Trojan.GenericKD.3145748_259af714dd
Trojan.GenericKD.3145748 (AdAware), Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 259af714ddcf5e9407353e066144a1d7
SHA1: df4f0b2df5b755f41665a2717f848bb09a454c92
SHA256: 352588f2e20edd22693af1f21fcb010caf6076fe8d6af2ac8ae0da0896196155
SSDeep: 49152:ON26FOnzGn6LJvqkwnpC mWd6uIccz31vqa T8qJkiR:O06FOznLo0 Dd6uxcrqJkiR
Size: 2300219 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-14 19:16:10
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Dementia.exe:1992
Dementia.exe:1532
Dementia.exe:1012
attrib.exe:868
attrib.exe:2088
attrib.exe:1988
attrib.exe:1536
attrib.exe:2112
attrib.exe:2064
sc.exe:212
taskkill.exe:1436
taskkill.exe:2028
%original file name%.exe:772
ping.exe:2120
msdtc.exe:1788
net.exe:1976
net.exe:1336
net1.exe:380
net1.exe:1236
Miciosoft .NET.exe:948
irsetup.exe:1332
rar.exe:1512
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Dementia.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings% (4 bytes)
C:\ (4 bytes)
%WinDir%\oci.dll (4708 bytes)
%Documents and Settings%\%current user%\FAVORITES (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%WinDir%\WinSxS (12 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\Dementia.exe (2850 bytes)
%WinDir%\oci.temp (39 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir%\Fonts (920 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
C:\$Directory (1388 bytes)
%System% (6144 bytes)
%WinDir% (492 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\oci.txt (1588 bytes)
%WinDir%\Prefetch\IRSETUP.EXE-1B1C97F2.pf (40 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%Program Files% (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.zlib (99 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_668.dat (4 bytes)
%WinDir%\Prefetch\259AF714DDCF5E9407353E066144A-10973936.pf (20 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.temp (6264 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.zlib (0 bytes)
%WinDir%\oci.temp (0 bytes)
%WinDir%\oci.txt (0 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process msdtc.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\MsDtc\MSDTC.LOG (3888 bytes)
%System%\config\SOFTWARE.LOG (5606 bytes)
%System%\config\software (2708 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.exe (7403 bytes)
%System%\MsDtc\Trace\dtctrace.log (28 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\config.ini (4686 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft dementia\config.ini (0 bytes)
The process Miciosoft .NET.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\WindowsNET\Dementia.sys (79290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Dementia[1].rar (110785 bytes)
The process irsetup.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\5.ico (3634 bytes)
C:\WindowsNET\Miciosoft .NET.exe (28 bytes)
C:\WindowsNET\Rar.exe (5761 bytes)
C:\ProgramData\Temps\Dementia.exe (5777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\5.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
The process rar.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft dementia\dlcore.dll (8545 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\Dementia.exe (6761 bytes)
Registry activity
The process Dementia.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 0F 41 D9 5F 61 55 AB A0 DD 8C 9D F7 AA 4A 47"
The process Dementia.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 46 07 9F DC 66 40 10 FF 43 9C F5 A8 07 B1 A9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"net.exe" = "Net Command"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\MSDTC\MTxOCI]
"OracleOciLibPath" = "%WinDir%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Microsoft dementia]
"Dementia.exe" = "Creative Software AutoUpdate"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\MSDTC]
"ObjectName" = "LocalSystem"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Local AppWizard-Generated Applications\hello word\Recent File List]
The process Dementia.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF E4 15 28 F5 3E B8 D1 88 BA E7 E1 EB 90 C6 33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Tencent\TodayDo]
"RunTaskQQ" = "20160528"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services]
"MarkTime" = "2016-05-28 01:27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process attrib.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 09 8C 1F F1 5B 76 71 58 4B A8 D4 E2 BF 59 82"
The process attrib.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 76 56 6D DC 63 CC 96 A4 F4 64 55 DD 58 7F D3"
The process attrib.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 81 C3 BD F8 96 98 F6 BD BD 0C C2 5C AC C2 3C"
The process attrib.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 72 29 F3 AA FC 00 BF 05 76 12 56 51 80 12 5F"
The process attrib.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 1D 35 02 C6 D9 83 0A 05 7A DD 67 CB 8D 1C 04"
The process attrib.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 94 16 C3 99 8E 31 E0 C0 5B 3F 8B 2A A4 11 4C"
The process sc.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 D8 8B 40 C0 6B 6E 06 51 CA F6 B9 DB C1 9E 72"
The process taskkill.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 CF A1 D4 1B 2F 2B F5 D1 45 8E 1B C5 22 42 DC"
The process taskkill.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 4E 29 B7 8D 68 2E 1F F2 59 B6 17 E7 27 CB 39"
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 E8 5D 8C B5 02 E3 DD EA AF 11 2B FA D9 27 D8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ping.exe:2120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 0D 7F 9A B8 F1 21 3B A3 85 E9 5D D1 5A 66 15"
The process msdtc.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 3D 9E 20 3A 0A C1 56 D8 BB BD A7 D1 45 5C EF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows PlayGame" = "%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.exe"
The process net.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 83 E2 61 C9 32 2B EE DD 25 1C CF 12 B3 73 31"
The process net.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 21 8F FE DA 59 D8 3E 5E E2 22 5F 6E 7E 22 F3"
The process net1.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 0F 4B A1 53 1F D3 2F E3 41 3C 50 AB 47 FE 18"
The process net1.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D DB 2D 1B 96 CE B0 03 3A C1 99 57 32 D6 48 AA"
The process Miciosoft .NET.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\ProgramData\Temps]
"Dementia.exe" = "Creative Software AutoUpdate"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 55 88 40 BC E2 B3 62 F9 09 E7 61 41 8F 94 67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WindowsNET]
"rar.exe" = "命令行 RAR"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process irsetup.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WindowsNET]
"Miciosoft .NET.exe" = "Miciosoft .NET"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 A4 F5 01 51 B6 66 7E CE 1E BE CA 96 C4 F6 12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process rar.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A6 C3 70 B3 4B ED CE C6 4F 95 5D 7B 78 78 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| d641a3f56fc8b4a79328177a609b5b20 | c:\Documents and Settings\All Users\Application Data\Microsoft dementia\360Game.exe |
| d641a3f56fc8b4a79328177a609b5b20 | c:\Documents and Settings\All Users\Application Data\Microsoft dementia\360Game.temp |
| 60164af0388620090a69c8b6c08bbddb | c:\Documents and Settings\All Users\Application Data\Microsoft dementia\Dementia.exe |
| ca07ec98e407dd7e196831207703e3a0 | c:\Documents and Settings\All Users\Application Data\Microsoft dementia\dlcore.dll |
| 05a45d03e9641ea467f34473aa71fe52 | c:\WINDOWS\oci.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: Setup Factory Runtime
Product Version: 9.1.0.0
Legal Copyright: Setup Engine Copyright (c) 2004-2012 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf_launch.exe
Internal Name: suf_launch
File Version: 9.1.0.0
File Description: Setup Application
Comments: Created with Setup Factory
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 22296 | 22528 | 4.47735 | c76b9ce587690b8a39ba7840b7dd540c |
| .rdata | 28672 | 11906 | 12288 | 3.44864 | e96aa4f970e6f6799910a72904df3100 |
| .data | 40960 | 6504 | 3072 | 1.79291 | e504fdbba062ee9bbd9ac425a4f5c0f5 |
| .rsrc | 49152 | 28108 | 28160 | 4.03415 | f07da938ca4a81c16d34f6b033be873e |
| .reloc | 77824 | 4242 | 4608 | 2.5731 | a88bdb6f651ecf67b1b3db4a2866ea4e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 13
URLs
| URL | IP |
|---|---|
| hxxp://yun.n.shifen.com/s/1dD5xS7B | |
| hxxp://yun.n.shifen.com/ppres/static/css/error_all.css?t=201303212934 | |
| hxxp://yun.n.shifen.com/ppres/static/js/plug/html5.js | |
| hxxp://yun.n.shifen.com/ppres/static/js/buss/error_all.js | |
| hxxp://yun.n.shifen.com/ppres/static/thirdparty/header/module_header.js?t=201303212934 | |
| hxxp://yun.n.shifen.com/feproxy/ad/list?list[0][id]=web-text&list[0][w]=0&list[0][h]=0&uk= | |
| hxxp://yun.n.shifen.com/ppres/static/images/frame-icon.png?t=201605245555?@=-1 | |
| hxxp://yun.n.shifen.com/api/analytics?type=web_header_title_click&clienttype=0&currentUrl=http://yun.baidu.com/s/1dD5xS7B&t=1464388027447 | |
| hxxp://yun.n.shifen.com/rest/2.0/pcs/adx?m=callback&h=0&w=0&p=web-text&s=1464388018;661327933426169;web-text-s-20;v;4f1c1e4b8de8c18859a70f1891ebeb11&t=1464388027478 | |
| hxxp://yun.n.shifen.com/disk/cmsdata?do=manual&ch=pan_focuspic&t=1464388027806 | |
| hxxp://yun.n.shifen.com/ppres/static/images/error/error.png?t=201605245555?@=-1 | |
| hxxp://www.xmhairong.com/htl/Dementia.rar | |
| hxxp://yun.baidu.com/feproxy/ad/list?list[0][id]=web-text&list[0][w]=0&list[0][h]=0&uk= | |
| hxxp://pan.baidu.com/api/analytics?type=web_header_title_click&clienttype=0&currentUrl=http://yun.baidu.com/s/1dD5xS7B&t=1464388027447 | |
| hxxp://pan.baidu.com/ppres/static/js/plug/html5.js | |
| hxxp://pan.baidu.com/ppres/static/images/frame-icon.png?t=201605245555?@=-1 | |
| hxxp://pan.baidu.com/ppres/static/css/error_all.css?t=201303212934 | |
| hxxp://yun.baidu.com/ppres/static/thirdparty/header/module_header.js?t=201303212934 | |
| hxxp://pan.baidu.com/rest/2.0/pcs/adx?m=callback&h=0&w=0&p=web-text&s=1464388018;661327933426169;web-text-s-20;v;4f1c1e4b8de8c18859a70f1891ebeb11&t=1464388027478 | |
| hxxp://pan.baidu.com/ppres/static/images/error/error.png?t=201605245555?@=-1 | |
| hxxp://yun.baidu.com/ppres/static/js/buss/error_all.js | |
| hxxp://yun.baidu.com/s/1dD5xS7B | |
| hxxp://yun.baidu.com/disk/cmsdata?do=manual&ch=pan_focuspic&t=1464388027806 | |
| www.360renzheng.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ppres/static/css/error_all.css?t=201303212934 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=8BAB9156D0B005C2C41AEA5B41BB81E4:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/css
Date: Fri, 27 May 2016 22:26:54 GMT
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=4BDF7007B4308A7CF0BB5A41A0BD4591:FG=1; expires=Sat, 27-May-17 22:26:54 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203377068009788232
Yme: ZIGW/i4rX00WdTQMUmr/tGtPovkeQhz0owpHwyiEoxOA
Transfer-Encoding: chunked
<./r.H"%Z.,..P....<w..t../vL..8....c.I.<.Sj'..xv.......dc.%..
<&.>/.vM.k\.lW$%Qm.E}(..`.h..{J..".....b...4..~n...ub.q{...f...8
.iv..S....m..1)a.....MiU..~I....9M@..<.....]...$6o.<.K..q.......
.....&..=>....YBJZ.....G..=.zH.nL.Yl8..F...4#(....w..H.K.. D...E.b.
..A)~H..~N!...q....b.z...p/.M.0.QL.....$..........>.......[..I...j.
.D...........|[email protected].......:.q...W<.w.k..I~.6.
)N.............~.....aRk9.8....#.&%........{.,...a.lt...4..X..u.<..
.4.....8&.b%N ..hJu......<?..i...g$m...\.8.....{./.}.../..>.....
a.*.....j.M....}I..U.....#>._a..S`qq.......n...Z...~........;.W<
w.e9*IAp}z......C.>[email protected](.'......N.F. .....%r..... ..[.;.=0
.$.../...)-*Z.O0..8~..o...........O%..f. ..NY.$.............J.......#T
P..E.H..~...5..K........^.D.:.V.......:i.a g-aV0...9.....M.4.{.8.b9...
.B....)x}.yX"z\..g..|[.z.G..U.r;..[.S....H..E..L&..;...[...E...Ho.,...
....q..a...5.....E.G`".H..Hbt.4..a..}...4l..X.'Ak=...N.......ET.>5.
.d..T..%.G.0.......#x..3..L.rO..W.h.4...6j...T.<..h..D..J..tz....H.
1..&..U.A...XX.b......,...Fd..c..!....@ ..t3.....x...L....!a.......r..
~..m..S...=MA.~.....r..."..w..N..Z........=.q.yL~.b<..e.....S. ..e.
$FF8..s9.....uo...yg..Y..._..x....."x....~..~...Yx.......p.. ..1.r.Q..
..7.X...j..6X...N.......w..i~....#...kr...hH.j..!:..H.e ....Q.5....i..
..u F.g.b]..B...}m..... [..mB....._...A..=##R. .{.C.N..lZ......j\`k-l.
.4.........&.d...\!....1.j,.&.E.{.hk*......gL|.....1..nM/ ........<<< skipped >>>
GET /ppres/static/images/frame-icon.png?t=201605245555?@=-1 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=9E219A7B836381A2B347DBECDD711A52:FG=1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 4846
Content-Type: image/png
Date: Fri, 27 May 2016 22:26:58 GMT
Etag: "5743fc0c-12ee"
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=F97250058CC2F845A25D3E889712053B:FG=1; expires=Sat, 27-May-17 22:26:58 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
X-Powered-By: BaiduCloud
Yld: 9203378124887204427
Yme: ZIGW/i4rV0kMajYYTmvhr21XvfkfVAHyoAhPyyfHzLTyFFozKcfreg==.PNG........IHDR...q..........o./....tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:112DEC527BD511E59855F7
10C66B7D33" xmpMM:DocumentID="xmp.did:112DEC537BD511E59855F710C66B7D33
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:112DEC507BD511E5
9855F710C66B7D33" stRef:documentID="xmp.did:112DEC517BD511E59855F710C6
6B7D33"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>...t....PLTE-j....&V..C?@@@...........2.*
T...............PPP...9r.....94...C..ppp.V{...7~....000...:v.4i..F....
]]].;{.GJzY.......mmm......9|... )Y.9z..........JII...MMM...#D.2s.....
..4s....ddd.E.&&& ...(M..KU......VUU..7#R.......ZZZ*`.... >.8...1
jSSS......www*)).^.3t.Dj..7t,,,.#KNt.0g....XXX!L.4.....*R.6p.6{....5x.
...7}.###.3c5u.."C'W.....8l._.._.===:::333444666...222>>>...8
88```.........8..9t.9........hhh.A3utu~~~|||8..zyy7.....8..sst...EEE8.
.8..ccc...kkk6y.9...[.. .............5u..........oooHGG.......&..t..*.
........G.{..."......stu...........0.v.........*.............-^..6<<< skipped >>>
GET /rest/2.0/pcs/adx?m=callback&h=0&w=0&p=web-text&s=1464388018;661327933426169;web-text-s-20;v;4f1c1e4b8de8c18859a70f1891ebeb11&t=1464388027478 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=F97250058CC2F845A25D3E889712053B:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Fri, 27 May 2016 22:26:59 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=7F754715B3C043D1D5C01F59E97795FE:FG=1; expires=Sat, 27-May-17 22:26:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203378329914334767
Yme: ZIGW/i4rX0wbdTYEUmr/tGpJovIaVAHyoAhKyiA=
Content-Length: 54..........S..V*J-,M-...LQ.R21.413031.402.4S...../@"...HTTP/1.1 200 OK.
.Cache-Control: no-cache..Connection: keep-alive..Content-Encoding: gz
ip..Content-Type: text/html..Date: Fri, 27 May 2016 22:26:59 GMT..P3p:
CP=" OTI DSP COR IVA OUR IND COM "..Pragma: no-cache..Server: nginx..
Set-Cookie: BAIDUID=7F754715B3C043D1D5C01F59E97795FE:FG=1; expires=Sat
, 27-May-17 22:26:59 GMT; max-age=31536000; path=/; domain=.baidu.com;
version=1..Vary: Accept-Encoding..X-Powered-By: BaiduCloud..Yld: 9203
378329914334767..Yme: ZIGW/i4rX0wbdTYEUmr/tGpJovIaVAHyoAhKyiA=..Conten
t-Length: 54............S..V*J-,M-...LQ.R21.413031.402.4S...../@".....
GET /s/1dD5xS7B HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yun.baidu.com
Connection: Keep-Alive
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Fri, 27 May 2016 22:26:53 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=8BAB9156D0B005C2C41AEA5B41BB81E4:FG=1; expires=Sat, 27-May-17 22:26:53 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203376732233638179
Transfer-Encoding: chunked8bc.............Y{s.......w...$3......m.K....0.n..0.k....uU=b{;;.Y.$.!
e.,......$..nI.!......W....X.l9!..K.q....=?]G?..9....O3.# ..........._
d...X..#.~g...!.4..1....p.v.!.2.....v^.wnY...;.Ey...eI.c2.N.X.W..L"I4.
.....a...dH./eQ..Rh^....?,.a9......i0..m.t.............X...^.u...0...F
.Y$.Ax:e.FN..'.#..Hx.....].R.l0g...E......../.y......>z/..*.i..|,xI
g.Q..m ...QJ]..&]..V)I...VI....I.U....:.k|....g.'..f.f.|=*.D,0..t=..8.
....Di.... .a6.$.s.\QGC}RF.h/<b...<kOr.....P}F.....$M..\0...2...
P...N.|.....A...P$.....tA.Y....*.V.Q...7J..8[..iX...H.D..J..3........V
....dK.!..Bu..C......c..[.g....,.$.p........6.7F.t......DZ....:.S..4;c
l..si.....D&............h.ij..Ac...$.g.8....d...!.e...#j..F...$5......
.k..v..Z..v..*gjrC.(......B.<.e.VQ.....0.....,1.a....w...[....Ew,.f
...O.x"5.....lv.K.F..i.?:......Mk..!..%(p..3um.'.$.......m[W.>...V.
...?..qGg...k.WO..Y!.......Z..*..(....hE.)y.P=.sm..!/?~].{z...l.1%?;..
......y....Z{.3l...s.. K...e.........{.......lbf.s....K..8...b[.P,....
.............fm.......8Q.*F.>)..,n ..R.k....$....{.*.....1.w...9..*
..V...u.q.V...3.c....".U.....Z^}...x....Ti%%E...L..:.vM.9..p....9....
...s.L..c..KgXk.Z..J.o..6..7*...X./K=.W.Ww.k!.f...V..........*.I.!.%Z.
*./..h}..c.x.2*.s.}0Z..2...o.......!6.S..V....-Gx..D.W..d.Is./)"....z.
~............f<.HD..'....._..D(....#...HoB.O.....=-a.$.?.&....S...-
q$...M.?.......[.. .....e........p6..2XJg..6...k...Bd..{i.?.oV.7.. o..
.U...R....I7.V8V..........o^.V~..c.....^..e.k.D_.ZU....YA...n}...,..K.
........L..@^.R3KvR..*..P..D.....{..r......\.h....[_..?..W*...G..I<<< skipped >>>
GET /ppres/static/js/buss/error_all.js HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yun.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=B5E62F285F9858A09A611B208AD33D0E:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Fri, 27 May 2016 22:26:55 GMT
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=E94612E1118354C80756FECFA78B0F72:FG=1; expires=Sat, 27-May-17 22:26:55 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203377364629014437
Yme: ZIGW/i4rX04SdTYCUmr/tGZLovkYVAH1oAhPyyfXwa7qUR5hG2 2s7E=
Transfer-Encoding: chunked8dc...............{.F.0.W$$K.&D.9.......C..9..P4.Z.$&....mE.....>AP
......".>.....j..qz.....I.O[....|....4......b....q:.4..-gs...'.....
........z....</........u...6..........)....c1......~.].~p....7{....
.......;o.......o\|.3|.}...E.{y...C..E}....E..]..o....u.r..r........l.
.....>...~..r..fw.k.y..:.....o...p.8h..m.s..t..?.x....h..|.B......Z
.....h.(V...d.....CC.....^..,:.A..._.642.v...U..=,.C.xu.p..>..../..
....'...a.=.2{(.#..x.../..^.T..../.....}.w.?..........w..............x
...o...h.~.....W5.s..n^w........JG...E.9:n6...<.E..._.......o....0.
-g.....],........n.8.<=....O...x>.=.....w.Ok....U.g..lv6....Z...
..rz..3z~..A...5z..M...W.......(@d~.O..s.......w;S8.../..x.5....=..=..
.4.,.,#|.4.Q...I1.].E.p..(.....'.V...jO..>.Z{j..AQ..]...g..np...-.m
A.t.g....h./.....`..U&..i..w.._......h....|.3._..'...Q|)......Z.....j.
...O|..;Qgk.K0.^......]......;...i1...Z.:.S...Q_...u....xq6....i...E..
....-....6..v;$Lh...y.j4..R......f\]...t..>>.'.......pBC....0...
4|uW.>N..A.j2....F....7@..:...U.Kv../....K.grX...m..cJ.........I..4
.Fs..m.T...z;......q........[..PB;..,........5~...."!...t.T...0v ,....
....M......~....r.0e.v.Q...5.L.2.?.. J...........<..i5.W.;.g..M.1..
...iN..AC..5]Q.'.FZ.&..k..)...G.n.6. .s......n`tX......."........ .).|
.sI..&.[...K...{c..0yr...bE%.. ..y..w"..&.IT...S.*[email protected]...]...l9..^=
......v.N=.;.S.~.9.-....~..4..i....W#.y..p.......D....6F..$={....V.<
;.....vZ.....@`>.y..].....&.*.p._&.W..PK...R.?...*..G.[....w....d._
....S....{..=T.n...j...*..k.s'..'..bz.q...V.5L.-#[email protected]./.........<<< skipped >>>
GET /ppres/static/thirdparty/header/module_header.js?t=201303212934 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yun.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=E94612E1118354C80756FECFA78B0F72:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Fri, 27 May 2016 22:26:57 GMT
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=9E219A7B836381A2B347DBECDD711A52:FG=1; expires=Sat, 27-May-17 22:26:57 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203377820361116565
Yme: ZIGW/i4rX04SdTQBUmr/tGZLovoeTxz3qApHwyiEkOq7
Transfer-Encoding: chunkedd98...............[.H.8.U.2.{.On...|`.$..2...G.e...<..`......V.u.&.
...yg..u.Q]]]w.2....9.(....&...;..{.7........e../.....g..f......:w....
.....f.Q.9.i....9S.L..75G..~....z..'..z.c[;......'=.Y?..H.?...........
..ck?.U..u,O...l4.sz../.4...........Y..........Q.C..;i...c..Zc..~'vw..
....N...l,..<{.Ypi..'......m.............k.......3._....g.q.}..&dj}
]...........5..nO...U..3.\. N.%D..}.....3.....k<..:T."....0v'.tMWg.
f...].(._...l`......y^q}=.........e....g...>..j)../.U....O..?|*.$.k
..F.8...l0........E.].g..6.....`jS.....=,.._g.P6...zQk....q......m#...
.LM;.6n5C;.B.N..3..o..K9..}.5...]_.Z1o53....j.....q......u.../...*..:.
..Y9^_.Se]?>.....d...h....Fvn^.|.......U.....L..z..Aw....S.(./.1|..
I.6.G0...7.j...D....?\"*x..~)h..B5....@cd..#.$<.g ...x..K4..q......
.....L].)...88.a...w7q.i.\..7'..=..5......G..u..;..2raZ......k0.Uh....
[.#8.&2....3RK.........$m.Y]?...A....:4.......gp~ .G0..I"}....k...k..T
.8[m.>. .....j-.`k...y..5o .G3..z.'...~...U.....'......I...........
..[.:Aq.^......Z..-.)..e.t6._.tm\.....G.......hA^...*..2pV...).C....(/
..Kz^.........=f....d.......u.._.k.....0'ih.......M0k.M....J]........=
..o)....Km.....\...h.W..e...@..#..f];......%...A3*.D.WK.......`M..*.C.
.Z...._..&N.....}q?'w...D.!...a!.&wP.;.!.L}[email protected]#.....Y.s...
=..7.....-....;..g.D..0\.V..*.....Jy...Z....?~k0....!.`.....2$......B`
.@F..[.R....-.........{...&9..VCn....S...;..._>2.o...;..<.[.....
..,.`\..u.Hp...r\........H..G..k...3c.yz.P...;J...P....[1r.5....z..D.u
...r)j2..A.......l.a....f^.r.[..S.?z..dU.-VQ7... 1u9.G..r_..&...h1<<< skipped >>>
GET /feproxy/ad/list?list[0][id]=web-text&list[0][w]=0&list[0][h]=0&uk= HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yun.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=9E219A7B836381A2B347DBECDD711A52:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Fri, 27 May 2016 22:26:58 GMT
Flow-Level: 3
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=30B24ECA2B45FEE949724FB6D146F482:FG=1; expires=Sat, 27-May-17 22:26:58 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203378085759463058
Yme: ZIGW/i4rX04SdTYCUmr/tGtPovkcQhz3qQpHwyiE
Content-Length: 340.............n. .E..EWN..0...CJ...G(~.6$M..{.R...........`....8C.... .
..yx.)..........0.1...n;...XD*.Vr.J....#Z...L1.X%].3D.*.ZI.!.a.:.eGqL^
a^.4n2.Q\P.et..m....Z.........m...........J....x.W.T..F*W.=.{.]..v.Tn.
].6......A>u.4.n.}...Y....>....x...o............QAD....NI..b....
.OS....m.4.T..!8P.Z\.S..XYt.J....^..5..3..i....%.....0.$;.T,h.....HTTP
/1.1 200 OK..Cache-Control: no-cache..Connection: keep-alive..Content-
Encoding: gzip..Content-Type: application/json; charset=UTF-8..Date: F
ri, 27 May 2016 22:26:58 GMT..Flow-Level: 3..P3p: CP=" OTI DSP COR IVA
OUR IND COM "..Pragma: no-cache..Server: nginx..Set-Cookie: BAIDUID=3
0B24ECA2B45FEE949724FB6D146F482:FG=1; expires=Sat, 27-May-17 22:26:58
GMT; max-age=31536000; path=/; domain=.baidu.com; version=1..Vary: Acc
ept-Encoding..X-Powered-By: BaiduCloud..Yld: 9203378085759463058..Yme:
ZIGW/i4rX04SdTYCUmr/tGtPovkcQhz3qQpHwyiE..Content-Length: 340........
.......n. .E..EWN..0...CJ...G(~.6$M..{.R...........`....8C.... ...yx.)
..........0.1...n;...XD*.Vr.J....#Z...L1.X%].3D.*.ZI.!.a.:.eGqL^a^.4n2
.Q\P.et..m....Z.........m...........J....x.W.T..F*W.=.{.]..v.Tn.].6...
...A>u.4.n.}...Y....>....x...o............QAD....NI..b.....OS...
.m.4.T..!8P.Z\.S..XYt.J....^..5..3..i....%.....0.$;.T,h........
.<<< skipped >>>
GET /disk/cmsdata?do=manual&ch=pan_focuspic&t=1464388027806 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yun.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=F97250058CC2F845A25D3E889712053B:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 27 May 2016 22:26:59 GMT
Expires: 0
Flow-Level: 3
Nginx-Cache: HIT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=71994A0F65150656ECDC127D78FA4E74:FG=1; expires=Sat, 27-May-17 22:26:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203378421075766597
Content-Length: 183............A..0.E...Pf].X,j/.!.H..!b..L.)..)...D.........$.....X.d..Z
.d.....S........X..b...T`.V$e.......c%.y..a.Bw...;/../....i"J..o..|...
.nbY.|. .f.....V...3~<...q..J.3.a|..0......HTTP/1.1 200 OK..Cache-C
ontrol: no-cache..Connection: keep-alive..Content-Encoding: gzip..Cont
ent-Type: text/html; charset=utf-8..Date: Fri, 27 May 2016 22:26:59 GM
T..Expires: 0..Flow-Level: 3..Nginx-Cache: HIT..P3p: CP=" OTI DSP COR
IVA OUR IND COM "..Pragma: no-cache..Server: nginx..Set-Cookie: BAIDUI
D=71994A0F65150656ECDC127D78FA4E74:FG=1; expires=Sat, 27-May-17 22:26:
59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1..Vary:
Accept-Encoding..X-Powered-By: BaiduCloud..Yld: 9203378421075766597..C
ontent-Length: 183..............A..0.E...Pf].X,j/.!.H..!b..L.)..)...D.
........$.....X.d..Z.d.....S........X..b...T`.V$e.......c%.y..a.Bw...;
/../....i"J..o..|....nbY.|. .f.....V...3~<...q..J.3.a|..0........
GET /ppres/static/js/plug/html5.js HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=8BAB9156D0B005C2C41AEA5B41BB81E4:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Fri, 27 May 2016 22:26:54 GMT
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=B5E62F285F9858A09A611B208AD33D0E:FG=1; expires=Sat, 27-May-17 22:26:54 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Vary: Accept-Encoding
X-Powered-By: BaiduCloud
Yld: 9203377068331699211
Yme: ZIGW/i4rX0wbdTYEUmr/tGtNov4eVAP3oAhPyyeT
Content-Length: 780..........mTMs.6...W8.......7.i&.3=..L...D%..K.............J......}...
w....f4.:-...&.d...z...s...J...S2..T&..........B...C.p.,....6T...)....
p........t..|h.)-8...........j lcR..#.k.%....."g...../LJ$..........%_.
...b..s$..$g...K_%...-W...yJ.k&..JU.1gk..T<.N^1.b...<..s.n....5.
.....p...<.-....G.6Jc.H?$....(.j.HZR.5..........Z.....BIE.j..Hp....
.OSRlG][....I.S.........#.5d.#..v3DPr.J.}..a..n....]./.f.^..v...o.....
e.e....?!.S.....Z?[^.5.d....|.DZ..-.u..Po:.W.lWn.sD._Z...!..TcA.a..:..
........".I.i...Vi...r.....#....8Y...L....8k..c..*.....:....$O.....A..
z.s.Qx..9...]]..&5.|9_.....x."4f....Ao.TA.~.y.H..."#t}..(>...eQ.Q.r
X.=.. ..m....._x.qUd......q.i....$../...5wn..M...W..H...k.......6..{Ky
...c.qA.....I.s0 ...~^..|?..'hq3/L.......".p......%.B....l..g.3...4B=.
{.}.\r.4I...}....$[...HTTP/1.1 200 OK..Cache-Control: no-cache..Connec
tion: keep-alive..Content-Encoding: gzip..Content-Type: application/x-
javascript..Date: Fri, 27 May 2016 22:26:54 GMT..Flow-Level: 3..Last-M
odified: Tue, 24 May 2016 07:00:28 GMT..P3p: CP=" OTI DSP COR IVA OUR
IND COM "..Pragma: no-cache..Server: nginx..Set-Cookie: BAIDUID=B5E62F
285F9858A09A611B208AD33D0E:FG=1; expires=Sat, 27-May-17 22:26:54 GMT;
max-age=31536000; path=/; domain=.baidu.com; version=1..Vary: Accept-E
ncoding..X-Powered-By: BaiduCloud..Yld: 9203377068331699211..Yme: ZIGW
/i4rX0wbdTYEUmr/tGtNov4eVAP3oAhPyyeT..Content-Length: 780............m
TMs.6...W8.......7.i&.3=..L...D%..K.............J......}...w....f4.:-.
..&.d...z...s...J...S2..T&..........B...C.p.,....6T...)....p......<<< skipped >>>
GET /api/analytics?type=web_header_title_click&clienttype=0&currentUrl=http://yun.baidu.com/s/1dD5xS7B&t=1464388027447 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=F97250058CC2F845A25D3E889712053B:FG=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Type: image/jpeg; charset=UTF-8
Date: Fri, 27 May 2016 22:26:59 GMT
Flow-Level: 3
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=4F9C212ADBC36B6EA9203FA30D512549:FG=1; expires=Sat, 27-May-17 22:26:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
X-Powered-By: BaiduCloud
Yld: 9203378327851027777
Yme: ZIGW/i4rV0kMajYYTmvhrmlXvvsWVAf3oAhPyyc=
Content-Length: 48..{"errno":0,"request_id":3438770804414139713}....
GET /ppres/static/images/error/error.png?t=201605245555?@=-1 HTTP/1.1
Accept: */*
Referer: hXXp://yun.baidu.com/s/1dD5xS7B
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pan.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=F97250058CC2F845A25D3E889712053B:FG=1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 5719
Content-Type: image/png
Date: Fri, 27 May 2016 22:26:59 GMT
Etag: "5743fc0c-1657"
Flow-Level: 3
Last-Modified: Tue, 24 May 2016 07:00:28 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: nginx
Set-Cookie: BAIDUID=4F9C212ADBC36B6EDBB0B7BE7202F274:FG=1; expires=Sat, 27-May-17 22:26:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
X-Powered-By: BaiduCloud
Yld: 9203378425521977887
Yme: ZIGW/ywrWk8MaT0YTmvhrm1XvfMXVAPxoAhPyyc=.PNG........IHDR..............n......sBIT.....O.....PLTE`3.s.......0..
...L.....`.f,........S.jZ}S)..<.....".p$...........:...yS?.....r.}=
l@!..x.|[.....i....R"..I....{A.....s.........{....i....T...].s/..\....
......kMsJ)...........u..7...........W.t'...........r....X...c..~.C...
..j'..[..|..n...d8!}X3..z.......]H.....G.....I.............sc..t......
..z..F....t(..Y..~.....n..;.`<..........lC..Q.........uO8..c.......
..kB)...........:.}K...........y.pI..>.......dR....K..c,.rC........
m....e...l..>...sK4..5...h<"..Y..m.......`9..B.....d.~,...._)..c
..W.....r..Fs...xj....i:..,..M.rCmD/b5...b..R............zS1..j....q:}
]C..H..a..~....{R.....7...................aI....n!..Q..r..|..s.......r
X..b.....T....~(.f4.....P..y.....-.|1..z.......vQ.n:.......K!.........
..Y.................m..R.....{........t..?..X.\0..b.c".....4..o.....y.
9.-....tRNS...........................................................
......................................................................
......................................................................
..........................................................`......pHYs.
..........~.....tEXtCreation Time.11/06/13.y.m....tEXtSoftware.Adobe F
ireworks CS5q..6....IDATx....\S......].....`.RW..Z*b...V..,....E....V.
...-......B...@........*R..r/..El...... ..m..^.s.9..sN......Q..=.|.<
;......7.....V..<Q0..0......{.l./<...7.4_x.UA.|.......4_x..AAl.x
..w..=`.|...........A.Ao...{...=..._p.;A.}....7.}...=Av)..s.4vk.i.E.'.
r....J.......=..8Q.....[[email protected]......,..pjb..Z.......o..3.A.<<< skipped >>>
GET /htl/Dementia.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xmhairong.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sun, 08 May 2016 07:14:37 GMT
Accept-Ranges: bytes
ETag: "1880548f9a8d11:0"
Server: Microsoft-IIS/7.5
Date: Fri, 27 May 2016 22:27:00 GMT
Content-Length: 478300Rar!.....s..................|N.....h.=*[email protected]..|..[j.$..1...*.T
{[email protected]}..u.,........H5t)^.~..`..a.'..Rr..
G3..t.....B.._.>[email protected]..,....../k.....<.....<
;.. ......k....B....=$0..k.5."t!..c..k&x.}.(v.kEiNb...6.u,)... ."B.'..
k ....X.....8.p...Y.L.R.g........ .?.o...j...D.5..c...<.....<..E
.)........6.:...L........?Q..EZF6......L....fV.&..4..lL|.0...(x...J5].
TT.F....I.z......']...:G9.V....".U....t!l.L.i.i...{.YH....(?...y.y.T..
.....S.TI$.........I...%.Eo.]......$;.:..('*DOS.%._qs.w....y.*.&...p9.
.yC.....V..V`.w.......a N'.B..^.Z|J....0...b...........(...F=..RC.Fr.x
g..kVaP... ./...a.?.^..D.T....>H....%#............-_.]....e..Y3.-u.
...~...7.I.0%.....l....M.{n.....$.4..4.MU.../{......(.......01...A..~.
.(..M...`-&.X....v...H.:>......ixK.O.._.......R_....S|..S.....#Bw..
..........cJ`.P..;.R...=O.....u..}M.42..gjn.66....L..J.Z...f.D.]|...M.
`.....\p..WL..D... ?;..........\.>M...5...N,.r..6.S...W.V..Y- .....
%j.... ..I...$.~_..1c....a..u....4............,.._.......TV.......9...
O....*..|.u........di.4\*m..5...jc..m..).D=.....Y..K......ig.z*.....1.
...k......?RB.W>.f|..WymS.R.....j.._B.`.....e...-i.z..k.f.......a6.
ZS.......D.yK&.....-..U`S.....D....Z'...K..y..Q.A.....p...N.......H..9
.9..r..T.%V...1....Fn..v..%....M...:2.SEr...;N.:.z .T..^..&.....<.q
GLK...d...kX..j.M...*.-J]...S...6....&.... .>...Y[.|.7F?.P..IH.j...
.....t?qvw..".1...w..[.0../.p......OJ.H.X...H.7.[.T...:..........O.1..
.FxXZ.o..9 ....h.q..._[.b.)\....j.F.......Z!.......c..*...g.q.r...<<< skipped >>>
The Trojan connects to the servers at the following location(s):
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
msdtc.exe_1788:
.text
`.data
.rsrc
KERNEL32.dll
msvcrt.dll
MSDTCTM.dll
msdtcexe.pdb
_wcmdln
2001.12.4414.700
MSDTC.EXE
Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
03.01.00.4414
Dementia.exe_1012:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
;~TtCP
tJSSh
FtPj
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
operator
GetProcessWindowStation
127.0.0.1
0.0.0.0
RegCreateKeyTransactedW
,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u
upload_data.qq.com
121.14.102.16
COMM:%u,%u,%u,%I64u,%I64u,%d,%d,%d,%d,%d,%d,%d,%d,%d
,0,0,0,0,0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows Xp)
Host: %s:%d
(%d) d:d:d.d000 %s: %s
pdlxf.qq.com
fs-tcp-conn.qq.com
stun.qq.com
xuanfengnet.qq.com
fs-hello.qq.com
fs-conn.qq.com
fs-h2u.qq.com
fs-report.qq.com
R:\TempView\Misc\Setup3\build\Release\QQSetupEx.pdb
WS2_32.dll
NETAPI32.dll
VERSION.dll
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
CryptCATCatalogInfoFromContext
WTHelperGetProvCertFromChain
WINTRUST.dll
CertGetNameStringW
CRYPT32.dll
GetCPInfo
GetProcessHeap
.?AVCVideoMsg@@
zcÁ
^SQLS^
'%cMMV#)
Hummer Backup Setup EXE
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
2(3,3034383<3
?#? ?<?[?
0#0-02070
8 8$8(8,808
6'7,717@7
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
RMDir: RemoveDirectory failed("%s")RMDir: RemoveDirectory("%s")RMDir: RemoveDirectory invalid input("%s")Delete: DeleteFile failed("%s")Delete: DeleteFile("%s")install.log
Section: "%s"
.DEFAULT\Control Panel\International
logging set to %d
settings logging to %d
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
Exec: failed createprocess ("%s")Exec: success ("%s")Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")ExecShell: warning: error ("%s": file:"%s" params:"%s")=%dExch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
Rename failed: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
HKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
hXXp://dldir1.qq.com/qqfile/qq/plugin/setuppkg.7z.output
_TX~QQSetupEx~0503~A1C22B84-CE8D-437A-AA60-6D3ABCB18ACF
Advapi32.dll
windows
RCreateWindowsDirTemp
R:\TempView\Misc\Setup3\BackupDownloader\BackupDownload.cpp
create folder :%s error, errcode:%lu
dir:%s
ParseCmdLine
`anonymous-namespace'::ParseCmdLine
Software\Tencent\Report
cmd line
r:\tempview\misc\setup3\backupdownloader\installobject\InstallObject.h
GetExitCodeProcess exit code : %u
CInstallObjectAgent::CloseProcessHandle
ID=%d
r:\tempview\misc\setup3\backupdownloader\installobject\InstallObjectDefault.h
%d.%d.%d.%d
R:\TempView\Misc\Setup3\BackupDownloader\InstallObject\InstallObjectDefault.cpp
%s\drivers\usbvideo.sys
usbvideo.sys file version: %s
5.1.2600.2729
usbvideo.sys file version is big than 5.1.2600.2729, no need install KB899271
SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB899271
has register key:SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB899271 , no need install KB899271
hXXp://download.microsoft.com/download/4/6/0/460ca2ec-55b8-46d6-afb6-b644a7e03d71/WindowsXP-KB899271-v4-x86-CHS.exe
hXXp://dldir1.qq.com/music/clntupate/QzoneMusicInstall.exe
hXXp://dldir1.qq.com/music/clntupate/QQPhotoDrawExSetupForQQ.exe
hXXp://dldir1.qq.com/P2PUpdate/P2PSetup.exe
hXXp://dldir1.qq.com/qqfile/qq/videomsg/VideoMsgInstall.exe
hXXp://dldir1.qq.com/qqfile/qq/plugin/VideoShowPlayerInstall.exe
hXXp://dldir1.qq.com/qqfile/qq/plugin/VideoBeautyInstall.exe
hXXp://dldir1.qq.com/invc/cyclone/QQMiniDL_Setup.exe
hXXp://dldir1.qq.com/qqfile/qq/plugin/QQGameMicro_setup.exe
\QQGame.exe
QQGame.exe
hXXp://dldir1.qq.com/qqfile/qq/plugin/HotWordInstall.exe
hXXp://androidpc.app.qq.com/app1/vertis.do?id=201409090001
BrowserInstaller.exe
@hXXp://dldl.qq.com/dl/qqie8
hXXp://dldl.qq.com/dl/qq
hXXp://dldir1.qq.com/music/clntupate/QQMusicDownloader.exe
hXXp://dldir1.qq.com/qqtv/qqlivesetup.exe
QQBrowser_Setup_QQ.exe
hXXp://dldir3.qq.com/minigamefile/QQGameDownloader.exe
hXXp://ws.sj.qq.com/webservices/download.do?yw=qq
QQPhoneManager_700024.exe
@\rundll32.exe
R:\TempView\Misc\Setup3\BackupDownloader\Util\7zUtil.cpp
decoder doesn't support this archive
ERROR #%d
gfile path : %s
R:\TempView\Misc\Setup3\BackupDownloader\Util\DecryptUtil.cpp
Open file failed, error code : %u
Get file size failed, error code : %u
File size too large, HighPart = %u
AR:\TempView\Misc\Setup3\BackupDownloader\DataReport\DataReport.cpp
DataReport::UploadInstallResult
log.tlg
\\.\PhysicalDrive0
Siphlpapi.dll
ACreateDownloader. uiCustomID = %d
strFilePath = %s
uiCustomID = %d
CDownload::IsWorking(). m_bInited = %d
strUrl = %s
strFileName = %s
CDownload::DeleteTask(). uiTaskID = %d
CDownload::HandleDeleteTask(). uiTaskID = %d
CDownload::DeleteTask(). strUrl = %s
CDownload::HandleDeleteTask(). strUrl = %s
CDownload::SetDownloadSpeed(). uiSpeed = %d
CDownload::SetP2PUploadSpeed(). uiSpeed = %d
CDownload::HandleSetP2PUploadSpeed(). uiSpeed = %d
CDownload::SetSafeMode(). bSafeMode = %d
CDownload::HandleSetSafeMode(). bSafeMode = %d
stProxyInfo.eProxyType = %d
stProxyInfo.strProxyIP = %s
stProxyInfo.usProxyPort = %d
CDownload::OnNotify()->OnDownloadComplete. uiTaskID = %d, uiResult = %d, uiErrorCode = %d, uiDetailErrorCode = %d
Adlcore.dll
QQPCDetector.dll
R:\TempView\Misc\Setup3\BackupDownloader\Network\BizInstallerMgr.cpp
task:%lu, download error code:%d
task:%lu, filename:%s
{39F5E8C5-2BA9-48df-B58E-D30D58E271ED}%d not need to download
%d need to download
name = %s
url = %s
args = %s
filename = %s
dlcore dll not exist, file:%s
iter->bFinished:%d
Start ObjectId:%u
m_oDownloadMgr.StartTask returns:%d
default file %s download ok, local file : %s
optional file %s download ok, local file : %s
%s...
ObjId: %u
Name: %s
Url: %s
Args: %s
Filename: %s
install a file:%s
run install failed, error code : %u
GetDectectorResult() successed, wording: %s
RunDetector successed, dwOperator == %d
RunDetector failed, dwOperator == %d
dwOperator Invaild, dwOperator == %d
GetInstallObjsReportString
CBizInstallerMgr::GetInstallObjsReportString
R:\TempView\Misc\Setup3\BackupDownloader\Network\BizInstallerWindow.cpp
WM_TASKTRAY_MSG
dwCookie:%d
R:\TempView\Misc\Setup3\BackupDownloader\Network\DownloadMgr.cpp
CreateDownloadTask,Url:%s, localPath:%s
CDownloadMgr::CreateHttpDownloadTask
m_oDownloader.StartTask, dwCookie:%d, return %d
CDownloadMgr::DeleteTask, dwCookie:%d
m_mapCookieToTask.erase, dwCookie:%d
szFileName = %s
%Documents and Settings%\All Users\Application Data\Microsoft dementia\Dementia.exe
8.2.17724.0
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Dementia.exe:1992
Dementia.exe:1532
Dementia.exe:1012
attrib.exe:868
attrib.exe:2088
attrib.exe:1988
attrib.exe:1536
attrib.exe:2112
attrib.exe:2064
sc.exe:212
taskkill.exe:1436
taskkill.exe:2028
%original file name%.exe:772
ping.exe:2120
msdtc.exe:1788
net.exe:1976
net.exe:1336
net1.exe:380
net1.exe:1236
Miciosoft .NET.exe:948
irsetup.exe:1332
rar.exe:1512
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan. Note that this list is the sandbox's record of every path the sample wrote to, and several entries are system directories or system files rather than dropped malware (for example %System%, %WinDir%\Fonts, %WinDir%\WinSxS, %System%\config\software, which is the SOFTWARE registry hive, and the MSDTC logs); those must not be deleted. The dropped artifacts are the "Microsoft dementia" folder under All Users\Application Data, C:\WindowsNET, C:\ProgramData\Temps, the oci.dll/oci.temp/oci.txt files in %WinDir%, the irsetup temp folder and the cached Dementia[1].rar:
%Documents and Settings% (4 bytes)
%WinDir%\oci.dll (4708 bytes)
%Documents and Settings%\%current user%\FAVORITES (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%WinDir%\WinSxS (12 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\Dementia.exe (2850 bytes)
%WinDir%\oci.temp (39 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir%\Fonts (920 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
C:\$Directory (1388 bytes)
%System% (6144 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\oci.txt (1588 bytes)
%WinDir%\Prefetch\IRSETUP.EXE-1B1C97F2.pf (40 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.zlib (99 bytes)
%WinDir%\Temp\Perflib_Perfdata_668.dat (4 bytes)
%WinDir%\Prefetch\259AF714DDCF5E9407353E066144A-10973936.pf (20 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.temp (6264 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%System%\MsDtc\MSDTC.LOG (3888 bytes)
%System%\config\SOFTWARE.LOG (5606 bytes)
%System%\config\software (2708 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.exe (7403 bytes)
%System%\MsDtc\Trace\dtctrace.log (28 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\config.ini (4686 bytes)
C:\WindowsNET\Dementia.sys (79290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Dementia[1].rar (110785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\5.ico (3634 bytes)
C:\WindowsNET\Miciosoft .NET.exe (28 bytes)
C:\WindowsNET\Rar.exe (5761 bytes)
C:\ProgramData\Temps\Dementia.exe (5777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft dementia\dlcore.dll (8545 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows PlayGame" = "%Documents and Settings%\All Users\Application Data\Microsoft dementia\360Game.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
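The manual removal steps above, as an added PowerShell example that is not part of the Lavasoft report and not code from the sample: it sweeps a host for the indicators listed in this report in dry-run mode and only kills or deletes anything when run with -Remove. It keys on image names and paths rather than the PIDs printed above, because those PIDs belong to the sandbox run; it finds the service by ImagePath under C:\WindowsNET because the report shows sc.exe running and Dementia.sys being dropped there but never names the service; and it covers only the dropped artifacts, not the system directories that also appear in the file list. Including %WinDir%\oci.dll is my reading, not a finding the report states: oci.dll is the Oracle client DLL that MSDTC tries to load, msdtc.exe appears in the process list, and a planted oci.dll is a well-known load-order persistence trick. The C:\ProgramData\Microsoft dementia path is an assumption for post-XP folder layouts; every other path, the Run value and the SHA256 come from the report.

```powershell
# Added example, not part of the Lavasoft report: sweep a host for this
# report's indicators. Dry-run by default; pass -Remove to kill/delete.
# Run from an elevated PowerShell prompt.
param([switch]$Remove)

$ErrorActionPreference = 'Continue'

# Image names from the report's process list. The report's PIDs are sandbox
# artefacts, so matching is by name and by path, never by PID.
$BadProcessNames = @('Dementia', '360Game', 'Miciosoft .NET')

# Drop locations from the report. The ProgramData variant of the
# "Microsoft dementia" folder is an assumption for post-XP layouts.
$BadDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft dementia'),
    'C:\ProgramData\Microsoft dementia',
    'C:\ProgramData\Temps',
    'C:\WindowsNET'
)
# %WinDir%\oci.*: oci.dll is the Oracle client DLL MSDTC tries to load, and
# msdtc.exe is in the report's process list (editor's reading, see lead-in).
$BadFiles = @(
    (Join-Path $env:windir 'oci.dll'),
    (Join-Path $env:windir 'oci.temp'),
    (Join-Path $env:windir 'oci.txt')
)
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'Windows PlayGame'
# SHA256 of the analysed dropper, from the report header.
$DropperSha256 = '352588F2E20EDD22693AF1F21FCB010CAF6076FE8D6AF2AC8AE0DA0896196155'

function Report([string]$Kind, [string]$Detail) {
    Write-Host ('[{0}] {1}' -f $Kind, $Detail)
}

# .NET hashing rather than Get-FileHash, which needs PowerShell 4+.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Processes: by image name, or any process whose image lives in a drop folder
#    (this also catches Rar.exe and irsetup.exe when they run from C:\WindowsNET).
$procs = Get-Process | Where-Object {
    $p = $_
    ($BadProcessNames -contains $p.ProcessName) -or
    ($p.Path -and ($BadDirs | Where-Object { $p.Path -like ($_ + '\*') }))
}
foreach ($p in $procs) {
    Report 'process' ('{0} (PID {1}) {2}' -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Services and kernel drivers whose binary sits under C:\WindowsNET. The
#    report drops Dementia.sys there and runs sc.exe but never names the
#    service, so search by ImagePath instead of guessing a name.
$svcs = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver) |
    Where-Object { $_.PathName -and $_.PathName -like '*\WindowsNET\*' }
foreach ($s in $svcs) {
    Report 'service' ('{0} -> {1}' -f $s.Name, $s.PathName)
    if ($Remove) {
        & sc.exe stop   $s.Name | Out-Null
        & sc.exe delete $s.Name | Out-Null
    }
}

# 3. The Run-key value from the report.
$val = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$RunValue
if ($val) {
    Report 'autorun' ('{0} = {1}' -f $RunValue, $val)
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}

# 4. Dropped files and folders: hash every file first so the analyst has
#    something to pivot on, then delete the whole target when -Remove is set.
foreach ($target in ($BadFiles + $BadDirs)) {
    if (-not (Test-Path -LiteralPath $target)) { continue }
    Get-ChildItem -LiteralPath $target -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $h   = Get-Sha256Hex $_.FullName
            $tag = if ($h -eq $DropperSha256) { 'file (matches report SHA256)' } else { 'file' }
            Report $tag ('{0} sha256={1}' -f $_.FullName, $h)
        }
    if ($Remove) { Remove-Item -LiteralPath $target -Recurse -Force }
}
```

Run it once without -Remove, keep the output, and copy the Prefetch entries (IRSETUP.EXE-*.pf and 259AF714DDCF5E9407353E066144A-*.pf), the cached Dementia[1].rar and the "Microsoft dementia" folder to an evidence share before the -Remove pass; they are the execution timeline and the second-stage payload, and the sweep deliberately does not touch the Prefetch or Temporary Internet Files locations. If step 2 reports a driver, reboot before re-running the file pass, since a loaded Dementia.sys can keep its image locked.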