Trojan.Win32.Swrort.3_aa59e4285a


by malwarelabrobot on August 24th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: aa59e4285a1660f523c74bb79124c58c
SHA1: a11da065bc5edbc869cd32a4143be0e820441106
SHA256: 409625e52982f2e65bd1390a0593516fb31ec0066282a7d9a2e933ffd29a1037
SSDeep: 12288:2LHxxpnXRCpT3s3TCW3Zg9J6oImoSAM5KELYIBfWG:OxxlXRs3W13ZgVLFz
Size: 529408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-28 12:32:06
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3832

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\hm[1].js (14631 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NAV8NZAK.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\77975585[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\440673[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad[1].css (632 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017082320170824\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.luje[1].xml (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\001[1].png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJVJR09V.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\I6HU93O3.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\ad[1].htm (999 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)

Registry activity

The process %original file name%.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017082320170824]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91617"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017082320170824]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017082320170824"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\luje.cn]
"(Default)" = "63"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017082320170824]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017082320170824]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017082320170824]
"CachePrefix" = ":2017082320170824:"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\aa59e4285a1660f523c74bb79124c58c_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???
Product Name: ??????
Product Version: 0.0.1.121
Legal Copyright: Copyright (C) ?? 2013
Legal Trademarks:
Original Filename: ??????.exe
Internal Name: ??????
File Version: 0.0.1.121
File Description: ??????
Comments:
Language: English

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             905216        0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   909312           397312        395776    5.54436  9d7f9ddbd7140dd37e9434b2ac427ff7
.rsrc  1306624          135168        132608    3.88707  3ffb79d3705df292b23ac3ba5eec9e79

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.luje.cn/ad/ad.html 47.90.42.203
hxxp://www.luje.cn/ad/ad.css 47.90.42.203
hxxp://www.luje.cn/ad/001.png 47.90.42.203
hxxp://www.luje.cn/ad/77975585.png 47.90.42.203
hxxp://www.luje.cn/ad/440673.png 47.90.42.203
hxxp://hm.e.shifen.com/hm.js?333672882cfd10de10d1fed56d00cd75
hxxp://popup.jointreport-switch.com/?uid=2016 115.238.244.83
hxxp://hm.e.shifen.com/hm.gif?cc=0&ck=1&cl=32-bit&ds=1916x902&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=1844789585&si=333672882cfd10de10d1fed56d00cd75&st=1&v=1.2.16&lv=1&ct=!!&sn=27353
hxxp://hm.baidu.com/hm.js?333672882cfd10de10d1fed56d00cd75 220.181.7.190
hxxp://hm.baidu.com/hm.gif?cc=0&ck=1&cl=32-bit&ds=1916x902&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=1844789585&si=333672882cfd10de10d1fed56d00cd75&st=1&v=1.2.16&lv=1&ct=!!&sn=27353 220.181.7.190
teredo.ipv6.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /hm.js?333672882cfd10de10d1fed56d00cd75 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 8609
Content-Type: application/javascript
Date: Wed, 23 Aug 2017 05:23:07 GMT
Etag: 26df6ac0ecbc04ce0589b652f00630c8
P3p: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: apache
Set-Cookie: HMACCOUNT=2215FCA6D1E4491A; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
(function(){var h={},mt={},c={id:"333672882cfd10de10d1fed56d00cd75",dm:["jovi.cn"],js:"tongji.baidu.com/hm-web/js/",etrk:[],icon:'',ctrk:false,align:-1,nv:-1,vdur:1800000,age:31536000000,rec:0,rp:[],trust:0,vcard:0,qiao:0,lxb:0,conv:0,med:0,cvcc:'',cvcf:[],apps:''};

<<< skipped >>>

GET /hm.gif?cc=0&ck=1&cl=32-bit&ds=1916x902&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=1844789585&si=333672882cfd10de10d1fed56d00cd75&st=1&v=1.2.16&lv=1&ct=!!&sn=27353 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=2215FCA6D1E4491A


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Wed, 23 Aug 2017 05:23:13 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff


GET /ad/001.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.luje.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 05:23:03 GMT
Server: Apache
Last-Modified: Tue, 04 Jul 2017 13:10:32 GMT
ETag: "20259-b87-5537d9bbe2e4f"
Accept-Ranges: bytes
Content-Length: 2951
Vary: User-Agent
Keep-Alive: timeout=15, max=300
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /ad/440673.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.luje.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 05:23:04 GMT
Server: Apache
Last-Modified: Tue, 04 Jul 2017 13:13:37 GMT
ETag: "20272-1633-5537da6c1b2d3"
Accept-Ranges: bytes
Content-Length: 5683
Vary: User-Agent
Keep-Alive: timeout=15, max=299
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /?uid=2016 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: popup.jointreport-switch.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: tengine
Date: Wed, 23 Aug 2017 05:23:12 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache, must-revalidate
Set-Cookie: lgPTN29823270664418=0; expires=Wed, 23-Aug-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com
2f86
var popUrl = 'hXXp://popup.jointreport-switch.com/jointreport_process.php?ap=MzY2MXw3NTgzNWUxMmI5MWJiYWM3ODMwM2FlMGU2ZGEyZmYwNzkzOA==';
var lgUnionPushUrl = CrazyInitUrl(popUrl);
function CrazyInitUrl(urls){
	var sf=0,sc=0,ol='',sd=0;
	var ae = function(p) {
		v = false;
		document.write('<SCRIPT LANGUAGE=VBScript>\n on error resume next \n v = IsObject(CreateObject("'+p+'"))<\/SCRIPT>\n');
		if(v){
			return '1';
		}else{
			return '0';
		}
	};
	var af = function(p) {
		var m = '';
		for (var i=0; i < navigator.mimeTypes.length; i++){
			m = navigator.mimeTypes[i].type.toLowerCase();
		}
		v = '0';
		if (m.indexOf(p) != -1){
			if (navigator.mimeTypes[p].enabledPlugin != null) v = '1';
		}
		return v;
	};
	var __dm = (navigator.appName.indexOf("Netscape") != -1);
	var __di = (navigator.userAgent.toLowerCase().indexOf("msie") != -1);
	var __dw = ((navigator.userAgent.toLowerCase().indexOf("win")!=-1) || (navigator.userAgent.toLowerCase().indexOf("32bit")!=-1));
	if(__dw && __di) sf = ae("ShockwaveFlash.ShockwaveFlash.1");
	if(!__dw || __dm) fs = af("application/x-shockwave-flash");
	if(navigator.appName=="Netscape"){
		ol = navigator.language.substr(0,2);
	}else{
		ol = navigator.userLanguage.substr(0,2);
	}
	try{
		var us = window.screen.width+'_'+window.screen.height;
	}catch(e){
		var us = 0;
	}
	if(navigator.cookieEnabled) sc = 1;
	if(document.getElementById) sd = 1;
	var t = new Date();
	var pushTime = parseInt(t.getTime()/1000);
	urls ='&p

<<< skipped >>>

GET /ad/ad.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.luje.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 05:23:03 GMT
Server: Apache
Last-Modified: Mon, 21 Aug 2017 11:33:11 GMT
ETag: "20288-1b8b-55741d7ff2663"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 2602
Keep-Alive: timeout=15, max=300
Connection: Keep-Alive
Content-Type: text/html

<<< skipped >>>

GET /ad/ad.css HTTP/1.1

Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.luje.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 05:23:03 GMT
Server: Apache
Last-Modified: Tue, 04 Jul 2017 13:15:42 GMT
ETag: "20287-278-5537dae320b77"
Accept-Ranges: bytes
Content-Length: 632
Vary: User-Agent
Keep-Alive: timeout=15, max=299
Connection: Keep-Alive
Content-Type: text/css
a {
    color: #f00;
    text-decoration: none;
}
a:link {
	white-space: nowrap;
	color: #f00;
	text-decoration: none
}
a:visited {
	color: #f00;
	text-decoration: none
}
a:hover {
	cursor: pointer;
	color: #f00;
	text-decoration: underline
}
a:active {
	color: #f00;
	text-decoration: none
}
div {
	width:156px;
	border:0;
	margin:0px auto;
	font-size:12px;
	line-height: 15px;
}
/*table {
	border-collapse:collapse;
	border-spacing:0;
}*/
body {
	background:#ded;
	border:0;
	margin:0;
	text-align:center;
	overflow:hidden;
}
img {
	vertical-align:top;
	outline-width:0px;
	border:0;
}

<<< skipped >>>

GET /ad/77975585.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.luje.cn/ad/ad.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.luje.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 05:23:04 GMT
Server: Apache
Last-Modified: Tue, 04 Jul 2017 13:14:51 GMT
ETag: "2027b-1419-5537dab3012a5"
Accept-Ranges: bytes
Content-Length: 5145
Vary: User-Agent
Keep-Alive: timeout=15, max=298
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3832:

`.rsrc
u.SQWW
xSSSh
FTPjKS
FtPj;S
C.PjRV
cmd.exe
Visual C++ CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
_CMDLINE
import preload;
com.each = function(obj) begin
if(type(obj)==type.function)obj=obj();
if(!com.IsObject(obj))error('
try{enumerator = com.GetEnumerator(obj);}catch(e){err=e}if(err)error(err,2);var index = 0;var function iterator() {var value = enumerator.Next();if(!value)return;index = index + 1;return index, value ;}return iterator;end
There was not enough memory to complete the operation
Windows error
Unsupported feature required
%d.%d
com.dll
Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
com.getIUnknow() QueryInterface Failed!
-mapid %d
hh.exe
ID:0x%X: %s
pointer/*com.VARIANT*/
$Spp: aardio v10.0 Copyright (C) aardio.com $
$URL: aardio.com $
File %s, Line %d
ExportConstants
ExportEnumerations
ole.host
{Expected}: ::MSG struct
com.CreateEmbed
Invalid form.hwnd!
Union type not supported!
Record type not supported!
TKIND_MODULE and TKIND_MAX not supported!
Exception (%s)
IDispatch.Pointer
invalid object(com.IDispatch)
Property putref not supported.
Property puts with more than two parameters aren't supported.
showMsg
error: error during error handler execution.
.aardio
import ide.debug;
{Bad argument}:@%d '%s'
{Calling}:'%s'
{Bad argument}:@%d
{Expected}:%s
{Got}:%s
{File}:%s
{Line}:#%d
invalid option:'%s'
%s.%s
attempt to use a closed object: %s:#%d ( type:'%s.%s')
stack overflow (%s)
name conflict for namespace '%s'
{Failed}:%s
{Error}:%s
{Field}:'%s'
thread id:%d
thread error:%s
callback : _struct error '...%s'
Cannot load library '%s'.
%s._struct not found!
Invalid _struct{%s...},Expected a field name! [in]
field:%s
{Field}:%s.%s
Invalid _struct: {...%s},Data Type Error(%c...key:%s) [out]
{ %s }
Invalid _struct{%s...},Expected a field name! [out]
Failed to get the size of the dynamic array!field(%s)
Cannot load remote library '%s'.
Cannot find remote function '%s' in the dll.
Cannot find function '%s' in the dll.
{Declare api}:'%s'
{Data type error}: '...%s'
Struct size has more than %d
%s %s[%d]
invalid key to 'next'
Cann't modify a %s : '%s'
join
<%s@>
^$* ?.:([\-{<%
invalid replacement value (a %s)
%sX
~!@#$%^&*()_+-={}[]|\:;<>?/.,"
{Attempt to}:%s
{Kind}:%s
{Name}:'%s'
{Type}:%s
attempt to:compare two %s values
attempt to:compare %s with %s
line:#%d
file:%s:
no function environment for tail call at level %d
in function '%s'
in function <%s:%d>
import
import-namespace conflict for global.%s
import ide;
importFile
import %s failed ! file not found
import %s failed !syntax error:
import %s failed :
import-namespace conflict for self.%s
-%s%s
%s: %p
io.file
Invalid time:Invalid dayofweek(%d) outside valid range(0~6)
Invalid time:Invalid month(%d) outside valid range(1~12)
Invalid time:Invalid day(%d) outside valid range(1~31)
Invalid time:hour(%d) outside valid range(0~23)
Invalid time:minute (%d) outside valid range(0~59)
Invalid time:second(%d) outside valid range(0~59)
Invalid time:year(%d) outside valid range(1900~9999)
Invalid format directive(...%s)
time(%f,"%s","%s")
time(%f,"%s")
time(%f)
thread.call() error
[%d]=
raw.malloc(%d,
\xX
math.size64(%d,%d)
joinpath
chcp %d
io.file(closed)
io.file(%p)
standard %s file is closed
buffer( raw.malloc() )
%s\%s
_exepath
_exedir
_exefile
'tostring' must return a string to 'io.print'
char(%d)
{Near}:'%s'
$"%s"
%s: %s in precompiled chunk
{Expected}:'%s'
main function has more than %d %s
function at line %d has more than %d %s
{Match for}:'%s'
{Match line}:%d
{Expected}:keyword
?#%X.y
%S#[k
zcÁ
win.guid
raw.interface
ole32.dll
{00000000-0000-0000-C000-000000000046}
win.guid
com.interface
{0000010c-0000-0000-C000-000000000046}
com.interface.IPersist
{0000010b-0000-0000-C000-000000000046}
win.ole
{7FD52380-4E07-101B-AE2D-08002B2EC713}
com.interface.IPersistFile
{000214F9-0000-0000-C000-000000000046}
GetHotkey
int(WORD &pwHotkey)
SetHotkey
int(WORD wHotkey)
GetShowCmd
int(int &piShowCmd)
SetShowCmd
int(int iShowCmd)
pointer GetPath;pointer GetIDList;pointer SetIDList;pointer GetDescription;pointer SetDescription;pointer GetWorkingDirectory;pointer SetWorkingDirectory;pointer GetArguments;pointer SetArguments;pointer GetHotkey;pointer SetHotkey;pointer GetShowCmd;pointer SetShowCmd;pointer GetIconLocation;pointer SetIconLocation;pointer SetRelativePath;pointer Resolve;pointer SetPath
com.picture
util.table
string.conv
web.json
getPassword
keyEvent
isShiftPressed
int bKeyDown;WORD wRepeatCount;WORD wVirtualKeyCode;WORD wVirtualScanCode;union uChar;INT dwControlKeyState
struct dwMousePosition;INT dwButtonState;INT dwControlKeyState;INT dwEventFlags
struct keyEvent;struct mouseEvent;struct windowBufferSizeEvent;struct menuEvent;struct focusEvent
dwControlKeyState
bKeyDown
wVirtualKeyCode
maximumWindowSize
struct size;struct cursorPosition;WORD attributes;struct srWindow;struct maximumWindowSize
GetConsoleOutputCP
SetConsoleOutputCP
advapi32.dll
bool(POINTER hKey,pointer hHash,bool final,INT flags,pointer pbData,INT &len,INT bufLen)
bool(POINTER hKey,pointer hHash,bool final,INT flags,pointer pbData,INT &len)
bool(POINTER hHash,pointer sign,INT sigLen,pointer hPubKey,ustring sDesc,INT flags)
GenKey
CryptGenKey
bool(POINTER hProv,INT Algid,INT dwFlags,pointer &phKey)
GetUserKey
CryptGetUserKey
bool(POINTER hProv,INT dwKeySpec,pointer &phKey)
ExportKey
CryptExportKey
bool(POINTER hKey,pointer hExpKey,INT blobType,INT flags,string &pbData,INT &dataLen)
ImportKey
CryptImportKey
bool(POINTER hProv,struct pbData,INT dataLen,pointer hPubKey,INT flags,pointer &phKey)
ImportStringKey
bool(POINTER hProv,pointer pbData,INT dataLen,pointer hPubKey,INT flags,pointer &phKey)
SetKeyParam
CryptSetKeyParam
bool(POINTER hKey,INT blobType,pointer data,int flag)
DestroyKey
CryptDestroyKey
bool(POINTER hKey)
DuplicateKey
CryptDuplicateKey
bool(POINTER hKey,pointer r,INT flags,pointer &outKey)
duplicateKey
crypt.hash
genKey
getUserKey
hasKey
setKey
setKeyParam
importKey
exportKey
exportPlainTextKey
exportPrivateKey
exportPublicKey
setPassword
createHashByKey
setKey()->DuplicateKey()
deriveKey
crypt.bin
Crypt32.dll
int(POINTER hProv,int algid,pointer hKey,int flags, pointer& phHash)
DeriveKey
CryptDeriveKey
bool(POINTER hProv,INT Algid,POINTER hBaseData,int flags,pointer &phKey)
bool(POINTER hHash,INT keySpec,ustring sDesc,INT flags,string &sign,INT &sigLen
hKey
fsys.path
SHFileOperation
SHFileOperationW
Ole32.dll
operation
int hwnd;INT wFunc;ustring pFrom;ustring pTo;WORD fFlags;int fAnyOperationsAborted;pointer hNameMappings;ustring lpszProgressTitle
util.metaProperty
fsys.time
fsys.size
fsys.version
com.interface.IShellLink
inet.url
hotkey
showCmd
{00021401-0000-0000-C000-000000000046}
(urlpath)
win.version
Shell.Application
*.lnk
fsys.file
sys.info
Shlwapi.dll
[\/\:\*\?\"\<\>]
Version.dll
%d.%d.%d.d
%d.%d.d
\StringFileInfo\XX\%s
.LOGFONT
Gdi32.dll
int(ptr hdcDest,int xoriginDest,int yoriginDest,int wDest,int hDest,pointer hdcSrc,int xoriginSrc,int yoriginSrc,int wSrc,int hSrc,INT crTransparent)
ptr hdcSrc, struct ptSrc, INT crKey,struct blend, INT flags)
#X
#X
Shcore.dll
gdip.image
errMsg
gdip.core
Gdiplus.dll
GdiplusShutdown
UnsupportedGdiplusVersion!
PropertyNotSupported!
gdip.bitmap
{E09D739D-CCD4-44EE-8EBA-3FBF8BE4FC58}
{66087055-AD66-4C7C-9A18-38A2310B8337}
{3A4E2661-3109-4E56-8536-42C156E7DCFA}
{24D18C76-814A-41A4-BF53-1C219CCCF797}
{6D42C53A-229A-4825-8BB7-5C99E2B9A8B8}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
{8D0EB2D1-A58E-4EA8-AA14-108074B7B6F9}
{EDB33BCE-0266-4A77-B904-27216099E717}
{F2E455DC-09B3-4316-8260-676ADA32481C}
{292266FC-AC40-47BF-8CFC-A85B89A655DE}
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF403-1A04-11D3-9A73-0000F81EF32E}
{557CF404-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{557CF407-1A04-11D3-9A73-0000F81EF32E}
*.jpg
fsys.stream
%u/%u
%d/%d
Wininet.dll
pointer(ustring agent,INT accessType,ustring proxy,ustring proxyBypass,INT flags)
pointer(POINTER hInet,ustring serverName,INT serverPort,ustring userName,ustring password,INT service,INT flags,INT context)
FindFirstUrlCacheEntry
FindFirstUrlCacheEntryW
pointer(ustring lpszUrlSearchPattern,struct &lpFirstCacheEntryInfo,INT& lpcbCacheEntryInfo)
FindNextUrlCacheEntry
FindNextUrlCacheEntryW
FindCloseUrlCache
GetUrlCacheEntryInfo
int(str url,struct &acheEntryInfo,INT &size)
DeleteUrlCacheEntryW
int(ustring urlname)
bool(str url,str name,str &data,INT & size)
int(str url,str name,str data)
INT dwAccessType;string ansiProxy;string ansiProxyBypass
proxyBypass
inet.proxyByPassList
inet.proxyList
ansiProxyBypass
inet.proxyUsername
inet.proxyPassword
INT reserved;INT exemptDelta
INT cbSize;ustring url;ustring fileName;INT cacheEntryType;INT useCount;INT hitRate;INT sizeLow;INT sizeHigh;struct lastModifiedTime;struct expireTime;struct lastAccessTime;struct lastSyncTime;ustring headerInfo;INT headerInfoSize;ustring fileExtension;union reserved;BYTE buffer[4016]
hXXp://
win.ui
inet.http
inet.httpFile
httpFile
inet.file
HttpOpenRequest
HttpOpenRequestW
HttpAddRequestHeadersW
HttpQueryInfoW
HttpSendRequest
HttpSendRequestW
HttpSendRequestEx
HttpSendRequestExW
HttpEndRequest
HttpEndRequestW
Mozilla/4.0
securityFlagIgnoreCertCnInvalid
securityFlagIgnoreCertDateInvalid
port
password
proxyPassword
beginRequest->HttpOpenRequest
lastReuestUrl
joinHeaders
[^/\\]+\.[^.]+$
index.html
Content-Type:application/x-www-form-urlencoded; charset=utf-8
\.[^\\/.]+$
.dowload
.dow!oad
, HTTP
UrlCombine
UrlCombineW
UrlCanonicalize
UrlCanonicalizeW
int(ustring url,ustring& out,INT& size, INT flags)
UrlIsA
https
passwordLen
INT size;ptr scheme;INT schemeLen;INT schemeNum;ptr host;INT hostLen;WORD port;ptr user;INT userLen;ptr password;INT passwordLen;ptr path;INT pathLen;ptr extraInfo;INT extraInfoLen
InternetCrackUrlW
User32.dll
Kernel32.dll
preload.string
preload.table
preload.raw
preload.math
preload.thread
EXCEPTION_FLT_DENORMAL_OPERAND
EXCEPTION_FLT_INVALID_OPERATIO
0xX
web.form
aardio - webform
!%a, %d %b %Y %H:%M:%S GMT
!%Y-%m-%dT%H:%M:%SZ
=(string.loadcode)
\.*(.+)(%\[\])$
\.*(.+)\.([^.]+)$
MsgWaitForMultipleObjects
Psapi.dll
ntdll.dll
int(ustring app, ustring &cmd, pointer processAttributes,pointer threadAttributes, bool inheritHandles, INT creationFlags,ustring environment, ustring lpCurrentDirectory, struct lpStartupInfo, struct& lpProcessInformation )
Advapi32.dll
int(ustring user,ustring domain,ustring pwd,INT flags,ustring app, ustring &cmd, INT creationFlags,ustring environment, ustring lpCurrentDirectory, struct lpStartupInfo, struct& lpProcessInformation )
FindExecutable
isExe
findExe
SHELLEXECUTEINFO
joinArguments
INT cbSize;INT fMask;int hwnd;ustring lpVerb;ustring lpFile;ustring lpParameters;ustring lpDirectory;int nShow;int hInstApp;pointer lpIDList;ustring lpClass;int hkeyClass;INT dwHotKey;union DUMMY;pointer hProcess
ShellExecuteExW
Explorer.exe
szExePath
INT dwSize;INT th32ModuleID;INT th32ProcessID;INT GlblcntUsage;INT ProccntUsage;addr modBaseAddr;INT modBaseSize;pointer hModule;WORD szModule[256];WORD szExePath[260]
szExeFile
INT dwSize;INT cntUsage;INT th32ProcessID;INT th32DefaultHeapID;INT th32ModuleID;INT cntThreads;INT th32ParentProcessID;INT pcPriClassBase;INT dwFlags;WORD szExeFile[260]
process.atom
process.file
thread.table
{3EA9E65D-B101-42AF-93D7-08522F8841CD}.commands
{89ACA2D9-FC21-4834-8C70-0FDFD267EB27}.return
thread.command
INIT.THREAD.CALL.{7EC7B22E-F1A6-4AA7-B5A3-4741C583AA00}
{ /*...*/ }
com.interface.IPersistStreamInit
web.form.query
getWebForm
mapurl
getLocationURL
res://ieframe.dll/
Content-Type: application/x-www-form-urlencoded
XMLHttpRequest
web.form.util.crossDomain(true)
/res/js/jQuery/jQuery.min.js
/view/js/jQuery/jQuery.min.js
hXXp://libs.baidu.com/jquery/1.10.2/jquery.min.js
hXXp://lib.sinaapp.com/js/jquery/1.10.2/jquery-1.10.2.min.js
hXXp://code.jquery.com/jquery-1.10.2.min.js
onkeydown
onkeyup
webForm
int(addr hwnd,INT msg,ADDR wParam,addr lParam)
int(ptr lpPrevWndFunc,addr hwnd,INT Msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ADDR wParam,addr lParam)
addr(int idThread,INT msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam)
addr(addr hwnd,INT msg,int &wParam,int &lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam,INT flags,INT timeout,int & resultult)
GetAsyncKeyState
word(int vKey)
GetKeyState
word( int vKey)
int( addr hwnd,INT uCmd)
bool(addr hwnd,int cmd)
msgbox
msgboxTest
msgboxErr
msgboxTimeout
win.invoke()
INT(ADDR hDlg,struct msg)
UxTheme.dll
%s[TID:%d]
INT length;INT flags;INT showCmd;struct ptMinPosition;struct ptMaxPosition;struct rcNormalPosition
Rpcrt4
Rpcrt4.dll
fsys.localfile
win.image
Shell32.dll
Oleaut32.dll
win.property
win.ui.background
.win.ui.ctrl
reghotkey
unreghotkey
cmdTranslate
_hotkeys
RegisterHotKey
UnregisterHotKey
win.ui.atom
{2F5CEA45-75CB-4721-AB15-9AE33ABCCF77}
win.ui.ctrl.metaProperty
win.ui.ctrl.static
win.ui.ctrl.button
win.ui.ctrl.custom
win.ui.ctrl
win.ui.ctrl.thread
win.ui.ctrl.picturebox
win.ui.ctrl.progress
Comctl32.dll
Windows
Windows XP
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10
Windows Server 10
%d.%d %sBuild %d
EnumWindows
EnumChildWindows
\res\update.aardio
win.ui.menu
gdip.graphics
\res\ad.aardio
\res\note.aardio
\res\num.png
\res\num1.png
566B3196-EE23-45B5-8CDE-47A56F58597C
ncdd.exe
ncde.exe
hXXp://VVV.jovi.cn/
hXXp://VVV.jovi.cn/down.php?id=104
fsys.lnk
urla
hXXp://VVV.jovi.cn/ad/ad.html
urlb
hXXp://VVV.luje.cn/ad/ad.html
jovi.cn/ad/ad.html
luje.cn/ad/ad.html
\res\adwin.aardio
urlaa
urlbb
translateUrl
VVV.luje.cn
win.ui.statusbar
thread.event
fsys.mmap
shengji.exe
.data
.boot
srcExe
.singleton
inet.downBox
hXXp://VVV.jovi.cn/download.php?fn=
/d.tmp
d.tmp
GetProcessHeap
GetCPInfo
CreatePipe
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegCreateKeyExA
SetViewportOrgEx
SetViewportExtEx
SHDeleteKeyA
.text
`.rdata
@.data
.rsrc
2z7%DV
dgu%x
`%dH=
%f>wZb
6560422
-./0123456789:
!"#$%&'()*+,
23456789
&'()** ,
211333221
233222$"
RS.TLUUVLMW4133333PF3FFFFXXXCY
./0%""1222234567809:;<
!"#""$""%&'()* ,
version="5.1.0.0"
.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
ADVAPI32.dll
GDI32.dll
KERNEL32.DLL
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Interface: %s
%H:%M:%S
%Y/%m/%d %H:%M:%S
%m/%d/%Y %H:%M:%S
%y/%m/%d %H:%M:%S
%m/%d/%y %H:%M:%S
%Y/%m/%d
%m/%d/%Y
%y/%m/%d
%m/%d/%y
c:\%original file name%.exe
COM.INTERFACE
COM.INTERFACE.IPERSIST
COM.INTERFACE.IPERSISTFILE COM.INTERFACE.IPERSISTSTREAMINIT
COM.INTERFACE.ISHELLLINK
COM.PICTURE
CRYPT.BIN
CRYPT.HASH
FSYS.FILE
FSYS.LNK
FSYS.LOCALFILE
FSYS.MMAP
FSYS.PATH
FSYS.SIZE
FSYS.TIME
FSYS.VERSION
GDIP.BITMAP
GDIP.CORE
GDIP.GRAPHICS
GDIP.IMAGE
INET.DOWNBOX
INET.FILE
INET.HTTP
INET.HTTPFILE
INET.URL
PRELOAD.MATH
PRELOAD.RAW
PRELOAD.STRING
PRELOAD.TABLE
PRELOAD.THREAD
PROCESS.ATOM
PROCESS.FILE
RAW.INTERFACE
STRING.CONV
SYS.INFO
THREAD.COMMAND
THREAD.EVENT
THREAD.TABLE
UTIL.METAPROPERTY
UTIL.TABLE
WEB.FORM
WEB.FORM.QUERY
WEB.JSON
WIN.GUID
WIN.IMAGE
WIN.OLE
WIN.PROPERTY
WIN.UI
WIN.UI.ATOM
WIN.UI.BACKGROUND
WIN.UI.CTRL
WIN.UI.CTRL.BUTTON
WIN.UI.CTRL.CUSTOM
WIN.UI.CTRL.METAPROPERTY
WIN.UI.CTRL.PICTUREBOX
WIN.UI.CTRL.PROGRESS
WIN.UI.CTRL.STATIC
WIN.UI.CTRL.THREAD
WIN.UI.MENU
WIN.UI.STATUSBAR
WIN.VERSION
/RES/AD.AARDIO
/RES/ADWIN.AARDIO
/RES/NOTE.AARDIO
/RES/NUM.PNG
/RES/NUM1.PNG
/RES/UPDATE.AARDIO
0.0.1.121

%original file name%.exe_3832_rwx_00401000_0013B000:

u.SQWW
xSSSh
FTPjKS
FtPj;S
C.PjRV
cmd.exe
Visual C++ CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
_CMDLINE
import preload;
com.each = function(obj) begin
if(type(obj)==type.function)obj=obj();
if(!com.IsObject(obj))error('
try{enumerator = com.GetEnumerator(obj);}catch(e){err=e}if(err)error(err,2);var index = 0;var function iterator() {var value = enumerator.Next();if(!value)return;index = index + 1;return index, value ;}return iterator;end
There was not enough memory to complete the operation
Windows error
Unsupported feature required
%d.%d
com.dll
Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
com.getIUnknow() QueryInterface Failed!
-mapid %d
hh.exe
ID:0x%X: %s
pointer/*com.VARIANT*/
$Spp: aardio v10.0 Copyright (C) aardio.com $
$URL: aardio.com $
File %s, Line %d
ExportConstants
ExportEnumerations
ole.host
{Expected}: ::MSG struct
com.CreateEmbed
Invalid form.hwnd!
Union type not supported!
Record type not supported!
TKIND_MODULE and TKIND_MAX not supported!
Exception (%s)
IDispatch.Pointer
invalid object(com.IDispatch)
Property putref not supported.
Property puts with more than two parameters aren't supported.
showMsg
error: error during error handler execution.
.aardio
import ide.debug;
{Bad argument}:@%d '%s'
{Calling}:'%s'
{Bad argument}:@%d
{Expected}:%s
{Got}:%s
{File}:%s
{Line}:#%d
invalid option:'%s'
%s.%s
attempt to use a closed object: %s:#%d ( type:'%s.%s')
stack overflow (%s)
name conflict for namespace '%s'
{Failed}:%s
{Error}:%s
{Field}:'%s'
thread id:%d
thread error:%s
callback : _struct error '...%s'
Cannot load library '%s'.
%s._struct not found!
Invalid _struct{%s...},Expected a field name! [in]
field:%s
{Field}:%s.%s
Invalid _struct: {...%s},Data Type Error(%c...key:%s) [out]
{ %s }
Invalid _struct{%s...},Expected a field name! [out]
Failed to get the size of the dynamic array!field(%s)
Cannot load remote library '%s'.
Cannot find remote function '%s' in the dll.
Cannot find function '%s' in the dll.
{Declare api}:'%s'
{Data type error}: '...%s'
Struct size has more than %d
%s %s[%d]
invalid key to 'next'
Cann't modify a %s : '%s'
join
<%s@>
^$*+?.:([\-{<%
invalid replacement value (a %s)
%sX
~!@#$%^&*()_+-={}[]|\:;<>?/.,"
{Attempt to}:%s
{Kind}:%s
{Name}:'%s'
{Type}:%s
attempt to:compare two %s values
attempt to:compare %s with %s
line:#%d
file:%s:
no function environment for tail call at level %d
in function '%s'
in function <%s:%d>
import
import-namespace conflict for global.%s
import ide;
importFile
import %s failed ! file not found
import %s failed !syntax error:
import %s failed :
import-namespace conflict for self.%s
-%s%s
%s: %p
io.file
Invalid time:Invalid dayofweek(%d) outside valid range(0~6)
Invalid time:Invalid month(%d) outside valid range(1~12)
Invalid time:Invalid day(%d) outside valid range(1~31)
Invalid time:hour(%d) outside valid range(0~23)
Invalid time:minute (%d) outside valid range(0~59)
Invalid time:second(%d) outside valid range(0~59)
Invalid time:year(%d) outside valid range(1900~9999)
Invalid format directive(...%s)
time(%f,"%s","%s")
time(%f,"%s")
time(%f)
thread.call() error
[%d]=
raw.malloc(%d,
\xX
math.size64(%d,%d)
joinpath
chcp %d
io.file(closed)
io.file(%p)
standard %s file is closed
buffer( raw.malloc() )
%s\%s
_exepath
_exedir
_exefile
'tostring' must return a string to 'io.print'
char(%d)
{Near}:'%s'
$"%s"
%s: %s in precompiled chunk
{Expected}:'%s'
main function has more than %d %s
function at line %d has more than %d %s
{Match for}:'%s'
{Match line}:%d
{Expected}:keyword
?#%X.y
%S#[k
zcÁ
win.guid
raw.interface
ole32.dll
{00000000-0000-0000-C000-000000000046}
win.guid
com.interface
{0000010c-0000-0000-C000-000000000046}
com.interface.IPersist
{0000010b-0000-0000-C000-000000000046}
win.ole
{7FD52380-4E07-101B-AE2D-08002B2EC713}
com.interface.IPersistFile
{000214F9-0000-0000-C000-000000000046}
GetHotkey
int(WORD &pwHotkey)
SetHotkey
int(WORD wHotkey)
GetShowCmd
int(int &piShowCmd)
SetShowCmd
int(int iShowCmd)
(The remaining strings in this region repeat the runtime, module, resource and manifest strings already listed for the first dump above and are not repeated here.)
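Most of the strings above belong to the aardio runtime and its standard library (the preload.*, win.ui.*, inet.* and crypt.* modules, the CRT messages, and the "$Spp: aardio v10.0" banner); they identify the toolchain, not this sample. The sample-specific material is small: the jovi.cn and luje.cn URLs, the file names ncdd.exe, ncde.exe, shengji.exe and d.tmp, and an embedded manifest that requests requireAdministrator. The Python script below is an added example, not Lavasoft's tooling and not part of the original report: it pulls printable strings from a binary, refangs the site's hXXp:// and VVV. notation, separates toolchain markers from indicators, and reads the manifest. The runtime-marker list, the hosts treated as library noise (the jQuery CDN fallbacks that sit beside the web.form module strings, and the manifest schema namespace), and the system-binary allowlist are my assumptions; the sample blob is constructed from strings on this page rather than read from the actual file.

```python
"""Triage a strings dump from an aardio-built dropper (added example, not Lavasoft's code)."""
import re

# Assumption: strings carried by every aardio-compiled program (toolchain markers,
# not indicators of this particular Trojan).
AARDIO_RUNTIME_MARKERS = (b"$Spp: aardio v", b"import preload;", b"preload.string",
                          b"win.ui.ctrl", b"web.form", b".aardio")

# Assumption: hosts that appear with the web.form module (jQuery CDN fallbacks) or in
# the manifest namespace; treated as library noise rather than contacted servers.
BENIGN_HOSTS = {"schemas.microsoft.com", "code.jquery.com",
                "libs.baidu.com", "lib.sinaapp.com"}

# Assumption: system binaries the runtime references (cmd.exe for chcp, hh.exe for
# help, Explorer.exe for shell calls); not candidates for dropped files.
SYSTEM_EXES = {"cmd.exe", "explorer.exe", "hh.exe"}

# supportedOS GUIDs from the manifest, labelled as on the page itself.
MANIFEST_OS_IDS = {
    "e2011457-1546-43c5-a5fe-008deee3d3f0": "Windows Vista",
    "35138b9a-5d96-4fbd-8e2d-a2440225f93a": "Windows 7",
    "4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38": "Windows 8",
    "1f676c76-80e1-4239-95bb-83d0f6d0da78": "Windows 8.1",
    "8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a": "Windows 10",
}

# The report defangs indicators (hXXp://, VVV.); a real binary carries the plain
# form, so these replacements are no-ops on live data.
DEFANG = ((b"hXXp://", b"http://"), (b"hXXps://", b"https://"), (b"VVV.", b"www."))

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
HOST_RE = re.compile(rb"\bwww\.[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+")
EXE_RE = re.compile(rb"\b[A-Za-z0-9_\-]+\.(?:exe|tmp)\b")
LEVEL_RE = re.compile(rb'requestedExecutionLevel\s+level="([^"]+)"')
OS_RE = re.compile(rb'supportedOS\s+Id="\{([0-9A-Fa-f\-]{36})\}"')


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = [w.decode("utf-16-le", "ignore").encode("ascii", "ignore")
            for w in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return narrow + wide


def refang(data):
    for defanged, plain in DEFANG:
        data = data.replace(defanged, plain)
    return data


def triage(blob):
    """Split toolchain markers from sample-specific indicators and read the manifest."""
    text = refang(b"\n".join(extract_strings(blob)))
    runtime_hits = sum(1 for marker in AARDIO_RUNTIME_MARKERS if marker in text)

    urls, hosts = set(), set()
    for raw in URL_RE.findall(text):
        url = raw.decode()
        host = url.split("/", 3)[2].lower()
        if host in BENIGN_HOSTS:
            continue
        urls.add(url)
        hosts.add(host)
    for raw in HOST_RE.findall(text):          # bare hostnames such as www.luje.cn
        host = raw.decode().lower()
        if host not in BENIGN_HOSTS:
            hosts.add(host)

    names = {n.decode().lower() for n in EXE_RE.findall(text)} - SYSTEM_EXES
    level = LEVEL_RE.search(text)
    os_ids = [g.decode().lower() for g in OS_RE.findall(text)]

    return {
        "aardio_runtime": runtime_hits >= 2,
        "urls": sorted(urls),
        "hosts": sorted(hosts),
        "dropped_names": sorted(names),
        "execution_level": level.group(1).decode() if level else None,
        "supported_os": [MANIFEST_OS_IDS.get(i, i) for i in os_ids],
    }


# Constructed sample: NUL-separated strings copied from the dump above, not the real file.
SAMPLE_BLOB = b"\x00".join([
    b"$Spp: aardio v10.0 Copyright (C) aardio.com $", b"import preload;",
    b"preload.string", b"win.ui.ctrl.button", b"\\res\\update.aardio",
    b"hXXp://code.jquery.com/jquery-1.10.2.min.js",
    b"hXXp://VVV.jovi.cn/down.php?id=104", b"hXXp://VVV.jovi.cn/download.php?fn=",
    b"hXXp://VVV.luje.cn/ad/ad.html", b"VVV.luje.cn",
    b"ncdd.exe", b"ncde.exe", b"shengji.exe", b"/d.tmp",
    b"cmd.exe", b"Explorer.exe", b"hh.exe",
    b'<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" '
    b'uiAccess="false" /> </requestedPrivileges>',
    b'<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>',
    b'<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>',
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The useful output for blocking and hunting is the short `urls`, `hosts` and `dropped_names` lists plus the execution level; `aardio_runtime` only tells you that generic aardio library strings (including the CryptoAPI and WinINet wrappers listed above) should not be read as capabilities this sample actually exercises.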


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). No child processes were created during analysis; the Trojan runs its injected code inside its own process, %original file name%.exe (PID 3832), so make sure that process is no longer running.
  2. Delete the original Trojan file. Its embedded manifest requests requireAdministrator, so it runs elevated once the UAC prompt is accepted; also look for the file names referenced in its strings (ncdd.exe, ncde.exe, shengji.exe, d.tmp), which were not observed being written during this analysis.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\hm[1].js (14631 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NAV8NZAK.txt (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\77975585[1].png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\440673[1].png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad[1].css (632 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017082320170824\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.luje[1].xml (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\001[1].png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJVJR09V.txt (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\I6HU93O3.txt (99 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\ad[1].htm (999 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
