MD5: 980711409eec6ba31a174c9d93451cff
SHA1: 5e3b9ceeb591ed6f5e405d09fa122c0cedc49ecb
SHA256: 829c6c7a3103fcf989aab8b4f89c11fbf92238b106ea70feff7b6517363506cd
SSDeep: 49152:r2a8wQ2UjKOLm6XwQ WAlizEd9Pbda6uV JUcI:prQ2UjKOLrmDizEd9Pby9
Size: 2777088 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: Mail.Ru
Created at: 2017-06-29 12:33:08
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3308

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\TLzz.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24DF.tmp (2712 bytes)
C:\TLnn.dll (425 bytes)
C:\data\ÅäÖÃÎļþ.ini (497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24DE.tmp (51 bytes)
C:\TLcc.dll (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24DE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24DF.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.2345.com/?kfanxing2013"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\980711409eec6ba31a174c9d93451cff_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??QQ?:63613937
Product Name: ????
Product Version: 2.1.10.2
Legal Copyright: ????????????????????!
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.1.10.2
File Description: ?????????!
Comments: ??QQ?:63613937
Language: German (Germany)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://tlguanjia.com/	180.178.46.130
hxxp://tlguanjia.com/online/tongji.php	180.178.46.130
hxxp://www.2345.com/?kfanxing2013	42.62.30.180
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=	23.46.123.27
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl	93.184.220.20
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=	23.46.123.27

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /?kfanxing2013 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.2345.com

Cache-Control: no-cache

HTTP/1.1 302 Temporarily Moved

Location: hXXps://VVV.2345.com/?kfanxing2013

Accept-Ranges: bytes

Date: Sat, 08 Jul 2017 18:47:18 GMT

Age: 0

Connection: close

x-hits: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=498485, public, no-transform, must-revalidate

Last-Modified: Fri, 7 Jul 2017 13:13:13 GMT

Expires: Fri, 14 Jul 2017 13:13:13 GMT

Date: Sat, 08 Jul 2017 18:47:26 GMT

Connection: keep-alive
0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017070
7131313Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
[email protected]...*.H.....
........^xg%...#I......#.Zg......>1..a..L'.......<nm(.0.......#i
.z......9.h.W. .x.=.aV.4Y...U..V.v.^...'...T...._ln@30..!=R........_7.
...?.d..v..h...]......'...wg...x..IE..........B*.v.s...8.}....vN..{qG.
j..R....K.3...[.XU......~.U......;P^.{.......n.u..3..[..n`. ....0...0.
..0..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006
 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 
3 Public Primary Certification Authority - G50...161122000000Z..171214
235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Syman
tec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder C
ertificate 50.."0...*.H.............0.............................m..|
........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.
)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...
#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4.
....D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`
.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...ht
tp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... ....
.0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...
r..7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Cache-Control: max-age = 547348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1664

content-transfer-encoding: binary

Cache-Control: max-age=485887, public, no-transform, must-revalidate

Last-Modified: Fri, 7 Jul 2017 09:43:18 GMT

Expires: Fri, 14 Jul 2017 09:43:18 GMT

Date: Sat, 08 Jul 2017 18:48:12 GMT

Connection: keep-alive
0..|......u0..q.. .....0.....b0..^0.............V.m......E!....2017070
7094318Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
.......{.-.....M).$_... .n:......:.........w.nI.%L...a....H..Q/pb..J./
r.u...h.]..`..x.u..^a.<[email protected]=)hri..)z... S.k.........
.h..1' }g...m4.(.-..`...i...{.....M...4....b...T.....G...Yi...oI....=~
.`.[_L.......sqH-I3..P.'.....{)!.q...c.....{,.~..D.<.p....0...0...0
..................[Df..{.,0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...161213000000Z..211231235959Z0F1D0B..U...;Symantec 
Class 3 Code Signing 2009-2 CA SHA1 OCSP Responder0.."0...*.H.........
....0.............2q..J..:...3....X.?.....9K.G....,......e.c,..9YI...z
.qA 0....9...CG......6.qX>.Xo.....g..=..B.E.......qB..W.|..>.qT.
4Z|....H. m...m..qy]Gi...0N.T.....N,[email protected].......=..G.0.
....y4N"mK.J...."..".......ju.....k...x........P.]S=t....*..'.........
....0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. .........https:
//d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0...U.%..0... 
.......0...U.............
<<< skipped >>>

GET /CRL/Omniroot2025.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT

If-None-Match: "200da-5b6-4eb453c33260e"

User-Agent: Microsoft-CryptoAPI/6.1

Host: cdp1.public-trust.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Date: Sat, 08 Jul 2017 18:48:06 GMT

Etag: "200da-f1d-5538171641a3c"

Last-Modified: Tue, 04 Jul 2017 17:45:01 GMT

Server: ECS (frf/8799)

X-Cache: HIT

Content-Length: 3869
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U..
..CyberTrust1"0 ..U....Baltimore CyberTrust Root..170704170957Z..17092
9170957Z0..`0....'k...120111220757Z0....'k...120111220847Z0....'.C..13
0130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140
212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..1004
14175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....10021
6203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208
175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...1101141
62156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0
.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...1
20111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..10
0414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101
208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..1103
02154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..10041
4175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714
160903Z0....'s...130123162633Z0....'....130904190524Z0....'....1310242
14319Z0....'....140129172435Z0....'....140129172453Z0....'....13102421
4310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155
638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...1506031846
05Z0....'k...150603185020Z0....'k...150603185058Z0....'k...15060318513
1Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909
Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: tlguanjia.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Last-Modified: Sat, 08 Jul 2017 10:51:34 GMT

Accept-Ranges: bytes

ETag: "483b662ad8f7d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Sat, 08 Jul 2017 18:47:18 GMT

Content-Length: 14140
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html
 xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http
-equiv="Content-Type" content="text/html; charset=utf-8" />..    &l
t;link type="image/x-icon" href="hXXp://xtl.changyou.com/favicon.ico" 
rel="icon"/>..    <link type="image/x-icon" href="hXXp://xtl.cha
ngyou.com/favicon.ico" rel="shortcut icon" /><title>.........
.........</title>..<style type="text/css">..<!--..body 
{...font: 100%/1.4 Verdana, Arial, Helvetica, sans-serif;...background
-color: #CCCCCC;...margin: 0;...padding: 0;...color: #3F0;...backgroun
d-image: url();...background-repeat: repeat;...margin-left: 0px;..}../
* ~~ ....../............... ~~ */..ul, ol, dl { /* ...................
......................................................................
......................................................................
..........................................LI...DT ... DD..............
......................................................................
................................................... .nav ......... */.
..padding: 0;...margin: 0;..}..h1, h2, h3, h4, h5, h6, p {...margin-to
p: 0;. /* ...................................................... div .
...................................... div ...........................
.................. */...padding-right: 15px;...padding-left: 15px; /* 
... div .............................. div .......................
<<< skipped >>>

GET /online/tongji.php HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: tlguanjia.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.4.45

X-Powered-By: ASP.NET

Date: Sat, 08 Jul 2017 18:47:19 GMT

Content-Length: 67
document.write('......... 2681, ...... 712, ...... 107, ...... 2');HTT
P/1.1 200 OK..Content-Type: text/html; charset=utf-8..Server: Microsof
t-IIS/8.5..X-Powered-By: PHP/5.4.45..X-Powered-By: ASP.NET..Date: Sat,
 08 Jul 2017 18:47:19 GMT..Content-Length: 67..document.write('.......
.. 2681, ...... 712, ...... 107, ...... 2');..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

user32.dll

kernel32.dll

TLbb.dll

shlwapi.dll

TLcc.dll

ntdll.dll

KERNEL32.DLL

NTDLL.DLL

oleaut32.dll

shell32.dll

Winhttp.dll

Wininet.dll

EnumThreadWindows

MsgWaitForMultipleObjects

GetProcessHeap

WinHttpOpen

WinHttpCloseHandle

WinHttpSetTimeouts

WinHttpAddRequestHeaders

WinHttpSetOption

WinHttpQueryHeaders

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpSetCredentials

{B6F7542F-B8FE-46a8-9605-98856A687097}

{15EB1853-EE4C-468f-BAA5-63D186FDB911}

hXXp://shang.qq.com/wpa/qunwpa?idkey=a0008f2496cd82b11387c53afb8a6994c073d995b6a3a9c3847f26af320dcfc1

[email protected]

.iqW>

"3/%F

INFOhXXps://VVV.2345.com/?kfanxing2013

@.reloc

SWSSh

t%SVP

GetProcessWindowStation

C:\xn.log

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

hXXp://

hXXps://

PTF://

HTTP/1.1

application/x-www-form-urlencoded

Referer: %s

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Content-Type: %s

Content-Length: %d

:%s Flags:%s

hXXp://91.xndama.com/Post.aspx

hXXp://da.xndama.com/Post.aspx

hXXp://ma.xndama.com/Post.aspx

hXXp://xn.xndama.com/Post.aspx

operate=1&posttype=0

1.0.1.7

operate=2&posttype=0

operate=3&posttype=0&tid=%s

operate=4&posttype=0&tid=%s

operate=5&posttype=0&SN=%s

operate=6&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&SoftID=%s

operate=7&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&PCCode=%s&SoftID=%s

operate=24&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&PCCode=%s&SoftID=%s&Remark=%s&SurplusPoints=%d&Presenter=%s

operate=8&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&CardNO=%s&SoftID=%s

operate=9&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&SoftID=%s

operate=10&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&SoftID=%s

operate=11&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&Password=%s&NewPassWord=%s&SoftID=%s

operate=12&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&CQTF=%d&SoftID=%s

operate=21&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&OnlineTime=%d&PCCode=%s&SoftID=%s

operate=22&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&SoftID=%s

operate=23&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&SoftID=%s

operate=13&posttype=0&SN=%s&F_ID=%s&CardCode=%s&NewCardCode=%s&SoftID=%s

operate=14&posttype=0&SN=%s&F_ID=%s&CardCode=%s&SoftID=%s&PCCode=%s

operate=15&posttype=0&SN=%s&F_ID=%s&CardCode=%s&SoftID=%s&PCCode=%s

operate=16&posttype=0&SN=%s&F_ID=%s&CardCode=%s&OnlineTime=%d&PCCode=%s&SoftID=%s

operate=17&posttype=0&SN=%s&F_ID=%s&CardCode=%s&SoftID=%s

operate=18&posttype=0&SN=%s&F_ID=%s&CardCode=%s&CQTF=%d&SoftID=%s

operate=23&posttype=0&SN=%s&F_ID=%s&CardCode=%s&SoftID=%s

operate=31&posttype=1&SN=%s&ProjectCode=%s&OutTime=%d&PCCode=%s&RunNum=0&F_ID=%s&SoftID=%s&Remark=%s&ClientCode=%s&PassWord=%s&Base64Image=

operate=34&posttype=1&SN=%s&ProjectCode=%s&OutTime=%d&PCCode=%s&RunNum=0&CID=%s&CTF=%d&Remark=%s&Base64Image=

operate=30&posttype=1&SN=%s&ProjectCode=%s&OutTime=%d&PCCode=%s&RunNum=0&Remark=%s&Base64Image=

operate=33&posttype=1&SN=%s&ProjectCode=%s&OutTime=%d&PCCode=%s&RunNum=0&CID=%s&Remark=%s&Base64Image=

operate=32&posttype=1&SN=%s&ProjectCode=%s&OutTime=%d&PCCode=%s&RunNum=0&F_ID=%s&SoftID=%s&Remark=%s&CardCode=%s&Base64Image=

operate=20&posttype=0&SN=%s&F_ID=%s&SoftID=%s

operate=25&posttype=0&SN=%s&F_ID=%s&ClientCode=%s&CQTF=%d&SoftID=%s

F:\MyWorkProjects\XinNuo\Release\XinNuo.pdb

KERNEL32.dll

USER32.dll

GDI32.dll

ole32.dll

GdiplusShutdown

gdiplus.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

HttpEndRequestA

WININET.dll

IPHLPAPI.DLL

GetCPInfo

XinNuo.dll

GetErrorMsg

SendReport

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

8 88Y8^8

8 8$8(8,8

TLzz.dll

C8.zor

TLnn.dll

.reloc

B.rmnet

__MSVCRT_HEAP_SELECT

SHLWAPI.dll

OLEAUT32.dll

Sunday.dll

$@15638236

myDll.dll

2-252;2~2

7)71777=7~7

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

[email protected]

GdiPlus.dll

program internal error number is %d. (0x%Xh)

:"%s"

:"%s".

zcÁ

00

4"4(4,414@4[4

7)73797|7

9–9x9

: :$:(:,:0:4:8:

< <$<(<,<

1*12181>1

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

COMCTL32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

SkinH_EL.dll

7788521111

hXXp://VVV.2345.com/?kfanxing2013\

20150619165656266

#NO_OPERATION

hXXp://tlguanjia.com/

hXXp://blog.sina.com.cn/likaid

\TLbb.dll

\tem.dll

\tem.bat

ren tem.dll

del TLbb.dll

ren tem.dll TLbb.dll

BaseNamedObjects\A292F57D-84FD-4465-9A03-0C8232E731AA_0

BaseNamedObjects\A292F57D-84FD-4465-9A03-0C8232E731AA_1Temp\

hXXp://tlguanjia.com/speak/proposal.asp

&password=

\SkinH_EL.dll

/data/user.ini

18742444922

tem.dll

hXXp://tlguanjia.com/online/tongji.php

hXXp://VVV.2345.com/?kfanxing2013

[email protected]

.exe|.rar|.zip|.gif|.jpg|.mp3|.rm

hXXp://shapi.shdati.com/getmoney_post

hXXp://shapi.shdati.com/report_post

hXXp://shapi.shdati.com/upload

Content-Disposition: form-data; name="password"

{pass}

Content-Disposition: form-data; name="picture"; filename="System.Byte[]"

hXXp://shapi.shdati.com/RegUser

hXXp://shapi.shdati.com/Pay

hXXp://shapi.shdati.com/ExistsUser

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)

XMLHttpRequest

814212053

222634285

38839021

1 2 3 4 5 6 7

@changyou.com

@game.sohu.com

@Sohu.com

@chinaren.com

@sogou.com

@17173.com

;Z.QJ

J%Cnf

a(.ip

.GyEt

<>.Vf

Adobe Photoshop CS6 (Windows)

2017:04:30 15:42:55

urlTEXT

MsgeTEXT

/hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmp:CreateDate="2017-04-30T15:33:03 08:00" xmp:ModifyDate="2017-04-30T15:42:55 08:00" xmp:MetadataDate="2017-04-30T15:42:55 08:00" dc:format="image/jpeg" photoshop:LegacyIPTCDigest="00000000000000000000000000000001" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:4A2151BC772DE7119FDECD38EBB46A72" xmpMM:DocumentID="xmp.did:472151BC772DE7119FDECD38EBB46A72" xmpMM:OriginalDocumentID="xmp.did:472151BC772DE7119FDECD38EBB46A72"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:472151BC772DE7119FDECD38EBB46A72" stEvt:when="2017-04-30T15:33:03 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/png to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:482151BC772DE7119FDECD38EBB46A72" stEvt:when="2017-04-30T15:36:34 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:4A2151BC772DE7119FDECD38EBB46A72" stEvt:when="2017-04-30T15:42:55 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>

IEC hXXp://VVV.iec.ch

.IEC 61966-2.1 Default RGB colour space - sRGB

CRT curv

$4t%u&

4].mx

rbo

IÝI

5c%UQqU

.ig2n 

@C

%*4Q.eQ!Q

.gz;K

%xrs/

31` ;@@^

O.YGE}

M$R%C

;R.VU

TU%UI

(7),01444

'9=82<.342

\r_e.kuz

os.xE

$.Dm&

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.2.18

?%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

WMSWHEEL_ROLLMSG

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

AVIFIL32.dll

WinExec

GetKeyState

ExitWindowsEx

GetKeyboardLayout

VkKeyScanExA

keybd_event

EnumWindows

RegisterHotKey

UnregisterHotKey

SetWindowsHookExA

UnhookWindowsHookEx

EnumChildWindows

CreateDialogIndirectParamA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

WINSPOOL.DRV

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

oledlg.dll

InternetOpenUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

[%s:%d]

Range: bytes=%s-

[%s:%d]

PASS %s

PASS ******

USER %s

E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp

SIZE %s

PORT

User-Agent: %s

Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

Host: %s

GET %s HTTP/1.1

Cookie: %s

%d, %s

\\192.168.0.129\TCP\1037

NSPlayer/9.0.0.2980; {%s}; Host: %s

rmff_fix_header: assuming data.size=%i

rmff_fix_header: assuming data.num_packets=%i

rmff_fix_header: assuming prop.num_packets=%i

rmff_fix_header: setting prop.data_offset from %i to %i

rmff_fix_header: correcting prop.num_streams from %i to %i

rmff_fix_header: correcting prop.size from %i to %i

%s %s %s

Session: %s

Cseq: %u

%*s %s

%*s %u

CSeq: %u

rtsp://%s:%i

rtsp://%s:%i/%s

ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586

GUID: 00000000-0000-0000-0000-000000000000

[%s:%d]

User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)

Range: npt=%s-

%s/streamid=1

%s/streamid=0

Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play

If-Match: %s

RealChallenge2: %s, sd=%s

Title: %s

Copyright: %s

Author: %s

real: Content-length for description too big (> %uMB)!

Require: com.real.retain-entity-for-setup

SupportsMaximumASMBandwidth: 1

Bandwidth: %u

Challenge1: %s

hash output: %x %x %x %x

hash input: %x %x %x %x

stream=%u;rule=%u,

Illegal character '%c' in input.

VVV.dywt.com.cn

\StringFileInfo\%s\Comments

\StringFileInfo\%s\ProductVersion

\StringFileInfo\%s\ProductName

\StringFileInfo\%s\OriginalFilename

\StringFileInfo\%s\LegalTrademarks

\StringFileInfo\%s\LegalCopyright

\StringFileInfo\%s\InternalName

\StringFileInfo\%s\FileDescription

\StringFileInfo\%s\CompanyName

\StringFileInfo\%s\FileVersion

000%x

hXXp://VVV.baidu.com

%d%d%d

rundll32.exe shell32.dll,

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

operator

keywords

(*.htm;*.html)|*.htm;*.html

LOCK CMPXCHG8B may crash some processors when executed

Win95/98 may crash when VxD call is executed in user mode

Win95/98 may crash when NOT ESP is executed

Win95/98 may crash when NEG ESP is executed

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

document.write('

814212053(

[email protected]

tp://tlguanjia.com/

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

d.MHtBa

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

nKERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

!"#$%&'()

1, 0, 6, 6

- Skin.dll

Content-Type:application/x-www-form-urlencoded

(*.*)

2.1.10.2

63613937

%original file name%.exe_3308_rwx_10028000_00015000:

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

hJK.ZH

O.qt0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
   C:\TLzz.dll (15 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24DF.tmp (2712 bytes)
   C:\TLnn.dll (425 bytes)
   C:\data\ÅäÖÃÎļþ.ini (497 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24DE.tmp (51 bytes)
   C:\TLcc.dll (106 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.