
SJ.LJ
t*.Yd
.rD}hxx:R4
z%Sc{V
H.CWjS[
\%x]P
}.pwq
a.wby;M
.SXZ?35S
_%uoN
z.Hdm
&).Vi
Y.Sg)
$.Gc^
%se2O"'
.rD{hx
-Vz}v
.iYV]^
.wKp~
gdi32.dll
.Ox#/
G~.hl
Uk{URLMON.DLL
DeleteUrlCacheEntry
version.dll
N-`%C
dKO%X
u.sJP
URLDownloadToFileA
%.WqI
rasapi32.dll
Dmpr.dll
eole32.dll
mx.Ll
Hadvapi32.dll
comctl32.dll
%DY),
.Oz;G
B32.zO
D_W.RK
navicap32.dll
oT.xP
.hSQZ
W!.YM
Jy-5E}*
EmSG
f0.OSK8[k
'.CAM
.ndu}
S.jh(M4m
HSM%S
,bw.dL"
u5.aH
.tSZ:Tz/
.OSAs
*[%dtV
#wO-g.ef
.sqsmY
U#.AN:7'
'<%.wH
$0**,-.0%
7(-6( 6(
<requestedExecutionLevel level="requireAdministrator"/>
kss.txt
0.0.0.0
@ws2_32.dll
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUz
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
c:\%original file name%.exe
WinExec
GetProcessHeap
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
RegOpenKeyA
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
CreateDialogIndirectParamA
#include "l.chs\afxres.rc" // Standard components
KERNEL32.DLL
ole32.dll
OLEAUT32.dll
WINMM.dll
(2004-2010)
hXXp://VVV.eyuyan.com
1>@80:;"
.UvvK
8.5.18600.0
(*.*)
1.0.0.0

%original file name%.exe_4008_rwx_00401000_002F5000:

t$(SSh
~%UVW
u$SShe
ws2_32.dll
kernel32.dll
crossfire.exe.
crossfire.exe
0026000
0000000001
0000030000
0000040000
0000340000
0000260000
0000300000
0000690000
0000790000
47455420
00011800
52415306
101.226.129.226
111.13.34.161
117.175.94.107
117.144.243.160
111.13.34.162
120.198.201.236
101.226.76.210
183.232.125.226
61.151.186.35
115.25.209.123
101.226.68.38
117.144.245.229
101.227.130.43
687474703A2F2F67616D65736166652E71712E636F6D*hXXp://gamesafe.qq.com
rez@qq.com:9921817579981
(%d, %d, %d)
(hXXp://gamesafe.qq.com)
2573A3AC2573A3AC2573A3A120202020BBF2D6D8D7B0D3CECFB7BFCDBBA7B6CB20202020C7EBBBF1C8A1D5FDC8B7CEC4BCFEBDF8D0D0CCE6BBBB*%s
Tenslx.dat
.text
`.rdata
@.data
.inidata
.rsrc
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
COMCTL32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
<0=4=8=<=
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU(
{D.TypH
J#sSh
P.zgCP
(V.JX9
W03%d
iMSG
D.Nv,
==B.bmI5
iI<.bN
.pf``j
Y1.nD
U%Dna
{<*Kr.hEv
S"sSh
SC.nH
@*&4".'>1
Ox.Ts
dZ.bK7
%URwY
Jv?.aJ
'D.jI
%5s8*
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
q5.IPF
%C>iE
I.IH1
=Ê$K
2008-12-09
.idata
.rdata
P.reloc
P.vmp0
.vmp1
fvkeY
J.yB*[J
A*.FS
shell32.dll
d[imagehlp.dll
.blT[
Doleaut32.dll
quartz.dll
.Vpy}
5%uri
wininet.dll
winmm.dll
wsock32.dll
U.RLaK
UcmD
y%U>db
SJ.LJ
t*.Yd
.rD}hxx:R4
z%Sc{V
H.CWjS[
\%x]P
}.pwq
a.wby;M
.SXZ?35S
_%uoN
z.Hdm
&).Vi
Y.Sg)
$.Gc^
%se2O"'
.rD{hx
-Vz}v
.iYV]^
.wKp~
gdi32.dll
.Ox#/
G~.hl
Uk{URLMON.DLL
DeleteUrlCacheEntry
version.dll
N-`%C
dKO%X
u.sJP
URLDownloadToFileA
%.WqI
rasapi32.dll
Dmpr.dll
eole32.dll
mx.Ll
Hadvapi32.dll
comctl32.dll
%DY),
.Oz;G
B32.zO
D_W.RK
navicap32.dll
oT.xP
.hSQZ
W!.YM
Jy-5E}*
EmSG
f0.OSK8[k
'.CAM
.ndu}
S.jh(M4m
HSM%S
,bw.dL"
u5.aH
.tSZ:Tz/
.OSAs
*[%dtV
#wO-g.ef
.sqsmY
U#.AN:7'
'<%.wH
$0**,-.0%
7(-6( 6(
<requestedExecutionLevel level="requireAdministrator"/>
kss.txt
0.0.0.0
@ws2_32.dll
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUz
LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
c:\%original file name%.exe
WinExec
GetProcessHeap
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
RegOpenKeyA
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
CreateDialogIndirectParamA
(2004-2010)
hXXp://VVV.eyuyan.com
1>@80:;"
.UvvK
8.5.18600.0

QQ.exe_3904:

.idata
.rdata
P.reloc
P.vmp0
.vmp1
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
THintActionD%C
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
QQ.exe
ailinya.f3322.net
127.0.0.1
2016-09-19 19:17:35
%Program Files%\ie8\
iexplore.exe
ole32.dll
SourcePort
DestPort
UnitTCPIP
TCPIPORT
TCPIPORT4
ws2_32.dll
iphlpapi.dll
1.2.3
<?xml version="1.0" encoding="UNICODE"?><tree2xml app="SVCHOST.exe">
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
(The key is too long to be read.)
HKEY_DYN_DATA
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
cmd /c "
%dMB,
" WindowsPath="
" ExeShortName="
" ExeFileName="
\Software\Microsoft\Windows\CurrentVersion\uninstall
\software\microsoft\windows\currentversion\uninstall\
TRemoteShellCmdU
TtcpDDOSThread
TwebDDOSThread
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
hXXp://
advapi32.dll
cmd /c shutdown -s -f -t 0
cmd /c shutdown -r -f -t 0
Down.exe
Set objws=WScript.CreateObject("wscript.shell")
objws.Run kavpath,,true
ctfmon.exe
Move.exe
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevelL
0.0.0.0
%d.%d.%d.%d
FilterGraph %p pid %x
D:\dat_aq\DSPACK234\src\DSPack\DSUtil.pas
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStartx0I
OnDVDCMDEndL[A
OnDVDWarningFormatNotSupportedL[A
D:\dat_aq\DSPACK234\src\DSPack\DSPack.pas
FormKeyDown
Msxml2.XMLHTTP
\Program Files\Internet Explorer\iexplore.exe
ntdll.dll
Kernel32.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
192.168.48.135
h.Hxt
?E"Q:%s
/J.sw
!P.Sd
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
%Program Files%\QQ.exe
.ObgnzM
}!%X}f(
.swK/y
0h1%c
&?%dR
N%xOf
j.Ptx
.rk<H
*%cTM
6/h@#.qv
33eø
V.Ooa
HR%FS
\!%x]
-=%xJ<AM
.mWU\
@rvz.Rp
.hYhW^{}
4m.Tb
.mY/e
h-.IP
.cVu46vCQ`
.DZJs
-.scL
]Z?%s
webZcTc
6:H.QA
K.Hz[O
F7.he7E
(R%D=7
0 0<0@0`0
fvkeY
J.yB*[J
A*.FS
shell32.dll
d[imagehlp.dll
.blT[
Doleaut32.dll
quartz.dll
.Vpy}
5%uri
wininet.dll
winmm.dll
wsock32.dll
U.RLaK
UcmD
y%U>db
SJ.LJ
t*.Yd
.rD}hxx:R4
z%Sc{V
H.CWjS[
\%x]P
}.pwq
a.wby;M
.SXZ?35S
_%uoN
z.Hdm
&).Vi
Y.Sg)
$.Gc^
%se2O"'
.rD{hx
-Vz}v
.iYV]^
.wKp~
gdi32.dll
.Ox#/
G~.hl
Uk{URLMON.DLL
DeleteUrlCacheEntry
version.dll
N-`%C
dKO%X
u.sJP
user32.dll
URLDownloadToFileA
%.WqI
Dmpr.dll
eole32.dll
mx.Ll
Hadvapi32.dll
%DY),
.Oz;G
B32.zO
D_W.RK
navicap32.dll
oT.xP
.hSQZ
W!.YM
Jy-5E}*
EmSG
f0.OSK8[k
'.CAM
.ndu}
S.jh(M4m
HSM%S
,bw.dL"
u5.aH
.tSZ:Tz/
.OSAs
*[%dtV
#wO-g.ef
.sqsmY
U#.AN:7'
'<%.wH
$0**,-.0%
7(-6( 6(
<requestedExecutionLevel level="requireAdministrator"/>
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
8.5.18600.0

QQ.exe_3904_rwx_004B6000_00093000:

?E"Q:%s
/J.sw
!P.Sd
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
%Program Files%\QQ.exe
.ObgnzM
}!%X}f(
.swK/y
0h1%c
&?%dR
N%xOf
j.Ptx
.rk<H
*%cTM
6/h@#.qv
33eø
V.Ooa
HR%FS
\!%x]
-=%xJ<AM
.mWU\
@rvz.Rp
.hYhW^{}
4m.Tb
.mY/e
h-.IP
.cVu46vCQ`
.DZJs
-.scL
]Z?%s
webZcTc
6:H.QA
K.Hz[O
F7.he7E
(R%D=7
0 0<0@0`0
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

QQ.exe_3904_rwx_00553000_00001000:

wininet.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    kss.txt:2084

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Program Files%\QQ.exe (7482 bytes)
    C:\¹¤³Ìʦ.dll (244 bytes)
    C:\ÒôÀÖ.mp3 (212 bytes)
    C:\kss.txt (50 bytes)
    C:\Windows\System32\ESPI11.dll (723 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "qq" = "%Program Files%\QQ.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 1 (1 vote)


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now