Trojan.Win32.FlyStudio_783c774efb
Gen:Variant.Graftor.361970 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.361970 (B) (Emsisoft), GenericRXBT-CQ!90AB20B3720E (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan-Dropper.Win32.Daws (Ikarus), Gen:Variant.Graftor.361970 (FSecure), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 783c774efb308b5a5a3d334169d9a5f6
SHA1: e07bced7396c73433eb196aec49986d94794d666
SHA256: f84061f72b6a71d2f0fffd8c04a8e27e3c5d2de84a43b7f7ca99b7d9c2d4626c
SSDeep: 24576:IFQewglKsaH4pJ97mq7ig2oNbXvNC4dtw0nl6vPQhafUqz:IF92saHG7/7lbXJtH2AvA6Pz
Size: 1304396 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-07 10:38:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
The FlyStudio family name used by several vendors in the detection list denotes executables built with the Chinese 易语言 (EPL, "Easy Programming Language") toolchain, whose runtime is flagged generically; most of the other names (HEUR, Generic, Graftor, ML.Attribute) are likewise heuristic, so the observed behaviour recorded below is a better guide to what this sample does than the labels.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
The EmailWorm tag comes from the GenericEmailWorm.YR signature in the detection list; the captured traffic below contains only HTTP requests, and no SMTP activity is recorded in this report.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3524
(3524 is the PID of the sample's own process in this run, so all file, registry and network activity below is attributed to it. No child process and no injection into a foreign process were observed.)
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7f19c6cad4fa35d52d1bc545133dc11c.ini (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d6fdbd645b69628a97bbc4a422e07544.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\419eaabbd797897cc94575b9ed88e606.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\71b5f4dfec1525d01ec8bb060eed7267.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\be3cc57af3ed577fe4da99371f04a824.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)
None of these files is executable (see Dropped PE files below), and the report does not show their contents. Note only that the nine .txt sizes (226, 297, 419 and 420 bytes) coincide with the leading digits of the JPEG Content-Length values in the Traffic section (226769, 297656, 419176, 420649); that is worth checking against the downloaded images once the temp files are recovered from the sandbox.
Registry activity
The process %original file name%.exe:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
(The HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and _RASMANCS keys, and the Internet Settings ZoneMap, Connections and proxy values listed here, are written by Windows itself when a process first uses the WinINet/RAS networking APIs. They show that the sample used WinINet for its HTTP traffic; they are not persistence mechanisms, and no Run key, service or scheduled task is recorded in this report.)
[HKLM\SOFTWARE\Microsoft\Tracing\783c774efb308b5a5a3d334169d9a5f6_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\783c774efb308b5a5a3d334169d9a5f6_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 6139904 | 1293824 | 5.54507 | 771a43bdc458d3110ad4288831439626 |
| .rsrc | 6144000 | 12288 | 8704 | 4.02237 | 3724f6bc944158797ef1ffd7607da8c9 |
The .text section is 6139904 bytes in memory but only 1293824 bytes on disk, roughly a 4.7:1 ratio. That is the usual footprint of a packer (PEiD reports PECompact 2.x above): the stub decompresses into the reserved space at run time, so static analysis of the file on disk sees only the stub, and the unpacked image should be dumped from the process after the stub has finished. The file carries no VersionInfo and no Authenticode signature.
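Added example, not part of the Lavasoft report: a Python check for the virtual-size versus raw-size discrepancy in the table above. It parses the section table straight out of raw PE bytes with struct (no third-party library), flags any section whose VirtualSize is at least twice its SizeOfRawData, and builds a header-only PE from the table's own values to exercise itself. The PointerToRawData offsets in PAGE_SECTIONS are assumed, since the report does not give them.

```python
from __future__ import annotations

import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)

# Values from the report's PE Sections table. PointerToRawData is not in the
# report; the two file offsets below are assumed (headers in the first 1 KiB,
# sections stored back to back).
PAGE_SECTIONS = [
    (b".text", 6139904, 4096, 1293824, 1024),
    (b".rsrc", 12288, 6144000, 8704, 1024 + 1293824),
]


def parse_sections(pe: bytes) -> list[dict]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, pe, table + i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_ptr": rawptr,
            "characteristics": fields[9],
        })
    return sections


def suspicious_sections(sections: list[dict], ratio: float = 2.0,
                        min_raw: int = 4096) -> list[tuple[str, float]]:
    """Flag sections whose in-memory size is at least `ratio` times their
    on-disk size. A packer stub inflates into that reserved space at run time.
    Uninitialised-data sections also grow in memory, so min_raw skips sections
    with little or no raw data, and the result should be weighed together with
    packer signatures and entropy rather than used on its own."""
    flagged = []
    for s in sections:
        if s["raw_size"] >= min_raw and s["virtual_size"] >= ratio * s["raw_size"]:
            flagged.append((s["name"], s["virtual_size"] / s["raw_size"]))
    return flagged


def build_header_only_pe(specs: list[tuple]) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header, a zeroed
    PE32 optional header and the given section headers, with no section data.
    Enough for parse_sections; it is not a runnable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    opt = bytearray(224)                               # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x0102)
    headers = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                    rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in specs
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    sample = build_header_only_pe(PAGE_SECTIONS)
    for name, r in suspicious_sections(parse_sections(sample)):
        print(f"{name}: VirtualSize is {r:.2f}x SizeOfRawData")
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_sections`; the threshold of 2.0 is deliberately loose, and a hit should be confirmed by the packer signature and by dumping the process after the unpacking stub has run.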
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://lb.lybaomu.com/xzq13.txt | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/0b7b02087bf40ad1262425635e2c11dfa8ecce6a.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/63d9f2d3572c11dfe1115da36a2762d0f603c26a.jpg | |
| hxxp://hiphotos.jomodns.com/forum/pic/item/a044ad345982b2b75f19db4438adcbef77099ba8.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/a044ad345982b2b75f19db4438adcbef77099ba8.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/0b7b02087bf40ad1262425635e2c11dfa8ecce6a.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/63d9f2d3572c11dfe1115da36a2762d0f603c26a.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg | |
| hxxp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile
The first alert fires on the hard-coded User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" seen in every request below; the sandbox is Windows 7 SP1 (NT 6.1), so the string is baked into the sample rather than taken from the host, and that OS/UA mismatch is a usable network detection hook.
Traffic
GET /xzq13.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: lb.lybaomu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 9569
Content-Type: text/plain
Last-Modified: Sun, 18 Jun 2017 02:08:05 GMT
Accept-Ranges: bytes
ETag: "f0e8edb8d7e7d21:2784"
Server: Microsoft-IIS/6.0
Date: Sun, 18 Jun 2017 15:06:32 GMT

[body of xzq13.txt as dumped by the sandbox, non-ASCII bytes shown as dots; the eight hwbegin...end hex blobs, wrapped in the dump, are rejoined one per line]
;........,........................;.....
......................................................................
.........................;................,v:1......:....Blue 0212-[ .
.................123456789 ]----------------------------------
hwbegin0D0F3E03ED020000789C8DD24D6E9B410806E07DA55EC51EFE99DE06662071252B56EAEC7CF87E55B348765EB1end
hwbeginE3E1055EEFF7DBAFF3F9727DF9F3BE4E1997FD715A6FD773BFBD7F5CCFB7CB3A5FEE753D8FB41C38DCB279C406end
hwbegin54641425295C00BBC36BADD238FDBEBD3C1826983E88B57C5B0F9EDA68150A499611392B36C2CF1FAFCFE14A7Bend
hwbegin366E12FB8F1500C80ED24053DCA375D0C2EFF8B4EA51AEE9E193674DA039AD296D2669D7D3780CE6D8C4321D13end
hwbeginD3A461EE64268FBDB2DA6CCC99E15FF1D19DDCA2EDC7E8064E454397A93B6A2EE4A7711EC4D346D0E0428166D4end
hwbegin1E6A1E47B2755056544213BFE2B88F7508E09225B576F852B158CDD43B42FB69DC178C0135690E40A04649897Fend
hwbegin5D7719E9F1038535E57B72B58E2640A9803413D760D075A49F22C1F4342EF28934564E72F2A3B8E15E8A2EC7DFend
hwbeginF1DEDA9FB8213B3CD6121A9D9083D31CF6C09CC9B5BCC1C782E3E47F01A184E154end
;................,v:1......:....Blue 0212-[ ..........
........123456789 ]----------------------------------............;....
....|........|........|...... IP|....|........|..........|............
;.............. 1=0629......................;..........:..........,...
.................DLL,............:LoginDll.dll..;---------------------
----------------------------..[1.80......]..........[17-09......]|----
----............--------|........|127.0.0.1|9003|password..[1.80..<<< skipped >>>

What can be read from the dump: an INI-style text (lines beginning with ";" are comments), a "v:1" version marker, a label "Blue 0212", a reference to a DLL named LoginDll.dll, a pipe-separated field set "127.0.0.1|9003|password", and eight hex blobs framed by hwbegin/end. Seven of the blobs decode to 45 bytes and the last to 33. Only the first contains the byte pair 78 9C, at offset 8; that is the zlib stream header for default-level compression, and the dword immediately before it (ED 02 00 00) reads 749 as a little-endian integer, a plausible decompressed length. The other blobs show no such header, so they may be encoded differently or the match in the first may be coincidental; inflate the first blob before drawing conclusions about the format.
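Added example, not part of the Lavasoft report: a small Python parser for the hwbegin...end framing in the xzq13.txt dump above. It hex-decodes each blob, looks for a zlib header (78 01, 78 5E, 78 9C or 78 DA) at any offset, inflates from there with a decompressor that keeps whatever output precedes a truncation or corruption error, and reads the dword before the header as a little-endian length hint. The framing regex and the header scan follow what the capture shows; the 8-byte prefix layout and the self-test configuration are constructed for the example, and the one real blob included (PAGE_BLOB_1, the first blob in the capture) is only printed, since its content is not established by the report.

```python
from __future__ import annotations

import re
import struct
import zlib

# Framing observed in the captured xzq13.txt: "hwbegin" + hex digits + "end".
BLOB_RE = re.compile(r"hwbegin([0-9A-Fa-f]+)end")

# Two-byte zlib stream headers (CMF 0x78 = deflate, 32 KiB window) for the
# compression levels a stock zlib emits; each satisfies (CMF*256 + FLG) % 31 == 0.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

# First hwbegin blob from the capture above, verbatim. Its meaning is not
# established by the report; the script only attempts to inflate it.
PAGE_BLOB_1 = (
    "0D0F3E03ED020000789C8DD24D6E9B410806E07DA55EC51EFE99DE06662071252B56E"
    "AEC7CF87E55B348765EB1"
)

# Constructed payload for the self-test configuration (not from the sample).
SAMPLE_PAYLOAD = b"127.0.0.1|9003|password\r\nLoginDll.dll\r\n" * 20


def extract_blobs(config_text: str) -> list[bytes]:
    """Return the decoded bytes of every hwbegin...end blob, in file order."""
    return [bytes.fromhex(m.group(1)) for m in BLOB_RE.finditer(config_text)]


def find_zlib_offsets(blob: bytes) -> list[int]:
    """Every offset at which a plausible zlib header starts."""
    return [i for i in range(len(blob) - 1) if blob[i:i + 2] in ZLIB_HEADERS]


def inflate_tolerant(data: bytes) -> tuple[bytes, bool]:
    """Inflate a zlib stream one byte at a time so that output produced before
    a truncation or corruption error is kept. Returns (output, complete);
    complete is True only if zlib saw the end-of-stream marker and a valid
    Adler-32 trailer."""
    d = zlib.decompressobj()
    out = bytearray()
    for i in range(len(data)):
        try:
            out += d.decompress(data[i:i + 1])
        except zlib.error:
            return bytes(out), False
        if d.eof:
            break
    return bytes(out), d.eof


def analyse_blob(blob: bytes) -> dict:
    """Describe one blob: size, first zlib header offset, the little-endian
    dword just before that header (assumed length field, mirroring the
    captured blob where ED 02 00 00 precedes 78 9C), and the inflate result."""
    info = {"size": len(blob), "zlib_offset": None, "len_hint": None,
            "inflated": b"", "complete": False}
    offsets = find_zlib_offsets(blob)
    if not offsets:
        return info
    off = offsets[0]
    info["zlib_offset"] = off
    if off >= 4:
        info["len_hint"] = struct.unpack_from("<I", blob, off - 4)[0]
    info["inflated"], info["complete"] = inflate_tolerant(blob[off:])
    return info


def analyse_config(config_text: str) -> list[dict]:
    """Run analyse_blob over every blob in a configuration text."""
    return [analyse_blob(b) for b in extract_blobs(config_text)]


def build_sample_config() -> str:
    """Constructed test input mirroring the captured layout: a comment line,
    one blob made of a 4-byte tag, a 4-byte little-endian length and a zlib
    stream, and one opaque blob with no zlib header at all."""
    blob1 = (b"\x0d\x0f\x3e\x03"                        # arbitrary tag bytes
             + struct.pack("<I", len(SAMPLE_PAYLOAD))   # assumed length field
             + zlib.compress(SAMPLE_PAYLOAD, 6))        # level 6 => 78 9C header
    blob2 = bytes(range(0x40, 0x40 + 45))               # contains no 0x78 byte
    return (";constructed config\r\n"
            f"hwbegin{blob1.hex().upper()}end\r\n"
            f"hwbegin{blob2.hex().upper()}end\r\n")


def describe(label: str, r: dict) -> str:
    return (f"{label}: {r['size']} bytes, zlib header at {r['zlib_offset']}, "
            f"length hint {r['len_hint']}, inflated {len(r['inflated'])} bytes, "
            f"complete={r['complete']}")


if __name__ == "__main__":
    for i, r in enumerate(analyse_config(build_sample_config()), 1):
        print(describe(f"constructed blob {i}", r))
    print(describe("captured blob 1", analyse_blob(bytes.fromhex(PAGE_BLOB_1))))
```

If the captured blob inflates cleanly to exactly 749 bytes, the length-field reading above is confirmed and the remaining blobs can be tested for a per-blob transform (XOR, substitution) that hides the same header; if it does not, treat the 78 9C match as coincidence and start from the 45-byte block size instead.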
GET /forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:09 GMT
Content-Type: image/jpeg
Content-Length: 226769
Connection: keep-alive
ETag: "7130635741171976897"
Last-Modified: Thu, 29 Sep 2016 09:22:38 GMT
Expires: Thu, 11 Jan 2018 18:33:00 GMT
Age: 13636452
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: JFIF with an Exif block whose software tag reads "Adobe Photoshop CS3 Windows", dated 2008:02:19 19:27:40]

Eight JPEG fetches from imgsrc.baidu.com follow the configuration download. The sandbox cuts each body off after the first few hundred bytes, so whether anything is appended past the image data (a common way of staging a payload on a public image host) cannot be determined from this report; the files need to be pulled in full and checked for data after the JPEG end-of-image marker. The first five responses share the Photoshop CS3 Exif header, the last three are plain baseline JFIF.
GET /forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:11 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "7878501113830277673"
Last-Modified: Thu, 29 Sep 2016 09:44:50 GMT
Expires: Sun, 24 Dec 2017 15:49:52 GMT
Age: 15204279
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: JFIF with an Exif block whose software tag reads "Adobe Photoshop CS3 Windows", dated 2008:02:19 19:27:40]
GET /forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:14 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "17719340091593362697"
Last-Modified: Thu, 29 Sep 2016 09:44:51 GMT
Expires: Sun, 24 Dec 2017 15:50:08 GMT
Age: 15204306
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: JFIF with an Exif block whose software tag reads "Adobe Photoshop CS3 Windows", dated 2008:02:19 19:27:40]
GET /forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:18 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: keep-alive
ETag: "2181626205514252865"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Thu, 31 May 2018 08:44:13 GMT
Age: 1145611
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: JFIF with an Exif block whose software tag reads "Adobe Photoshop CS3 Windows", dated 2008:02:19 19:27:40]
GET /forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:21 GMT
Content-Type: image/jpeg
Content-Length: 297656
Connection: keep-alive
ETag: "8194768310413110853"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Sun, 24 Dec 2017 15:49:56 GMT
Age: 15204313
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: JFIF with an Exif block whose software tag reads "Adobe Photoshop CS3 Windows", dated 2008:02:19 19:27:40]
GET /forum/pic/item/0b7b02087bf40ad1262425635e2c11dfa8ecce6a.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:25 GMT
Content-Type: image/jpeg
Content-Length: 419176
Connection: keep-alive
ETag: "9524486303931949286"
Last-Modified: Mon, 27 Feb 2017 11:59:36 GMT
Expires: Tue, 27 Feb 2018 12:00:14 GMT
Age: 9602039
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: baseline JFIF, no Exif block visible in the dump]
GET /forum/pic/item/63d9f2d3572c11dfe1115da36a2762d0f603c26a.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:32 GMT
Content-Type: image/jpeg
Content-Length: 419176
Connection: keep-alive
ETag: "17307354061229507302"
Last-Modified: Mon, 27 Feb 2017 11:59:36 GMT
Expires: Tue, 27 Feb 2018 12:00:14 GMT
Age: 9602045
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: baseline JFIF, no Exif block visible in the dump]
GET /forum/pic/item/a044ad345982b2b75f19db4438adcbef77099ba8.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsrc.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 18 Jun 2017 15:15:48 GMT
Content-Type: image/jpeg
Content-Length: 419176
Connection: keep-alive
ETag: "14172967432279861572"
Last-Modified: Mon, 27 Feb 2017 11:59:36 GMT
Expires: Tue, 27 Feb 2018 12:00:15 GMT
Age: 9602060
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
[binary JPEG body omitted: baseline JFIF, no Exif block visible in the dump]
The same GET /xzq13.txt request, with identical headers, was sent five more times during the run. The server answered each with the same 9569-byte text/plain body, ETag "f0e8edb8d7e7d21:2784" and Last-Modified Sun, 18 Jun 2017 02:08:05 GMT; the Date headers of four of those responses are 15:06:27, 15:06:28, 15:06:31 and 15:06:31 GMT, and the dump of the sixth is cut off after its Last-Modified header. Together with the 15:06:32 response shown above, the configuration URL was polled six times in roughly five seconds.
Accept-Ranges: bytes
ETag: "f0e8edb8d7e7d21:2784"
Server: Microsoft-IIS/6.0
Date: Sun, 18 Jun 2017 15:06:32 GMT;........,........................;.....
......................................................................
.........................;................,v:1......:....Blue 0212-[ .
.................123456789 ]----------------------------------..hwbegi
n0D0F3E03ED020000789C8DD24D6E9B410806E07DA55EC51EFE99DE06662071252B56E
AEC7CF87E55B348765EB1end..hwbeginE3E1055EEFF7DBAFF3F9727DF9F3BE4E1997F
D715A6FD773BFBD7F5CCFB7CB3A5FEE753D8FB41C38DCB279C406end..hwbegin54641
425295C00BBC36BADD238FDBEBD3C1826983E88B57C5B0F9EDA68150A499611392B36C
2CF1FAFCFE14A7Bend..hwbegin366E12FB8F1500C80ED24053DCA375D0C2EFF8B4EA5
1AEE9E193674DA039AD296D2669D7D3780CE6D8C4321D13end..hwbeginD3A461EE642
68FBDB2DA6CCC99E15FF1D19DDCA2EDC7E8064E454397A93B6A2EE4A7711EC4D346D0E
0428166D4end..hwbegin1E6A1E47B2755056544213BFE2B88F7508E09225B576F852B
158CDD43B42FB69DC178C0135690E40A04649897Fend..hwbegin5D7719E9F1038535E
57B72B58E2640A9803413D760D075A49F22C1F4342EF28934564E72F2A3B8E15E8A2EC
7DFend..hwbeginF1DEDA9FB8213B3CD6121A9D9083D31CF6C09CC9B5BCC1C782E3E47
F01A184E154end..;................,v:1......:....Blue 0212-[ ..........
........123456789 ]----------------------------------............;....
....|........|........|...... IP|....|........|..........|............
;.............. 1=0629......................;..........:..........,...
.................DLL,............:LoginDll.dll..;---------------------
----------------------------..[1.80......]..........[17-09......]|----
----............--------|........|127.0.0.1|9003|password..[1.80..<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rsrc
t$(SSh
B\0%D
~%UVW
u$SShe
iu2.iu
K(.wS
ntdll.dll
kernel32.dll
shlwapi.dll
k.eX&h
pG.Le
.OKG'
k@v%D
.qjKb
.>;$>:$~
%.IiZ
h%C;BD
O.rlA
G H~.Ou}*@6
*6%XS2
)Dz.Bc
%.IWi
^F%Fi
5S%U)
uLp|.aNS
%fTl&K
sE%u7^
IwEB
.jcnA O9
*O-3%Um_Af
%Xfi$
I.oDER2
%x|uw
o.rM2Lrf
cz.yO
[>2.Ef*}
r.EUN
D.ydZ|
G:\oJ
%dxyf
Ua5.bN
.Jz.9
Ld1%x
?\.zX
dXT% %u2
1Ko
OhM%u
Vv%D%F
XIl%c%
G|Z%d
Adobe Photoshop CS5 Windows
2016:12:24 15:53:35
urlTEXT
MsgeTEXT
#hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2016-12-24T14:33:14 08:00" xmp:ModifyDate="2016-12-24T15:53:35 08:00" xmp:MetadataDate="2016-12-24T15:53:35 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" xmpMM:DocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC" xmpMM:OriginalDocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:2D4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T14:33:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/gif to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T15:53:35 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.vk?HxG
2016:12:24 14:59:37
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:crs="hXXp://ns.adobe.com/camera-raw-settings/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" crs:AlreadyApplied="True" photoshop:LegacyIPTCDigest="7B3DBCF7478532F3D679AC0D72F73A63" photoshop:ColorMode="3" xmp:CreateDate="2016-01-12T17:12:27 08:00" xmp:ModifyDate="2016-12-24T14:59:37 08:00" xmp:MetadataDate="2016-12-24T14:59:37 08:00" xmp:CreatorTool="Adobe Photoshop CS5 Windows" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" xmpMM:DocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116" xmpMM:OriginalDocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FCB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FDB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:45161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:46161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:59:37 08:00" 
stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:41078AF178C9E611BC89FA2214169575" xmpMM:DocumentID="xmp.did:FE8DACE1C9A111E6AD14C12F766AE3F3" xmpMM:InstanceID="xmp.iid:FE8DACE0C9A111E6AD14C12F766AE3F3" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:42078AF178C9E611BC89FA2214169575" stRef:documentID="xmp.did:41078AF178C9E611BC89FA2214169575"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
H'.XA0
~.nqQ
d90.hg
I#1.Rc]p
.bc76$
%\9%S
%UErM
` jgAKT.MA(
VP%u~
<CH%d
:.CI
%cNP&l"
o8%UB
xCÝ
<.Nl8
&tCpFC
XB%DSr
%S&Z_H1r
*2y%Xa5
vFb%Xja
X,K%U
/kAB%D
8O6.Í
$@CN&fB
@.nP?
*~?K%D
1.od8
,O.To_
;.VN.
b.xqTA
`.fH),#
.Lakt*
J%C`^
ea.nx
K.sAL
*<;!*<!<
.uB.T
]\ (B%D
@75.xH
8`%Di
PF)%F!
4.qIF
2%DvV@
.yBe4
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
233333333333331
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>v
(*.*)
%original file name%.exe_3524_rwx_001E0000_00003000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
%original file name%.exe_3524_rwx_00210000_0003E000:
.text
`.rdata
@.data
.rsrc
@.reloc
kumViu1BkuG?iu2.iu
%*.*f
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
WSOCK32.dll
ole32.dll
OLEAUT32.dll
FtpDeleteFileA
FtpRenameFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpPutFileA
FtpGetFileA
FtpFindFirstFileA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
internet.fne
InternetOpenUrlA
SHLWAPI.dll
MSIMG32.dll
MSVCRT.dll
WS2_32.dll
WINMM.dll
dll.dll
hXXp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg|226769|7a360f63ae53e99a493e3599f7a2790f
imgsrc.baidu.com
c:\hwconfig
c:\hwconfig\
%original file name%.exe_3524_rwx_0024F000_00031000:
G|Z%d
qjwyhe.ini
hXXp://101.200.152.202:86/
101.200.152.202
\*.qdat
kernel32.dll
Kernel32.dll
ntdll.dll
shlwapi.dll
user32.dll
wininet.dll
Msimg32.dll
InternetOpenUrlA
program internal error number is %d.
:"%s"
:"%s".
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s@%s:%d
.PAVCException@@
HTTP/1.0
0000HTTP
hXXp://VVV.eyuyan.com
service@dywt.com.cn
86(0411)39895834
86(0411)39895831
SMTP
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
Windows
ListFtpDir
GetCurrentFtpDir
SetCurrentFtpDir
RemoveFtpDir
CreateFtpDir
RenameFtpFile
DeleteFtpFile
PutFtpFile
GetFtpFile
DisconnectFTPServer
ConnectFTPServer
GetHttpFile
DisconnectSmtpServer
ConnectSmtpServer
internet_fnListFtpDir
internet_fnGetCurrentFtpDir
internet_fnSetCurrentFtpDir
internet_fnRemoveFtpDir
internet_fnCreateFtpDir
internet_fnRenameFtpFile
internet_fnDeleteFtpFile
internet_fnPutFtpFile
internet_fnGetFtpFile
internet_fnDisconnectFTPServer
internet_fnConnectFTPServer
internet_fnGetHttpFile
internet_fnDisconnectSmtpServer
internet_fnConnectSmtpServer
rasapi32.lib
sale@dywt.com.cn
service@dywt.com.cn;sale@dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.PAVCArchiveException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCFileException@@
zcÁ
c:\%original file name%.exe
: :$:(:,:
5 5$5(5,50545
6 6$6(6,6064686
8 8$8(8,8
6!646:6@6 808}8
2!262_2|2
8!858\8|8
50646<6@6
8"8*828:8
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_3524_rwx_002C6000_0000C000:
This program is maDe by dtcser.thank
.MAMA~
.AND~~
P.YOURS
P.BABA
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ttp://imgsrc.baidu.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg
ttp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg
C:\ProgramData\Microsoft\Network\Connections\Pbk
C:\Windows\System32\Ras
%original file name%.exe_3524_rwx_002D5000_00026000:
hXXp://lb.lybaomu.com/xzq13.txt|hXXp://117.23.50.11:89/xzq13.txt|hXXp://lb.lybaomu.com|hXXp://lb.lybaomu.com/link.htm|hXXp://lb.lybaomu.com/Upgrade/list.txt|
610.58souso.com|402591813|2
hXXp://imgsrc.baidu.com/forum/pic/item/1ad5ad6eddc451da7740e366befd5266d116328d.jpg|420649|139aebd7d9d27557d1a3f22e495accc7
hXXp://imgsrc.baidu.com/forum/pic/item/342ac65c103853437b3d68ac9b13b07ecb808849.jpg|420649|89bc4b0b2313aeab1fb51885e51ebb90
hXXp://imgsrc.baidu.com/forum/pic/item/ca1349540923dd5496d148e5d909b3de9d824899.jpg|420649|91a88d7ec01dc29fbe14e3802a977152
hXXp://imgsrc.baidu.com/forum/pic/item/2e2eb9389b504fc276ad5f88eddde71191ef6d49.jpg|420649|fc2c557b9a33117ecf940e891fd552a1
hXXp://imgsrc.baidu.com/forum/pic/item/a686c9177f3e670912a2aa7233c79f3df9dc5599.jpg|124357|a3ece03cc19b65c2f81e78cd53e8e9eb
hXXp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg|420649|74caa486e032c9a95ff7ac69a6335657
hXXp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg|420649|f8c4dfdc2d60a199afe37b7d72864b4e
hXXp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg|420649|5cf48fa3b58bed6c6c3be7dccd673d66
hXXp://imgsrc.baidu.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg|297656|101037befd84a153d332d67e5aeb686b
402591813
C:\Windows\system32\iedkcs32.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
zilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
ur.ay
ya.ru
w55c.net
nc.afadf
fdafa.cn
ten.rmba
abmr.net
moc.gnib
bing.com
moc.tfosorcim.secivresatem.serotsenilno
onlinestores.metaservices.microsoft.com
This program is maDe by dtcser.thank
.MAMA~
.AND~~
P.YOURS
P.BABA
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
hXXp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/8c1001e93901213f25b5ac5c5de736d12e2e95a8.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg
moc.ylezimitpo.gol.531950642
246059135.log.optimizely.com
/intl/en/chrome/browser/privacy/
moc.elgoog
google.com
hXXp://imgsrc.baidu.com/forum/pic/item/4034970a304e251f426f0678ae86c9177e3e5392.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Local\C:_Users_adm_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_196608
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
Local\C:_Users_adm_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
Local\C:_Users_adm_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_114688
.pac;.jvs;.js
imgsrc.baidu.com
783c774efb308b5.exe
Microsoft\Windows\Cookies
Microsoft\Windows\History
#ttp://imgsrc.baidu.com/forum/pic/item/8c1001e93901213f25b5ac5c5de736d12e2e95a8.jpg
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
132.11.168.192.in-ad
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files
oftware\Microsoft\windows\CurrentVersion\Internet Settings\Connections
omu.com/xzq13.tx
hXXp://imgsrc.baidu.com/forum/pic/item/0b7b02087bf40ad1262425635e2c11dfa8ecce6a.jpg
%original file name%.exe_3524_rwx_00401000_004E9000:
t$(SSh
B\0%D
~%UVW
u$SShe
iu2.iu
K(.wS
ntdll.dll
kernel32.dll
shlwapi.dll
k.eX&h
pG.Le
.OKG'
k@v%D
.qjKb
.>;$>:$~
%.IiZ
h%C;BD
O.rlA
G H~.Ou}*@6
*6%XS2
)Dz.Bc
%.IWi
^F%Fi
5S%U)
uLp|.aNS
%fTl&K
sE%u7^
IwEB
.jcnA O9
*O-3%Um_Af
%Xfi$
I.oDER2
%x|uw
o.rM2Lrf
cz.yO
[>2.Ef*}
r.EUN
D.ydZ|
G:\oJ
%dxyf
Ua5.bN
.Jz.9
Ld1%x
?\.zX
dXT% %u2
1Ko
OhM%u
Vv%D%F
XIl%c%
%original file name%.exe_3524_rwx_008EB000_000F1000:
G|Z%d
ntdll.dll
kernel32.dll
shlwapi.dll
Adobe Photoshop CS5 Windows
2016:12:24 15:53:35
urlTEXT
MsgeTEXT
#hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2016-12-24T14:33:14 08:00" xmp:ModifyDate="2016-12-24T15:53:35 08:00" xmp:MetadataDate="2016-12-24T15:53:35 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" xmpMM:DocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC" xmpMM:OriginalDocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:2D4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T14:33:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/gif to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T15:53:35 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.vk?HxG
2016:12:24 14:59:37
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:crs="hXXp://ns.adobe.com/camera-raw-settings/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" crs:AlreadyApplied="True" photoshop:LegacyIPTCDigest="7B3DBCF7478532F3D679AC0D72F73A63" photoshop:ColorMode="3" xmp:CreateDate="2016-01-12T17:12:27 08:00" xmp:ModifyDate="2016-12-24T14:59:37 08:00" xmp:MetadataDate="2016-12-24T14:59:37 08:00" xmp:CreatorTool="Adobe Photoshop CS5 Windows" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" xmpMM:DocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116" xmpMM:OriginalDocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FCB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FDB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:45161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:46161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:59:37 08:00" 
stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:41078AF178C9E611BC89FA2214169575" xmpMM:DocumentID="xmp.did:FE8DACE1C9A111E6AD14C12F766AE3F3" xmpMM:InstanceID="xmp.iid:FE8DACE0C9A111E6AD14C12F766AE3F3" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:42078AF178C9E611BC89FA2214169575" stRef:documentID="xmp.did:41078AF178C9E611BC89FA2214169575"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
H'.XA0
~.nqQ
d90.hg
I#1.Rc]p
.bc76$
%\9%S
%UErM
` jgAKT.MA(
VP%u~
<CH%d
:.CI
%cNP&l"
o8%UB
xCÝ
<.Nl8
&tCpFC
XB%DSr
%S&Z_H1r
*2y%Xa5
vFb%Xja
X,K%U
/kAB%D
8O6.Í
$@CN&fB
@.nP?
*~?K%D
1.od8
,O.To_
;.VN.
b.xqTA
`.fH),#
.Lakt*
J%C`^
ea.nx
K.sAL
*<;!*<!<
.uB.T
]\ (B%D
@75.xH
8`%Di
PF)%F!
4.qIF
2%DvV@
.yBe4
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iu2.iu
K(.wS
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
%original file name%.exe_3524_rwx_009DD000_00002000:
kernel32.dll
USER32.dll
GDI32.dll
WINMM.dll
WINSPOOL.DRV
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
comdlg32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7f19c6cad4fa35d52d1bc545133dc11c.ini (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d6fdbd645b69628a97bbc4a422e07544.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\419eaabbd797897cc94575b9ed88e606.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\71b5f4dfec1525d01ec8bb060eed7267.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\be3cc57af3ed577fe4da99371f04a824.txt (419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.