Trojan.Win32.FlyStudio_0922161db8

by malwarelabrobot on June 18th, 2017 in Malware Descriptions.

Gen:Variant.Strictor.135052 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Strictor.135052 (B) (Emsisoft), GenericRXBT-CQ!9CDD4F7131B7 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan-PWS.Win32.QQPass (Ikarus), Gen:Variant.Strictor.135052 (FSecure), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0922161db81ce61b3a7a5e08986698f8
SHA1: c18fae64930c9215ca8aa3b92bb907a416deb81d
SHA256: 9adc5bf957b665e85916946a651beb5ac897740cdca07f871ca5476314668cba
SSDeep: 24576:wjv36kgFt1Q5ZPgPCLEQg9z4zaADmfPT7EolO74cDvBw1HwRaGOzvK5vSOCit93j:wD36kgFt ZPUCLCtxX7llEBwNAaDOX9T
Size: 1492259 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-20 16:16:19
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f30dda4f816a59b3ab8ed614da904531.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\029506795cad33f280122fdd896b942d.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\91e4215e32fbe531c954ddfb08af735d.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2ffed360123a5d177c7537680bd244f5.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\0922161db81ce61b3a7a5e08986698f8_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 585728 258560 5.5442 1bc95a2ec015b2528dd69a4aefc395c6
.rdata 589824 5423104 1195008 5.54228 e1a732e5d6100fd6540bae22483f1720
.data 6012928 147456 22016 5.53859 189a452a0f636a6fb7a926a7cd1e4f0d
.rsrc 6160384 20480 7680 4.44773 386721ab3f8cb246ac641694503f64d8
.aspack 6180864 8192 7168 3.90927 90bab4a51c3727e4468d291bd9c45a8d
.adata 6189056 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.hc130.com/263340324302320256263326.txt 183.131.220.36
hxxp://hiphotos.jomodns.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/b58f8c5494eef01f72ae6eabeafe9925bc317d21.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/2cf5e0fe9925bc3111e777f654df8db1cb137021.jpg
hxxp://hiphotos.jomodns.com/forum/pic/item/09fa513d269759eedbae16a5b8fb43166c22dfe6.jpg
hxxp://imgsrc.baidu.com/forum/pic/item/09fa513d269759eedbae16a5b8fb43166c22dfe6.jpg 119.146.74.48
hxxp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg 119.146.74.48
hxxp://www.hc130.com/.........txt 183.131.220.36
hxxp://imgsrc.baidu.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg 119.146.74.48
hxxp://183.131.220.36:8080/.........txt
hxxp://imgsrc.baidu.com/forum/pic/item/b58f8c5494eef01f72ae6eabeafe9925bc317d21.jpg 119.146.74.48
hxxp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg 119.146.74.48
hxxp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg 119.146.74.48
hxxp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg 119.146.74.48
hxxp://imgsrc.baidu.com/forum/pic/item/2cf5e0fe9925bc3111e777f654df8db1cb137021.jpg 119.146.74.48


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:30:51 GMT
Content-Type: image/jpeg
Content-Length: 226769
Connection: keep-alive
ETag: "7130635741171976897"
Last-Modified: Thu, 29 Sep 2016 09:22:38 GMT
Expires: Thu, 11 Jan 2018 18:33:00 GMT
Age: 13550994
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:30:56 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "7878501113830277673"
Last-Modified: Thu, 29 Sep 2016 09:44:50 GMT
Expires: Sun, 24 Dec 2017 15:49:52 GMT
Age: 15118824
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:10 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "17719340091593362697"
Last-Modified: Thu, 29 Sep 2016 09:44:51 GMT
Expires: Sun, 24 Dec 2017 15:50:08 GMT
Age: 15118862
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:13 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "2181626205514252865"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Thu, 31 May 2018 08:44:13 GMT
Age: 1060166
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:35 GMT
Content-Type: image/jpeg
Content-Length: 297656
Connection: keep-alive
ETag: "8194768310413110853"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Sun, 24 Dec 2017 15:49:56 GMT
Age: 15118887
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/b58f8c5494eef01f72ae6eabeafe9925bc317d21.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:39 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: keep-alive
ETag: "14795701971798180519"
Last-Modified: Tue, 06 Jun 2017 14:31:24 GMT
Expires: Wed, 06 Jun 2018 14:32:45 GMT
Age: 953859
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/2cf5e0fe9925bc3111e777f654df8db1cb137021.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:42 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: keep-alive
ETag: "9581466308957369628"
Last-Modified: Tue, 06 Jun 2017 14:31:24 GMT
Expires: Wed, 06 Jun 2018 14:32:45 GMT
Age: 953862
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 1

<<< skipped >>>

GET /forum/pic/item/09fa513d269759eedbae16a5b8fb43166c22dfe6.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sat, 17 Jun 2017 15:31:45 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: keep-alive
ETag: "16725635611382109347"
Last-Modified: Tue, 06 Jun 2017 14:31:24 GMT
Expires: Wed, 06 Jun 2018 14:32:46 GMT
Age: 953865
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /.........txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 183.131.220.36:8080
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Sat, 17 Jun 2017 15:31:29 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..


GET /.........txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 183.131.220.36:8080
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Sat, 17 Jun 2017 15:31:28 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..


GET /.........txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.hc130.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 5879
Content-Type: text/plain
Content-Location: hXXp://VVV.hc130.com/.........txt
Last-Modified: Thu, 08 Jun 2017 04:44:02 GMT
Accept-Ranges: bytes
ETag: "ec75e9d911e0d21:70b2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 17 Jun 2017 15:31:36 GMT

<<< skipped >>>

GET /.........txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.hc130.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 5879
Content-Type: text/plain
Content-Location: hXXp://VVV.hc130.com/.........txt
Last-Modified: Thu, 08 Jun 2017 04:44:02 GMT
Accept-Ranges: bytes
ETag: "ec75e9d911e0d21:70b2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 17 Jun 2017 15:31:24 GMT

<<< skipped >>>

GET /.........txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.hc130.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 5879
Content-Type: text/plain
Content-Location: hXXp://VVV.hc130.com/.........txt
Last-Modified: Thu, 08 Jun 2017 04:44:02 GMT
Accept-Ranges: bytes
ETag: "ec75e9d911e0d21:70b2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 17 Jun 2017 15:31:26 GMT

<<< skipped >>>


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1908:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
ntdll.dll
kernel32.dll
shlwapi.dll
Adobe Photoshop CS5 Windows
2016:12:24 15:53:35
urlTEXT
MsgeTEXT
#hXXp://ns.adobe.com/xap/1.0/
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
2016:12:24 14:59:37
hXXp://ns.adobe.com/xap/1.0/
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
(*.*)

%original file name%.exe_1908_rwx_001E6000_0000C000:

This program is maDe by dtcser.thank
.MAMA~
.AND~~
P.YOURS
P.BABA
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ttp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg
ttp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5403c9d106db09b3de9c824821.jpg
C:\ProgramData\Microsoft\Network\Connections\Pbk
C:\Windows\System32\Ras

%original file name%.exe_1908_rwx_001F5000_00024000:

bhXXp://VVV.hc130.com/
.txt|hXXp://183.131.220.36:8080/
.txt|hXXp://VVV.hc130.com|hXXp://VVV.hc130.com/link.htm|hXXp://VVV.hc130.com/Upgrade/list.txt|
|5525802|1
bhXXp://imgsrc.baidu.com/forum/pic/item/1ad5ad6eddc451da7740e366befd5266d116328d.jpg|420649|139aebd7d9d27557d1a3f22e495accc7
hXXp://imgsrc.baidu.com/forum/pic/item/342ac65c103853437b3d68ac9b13b07ecb808849.jpg|420649|89bc4b0b2313aeab1fb51885e51ebb90
hXXp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5496d148e5d909b3de9d824899.jpg|420649|91a88d7ec01dc29fbe14e3802a977152
hXXp://imgsrc.baidu.com/forum/pic/item/2e2eb9389b504fc276ad5f88eddde71191ef6d49.jpg|420649|fc2c557b9a33117ecf940e891fd552a1
hXXp://imgsrc.baidu.com/forum/pic/item/a686c9177f3e670912a2aa7233c79f3df9dc5599.jpg|124357|a3ece03cc19b65c2f81e78cd53e8e9eb
bhXXp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg|420649|74caa486e032c9a95ff7ac69a6335657
hXXp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg|420649|f8c4dfdc2d60a199afe37b7d72864b4e
hXXp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg|420649|5cf48fa3b58bed6c6c3be7dccd673d66
hXXp://imgsrc.baidu.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg|297656|101037befd84a153d332d67e5aeb686b
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Local\C:_Users_adm_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_196608
C:\Windows\system32\iedkcs32.dll
490dc4bc985859888d970e8fd9b954.txt
tp://VVV.hc130.com/
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
zilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
ur.ay
ya.ru
w55c.net
nc.afadf
fdafa.cn
ten.rmba
abmr.net
moc.gnib
bing.com
moc.tfosorcim.secivresatem.serotsenilno
onlinestores.metaservices.microsoft.com
This program is maDe by dtcser.thank
.MAMA~
.AND~~
P.YOURS
P.BABA
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
hXXp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5403c9d106db09b3de9c824821.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg
moc.ylezimitpo.gol.531950642
246059135.log.optimizely.com
/intl/en/chrome/browser/privacy/
moc.elgoog
google.com
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
Local\C:_Users_adm_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
Local\C:_Users_adm_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_114688
.pac;.jvs;.js
hXXp://imgsrc.baidu.com/forum/pic/item/b58f8c5494eef01f72ae6eabeafe9925bc317d21.jpg|410975|4c131274e3ab776d7dd3014dcd6b99c7
hXXp://imgsrc.baidu.com/forum/pic/item/2cf5e0fe9925bc3111e777f654df8db1cb137021.jpg|410975|36978b9efff0e9b6a9a09f5bbe35f32f
hXXp://imgsrc.baidu.com/forum/pic/item/09fa513d269759eedbae16a5b8fb43166c22dfe6.jpg|410975|14cfd674b76a1c2c229e06f2c85a484b
hXXp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5403c9d106db09b3de9c824821.jpg|410975|c64f6d20348d09791984d5f67ceb770e
hXXp://imgsrc.baidu.com/forum/pic/item/0d338744ebf81a4caea39aa7dd2a6059242da6cf.jpg|410975|242e03e75b95ae0c431c6d0c4221dbc8
hXXp://imgsrc.baidu.com/forum/pic/item/7acb0a46f21fbe0993a0b57a61600c338644ade6.jpg|410975|e73a62b63d758296f469c46802e1f9cc
hXXp://imgsrc.baidu.com/forum/pic/item/242dd42a2834349b049618ebc3ea15ce37d3becf.jpg|410975|862bd9afd7dee9a171f6b5f8bd096ed8
hXXp://imgsrc.baidu.com/forum/pic/item/eaf81a4c510fd9f9d6ee23072f2dd42a2934a4e6.jpg|410975|8153aa8cfd9dcddc0d1849ffff04a810
hXXp://imgsrc.baidu.com/forum/pic/item/3801213fb80e7bec66bc758f252eb9389b506b7d.jpg|205687|ebcea44616eecc71a68604921cc3b99b
32.dll
penKeyExA
C:\Windows\system32\jsproxy.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\
0922161db81ce61.exe
Microsoft\Windows\Cookies
Microsoft\Windows\History
#ttp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5403c9d106db09b3de9c824821.jpg
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Meiryo UI BoldSEGOEUIB.TTF,133,83
SEGOEUIB.TTF
MSGOTHIC.TTC,MS UI Gothic
MSJHBD.TTF,128,96
MSJHBD.TTF
MSYHBD.TTF,128,96
MSYHBD.TTF
MALGUNBD.TTF,128,96
MALGUNBD.TTF
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files
oftware\Microsoft\windows\CurrentVersion\Internet Settings\Connections
hXXp://imgsrc.baidu.com/forum/pic/item/2cf5e0fe9925bc3111e777f654df8db1cb137021.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg

%original file name%.exe_1908_rwx_009E5000_00003000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
comdlg32.dll
RegCloseKey
ShellExecuteA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>

%original file name%.exe_1908_rwx_01FF0000_0003E000:

.text
`.rdata
@.data
.rsrc
@.reloc
%*.*f
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
WSOCK32.dll
ole32.dll
OLEAUT32.dll
FtpDeleteFileA
FtpRenameFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpPutFileA
FtpGetFileA
FtpFindFirstFileA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
internet.fne
InternetOpenUrlA
SHLWAPI.dll
MSIMG32.dll
MSVCRT.dll
WS2_32.dll
WINMM.dll
dll.dll
hXXp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg|226769|7a360f63ae53e99a493e3599f7a2790f
imgsrc.baidu.com
c:\hwconfig
c:\hwconfig\

%original file name%.exe_1908_rwx_0202F000_00031000:

qjwyhe.ini
hXXp://101.200.152.202:86/
101.200.152.202
\*.qdat
kernel32.dll
Kernel32.dll
ntdll.dll
shlwapi.dll
user32.dll
wininet.dll
Msimg32.dll
InternetOpenUrlA
program internal error number is %d.
:"%s"
:"%s".
1.1.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s@%s:%d
.PAVCException@@
HTTP/1.0
0000HTTP
hXXp://VVV.eyuyan.com
service@dywt.com.cn
 86(0411)39895834
 86(0411)39895831
SMTP
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
Windows
ListFtpDir
GetCurrentFtpDir
SetCurrentFtpDir
RemoveFtpDir
CreateFtpDir
RenameFtpFile
DeleteFtpFile
PutFtpFile
GetFtpFile
DisconnectFTPServer
ConnectFTPServer
GetHttpFile
DisconnectSmtpServer
ConnectSmtpServer
internet_fnListFtpDir
internet_fnGetCurrentFtpDir
internet_fnSetCurrentFtpDir
internet_fnRemoveFtpDir
internet_fnCreateFtpDir
internet_fnRenameFtpFile
internet_fnDeleteFtpFile
internet_fnPutFtpFile
internet_fnGetFtpFile
internet_fnDisconnectFTPServer
internet_fnConnectFTPServer
internet_fnGetHttpFile
internet_fnDisconnectSmtpServer
internet_fnConnectSmtpServer
rasapi32.lib
sale@dywt.com.cn
service@dywt.com.cn;sale@dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.PAVCArchiveException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCFileException@@
c:\%original file name%.exe
1.0.0.0
(hXXp://VVV.eyuyan.com)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f30dda4f816a59b3ab8ed614da904531.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\029506795cad33f280122fdd896b942d.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\91e4215e32fbe531c954ddfb08af735d.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2ffed360123a5d177c7537680bd244f5.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
