Trojan.Win32.Swrort.3_3cbfcf601d
Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3cbfcf601db1fdfb495978d8b65a01bb
SHA1: 894987966f277feb3ee4ec221d1a1b7f668208e7
SHA256: 1dffdb8dfe4a72e5cb63d4388468e13a9b03b7a47dd9c678419cb314f1f74106
SSDeep: 196608:rtCvtHT5OrJ21nFH5azqhP92O8CtM1bZjDb:utHt2J2Npkz 9zm19j/
Size: 6418432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-12 05:41:13
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
regsvr32.exe:2460
regsvr32.exe:2640
regsvr32.exe:2456
regsvr32.exe:1256
regsvr32.exe:560
regsvr32.exe:3156
regsvr32.exe:3136
regsvr32.exe:3336
regsvr32.exe:3168
regsvr32.exe:2364
regsvr32.exe:3176
%original file name%.exe:2636
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:2460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process %original file name%.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (8230 bytes)
Registry activity
The process regsvr32.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\Data\"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"
The process regsvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
Dropped PE files
| MD5 | File path |
|---|---|
| c578b6820bda5689940560147c6e5ffc | c:\Data\dm.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1089674 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 1097728 | 5081452 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 6180864 | 464330 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp0 | 6647808 | 2222432 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp1 | 8871936 | 6402944 | 6406144 | 5.54379 | 1488ed11268773b3c49d5f26b4f6f20b |
| .rsrc | 15278080 | 5744 | 8192 | 2.96136 | 8f4caf869bb8932369e369f030084df2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| comroute.baibaoyun.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
k'nP%c
%soyR
h%Fy{r.CDo
.fl.n
Ye%xp
-Og}w
Ps{%uX.iQCy
3.BZnm
[email protected]}4
.aKmDW
NTs.BU
N,r{n.TBT.KA~3
nm_
j.eO}
zCMd
?.ZnZ
i.NG*
.GiS;
[0%U)DE
%sqHT
-pW}i
&g.JN
WGP.anJCb
.lc ^
yuc4ck%s
#;.Lm
%X!ud
@.ewJ
}.BHEeY?
K*.zj
%xH`Bf
O.ysD
%xw}\`\W
P%x]O
2B`%u*
.wZw=On5
dÔSZ
%f-'q
^eW[.cIv
.NU=Q
-XSE=.TG
|%d:D
gt.LYi
hfXb
!.Thw8v
I#.Uq
%X4#|
.fP>5
:.Rea
2.zO)
%UlPQs
F%FkO)
B.sYR
.Le7Rb
P?%FM
S&.jf
NJlZ6aU#%d
osurlX
D%K.rP
5.bio
,\%C|
.TT-as
^hu.Ff
o3A.LJ
;J~ _rf%U
.Y.tD
F0.lQ`
&.AiI
.Fy?L
.yPI/k
e.SH[
a.LjaDY
;{fTp7.grQG
{.ui,ti.He{5.yEeVP
}%f)8bn@
{c.sXOm.Oi^`o
%8S5ui
bc%S#e;
.Xymy
M%CkM%
N{.ag.J)<.CZ
%Xh&Fb
.hRe,
s-3}-H]
Ä%U
.qe}ta
V.XvH
Q8m%f
s!.zP
nl%4Sz
.Qz3.
5d.LS^
.FVXQ
o7x%C
.lWR!
(j3f.mR
D_%DH
y.mA6
.vU,:
?.nH'
zm.Tq
&.eB
whC.Gq]R
a".DVs
.ouY*
)"%S'zI~
yg%%Ds
K$8`%D\
N.jZ%
?.Ud=
15%soY
].dLV
W0I%s
J.lDS
Sf|U
Z%Uw};ez
%fLp
.Wh&9
%cUhj
m.pLO
3(Gk|m8e.sL
.mX$f
k=i%D
a'R%d
6SM.Fcr
).MZG
<b.rh
.tBFZ8$O
Xc.fK
0\.jf
1P.jg
Z2.FT
AkR%s
%F(Bo
&.Jwm
*Q%SOs
.LJjq'
3.hn0r
Jw.eg
.VdNZ
.Nyc}
Web}tA?
.Oz"GT
.xWXX
x%X-z
i$.Do
mmj.QX
#.VX>#`Z
.qD^#
mi.AC
B;=[.nBH
0dA%uVC
q.lxO
E.ir?
%C@'/
%sII0
!}&ó
:4.mW
.lXdo
SR.AM
D.Wln
Ti-kzU}Wa-<
.DWyxE
%U60`
%Dj-ih
%Cx(l
Uf.de
dI.oW
Ze@Id%F
uudO}%c
%X,!/
.%Xxe
.sO27
%%CMdh0
^%S'nUI_
7[.Bd
f]&.II
r.Ah4
.YCtZ
%fKNw
NhuW0.FHr
' H%x9lY
^.YW2
.udxBd
*UDp0
0<BtcPD
iÄWK0
hF.IN
Vg.tl
&Li.qi
e.ZyZ
n%UXv
:U%cG
%Xi~pT
Sdu%U7
[=T&5%U
n?-7}
gX%CQzE
.Ua}4/
-.yqE
].Hdg
a-H%u;
%xZ|B
.Lxx~z
Dmw.RsM
6%|0&} %
-Kuc%dt
x9.Wv
/3%Do3
&.mb\Q
SH.ou
gB.NX
6~.Jmy>
!ÖS
p.BgB
\=%5S
m#q'.dd
.UxRXu
T?%ut
kB6g.zB#
s.vd!0
eb!:.Uja
@o.EWm
{_.pbWeBBu
1-s} a
VuZm%s
.SSqm @
.vleE
%f=0DKT%}x
.jl`#B
b$.NY
.zOvTP
l,r%s
{|QwfI.WI
:-9.RL
.vBx{l%CS$
%3u$n
!.qf]
q6l@%X5CT
?Y`%UUF
".je<J
|p%.c
zo0%Fo
.hztTOgS1
emSg
z.GP/7
W.bXF
(5.QP
8i%3U
%Xm9*
ruRL
8%SZv
RQr17.ox
.wo| !
8s%C
.pK=@&=
`.cLG
r.Iuy
Ue-o}L
L%X_n
0.xD`Q
6^3r%c
I.ysd
RASAPI32.dll
xH`
7.bD $l
.LwvE=
%c(OF
AVIFIL32.dll
{Z.Aq6.gq2
.BAqs
3, 1233, 0, 0
mscoree.dll
nKERNEL32.DLL
WUSER32.DLL
%s_tmp
errcode : %d,
1.0.0.2
Error at hooking API "%S"
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Error: 0x%X
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Error: %d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:2460
regsvr32.exe:2640
regsvr32.exe:2456
regsvr32.exe:1256
regsvr32.exe:560
regsvr32.exe:3156
regsvr32.exe:3136
regsvr32.exe:3336
regsvr32.exe:3168
regsvr32.exe:2364
regsvr32.exe:3176
%original file name%.exe:2636
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Data\dm.dll (823 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.