Trojan.Generic.19471292_ac1dce347f

by malwarelabrobot on November 7th, 2016 in Malware Descriptions.

Trojan.Generic.19471292 (B) (Emsisoft), Trojan.Generic.19471292 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ac1dce347f2446d026186438f6326f35
SHA1: c69ec662098250e97f3c0faf723b3ca6d45a244e
SHA256: 0d144c78c50d7da4fc48466db7fc0b480d06a98434420569596f1f32b1882ccf
SSDeep: 24576:5M2wqgYAOUKC9tpLJUq2tCBv5MoElG4oftbK0CdrNoMJ9rofw0jqXR8I3HaS4vN1:5UpN2t4ElG4 sdrNo9w0jqX9Zi
Size: 2019328 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-26 21:56:55
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (3724 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (2016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AA7WAFJC.txt (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SBRYYQR6.txt (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (2016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\1.4[1].js (46119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EZYC00EU.txt (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\aplus_v2[1].js (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\uac[1].js (542 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\um[1].js (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1464 bytes)
C:\dll.zip (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\kg[1].js (18900 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD347.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\login.taobao[1].xml (1074 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\fp[2].swf (2924 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\nc[1].css (7240 bytes)
C:\CrackCaptchaAPI.dll (38904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\font_1451959379_8626566[1].eot (22263 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\pt2[1].js (1864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\kg[1].js (11450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[2].js (238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\81[1].js (98212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\1.4[1].js (10493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD346.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\font_1465353706_4784257[1].eot (5260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\69UIMC0S.txt (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5AKWAGDB.txt (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\nc[1].js (61469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\xd[1].js (762 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\TB1R5zYKVXXXXb7XVXXXXXXXXXX-32-32[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\new-loginV2[1].css (7667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\nlogin[1].js (18568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[1].js (20809 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\login_pc[1].css (401 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\JSocket[1].swf (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\UUWiseHelper.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\1.4[1].js (1447 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (1 bytes)
C:\sqlite3.dll (19096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\js[1].js (1015 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\seed-min[1].js (31426 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\login[1].htm (3538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KIAAR139.txt (93 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD347.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SBRYYQR6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\aplus_v2[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD346.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\login[1].htm (0 bytes)
C:\dll.zip (0 bytes)

Registry activity

The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91568"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "C0 72 5D 44 5B 38 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com]
"(Default)" = "14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ac1dce347f2446d026186438f6326f35_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "C0 72 5D 44 5B 38 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
b42b7378004f2052d7b440f6c8199692 c:\CrackCaptchaAPI.dll
dc6b73cbd1f6f5cec640a8c634ae50c8 c:\UUWiseHelper.dll
d6580cc678d0a80596628cd3cab61ff1 c:\sqlite3.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????????
Product Name: ???????????
Product Version: 5.2.5.0
Legal Copyright: ?????????
??:http://www.oowise.com
????QQ:9996860
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.2.5.0
File Description: ?????? ?????????
Comments: ?????? ?????????
Language: German (Germany)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 8192 8192 3.72698 54fd7ed452972ca6642bc5c0260eed1c
.text 12288 1139533 1142784 4.49944 f7dcf14ea0c0176ee5657c7f6bd54137
.rdata 1155072 689576 692224 4.2712 10d9c8f15162700675a86d19185195e4
.data 1847296 435921 118784 3.67776 d1f54305deadbddc5f3978b98765716e
.rsrc 2285568 49620 53248 3.89075 1db9f3210c599bb878606a1fbb9d0144

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ssl.oowise.com/Download/dll.zip 120.25.220.207
login.taobao.com 106.11.95.2
img.alicdn.com 23.219.143.8
af.alicdn.com 80.231.126.240
ynuf.alipay.com 140.205.174.93
at.alicdn.com 80.231.126.250
ynuf.aliapp.org 140.205.142.13
aeu.alicdn.com 23.219.143.8
g.alicdn.com 213.244.178.250


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDH0GzxSIRcX7TjQ3Cw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:25 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d477bf27f8a68e55de939bcea0198f8391478456784; expires=Mon, 06-Nov-17 18:26:24 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 16:57:25 GMT
Expires: Thu, 10 Nov 2016 16:57:25 GMT
ETag: "cd1c44b020a23987f32c77e7c755576655168f37"
Cache-Control: public, max-age=340260
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda97f63331405c-SOF

<<< skipped >>>

GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:27 GMT
Content-Type: application/ocsp-response
Content-Length: 1576
Connection: keep-alive
Set-Cookie: __cfduid=d5dc6bc4bea92edf0567a2c2092fe5df81478456787; expires=Mon, 06-Nov-17 18:26:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:31:39 GMT
Expires: Thu, 10 Nov 2016 15:31:39 GMT
ETag: "2712dfecd45911efee6d4798a94c090401ce675d"
Cache-Control: public, max-age=335112
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda980933c2405c-SOF

<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDAnOAiDP1BQ8yFjyg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:35 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=daf46068fa007ed99c1921ac52ce511e91478456794; expires=Mon, 06-Nov-17 18:26:34 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:52:14 GMT
Expires: Thu, 10 Nov 2016 15:52:14 GMT
ETag: "58b97d4e86ba6dd8c9758907ec359feb7063dd39"
Cache-Control: public, max-age=336339
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda98329540405c-SOF

<<< skipped >>>

GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhmzbUedtf28CkIXb9LojCmw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:27 GMT
Content-Type: application/ocsp-response
Content-Length: 1576
Connection: keep-alive
Set-Cookie: __cfduid=d9d10799adc53b93eecf8fd1109331f981478456787; expires=Mon, 06-Nov-17 18:26:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 15:31:39 GMT
Expires: Thu, 10 Nov 2016 15:31:39 GMT
ETag: "2712dfecd45911efee6d4798a94c090401ce675d"
Cache-Control: public, max-age=335112
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda980986034050-SOF

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1761
content-transfer-encoding: binary
Cache-Control: max-age=483564, public, no-transform, must-revalidate
Last-Modified: Sat, 5 Nov 2016 08:44:05 GMT
Expires: Sat, 12 Nov 2016 08:44:05 GMT
Date: Sun, 06 Nov 2016 18:26:30 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEE1V+4O+uWVgka7IMeo/g6E= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=400642, public, no-transform, must-revalidate
Last-Modified: Fri, 4 Nov 2016 09:39:54 GMT
Expires: Fri, 11 Nov 2016 09:39:54 GMT
Date: Sun, 06 Nov 2016 18:26:30 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYLnHjjHwADjD39iRSceNk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=478542, public, no-transform, must-revalidate
Last-Modified: Sat, 5 Nov 2016 07:18:45 GMT
Expires: Sat, 12 Nov 2016 07:18:45 GMT
Date: Sun, 06 Nov 2016 18:26:36 GMT
Connection: keep-alive

<<< skipped >>>

GET /Download/dll.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ssl.oowise.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:20 GMT
Server: Apache
Last-Modified: Thu, 01 Sep 2016 12:19:11 GMT
ETag: "701a8-104a74-53b7138a16dc0"
Accept-Ranges: bytes
Content-Length: 1067636
Connection: close
Content-Type: application/zip
PK........$v.F.Y2..k..........CrackCaptchaAPI.dll.}}xSU...G.P.I!-...(.
Q.B.A..-JJ.i.$.-.|.../...Xg`,.....Qf...GP_u.w.........Bm..V.W.0C..xj;c
....r....4MNJ.....'.c.........9.....t......r\-..r.....g.......''.j.NN^
.z......z|.COf>..O~..;..G37..$...d...0....=:g...,..{..M..8'O...:...
.....[C.{...se............s..i....z..g..}..O..|........8.@..=<.."..
..N..I..,3..O.e..C.qf4....OP..ih.r...Q.}U......Hn......p.@{.g....4..W1
.9....qk.1s.C.>.i.......M?..h...."...F....s6.{....}.c=.}%.g......9.
..(.._.p.....D...l|z.#p.t.[%..7..w..G.?...]...Kp....;.................
W-f.{...s..........u=..]Z..`....f..=........zR......W.%..Nm...........
F...HO....j....n...?..'...Sz.%.[..._j..^C!yOwVaq..q.-`}..m=.^.*.Q....U
....xx....C.........V...'.{.`?..Y....V.......x.J..I-fB.1VpV..5........
......V[......Q..........%.M.{...P....~......G%..(...[..u.x........`P,
;h...*..6....j......./5....g{.y.....k...~P..........;..9,..4......p..4
k. N.@..\...s0...Oj9O...W.....| Q>........O.....S>. .-$...%..N0
3..&....h.i4..Q(.k...LQ"...,....&`.....hY.t . .d..e..LO0es...j..nZ..S.
.})IC.G...N...[M^jL.])....3)o..S.,..n.<..S.....Y.i<...e..h...(..
?...^l...a....1..).....d.......{W1J.A...#:E..\......Tb...j..9...../}..
<.3.T......5....r.U.._$h?.-...5.......D.=E..U:.1.'...r.7..z....a...
.....p...\..~..G,^..b.....'....J6.%;.6..pZ..k..C....=(q.(..(...!D..|..
.<D..Q.3Jc..K.4C........N.....0U......i~....W.......7....b]z.B.^..s
..-'.oj..p..T_|S.w..#...Q{.M"...;..;.7.X.J....<.:.v(.>..-.nS..{.
R..=..Z.....y....DO gs.......@E...42U.....S;.........OFF.?E. N..O.

<<< skipped >>>

GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 06 Nov 2016 18:26:23 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d4239b93e42a1b7033431a3113e1cea311478456783; expires=Mon, 06-Nov-17 18:26:23 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 06 Nov 2016 16:07:29 GMT
Expires: Thu, 10 Nov 2016 16:07:29 GMT
ETag: "f3d6a1837a428db76107dba0997cf2e5b583b3b2"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2fda97f346a0405c-SOF
0..........0..... .....0......0...0.......ue......$I1......dO..2016110
6160729Z0n0l0D0... .........W......#....*..2..1..`{f.E....P/}..4....K.
.......DN.BG....20161106160729Z....20161110160729Z0...*.H.............
T{.x.......Z.f....c..C..[..>....}..Fw&DQ.y...{BL...c..l..?.f...K*g.
..w..)....&.NG......k<Y....0;....."A-r.&p`............{.;...`..<
h.{W5..[.,H.....!Nx.=.O6Ue-t..Z. ...g .X..[..Z.....mZ.....>c...DGYA
.;.W..._.5dM#....}....7w|~....:?I........J..i.|cb...^.t6Q3....0...0...
0..........H.i..E...\...I0...*.H........0W1.0...U....BE1.0...U....Glob
alSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...1608070
00000Z..161115000000Z0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U
...(GlobalSign OCSP for Root R1 - Signer 1.20.."0...*.H.............0.
........ga..)..*.n/X..z.<.....E'..rB(Z\'1..,....g.e.{.}...4...8.sU.
...@...h.3D.C......i.LKu..7..uv.#...3hN....1.-..u[.........D../jS.....
`....#.M.vm.:Pj~.t].Fq......B.M.NI~H`..L.n....2.W.....f_>5b. ....].
.....p.6.E. ..P..a....Y......W.......:....K.~..2%G......^0.........0..
0...U...........0...U.%..0... .......0...U.......0.0...U.......ue.....
.$I1......dO0...U.#..0...`{f.E....P/}..4....K0... .....0......0L..U. .
E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/
0...*.H..............$..L...N.x4..FX.j.u.......;.0..>.C)9........z.
...n..k,....f...K....A...a..@...b.qZ....Z......4.L.i...=.C.....0(*....
................1..R.B|..Zn..u.......=2H..^..63.......?!_s..b]J...._..
.o.B..P...H. .s7..s.~..P..@...S...l..9.....$.....3....P6.'.$......

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2180:

.text
`.rdata
@.data
.rsrc
{82B46959-3065-46a0-8340-3BB58B77A259}
bywayboy@gmail.com
hXXp://VVV.ecodeproject.cn/bbs
:16882569
kernel32.dll
ole32.dll
msvcrt.dll
fne.dll
t%SVh
t$(SSh
~%UVW
u$SShe
wininet.dll
WinINet.dll
CrackCaptchaAPI.dll
user32.dll
UUWiseHelper.dll
urlmon.dll
sqlite3.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
Login2
ReportResult
uu_reportError
uu_loginA
UrlMkSetSessionOption
sqlite3_errcode
sqlite3_finalize
sqlite3_prepare_v2
sqlite3_bind_blob
sqlite3_step
sqlite3_get_table
sqlite3_free_table
sqlite3_changes
sqlite3_data_count
sqlite3_reset
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_double
GetProcessHeap
sqlite3_sql
sqlite3_column_bytes
sqlite3_open_v2
sqlite3_close
sqlite3_rekey
sqlite3_key
sqlite3_free
sqlite3_errmsg
sqlite3_libversion
sqlite3_busy_timeout
sqlite3_exec
sqlite3_interrupt
WebBrowser
&api=cancellation.lg
&mutualkey=
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXps://login.taobao.com/member/request_nick_check.do?_input_charset=utf-8&username=
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
&loginsite=0&newlogin=0&TPL_redirect_url=http://portal.gongxiao.tmall.com/supplierIndex.htm&from=tb&fc=default&style=default&css_style=&tid=XOR_1_000000000000000000000000000000_63504554470A7C717D71047B&support=000001&CtrlVersion=1,0,0,7&loginType=3&minititle=&minipara=&umto=T068afe2a986ae40dfd2fc252ad4e61e4&pstrong=2&llnick=&sign=&need_sign=&isIgnore=&full_redirect=&popid=&callback=&guf=&not_duplite_str=&need_user_id=&poy=&gvfdcname=10&gvfdcre=&from_encoding=&sub=true&TPL_password_2=&loginASR=0&loginASRSuc=0&allp=&oslanguage=&sr=1366*768&osVer=windows|6.1&naviVer=ie|8
&TPL_password=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm
/data/login.txt
gotoURL:"
login.taobao.com/member/login_unusual.htm
hXXps://passport.alipay.com/mini_apply_st.js?site=0&token=
hXXps://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
checkcodev3.php
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
&how=&app=weblayer&v=3&w=&back=
hXXp://alisec.tmall.com/tmdgetv3.php?code=
supplier_setting.htm'>
1970-01-01 00:00:00
i@hXXps://login.taobao.com/member/login.jhtml?tpl_redirect_url=hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm&style=miniall&enup=true&newMini2=true&full_redirect=true&from=tmall&allp=assets_css=3.0.5/login_pc.css&pms=1452608347355
taobao.com
tracknick=
tmall.com
i < str.length ;
) a[i] = ("00" + str.charCodeAt(i++).toString(16)).slice(-4);
return "\\u" + a.join("\\u");
return unescape(str.replace(/\\/g, "%"));
) a[i] = str.charCodeAt(i++);
return "&#" + a.join(";&#") + ";";
return str.replace(/&#(x)?([^&]{1,5});?/g, function (a, b, c) {
return String.fromCharCode(parseInt(c,b?16:10));
hXXp://alisec.tmall.com/checkcodev3.php?apply=scc&http_referer=hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
hXXp://regcheckcode.taobao.com/auction/checkcode?sessionID=
hXXp://VVV.uuwise.com/User/VipPay.aspx
&api=liuyan.in&table=
&api=gg.in
&api=logica.in
&api=logicinfoa.in
&api=logicb.in
&api=logicinfob.in
&api=imga.in
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_PhysicalMedia")
GetTrait =Obj.SerialNumber
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
GetTrait = Obj.ProcessorId
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_ComputerSystem")
GetTrait = Obj.Name
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_baseboard")
GetTrait = Obj.SerialNumber
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_NetworkAdapterConfiguration")
If Obj.IPEnabled=True Then
GetTrait = Obj.MacAddress
&key=
&api=login.lg&user=
&api=internet.in
<td colspan="2">[\s\S]*?<p>[\s\S]*?<span class="J_WangWang aliww" data-nick="([\s\S]*?)" data-display="[\s\S]*?"></span>[\s\S]*?<a class="icon-[\s\S]*?"></a>[\s\S]*?</p>[\s\S]*?</td>
hXXp://qudao.gongxiao.tmall.com/supplier/json/cancel_invitation_json.htm?action=user/invitation_action&event_submit_do_cancel=t&invitationId=
hXXp://qudao.gongxiao.tmall.com/supplier/json/cancelInvitationJson.htm?action=user/invitation_action&event_submit_do_cancel=t&invitationId=
(.txt)|*.txt
TEAKEY
hXXps://amos.alicdn.com/muliuserstatus.aw?beginnum=0&site=cntaobao&charset=utf-8&uids=
&apply=scc&referer=http://qudao.gongxiao.tmall.com/supplier/user/invitation_list.htm
hXXp://alisec.tmall.com/tmdgetv3.php
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm?_tb_token_=
hXXp://qudao.gongxiao.tmall.com/supplier/user/invitation_record_list.htm
SELECT ctime FROM normaltb WHERE nick = '
nick =
INSERT INTO normaltb (ID,userid, nick,ctime,type) VALUES
&api=jiekey.lg&user=
hXXp://v3.dama2.com/index/
hXXp://gongxiao.tmall.com/supplier/user/distributor_terminate.htm?cooperateId=
http:
1E7540C7-006A-4852-A1BF-F7D7CEB9879A
32F1C86B-E64C-4EAF-8BC1-C142570008BC
SESSIONkEY
-12027,TEAKEY
&_fms.di._0.c=
&event_submit_do_end_cooperate=t&_fms.di._0.d=1&_fms.di._0.e=
&action=supplier/user/cooperate_action&cooperateId=
<span class="msg"><span class="error">
&action=/supplier/user/cooperate_action&event_submit_do_agree_end_cooperate=1&_tb_token_=
hXXp://gongxiao.tmall.com/supplier/json/json_result.htm?cooperateId=
hXXp://qudao.gongxiao.tmall.com/supplier/user/salers_search_list.htm?
1000001
5000001
10000000
2000000
1000000
hXXp://VVV.ruokuai.com/home/register
hXXp://alisec.taobao.com/tmdgetv3.php?code=
nick":"
hXXps://shopsearch.taobao.com/search?app=shopsearch&fs=1&java=on
hXXp://VVV.ruokuai.com/login
&status=1&action=supplier/user/SalersAction&needPageTotal=false&total=&orderBy=gmt_create&salerType=2&direction=desc&distributorNick=&beginDate=&endDate=&gradeId=&tradeType=&priceCountLow=&priceCountHeigh=&productLineShow=&productLine=&orderCountLow=&orderCountHeigh=
hXXp://gongxiao.tmall.com/supplier/user/my_salers_list.htm
CooperateId_([\s\S]*?)<tr class=#
&cooperateId=
data-nick="
hXXps://amos.alicdn.com/muliuserstatus.aw?beginnum=0&site=cntaobao&charset=utf-8&uids=
&pageTotal=&needPageTotal=false&orderby=default&brandId=0&distributorNick=&userMarket=0
hXXps://goods.gongxiao.tmall.com/supplier/user/distributor/dist_stat_list.htm
<b class="J_WangWang" data-nick="([\s\S]*?)" data-display="inline" data-icon="static" style="vertical-align:text-top"></b>
pageNum=&pageTotal=&needPageTotal=false&orderby=default&brandId=0&distributorNick=
insert into salerlist (shopid, userid,wangwangnick,distributorId,hassend,intime) VALUES
_86&userNick=
hXXp://qudao.gongxiao.tmall.com/supplier/json/invite_result.htm?action=user/invitation_action&event_submit_do_search=t&_input_charset=utf-8&&_ksTS=
hXXp://qudao.gongxiao.tmall.com/supplier/json/invite_result_json.htm?action=user/invitation_action&event_submit_do_invite=t&_input_charset=utf-8&&_ksTS=
hXXp://qudao.gongxiao.tmall.com/supplier/json/jsonResult.htm?action=user/salers_search_action&event_submit_do_recruit=t&tbDisId=
{shopurl}
hXXps://shop.m.taobao.com/shop/shop_info.htm?user_id={shopurl}
hXXp://mai.taobao.com/seller_admin.htm
hXXp://gongxiao.tmall.com/supplier/user/distributor_detail.htm
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
\sqlite3.dll
\CrackCaptchaAPI.dll
\UUWiseHelper.dll
\data\set.ini
\set.ini
hXXp://ssl.oowise.com/AppEn.php?appid=30000000&md5=863461ed672e10c6902837d7fdde3e42
VVV.oowise.com
909797891
&api=BSphpSeSsL.in
&api=v.in
/dll.zip
hXXp://ssl.oowise.com/Download/dll.zip
\dll.zip
&api=GetPleaseregister.lg&user=
&api=chong.lg&user=
&api=weburl.in
(.csv)|*.csv
&api=registration.lg&user=
120894001|
50020808|
50020857|
50008164|
50020611|
50023904|
50010788|
50023282|
50019780|
50018222|
50018264|
50012164|
50007218|
50018004|
50022703|
50011972|
50012100|
50012082|
50002768|
50020332|
50020485|
50020579|
50016349|
50016348|
50008163|
50014812|
50022517|
50008165|
50020275|
50002766|
50016422|
50010728|
50013886|
50011699|
50011740|
50006843|
50006842|
50010404|
50011397|
50017300|
50012029|
50013864|
50025705|
50026316|
50023804|
50026800|
50050359|
50074001|
50468001|
50510002|
50008141|
wangwangnick
nick
SQLite format 3
ON "normaltb" ("userid" ASC, "nick" COLLATE BINARY ASC)
"ID" INTEGER PRIMARY KEY AUTOINCREMENT,
"nick" TEXT,
ON "salerlist" ("wangwangnick" ASC, "distributorId" ASC)1
indexsqlite_autoindex_salerlist_1salerlist
"wangwangnick" TEXT NOT NULL,
PRIMARY KEY ("wangwangnick" ASC, "distributorId")
Ytablesqlite_sequencesqlite_sequence
CREATE TABLE sqlite_sequence(name,seq)
hXXps://
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
&api=timeout.lg
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
"0,01070
88J8R8x8
0#0'0-01070;0
=*>0>4>8><>
5%6S6
3$3,383\3|3
:-1014,URL
:-19011,
hXXps://gongxiao.tmall.com/supplier/user/distributor_detail.htm?distributorId=
taobaocdn.com/newrank/
&logintype=2&_ksTS=1419347542359_164&callbackName=MinervaLoginCallback
hXXps://service.taobao.com/support/minerva/sdk/minerva_login.do?version=2&loginname=
&ver=7.00.34T
hXXp://tradecardseller.wangwang.taobao.com/tradecard/nameCard.htm?uid=cntaobao
&ver=8.00.34C
hXXp://tradecard.wangwang.taobao.com/tradecard/buyer/nameCard.htm?uid=cntaobao
hXXps://shop.m.taobao.com/shop/shop_info.htm?user_id={userid}
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
hXXps://shop.m.taobao.com/shop/shop_index.htm?shop_id={shopurl}
.taobao.com/
hXXps://shop
.tmall.
.alitrip.
.taobao.com/search.htm?search=y
J_ShopAsynSearchURL
.taobao.com
item.htm?id=
nickName:'
nickName: '
&wangwangnick=
&shopkeyword=
<td colspan="2">[\s\S]*?distributorId=([\s\S]*?)"[\s\S]*?<p>[\s\S]*?<span class="J_WangWang aliww" data-nick="([\s\S]*?)" data-display="[\s\S]*?"></span>[\s\S]*?<a class="icon-[\s\S]*?"></a>[\s\S]*?</p>[\s\S]*?</td>
SELECT hassend FROM salerlist WHERE wangwangnick = '
&api=url.in
hXXp://VVV.taobao.com/webww/?&ver=1&touid=cntaobao
hXXp://api.ruokuai.com/register.xml
hXXp://api.ruokuai.com/info.xml
hXXp://api.ruokuai.com/recharge.xml
hXXp://api.ruokuai.com/create.xml
hXXp://api.ruokuai.com/reporterror.xml
VBScript.RegExp
&password=
application/x-www-form-urlencoded
WinHttp.WinHttpRequest.5.1
&softkey=
Content-Disposition: form-data; name="password"
{pass}
Content-Disposition: form-data; name="softkey"
{softkey}
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
Primary Key
select count(*) from sqlite_master where type='table' and tbl_name='
select name as title from sqlite_master where type='table'
select name as title from sqlite_master where type='table' and name not like('sqlite%')
sqlite_master
select sql from sqlite_master where type='table' and name='
select sql from sqlite_master where type='index' and name='
select sql from sqlite_master where type='view' and name='
select sql from sqlite_master where type='trigger' and name='
MSXML2.ServerXMLHTTP
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
SetClientCertificate
(Xn*%f
a.pRT
.QD@R
.UIJI
hXXp://VVV.oowise.com
.kof'
oW.kr
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
? deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
?456789:;<=
!"#$%&'()*+,-./0123
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
VERSION.dll
MSVFW32.dll
AVIFIL32.dll
RASAPI32.dll
WinExec
GetWindowsDirectoryA
GetKeyState
MsgWaitForMultipleObjects
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
COMCTL32.dll
oledlg.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) CometHTTP
1.1.4
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
CCaptchaRecognizer::recognizeByCodeTypeAndUrl
hXXp://s1.uudati.com:
hXXp://s1.taskok.com:
hXXp://s1.uudama.com:
hXXp://s1.uuwise.com:
/Api/config.aspx
2.0.0.5
WiseClientAPI-2.0.0.5
CCaptchaRecognizer::__UpdateTKEY
CCaptchaRecognizer::_IsNeedLogin
/Api/DecodeImg.aspx
xxxxxxxxxxx
hXXp://p1.uuwise.net:
hXXp://p1.uudama.net:
hXXp://p1.taskok.com:
hXXp://p1.uuwise.com:
hXXp://p1.uudama.com:
CCaptchaRecognizer::easyRecognizeUrl
%d%d%d%d%d
CCaptchaRecognizer::_CalcRandomPort
/Api/VerifyAPIFile.aspx
/Api/UserLogin.aspx
CCaptchaRecognizer::login
/Api/UserReg.aspx
/Api/PayCard.aspx
/Api/ReportError.aspx
CCaptchaRecognizer::reportError
/Api/UserPoint.aspx
|2.0.0.5|
/Api/DecodeResult.aspx
ID/KEY/
ByTypeBytes.JPG
%d-%d-%d
CHttpRequestHelper::_ReadResponse
User-Agent:WiseClient-2.0.0.5;
WiseClient-2.0.0.5
CHttpRequestHelper::_InternalRequest
CHttpRequestHelper::RequestGetImage
CHttpRequestHelper::RequestPost
ServerPort
UUExtConfig.ini
-:-:-.%d
tCRYPTDLL.DLL
3.cn.pool.ntp.org
2.cn.pool.ntp.org
1.cn.pool.ntp.org
0.cn.pool.ntp.org
cn.pool.ntp.org
\\.\PHYSICALDRIVE0
Microsoft Windows Millennium Edition
Microsoft Windows 98
Microsoft Windows 95
%s (Build %d)
Service Pack 6a (Build %d)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Web Edition
Service Pack %d (Build %d)
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003,
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 "R2"
Windows Server 2008
Windows Vista
Windows Server 2008 R2
Windows 7
ox-x-x-x-x-x
\Tencent\Users\*.*
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
!"#$%&'()*+,-.
uuwise.com
2, 0, 0, 5
1.0.0.1
(*.*)
5.2.5.0
:hXXp://VVV.oowise.com


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (3724 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (2016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AA7WAFJC.txt (282 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SBRYYQR6.txt (282 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (2016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\1.4[1].js (46119 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EZYC00EU.txt (287 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\aplus_v2[1].js (1909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\uac[1].js (542 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\um[1].js (286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1464 bytes)
    C:\dll.zip (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\kg[1].js (18900 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD347.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_A8352CE05B25F0F9D10DF67B4AF32E1D (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\login.taobao[1].xml (1074 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_2482221837C207831DF64C0E13622E54 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\fp[2].swf (2924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_6F40F84EFC7436F970496216E829CD7E (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\nc[1].css (7240 bytes)
    C:\CrackCaptchaAPI.dll (38904 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\font_1451959379_8626566[1].eot (22263 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\pt2[1].js (1864 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\kg[1].js (11450 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[2].js (238 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\81[1].js (98212 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\1.4[1].js (10493 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD346.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\font_1465353706_4784257[1].eot (5260 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\69UIMC0S.txt (287 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5AKWAGDB.txt (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\nc[1].js (61469 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\xd[1].js (762 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\TB1R5zYKVXXXXb7XVXXXXXXXXXX-32-32[1].gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\new-loginV2[1].css (7667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\nlogin[1].js (18568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\um[1].js (20809 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\login_pc[1].css (401 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\JSocket[1].swf (485 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
    C:\UUWiseHelper.dll (10136 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\1.4[1].js (1447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_21E8013D91D4BCA4E3DD193D1780CFED (1512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_D3965FB3F59D07F18EB51DE6E2F34F1C (1 bytes)
    C:\sqlite3.dll (19096 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\js[1].js (1015 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\seed-min[1].js (31426 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\login[1].htm (3538 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KIAAR139.txt (93 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
