Gen.Trojan.Heur.2mKff5Vm8dgO_cb66a9e592
Gen:Trojan.Heur.2mKff5Vm8dgO (BitDefender), Gen:Trojan.Heur.2mKff5Vm8dgO (B) (Emsisoft), Gen:Trojan.Heur.2mKff5Vm8dgO (FSecure), Gen:Trojan.Heur.2mKff5Vm8dgO (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cb66a9e59232395e3567346194a7e9b2
SHA1: da503562050aa7ad4f39526f01b4a25611d65e86
SHA256: 77973b87ce99f2116bc71795537f60385789f3b389e1b9f6f6cf8c60b661e259
SSDeep: 24576:PeWryok68aorKNLIJsfYB81960aEye9MMT:PeNI8aorIfS81Q0aK9MMT
Size: 894976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-10 06:09:09
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3620
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Windows\System32\MSINET.OCX (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_08FB9EC5743398E31767B56091EBB96D (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_08FB9EC5743398E31767B56091EBB96D (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8D23.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8D22.tmp (51 bytes)
C:\Windows\System32\drivers\etc\hosts (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8D23.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8D22.tmp (0 bytes)
C:\Windows\System32\drivers\etc\hosts (0 bytes)
Registry activity
The process %original file name%.exe:3620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "30 FF AF 40 C2 E4 D2 01"
"WpadDecisionReason" = "1"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASMANCS]
"MaxFileSize" = "1048576"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"MaxFileSize" = "1048576"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cb66a9e59232395e3567346194a7e9b2_RASAPI32]
"EnableFileTracing" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.ocx, 1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "30 FF AF 40 C2 E4 D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
Dropped PE files
| MD5 | File path |
|---|---|
| 90a39346e9b67f132ef133725c487ff6 | c:\Windows\System32\MSINET.OCX |
| 9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS entries to IP addresses.
The modified file is 1128 bytes in size. The following strings are added to the hosts file:
| IP address | Hostname |
|---|---|
| 127.0.0.1 | www.tenchi-files.ga |
| ::1 | www.rezpektor-key.net |
| 127.0.0.1 | www.rezpektor-key.net |
| 127.0.0.1 | www.dubeta.id |
| 127.0.0.1 | www.vazdancer.net |
| 127.0.0.1 | www.hikarahikaru.com |
| 127.0.0.1 | vista-tigabelas.blogspot.com |
| 127.0.0.1 | www.tenchi-files.ga |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: http://rhm-files.blogspot.com
Product Name: Resource Injector
Product Version: 1.00.0149
Legal Copyright: Copyright (c) Rhm-Files 2017 - All Right Reserved
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.00.0149
File Description: Cheat Crossfire Indonesia
Comments: Resource Injector Created By Markus Tunggul Wulung Aji
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1204224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1208320 | 610304 | 610304 | 5.46006 | d15dec309c501f8d4fad1765e8ce5160 |
| .rsrc | 1818624 | 286720 | 283648 | 5.21159 | 857e14601b9f637ae80a651155d5d504 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| hxxp://www3.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDYgRZp9HNkC | |
| hxxp://www3.l.google.com/GIAG2.crl | |
| hxxp://crl.geotrust.com/crls/secureca.crl | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDYgRZp9HNkC | |
| hxxp://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| sites.google.com | |
| pki.google.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1390
content-transfer-encoding: binary
Cache-Control: max-age=502102, public, no-transform, must-revalidate
Last-Modified: Mon, 12 Jun 2017 23:23:10 GMT
Expires: Mon, 19 Jun 2017 23:23:10 GMT
Date: Wed, 14 Jun 2017 03:57:02 GMT
Connection: keep-alive
<<< skipped >>>
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "18df5b431f8971f57f1e848846fbb4cf:1497411036"
Last-Modified: Wed, 14 Jun 2017 03:30:36 GMT
Date: Wed, 14 Jun 2017 03:56:56 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDYgRZp9HNkC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Tue, 13 Jun 2017 23:05:37 GMT
Expires: Sat, 17 Jun 2017 23:05:37 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 17491
The Trojan connects to the servers at the following location(s):
%original file name%.exe_3620_rwx_00401000_001BA000:
RhmFiles.ProgressBar
MSINET.ocx
InetCtlsObjects.Inet
mswinsck.ocx
MSWinsockLib.Winsock
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
FC:\Windows\system32\stdole2.tlb
VBA6.DLL
shell32.dll
ShellExecuteA
l=`C:\Windows\system32\mswinsck.oca
user32.dll
GetAsyncKeyState
PSAPI.DLL
Q{C:\Windows\System32\MSINET.ocaolepro32.dll
KeyDown
KeyPress
KeyUp
C:\Windows\system32\MSVBVM60.DLL\3
GGGGF.GGGGK
y-e.uF|
f.qqp
msgf
p.sC8l
r9.Yy
(4..Xh
o9Sf1%U?
_~-fW}
2017-03-04
w.wr9
<.Op6d~
I^M%x ]
00/00/0000
Waiting crossfire.exe...
00:00:00
KeyCode
KeyAscii
.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
pe0%ur
GDI32.dll
R6.Fv
KERNEL32.dll
;w\%d
bc%Ur
USER32.dll
gz.vi
r.KZG9z5x
MSVCR90.dll
ÏFm
$.JbM
.YDt'A
d3d9.dll
8.AuR
EY.he
MSVCP90.dll
u>%u:
@j.XR
d:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\CFID\Base D3D Menu Rhm-Files Crossfire\Release\Rhm-Files_CFID.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.tenchi-files.ga
::1 VVV.rezpektor-key.net
127.0.0.1 VVV.rezpektor-key.net
127.0.0.1 VVV.dubeta.id
127.0.0.1 VVV.vazdancer.net
127.0.0.1 VVV.hikarahikaru.com
127.0.0.1 vista-tigabelas.blogspot.com
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Windows\System32\MSINET.OCX (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_08FB9EC5743398E31767B56091EBB96D (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_08FB9EC5743398E31767B56091EBB96D (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8D23.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8D22.tmp (51 bytes)
C:\Windows\System32\drivers\etc\hosts (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.