Gen.Variant.Symmi.71494_2ad36360c4
Gen:Variant.Symmi.71494 (BitDefender), Trojan:WinNT/Mooqkel.A (Microsoft), Trojan.Win32.Inject.acvlc (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), DLOADER.Trojan (DrWeb), Gen:Variant.Symmi.71494 (B) (Emsisoft), Artemis!2AD36360C413 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Mooqkel (Ikarus), Gen:Variant.Symmi.71494 (FSecure), Win32/Blacked (AVG), Win32:Evo-gen [Susp] (Avast), TROJ_GEN.R02LC0DEA17 (TrendMicro), Gen:Variant.Symmi.71494 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2ad36360c4139192e29c4d4524e7c367
SHA1: 34172deaf8102bcef120b59d5fd1ebdf3f0913ce
SHA256: 54184e45d4bd6d4d7d7daec5410aef1cb8facf2b76efe74d8ba2d8b641a6566a
SSDeep: 49152:GDehtQIiJ6sAbR6yWoNvpEJ2 MEWZzF5jNUztm5h6sA n2NX1GabxtttYr5GR5my:ZPRM6YyWoNvpERjWZzF5RUA9A nct1CK
Size: 2503168 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: iTorrent LLC
Created at: 1970-01-01 03:15:09
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
rundll32.exe:4024
The Trojan injects its code into the following process(es):
%original file name%.exe:1796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.txt (2472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\V90M6I2A.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\regini.txt (85 bytes)
C:\Windows\WINX.dll (1010 bytes)
C:\spl.dll (237 bytes)
C:\Windows\WIN32EX.dll (2621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pc_new_int_95[1].php (7721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.bat (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.zip (58 bytes)
C:\Windows\QF.dll (2012 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.zip (0 bytes)
The process rundll32.exe:4024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1GXYYTFM\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0NZWV44\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BXCFHVKQ\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\84VN2V3Y\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"%original file name%.exe" = "7000"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\2ad36360c4139192e29c4d4524e7c367_RASMANCS]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 2553c1a7717ea4c0eb149a0eeda55265 | c:\Windows\QF.dll |
| 7fc843eb20c2ce77c923d4e789ff907b | c:\Windows\WIN32EX.dll |
| 9c2e7a13a03d04d8c45f417e814200de | c:\Windows\WINX.dll |
| 11c41df482a924470507773e67f3f9c1 | c:\spl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 999424 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1003520 | 2502656 | 2500608 | 5.42209 | 545f9b401fe0889a35e32e75c127f0ec |
| .rsrc | 3506176 | 4096 | 1536 | 2.95437 | 8ede9267c53b08f5f70ef036fffb28ad |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
1dea752fdc3bbed259a568120864a19d
5b28f88714cb631a5755bfcfbbf9e124
ad4f06941351faf6e0fbc6731b05a8d4
12d2b2bf3d04d8553a5bd85867c6bb6f
032c408dd96c513ec22853a331c1dfbe
d1d12a0234f30da5ad01744c13f47b9f
URLs
| URL | IP |
|---|---|
| hxxp://www.5meiren.com/jw2/interact | |
| s.langyx.com | |
| center.2015cn.com | |
| dns.msftncsi.com | |
| www.haowanmc.com | |
| xz.langyx.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
GET /jw2/interact HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: VVV.5meiren.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.9.4
Date: Sat, 27 May 2017 10:18:06 GMT
Content-Type: text/plain
Connection: close

XjFeMF5odHRwOi8vd3d3LmJhaWR1LmNvbV4xXjFeMQ==...
The Trojan connects to the servers at the following location(s):
`.rsrc
#R%XP
D$%SP
tGHt.Ht&
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
USER32.DLL
Winmm.dll
dsound.dll
kernel32.dll
[TxInitMuted]_1 err:%d
[TxInitMuted]_2 err:%d
[TxInitMuted]_3 err:%d
[TxInitMuted]_4 err:%d hr:X
[TxInitMuted]_5 err:%d
WebBrowserContainer
WebBrowser Container Wnd
VVV.5meiren.com
Name1:%s
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
window.alert=function(){}window.prompt=function(){}window.confirm=function(){}127.0.0.1
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
bytes=%d-
bytes=%d-%d
HTTP/
HTTP/
Enter SetWindowsAPIHook!
Exit SetWindowsAPIHook!
:%d: %s
0xX,
LolClient.exe
?456789:;<=
!"#$%&'()* ,-./0123
X_X_X_XX_XXXXXX
XXXXXX
%s /sid:%s /mac:%s /uid:%s
spl.dll
C:\Windows\WIN32EX.dll
C:\Windows\QF.dll
C:\Windows\WINX.dll
{7A23EC4a-F9C9-4b1a-A812-489C7A8C8937}hXXp://
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Advapi32.dll
RegDeleteKeyExA
Ftaskkill /pid %d
taskkill /F /pid %d
clsmn.exe
VERSION.dll
\StringFileInfo\XX\%s
\bin\ADPLUS_qie_NBC.pdb
.?AVCConfigTcpClient@@
.?AVCHttpHeader@@
.?AVCWebAdUIHelper@@
c:\%original file name%.exe
.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator ""
?#%X.y
%S#[k
insert:%s
C:\Users\Administrator\AppData\Local\User Data\Default\Extensions\
C:\Users\Administrator\AppData\Local\User Data\Default\Preferences
C:\Users\Administrator\AppData\Local\User Data
refer.dat
%s err~
\chrome_profile
\extension\extension.db
extension.db
/pc_new_int.php
xz.langyx.com
/pc_new_int_95.php
/pc_new_int_wk.php
task.zip
task.txt
%s:%d
()$^.* ?[]|\-{},:=!HTTP/1.1 200 OK
HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-X-X-X-X-X
%s conect err! %s~
%s conect err~
regini.txt
task.bat
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections [1 7 17]
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections [1 7 17]>regini.txt
regini regini.txt
[%d]%s
s.journalforum.org:9500
/Junqn.php
Catch err MyGetPath1[%s]
Catch err MyGetPath1[%d]
Catch err MyGetPath[%s]
Catch err MyGetPath[%d]
Failed send(),error code:%d
NO permission :%d~
NO find:%d~
Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoConfigURL
**:%s
Open Key err~
s.langyx.com:8443
[%s]recv:%s
.php?s=
start check:%s
ProxyHttp1.1
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
SetValue:[%s]
cpt=%d
HTTP/1
connect %s:%d err~
HTTP/1.1 200 Connection established
ProxyServer:%s Err~
Failed connect(%s),error code:%d
%s%s%s
1.17.03.6
bde14a8b0ba4a043d72cac25138ce6e9.wx
tab:%s
uid:%s
Recv:%s~
task try:%d
Sleep [%d]...
/staic.pac
try:%d
Failed socket(),error code :%d
hXXp://127.0.0.1:%d/%s
Task:%s
127.0.0.1:
Failed accept(),error code :%d
setcrx.zip
\chrome_profile\pref
G:\Work\PBSVN\PE\pe_2015\PE sjc\WAProxy\Release\WAProxy.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
WAProxy.dll
KERNEL32.dll
USER32.dll
RegCreateKeyA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
NETAPI32.dll
DeleteUrlCacheEntry
WININET.dll
GetCPInfo
GetProcessHeap
.?AU_Crt_new_delete@std@@
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
5!5-52585B5L5W5q5}5
8!8-82888B8L8W8q8}8
0-0S0f0}0
=&>/>7>~>
3#4'4 4/43474;4?4
4%4X4u4
;=.4=1-=3&=5
.OsFN
.jv`-
.ElE~N
.sIAG
%X`pcB
".Hj,
.tc<>
X.Hr0\=Y
&'()* ,-.1/0
$?Î
\.HLPT
u%xo$
%uL\W
$(9999,04
l.dllmain_
plug_web
!@@410kdtsdf26url
Download>[AGENT:%s]
.jdcGZ
/0123456789:;
.UtObj
|>45346574
H/X
HTTP/Ja
1.2.5B
6''''5432
wOU ("%s") id'$%u\3^Q
%FwWl
H.dqD
.bC*@o
cH.H.ccH.H.cc
[?yCUdp
BGnickC#
k InT.Jz_
=Key_
'Url#
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
dbghelp.dll
IPHLPAPI.DLL
DownLoad.dll
115.159.4.107
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916
:u9k\StringFileInfo\lx\%s
>>> Time: %d ms
\Msg3.0.db
Referer: hXXp://localhost:80/addfirend.html
Content-Type: application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
\\.\pipe\PipeWrite_qq
\\.\pipe\PipeRead_qq
wxgx.dll
\wxgx.dll
/qt3/?f=%s
/qt3/?q=%s&t=%s
/qt3/?q=%s
"tencent://AddContact/?subcmd=all&uin=
&website=VVV.baidu.com&fuin=
"tencent://AddContact/?fromId=45&fromSubId=1&subcmd=all&uin=
Timwp.exe
/qt3/?ver=%s
%s\Connection
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}/qt3/?5mac%d=%s
ntdll.dll
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ole32.dll
OLEAUT32.dll
MSVCP90.dll
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
MSVCR90.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
PSAPI.DLL
QQAdd.dll
.vmp0
.vmp1
.reloc
@.rsrc
ejme5%u
6 7<7@7`7
7.Tkx
]USER32.dll
#6
.NOn4
?j.Kl
user32.dll
*9.i.QF
"%uxx
?).Ii
.LpdKn
P.GT^k
iu.JY
h\V.Uf9
a#EL-2}13
.xo)W
nGkx.wG
.vgYce
"y.QFVv
zI|%d
431%s8
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
> >(>0><>`>
c:/windows/ax01.da0
%stmp09023%d/
$Ñ.dz
%sconfig.xml
rundll32.exe
%d [%s]
CreateMutex result is X %d
CreateFile errors %d %s
WriteFile errors %d %s
svchost.exe
err_ResourceHacker.exe=%d
%sResourceHacker.log
C:/Windows/System32/drivers/etc/hosts
[%s] [%s] [%s]
hXXp://wd.inibin.com/wd3/?usr=%s&mac=%s
hXXp://qtask.zzinfor.cn/wd3/?usr=%s&mac=%s
XDriverInstall:%s %s
\DosDevices\%s%s
\\.\WxClient
D60007F0-ADF1-4436-BB43-570CE2A55153
%s\%s
aaa.log
WebNds_xxx.exe
package.xml
WebNdsInstall.exe
c:/nnn.txt
XDriverGetStatus OpenService() Faild %d !
inflate 1.2.8 Copyright 1995-2013 Mark Adler
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
XDriverControl() Faild X %d !
1.2.8
XDriverGetStatus %s [%d] !
PauseDriver OpenService() Faild %d !
UnInstallDriver OpenService() Faild %d !
UnInstallDriver ControlService() Faild %d !
UnInstallDriver DeleteSrevice() Faild %d !
InstallDriver CrateService() Faild %d !
InstallDriver OpenService() Faild %d !
InstallDriver StartService() Faild %d !
%s.wk
XIOControl Create Device failed %d !
XIOControl DeviceIoControl %d !
[%s %s]
%d [%s %s]
11111 %s
LoadLibrary[%s]Errors [%d]!
GetProcAddress[%s DllRegisterServer]Errors [%d]!
[%d]!
RegistryDll=%d i = %d
%s*.*
%s%s\
Content-Length: %u
Host: %s:%u
Accept: *.*,
Open link error. ErrCode=[%u]
Open request handle error. ErrCode=[%u]
Upload File error. ErrCode=[%u]
End request error. ErrCode=[%u]
GET %s HTTP/1.1
Host:%s
[%s] %d
\X11.DMP
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}x-x-x-x-x-x
XDriverIOControl EventOpen errors X
XDriverIOControl EventClose errors X
WaitForSingleObject result is %d %d
%d %s
%s%%X
Host: %s
%s %d %s
HTTP/1.1
NOT HTTP
Warnning UnKnow %s %s
Open File Err:%s
Http DownLoad
User-Agent: Mozilla/4.0
alloc memory errors %d %s
ReadFile errors %d %s
SetFilePoint Errors %d %s
[d-d-d d:d:d]
0.0.0.0
%s%s%s_new%s
XXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxx
no hex string %s[000]
xdarray_push setcapacity error[%d %d]
xdarray_insert error[%d %d]
xdarray_insert inter_setcapacity error[%d %d]
xdarray_set error[%d %d]
xdarray_erase error[%d %d]
999 %s
unknown json string %s
01 [%s]
... %s
def.dll
[InstallDriver] str_driverpath:%s str_servicename:%s
[InstallDriver] OpenSCManager error.getlasterror is %d.
[InstallDriver] CreateService error.getlasterror is %d.
[InstallDriver] OpenService error.getlasterror is %d.
[InstallDriver] StartService error.getlasterror is %d.
\\.\EnuN
te32.th32OwnerProcessID:%d threadid:%d, threadstaaddr:x szHex:%s
XXXX
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
BarClientView.exe
RegDeleteKeyA
RegEnumKeyExA
RegQueryInfoKeyA
RegEnumKeyA
ShellExecuteExA
InternetOpenUrlA
SHLWAPI.dll
GetConsoleOutputCP
XSourceDll.dll
zcÁ
h.rdata
H.data
.pdata
,wxcliker64.sys,preboot.sys,QQProtectX64.sys,qqprotectx64.sys
i:\code\sftdi\removecmpcallback\objfre_win7_amd64\amd64\EnuN.pdb
ntoskrnl.exe
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
tpWSSh
xinject_config_check white_list_clear %d %s
MsgDebugView
XHCSem_%d_078012142_DEC
OLEACC.DLL
hXXps://
%s %s
qqbrowser.exe
[XGetProcessIdByName] Next pid:%d
[XGetProcessIdByName] pid:%d
C:\Windows\System32
C:\Windows\SysWOW64
GetFileVersionInfoSize error %d FilePath:%s
\StringFileInfo\%s\OriginalFilename
115Chrome.exe
2345chrome.exe
2345explorer.exe
350chrome.exe
360chroma.exe
360chrome.exe
360sa.exe
350se.exe
360se.exe
58fly_ie.exe
7chrome.exe
baidubr.exe
baidubrowser.exe
baiduplayerbrow.exe
chrome.exe
f1browser.exe
firefox.exe
hao123juzi.exe
Juzi.exe
krbrowser.exe
liebao.exe
Maxthon.exe
opera.exe
qqbrowser.ex
Ruiying.exe
saayaa.exe
Sogou Explorer.exe
SogouExplorer.exe
taobrowser.exe
Taogo3.exe
TheWorld.exe
ttraveler.exe
twchrome.exe
UCBrowser.exe
[EnumerationProcess] bAdd:%d pid:%d
EnumChildWindows
GDI32.dll
XUSerProgram.dll
JWININET.dll
'i.FNl
S.nJy
=.vcm
1wmzL}.if|l
Ê(VO#
>s"Sql
@7(0n%s
pv
%uIh}
:.;4;8;<;@;
2-2T2}2
< <<<@<`<
]xk%S
P..%C
.Ok)il\!
(e%fG
^Ds%fYv6
PH.Lk
cg.Xl)
o]SHLWAPI.dll
0/C
$-K}-k#
$-K}-
o0t%f
4*50565<5
2-3E3P3t3}3
6$6)60656
0#101.3{4> >$>(>,>0>4>
? ?<?@?\?`?|?
$@#$ $@#$ $@#$ $@#$
HTTP/1.1 404 OK
<html><head><meta charset='GBK'><title>HTTP 404
HTTP/1.1 302 Found
Location: %s
g:\working\svn\vc\sftdi\m2tdi\M2Tdi.pdb
HAL.dll
TDI.SYS
90:4:8:<:@:
[%d %d]
i:\code\wfp\wfpintercept_syl\objfre_win7_amd64\amd64\WxClient.pdb
NDIS.SYS
FwpsCalloutUnregisterByKey0
fwpkclnt.sys
}s o
].GX?
O.Hk9
{MCMDk?tCp
x2~.Ms8
@.lx!
g).VP@o
.wi?%}
.RMhW
k%cx,
1.To:
snJ.pm
;x.rW
.egG?
0o=-1}
wZ.lC
A.mWB
~'.yw?\
G.pE^
`3.Ls
%C\z)
%Cyo1
#.BqaW
C}.qo'v?
tp~".zO
e4.qo)Iy
0~.px
8to%DNP
Vlms.WY
g.qZwSZw
.wJv9
$.5".uH\jJ\
!/<%/< /
.at.\
1-8d}
^W,-b}
{.QazY%d<Stq
.DOm7
.MW)n
=|.Do6
.RN`Z*
msG3P
>'?-?3?9?@?
6%6X6h6
=$=-=4===}=
RegCreateKeyExA
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
.Ana4
6^6"7'7=7
7.fV8[8|8
WSOCK32.dll
ekernel32.dll
mscoree.dll
.\process_stat.cpp
Assertion failed: %s, file %s, line %d
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
1.17.3.6
1.0.1.41
C:\windows\system32\sqlncli.dll
\Device\Tcp
Callout that finds and replaces a token from a TCP stream
Filter that finds and replaces a token from a TCP stream
Filter that finds and replaces a token from a TCP stream (@ Flow Established)
*\CROSSFIRE.EXE
*\TPHELPER.EXE
*\TPWEB.EXE
*\LOLCLIENT.EXE
*\DNFCHINA.EXE
*\WOW.EXE
*\QQSPEED_LOADER.EXE
*\LOADER.EXE
*\TGAME.EXE
*\WORLDOFTANKS.EXE
*\NBA2KONLINE.EXE
*\DOTA2.EXE
*\MSANGO.BIN
*\CROSSPROXY.EXE
*\CLIENT.EXE
*\OVERWATCH.EXE
*\QQMICROGAMEBOXTRAY.EXE
*\QQMICROGAMEBOX.EXE
*\WEBBROWSERPROCESS.EXE
*\QQGAME.EXE
*\WEBCONTAINER.EXE
*\QQGAMEQCK2600.EXE
*\SNSWEBBROWSER.EXE
*\IEPROC.EXE
*\WUXIA_CLIENT.EXE
*\GAMEFILESYSTEM.EXE
*\MINIQTALK.EXE
*\EFLAUNCH.EXE
*\GAMEUPDATE.EXE
*\ZZSSDD222.EXE
*\XIANJIAN.EXE
*\GAMEPLAZA.EXE
*\OBTCLNT.EXE
*\MSGWIN.EXE
*\OBTPLUGIN.EXE
*\ENTRY.EXE
*\OPTIONPC.EXE
%original file name%.exe_1796_rwx_00D61000_0033F000:
D$%SP
tGHt.Ht&
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
USER32.DLL
Winmm.dll
dsound.dll
kernel32.dll
[TxInitMuted]_1 err:%d
[TxInitMuted]_2 err:%d
[TxInitMuted]_3 err:%d
[TxInitMuted]_4 err:%d hr:X
[TxInitMuted]_5 err:%d
WebBrowserContainer
WebBrowser Container Wnd
VVV.5meiren.com
Name1:%s
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
window.alert=function(){}window.prompt=function(){}window.confirm=function(){}127.0.0.1
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
bytes=%d-
bytes=%d-%d
HTTP/
HTTP/
Enter SetWindowsAPIHook!
Exit SetWindowsAPIHook!
:%d: %s
0xX,
LolClient.exe
?456789:;<=
!"#$%&'()* ,-./0123
X_X_X_XX_XXXXXX
XXXXXX
%s /sid:%s /mac:%s /uid:%s
spl.dll
C:\Windows\WIN32EX.dll
C:\Windows\QF.dll
C:\Windows\WINX.dll
{7A23EC4a-F9C9-4b1a-A812-489C7A8C8937}hXXp://
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Advapi32.dll
RegDeleteKeyExA
Ftaskkill /pid %d
taskkill /F /pid %d
clsmn.exe
VERSION.dll
\StringFileInfo\XX\%s
\bin\ADPLUS_qie_NBC.pdb
.?AVCConfigTcpClient@@
.?AVCHttpHeader@@
.?AVCWebAdUIHelper@@
c:\%original file name%.exe
.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator ""
?#%X.y
%S#[k
insert:%s
C:\Users\Administrator\AppData\Local\User Data\Default\Extensions\
C:\Users\Administrator\AppData\Local\User Data\Default\Preferences
C:\Users\Administrator\AppData\Local\User Data
refer.dat
%s err~
\chrome_profile
\extension\extension.db
extension.db
/pc_new_int.php
xz.langyx.com
/pc_new_int_95.php
/pc_new_int_wk.php
task.zip
task.txt
%s:%d
()$^.* ?[]|\-{},:=!HTTP/1.1 200 OK
HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-X-X-X-X-X
%s conect err! %s~
%s conect err~
regini.txt
task.bat
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections [1 7 17]
echo HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections [1 7 17]>regini.txt
regini regini.txt
[%d]%s
s.journalforum.org:9500
/Junqn.php
Catch err MyGetPath1[%s]
Catch err MyGetPath1[%d]
Catch err MyGetPath[%s]
Catch err MyGetPath[%d]
Failed send(),error code:%d
NO permission :%d~
NO find:%d~
Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoConfigURL
**:%s
Open Key err~
s.langyx.com:8443
[%s]recv:%s
.php?s=
start check:%s
ProxyHttp1.1
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
SetValue:[%s]
cpt=%d
HTTP/1
connect %s:%d err~
HTTP/1.1 200 Connection established
ProxyServer:%s Err~
Failed connect(%s),error code:%d
%s%s%s
1.17.03.6
bde14a8b0ba4a043d72cac25138ce6e9.wx
tab:%s
uid:%s
Recv:%s~
task try:%d
Sleep [%d]...
/staic.pac
try:%d
Failed socket(),error code :%d
hXXp://127.0.0.1:%d/%s
Task:%s
127.0.0.1:
Failed accept(),error code :%d
setcrx.zip
\chrome_profile\pref
G:\Work\PBSVN\PE\pe_2015\PE sjc\WAProxy\Release\WAProxy.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
WAProxy.dll
KERNEL32.dll
USER32.dll
RegCreateKeyA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
NETAPI32.dll
DeleteUrlCacheEntry
WININET.dll
GetCPInfo
GetProcessHeap
.?AU_Crt_new_delete@std@@
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
5!5-52585B5L5W5q5}5
8!8-82888B8L8W8q8}8
0-0S0f0}0
=&>/>7>~>
3#4'4 4/43474;4?4
4%4X4u4
;=.4=1-=3&=5
.OsFN
.jv`-
.ElE~N
.sIAG
%X`pcB
".Hj,
.tc<>
X.Hr0\=Y
&'()* ,-.1/0
$?Î
\.HLPT
u%xo$
%uL\W
$(9999,04
l.dllmain_
plug_web
!@@410kdtsdf26url
Download>[AGENT:%s]
.jdcGZ
/0123456789:;
.UtObj
|>45346574
H/X
HTTP/Ja
1.2.5B
6''''5432
wOU ("%s") id'$%u\3^Q
%FwWl
H.dqD
.bC*@o
cH.H.ccH.H.cc
[?yCUdp
BGnickC#
k InT.Jz_
=Key_
'Url#
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
dbghelp.dll
IPHLPAPI.DLL
DownLoad.dll
115.159.4.107
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916
:u9k\StringFileInfo\lx\%s
>>> Time: %d ms
\Msg3.0.db
Referer: hXXp://localhost:80/addfirend.html
Content-Type: application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
\\.\pipe\PipeWrite_qq
\\.\pipe\PipeRead_qq
wxgx.dll
\wxgx.dll
/qt3/?f=%s
/qt3/?q=%s&t=%s
/qt3/?q=%s
"tencent://AddContact/?subcmd=all&uin=
&website=VVV.baidu.com&fuin=
"tencent://AddContact/?fromId=45&fromSubId=1&subcmd=all&uin=
Timwp.exe
/qt3/?ver=%s
%s\Connection
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}/qt3/?5mac%d=%s
ntdll.dll
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ole32.dll
OLEAUT32.dll
MSVCP90.dll
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
MSVCR90.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
PSAPI.DLL
QQAdd.dll
.vmp0
.vmp1
.reloc
@.rsrc
ejme5%u
6 7<7@7`7
7.Tkx
]USER32.dll
#6
.NOn4
?j.Kl
user32.dll
*9.i.QF
"%uxx
?).Ii
.LpdKn
P.GT^k
iu.JY
h\V.Uf9
a#EL-2}13
.xo)W
nGkx.wG
.vgYce
"y.QFVv
zI|%d
431%s8
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
> >(>0><>`>
c:/windows/ax01.da0
%stmp09023%d/
$Ñ.dz
%sconfig.xml
rundll32.exe
%d [%s]
CreateMutex result is X %d
CreateFile errors %d %s
WriteFile errors %d %s
svchost.exe
err_ResourceHacker.exe=%d
%sResourceHacker.log
C:/Windows/System32/drivers/etc/hosts
[%s] [%s] [%s]
hXXp://wd.inibin.com/wd3/?usr=%s&mac=%s
hXXp://qtask.zzinfor.cn/wd3/?usr=%s&mac=%s
XDriverInstall:%s %s
\DosDevices\%s%s
\\.\WxClient
D60007F0-ADF1-4436-BB43-570CE2A55153
%s\%s
aaa.log
WebNds_xxx.exe
package.xml
WebNdsInstall.exe
c:/nnn.txt
XDriverGetStatus OpenService() Faild %d !
inflate 1.2.8 Copyright 1995-2013 Mark Adler
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
XDriverControl() Faild X %d !
1.2.8
XDriverGetStatus %s [%d] !
PauseDriver OpenService() Faild %d !
UnInstallDriver OpenService() Faild %d !
UnInstallDriver ControlService() Faild %d !
UnInstallDriver DeleteSrevice() Faild %d !
InstallDriver CrateService() Faild %d !
InstallDriver OpenService() Faild %d !
InstallDriver StartService() Faild %d !
%s.wk
XIOControl Create Device failed %d !
XIOControl DeviceIoControl %d !
[%s %s]
%d [%s %s]
11111 %s
LoadLibrary[%s]Errors [%d]!
GetProcAddress[%s DllRegisterServer]Errors [%d]!
[%d]!
RegistryDll=%d i = %d
%s*.*
%s%s\
Content-Length: %u
Host: %s:%u
Accept: *.*,
Open link error. ErrCode=[%u]
Open request handle error. ErrCode=[%u]
Upload File error. ErrCode=[%u]
End request error. ErrCode=[%u]
GET %s HTTP/1.1
Host:%s
[%s] %d
\X11.DMP
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}x-x-x-x-x-x
XDriverIOControl EventOpen errors X
XDriverIOControl EventClose errors X
WaitForSingleObject result is %d %d
%d %s
%s%%X
Host: %s
%s %d %s
HTTP/1.1
NOT HTTP
Warnning UnKnow %s %s
Open File Err:%s
Http DownLoad
User-Agent: Mozilla/4.0
alloc memory errors %d %s
ReadFile errors %d %s
SetFilePoint Errors %d %s
[d-d-d d:d:d]
0.0.0.0
%s%s%s_new%s
XXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxx
no hex string %s[000]
xdarray_push setcapacity error[%d %d]
xdarray_insert error[%d %d]
xdarray_insert inter_setcapacity error[%d %d]
xdarray_set error[%d %d]
xdarray_erase error[%d %d]
999 %s
unknown json string %s
01 [%s]
... %s
def.dll
[InstallDriver] str_driverpath:%s str_servicename:%s
[InstallDriver] OpenSCManager error.getlasterror is %d.
[InstallDriver] CreateService error.getlasterror is %d.
[InstallDriver] OpenService error.getlasterror is %d.
[InstallDriver] StartService error.getlasterror is %d.
\\.\EnuN
te32.th32OwnerProcessID:%d threadid:%d, threadstaaddr:x szHex:%s
XXXX
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
BarClientView.exe
RegDeleteKeyA
RegEnumKeyExA
RegQueryInfoKeyA
RegEnumKeyA
ShellExecuteExA
InternetOpenUrlA
SHLWAPI.dll
GetConsoleOutputCP
XSourceDll.dll
zcÁ
h.rdata
H.data
.pdata
,wxcliker64.sys,preboot.sys,QQProtectX64.sys,qqprotectx64.sys
i:\code\sftdi\removecmpcallback\objfre_win7_amd64\amd64\EnuN.pdb
ntoskrnl.exe
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
tpWSSh
xinject_config_check white_list_clear %d %s
MsgDebugView
XHCSem_%d_078012142_DEC
OLEACC.DLL
hXXps://
%s %s
qqbrowser.exe
[XGetProcessIdByName] Next pid:%d
[XGetProcessIdByName] pid:%d
C:\Windows\System32
C:\Windows\SysWOW64
GetFileVersionInfoSize error %d FilePath:%s
\StringFileInfo\%s\OriginalFilename
115Chrome.exe
2345chrome.exe
2345explorer.exe
350chrome.exe
360chroma.exe
360chrome.exe
360sa.exe
350se.exe
360se.exe
58fly_ie.exe
7chrome.exe
baidubr.exe
baidubrowser.exe
baiduplayerbrow.exe
chrome.exe
f1browser.exe
firefox.exe
hao123juzi.exe
Juzi.exe
krbrowser.exe
liebao.exe
Maxthon.exe
opera.exe
qqbrowser.ex
Ruiying.exe
saayaa.exe
Sogou Explorer.exe
SogouExplorer.exe
taobrowser.exe
Taogo3.exe
TheWorld.exe
ttraveler.exe
twchrome.exe
UCBrowser.exe
[EnumerationProcess] bAdd:%d pid:%d
EnumChildWindows
GDI32.dll
XUSerProgram.dll
JWININET.dll
'i.FNl
S.nJy
=.vcm
1wmzL}.if|l
Ê(VO#
>s"Sql
@7(0n%s
pv
%uIh}
:.;4;8;<;@;
2-2T2}2
< <<<@<`<
]xk%S
P..%C
.Ok)il\!
(e%fG
^Ds%fYv6
PH.Lk
cg.Xl)
o]SHLWAPI.dll
0/C
$-K}-k#
$-K}-
o0t%f
4*50565<5
2-3E3P3t3}3
6$6)60656
0#101.3{4> >$>(>,>0>4>
? ?<?@?\?`?|?
$@#$ $@#$ $@#$ $@#$
HTTP/1.1 404 OK
<html><head><meta charset='GBK'><title>HTTP 404
HTTP/1.1 302 Found
Location: %s
g:\working\svn\vc\sftdi\m2tdi\M2Tdi.pdb
HAL.dll
TDI.SYS
90:4:8:<:@:
[%d %d]
i:\code\wfp\wfpintercept_syl\objfre_win7_amd64\amd64\WxClient.pdb
NDIS.SYS
FwpsCalloutUnregisterByKey0
fwpkclnt.sys
RegCreateKeyExA
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
ekernel32.dll
mscoree.dll
.\process_stat.cpp
Assertion failed: %s, file %s, line %d
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
1.17.3.6
1.0.1.41
C:\windows\system32\sqlncli.dll
\Device\Tcp
Callout that finds and replaces a token from a TCP stream
Filter that finds and replaces a token from a TCP stream
Filter that finds and replaces a token from a TCP stream (@ Flow Established)
*\CROSSFIRE.EXE
*\TPHELPER.EXE
*\TPWEB.EXE
*\LOLCLIENT.EXE
*\DNFCHINA.EXE
*\WOW.EXE
*\QQSPEED_LOADER.EXE
*\LOADER.EXE
*\TGAME.EXE
*\WORLDOFTANKS.EXE
*\NBA2KONLINE.EXE
*\DOTA2.EXE
*\MSANGO.BIN
*\CROSSPROXY.EXE
*\CLIENT.EXE
*\OVERWATCH.EXE
*\QQMICROGAMEBOXTRAY.EXE
*\QQMICROGAMEBOX.EXE
*\WEBBROWSERPROCESS.EXE
*\QQGAME.EXE
*\WEBCONTAINER.EXE
*\QQGAMEQCK2600.EXE
*\SNSWEBBROWSER.EXE
*\IEPROC.EXE
*\WUXIA_CLIENT.EXE
*\GAMEFILESYSTEM.EXE
*\MINIQTALK.EXE
*\EFLAUNCH.EXE
*\GAMEUPDATE.EXE
*\ZZSSDD222.EXE
*\XIANJIAN.EXE
*\GAMEPLAZA.EXE
*\OBTCLNT.EXE
*\MSGWIN.EXE
*\OBTPLUGIN.EXE
*\ENTRY.EXE
*\OPTIONPC.EXE
%original file name%.exe_1796_rwx_6C371000_0007E000:
Kernel.dll
Main.exe
plug_web
Launcher.dll
center.2019cn.com
center.2017cn.com
center.2015cn.com
Download>>>[AGENT:%s]
\config.ini
.crc?id=
run.xml
prosafe.dll
Download>>>if (zip_file.size() == 0)
Download>>>%d == FALSE || %d == 0 || %d == 0 || %d == 0
GetProcessWindowStation
operator
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
http-equiv
X:X:X:X:X:X
CommLogOpt.ini
[PID:%d] [d:d:d]
%s%s[%d-%d-%d].log
HTTP/1.0
255.255.255.255
Unknown relocation: %d
dddddd.dmp
Kernel32.dll
TCP
X%sX%sX%sX%sX%sX
%d.%d.%d.%d
inflate 1.2.5 Copyright 1995-2010 Mark Adler
;l deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
P9l1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%d_byte ptr
0xX
0xX
-0xX
[0xI64X] ANOMALY: REX prefix before legacy prefix 0xX
[0xI64X] ANOMALY: Duplicate prefix 0xX
[0xI64X] ERROR: Reached maximum prefix count %d
[0xI64X] ANOMALY: Reached maximum prefix count %d
[0xI64X] ERROR: Invalid opcode 0xX
[0xI64X] ERROR: Invalid two byte opcode 0xX 0xX
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX prefix 0xX
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX prefix 0xX extension %d
[0xI64X] ERROR: Invalid group opcode 0xX 0xX extension 0xX
[0xI64X] ERROR: Opcode 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Invalid group opcode 0xX extension 0xX
[0xI64X] ERROR: Illegal opcode 0xX 0xX modrm 0xX
[0xI64X] ERROR: Invalid FPU opcode 0xX modrm extension 0xX (index 0xX)
[0xI64X] ANOMALY: operand size prefix used with 3DNOW instruction
[0xI64X] ERROR: Illegal opcode 0xX 0xX suffix 0xX
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can't be used in 16-bit X86
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can only be used in X86-64
[0xI64X] ANOMALY: operand size prefix used with FPU/MMX/SSEx
[0xI64X] ANOMALY: use of operand size prefix meaningless when REX.w=1
[0xI64X] ANOMALY: use of REX.w is meaningless (default operand size is 64)
[0xI64X] ANOMALY: unexpected segment 0xX
[0xI64X] ERROR: Illegal use of lock prefix for instruction "%s"
[0xI64X] ERROR: maximum instruction length reached ("%s")
[0xI64X] ANOMALY: ENTER has invalid operand 2
[0xI64X] ANOMALY: ENTER has invalid operand 3
[0xI64X] ANOMALY: ret has invalid operand 1
[0xI64X] ANOMALY: retf has invalid operand 1
[0xI64X] ANOMALY: Instruction "%s" is modifying the stack
[0xI64X] ANOMALY: "%s" has invalid stack change 0xX
%s:[%s]
0xX=
]=0xX
[0xI64X] ANOMALY: Unexpected operand size prefix
%s 0xX:[
%s %s:[
[0xI64X] ERROR: mod != 3 for AMODE_PR ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_PR ("%s")
[0xI64X] ERROR: AMODE_PR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_VR ("%s")
[0xI64X] ERROR: AMODE_VR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_P ("%s")
[0xI64X] ERROR: AMODE_P illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_R ("%s")
seg_X
[0xI64X] ERROR: mod = 3 for AMODE_M ("%s")
[0xI64X] ERROR: mod = 3 for AMODE_E with OPTYPE_p ("%s")
.?AVHttpDownFile@@
.?AVyCUdp@@
.?AVyCTcp@@
c:\%original file name%.exe
c:\Log\
360c4139192e29c4d4524e7c367.exe
%original file name%.exe
c:\CommLogOpt.ini
2e29c4d4524e7c367.exe
GetCPInfo
GetProcessHeap
RegOpenKeyExA
RegCloseKey
InternetOpenUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
HttpAddRequestHeadersA
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Disassembler->Instruction.Address == Address
Disassembler->Instruction.Length < MAX_INSTRUCTION_LENGTH
X86Instruction->SrcAddressIndex == OperandIndex || X86Instruction->DstAddressIndex == OperandIndex
!(Operand->Length & 1)
X86Instruction->OperandSize == 2
Instruction->OpcodeLength == 2 && X86Instruction->HasModRM && Instruction->OperandCount == 2
X86Instruction->OperandSize == 8
X86Instruction->OperandSize >= 4
!(Instruction->Operands[0].Flags & 0x7F)
!(Instruction->Operands[1].Flags & 0x7F)
!(Instruction->Operands[2].Flags & 0x7F)
Instruction->OperandCount == 1
!Instruction->CodeBranch.AddressOffset
Operand1->Length <= 0xFF
Operand1->Flags & OP_ADDRESS
Operand1->Type == OPTYPE_OFFSET
!(Operand1->Flags & (OP_GLOBAL|OP_FAR))
!Instruction->DataDst.Count
!Instruction->DataSrc.Count
Operand->Length <= 0xFF
Instruction->OperandCount == 1 && Operand1->Length
!(Operand->Flags & 0x7F)
>Operand->Flags & (OP_EXEC|OP_SRC|OP_DST)
>OperandIndex < 2
OperandIndex == 1
Operand->Length == 1
X86Instruction->OperandSize >= Operand->Length
(Operand->Flags & OP_EXEC) && (Instruction->Groups & ITYPE_EXEC)
(Operand)->TargetAddress
(Operand)->Length <= 8
(Operand)->Flags & OP_FAR
[!((Operand)->Flags & OP_FAR)
X86_Registers[Operand->Register]
Operand->Length
LibInterface.cpp
Assertion failed: %s, file %s, line %d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
rundll32.exe:4024
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.txt (2472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\V90M6I2A.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\regini.txt (85 bytes)
C:\Windows\WINX.dll (1010 bytes)
C:\spl.dll (237 bytes)
C:\Windows\WIN32EX.dll (2621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pc_new_int_95[1].php (7721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.bat (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\task.zip (58 bytes)
C:\Windows\QF.dll (2012 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1GXYYTFM\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0NZWV44\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BXCFHVKQ\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\84VN2V3Y\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.