Sample details: 4ef5f0a660c9ae3e32eb109e1e7bfa30

Hashes
MD5: 4ef5f0a660c9ae3e32eb109e1e7bfa30
SHA1: b02b7fde30930161726fdd7e872da43b271f2c3b
SHA256: db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef
SSDEEP: 6144:uj7pn+5J7GRQtr3XMxJR2O5jRQtr3Xxw+:uj47mor3XMxJL5dor3X5
Details
File Type: MS-DOS
Added: 2018-03-06 21:08:22
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasModified_DOS_Message | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Browsers | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/anti_dbg | YRP/inject_thread | YRP/network_http | YRP/network_tcp_socket | YRP/escalate_priv | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API
Source
http://94.130.104.170/Dump//dump1.exe
http://94.130.104.170/Dump/dump1.exe
Strings
		Win32 only!
S[LordPE]
`.rdata
@.data
`.rdata
D$0QPQPW
,VWj@3
PRRj RRRWS
SVSj@Sj
LdrGetProcedureAddress
NtMapViewOfSection
ZwQueueApcThread
I'm DYRE!
Shit happens :)
NtQuerySystemInformation
StrStrIW
SHLWAPI.dll
GetFileSize
SetFilePointer
lstrlenA
FindResourceW
LoadResource
CreateProcessW
GetCurrentProcess
GetModuleHandleW
VirtualFree
WriteFile
SizeofResource
ReadFile
CreateFileW
lstrlenW
GetLastError
GetProcAddress
VirtualAlloc
OpenThread
LockResource
lstrcmpiW
CreateToolhelp32Snapshot
CloseHandle
HeapAlloc
HeapFree
HeapCreate
OutputDebugStringW
ExitProcess
GetCommandLineW
MapViewOfFile
OpenProcess
LoadLibraryW
GetModuleFileNameW
lstrcmpW
OpenMutexW
Process32FirstW
GetProcessId
IsWow64Process
CreateFileMappingW
Process32NextW
lstrcatW
DeleteFileW
lstrcpyW
KERNEL32.dll
wsprintfW
USER32.dll
RegCreateKeyExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
SHGetFolderPathW
SHELL32.dll
GetProcAddress
GetVersionExW
VirtualAlloc
VirtualFree
VirtualProtect
LoadLibraryA
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
t/9\$hu)SS
|$$9\$$t@SS
D$dSPj
tw9\$huq
D$d u;
tK9|$@uEWW
QPVhH0
PWWj WWWWS
jd^j X
PWVhjD
VVVVS3
tkWVVj
V j?Y+
jWX_^[
PWWVVVVVS
srv_alias
%d/%s/%s
Win_7_SP1
Win_XP
Win_8.1
Win_Server_2003
Win_Vista_SP2
Win_Vista
Win_Vista_SP1
unknown
_32bit
/%s/%s/0/%s/%d/%s/
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
/%s/%s/5/%s/%s/
Opera/9.80
publickey
replace
backconn
%s/%s/0
noname
RtlTimeToSecondsSince1970
%sbound-%d
Content-Disposition: form-data; name="%s"
--%s--
Content-Type: multipart/form-data; boundary=
Content-Length: 
Accept: text/html
Connection: Keep-Alive
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
%d.%d.%d.%d
canot get config
start success
start fail
ClientSetModule
VncStartServer
VncStopServer
222289DD-9234-C9CA-94E3-E60D08C77777
VNCModule
AUTOBACKCONN
start failed
cannot get VNC
RtlCreateUserThread
GetAdaptersAddresses
IPHLPAPI.DLL
WSAWaitForMultipleEvents
WSAResetEvent
WSACreateEvent
WSAEventSelect
WSAEnumNetworkEvents
WSAConnect
WSASend
WSASocketW
WSARecv
WSACloseEvent
GetAddrInfoW
FreeAddrInfoW
WS2_32.dll
StrToIntA
StrStrIA
StrStrIW
StrToIntW
SHLWAPI.dll
InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlA
WININET.dll
OpenProcessToken
CryptAcquireContextW
GetTokenInformation
CryptReleaseContext
LookupPrivilegeValueW
LookupAccountSidW
CryptCreateHash
CryptDestroyHash
AdjustTokenPrivileges
CryptHashData
CryptVerifySignatureW
CryptImportKey
ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll
lstrlenA
SetEvent
CreateEventA
GetLastError
ResetEvent
CloseHandle
CreateThread
lstrcpyA
TerminateThread
CreateMutexW
WaitForSingleObject
ReleaseMutex
lstrcmpA
GetVersionExW
lstrcatA
CreateEventW
GetFileSize
FindResourceW
LoadResource
CreateProcessW
SystemTimeToFileTime
GetCurrentProcess
QueryPerformanceCounter
GetModuleHandleW
WriteFile
WideCharToMultiByte
SizeofResource
ReadFile
CreateFileW
lstrlenW
GetProcAddress
VirtualAlloc
GetLocalTime
LockResource
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentProcessId
GetTickCount
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
FlushFileBuffers
GetComputerNameA
lstrcatW
lstrcpyW
GetTempFileNameW
GetTempPathW
OpenMutexW
OpenProcess
VirtualFreeEx
VirtualAllocEx
Process32FirstW
Process32NextW
WriteProcessMemory
KERNEL32.dll
wsprintfA
USER32.dll
SHGetFolderPathW
SHELL32.dll
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
LoadLibraryA
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
=HTTPt
=GET t
=PUT t
9.rdau
9.texu
t'F<]t
t{Fj V
IHt9Ht
=HTTPt
=GET t
=PUT t
=HTTPt
=GET t
=PUT t
VWPQR3
L$,QWS
QWVhP{
>POSTuK
LoadLibraryExW
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
%s/%s/0
/%s/%s/63/checkfile/%s/%s/
Opera/9.80
/%s/%s/63/file/%s/%s/%s/
%sbound-%d
Content-Disposition: form-data; name="%s"
--%s--
Content-Type: multipart/form-data; boundary=
Content-Length: 
Accept: text/html
Connection: Keep-Alive
Content-Length:
Transfer-Encoding:
Cookie: 
Referer: 
X-CSRF-Token: 
X-Requested-With: 
Content-Type: 
Content-Type:
NSPR4.DLL
NSS3.DLL
PR_Read
PR_Write
PR_Close
wininet.dll
Send wininet.dll failed
Check wininet.dll on server failed
Error code %x, %s
Error code %x
AUTOBACKCONN
logkeys
not_support
logpost
X-Forwarded-For: %s
BotInfo: %s %s
vstp341qa=
vstp341qb=
InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
WININET.dll
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSASocketW
WSARecv
WSAResetEvent
WSACreateEvent
WSAConnect
WSASend
WSACloseEvent
WS2_32.dll
StrToIntA
StrStrIA
StrChrA
StrStrIW
SHLWAPI.dll
GetModuleHandleW
GetLastError
SetLastError
GetProcAddress
lstrlenA
WaitForSingleObject
SetEvent
lstrcatA
CreateEventW
CloseHandle
lstrcpyA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetFileSize
lstrcmpA
GetCurrentProcess
QueryPerformanceCounter
VirtualFree
WriteFile
Thread32First
Thread32Next
ReadFile
CreateFileW
VirtualAlloc
OpenThread
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentThreadId
GetCurrentProcessId
SuspendThread
ResumeThread
GetTickCount
CreateThread
lstrcpynA
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
FlushInstructionCache
VirtualProtect
LoadLibraryA
OutputDebugStringW
LocalAlloc
LocalFree
CreateMutexW
ReleaseMutex
GetModuleFileNameW
lstrcatW
GetWindowsDirectoryW
KERNEL32.dll
wsprintfA
wsprintfW
USER32.dll
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptDestroyHash
CryptHashData
ADVAPI32.dll
d[[[[[
[[[[[[[[[[[[js
[RRRR[[[[w|w
vv[[[[[[[[[[[
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
WWWWWWWWWWWW
WccccWWWWT
SSWWWWWWWWWWW
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
1&151E1O1j1
2H2]2m2r2}2
3,3_3e3r3x3
4!4H4U4h4{4
5$5D5V5i5x5
5/656B6H6X6w6
848G8U8d8o8
9V9n9y9
:$:3:u:z:
;$;,;\;m;u;
<!<&<-<6<=<d<
=1=7=A=G=N=Y=g=q=x=
10191H1M1T1e1q1
4-4?4w4~4
5:5Q5X5^5q5
6:6^6q6
7#7B7d7
989d9x9
96:R:h:v:
;%;9;U;
<&<N<b<t<
=2=R=c=m=
>&>I>R>_>x>
;0H0V0s0
0"1Y1i1
2V2m2y2
3H4R4u4
6 666?6L6r6
7"7/7h7o7y7
8Y8e8q8y8
8"9:9`9f9u9
:!:B:K:m:y:
;';1;I;
;9<N<a<
= =D=b=k=u=
>F>S>n>u>
?4?G?e?w?
0 0<0f0
171a1h1
3+363t3{3	4)4D4t4
5"5K5R5g5q5
6!6f6m6y6
7(8B8b8
979`9m9t9
:$:-:W:p:
=%=S=d=
?"?R?W?a?f?
0H0O0T2X2\2`2d2h2l2@3D3H3L3P3T3X3\3T4\4k4{4
6P6a6o6
737S7f7y7
8P8o8y8
8(919e9w9
:(:::L:`:z:
;(;=;Y;b;u;
<&</<;<R<d<v<
='=3=J=R=r=
>#>+>?>Q>W>a>g>n>y>
1!1.1N1c1q1
2&212:2E2N2Y2b2m2
2#343W3`3k3{3
5(5.5:5E5V5a5
5+6T6`6l6u6
7;7R7X7g7
768U8a8n8~8
:<:C:I:Y:^:d:z:
;';-;6;B;Y;a;
<%<V<]<f<l<q<
=$=0=G=O=t=
>+>5>G>M>W>]>d>o>|>
?0?5???E?N?Y?l?
0?0K0}0
0"131U1^1j1x1
2/2Q2[2e2o2z2
3*3A3^3g3
5,535H5i5r5
7!7P7V7k7x7
808:8c8
8"9D9O9
<(=2=q=
?&?f?p?
1'1g1v1
2!2[2b2s2z2
3$3N3X3
5(5A5R5`5
6#696Z6n6
818Q8{8
9!9*959F9i9
:E:X:_:i:
:(;1;U;t;
;6<@<V<k<t<
2 2`2d2
2,303p3t3
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
0*02090c0m0x0
252L2^2
:5:\:n:
1P1h1z1
3>3F3M3
;$;2;@;N;\;j;x;
< <)<V<}<
=2>C>h?
6+646?6c6
7Q7p7w7
:9;F;u;
<5<<<G<d<m<|<
0(0F1h1
2G2c2{2
2)323N3Y3c3u3
314F4R4
6#676>6P6i6}6
7!7.7A7H7U7f7l7
7)8>8T8i8n8y8
8.9:9}9
9e:t:~:
;P;a;q;>< >
>.?7?b?
+020P0
386I6N6
9R9[9f9}9
;I<f<w<
?E?N?b?i?
0,030=0H0Y0g0n0|0
0?1E1K1P1U1[1
1,21262<2
7,8H8l8s8
93:F:Y:
;$;3;;;Y;
<1<T<Z<k<
>!>*>2>O>b>o>
H6L6P6
WVQRAW
A_ZY^_
GetProcAddress
VWSQAWASATARAPI
AXAZA\A[A_Y[_^
SARAPQVWH
_^YAXAZ[
WPRAPAQH
AYAXZX_
APSQARVWHcw<H
_^AZY[AX
RAPAQWH
_AYAXZ
AWSAVWVAUI
A]^_A^[A_
WQHcO<H
VirtualAlloc
VirtualFree
VirtualProtect
LoadLibraryA
!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
@.reloc
@UWAVH
VWATAUAVH
0A^A]A\_^
l$ VWATH
VATAUH
\$ ATH
UVWATAUH
PA]A\_^]
UVWATAUH
pA]A\_^]
|$0fff
L$@9M8r
D$@9E8r
D$@9E8r	
t&H9\$Pt
D$@9E8r	
t&H9\$pt
X UVWAVAWH
A_A^_^]
@SWATH
t$ WAUAVH
SUVWATAVAWH
A_A^A\_^][
 Hc|$`L
@UVWAUH
8A]_^]
8A]_^]
D4 ffff
VATAUH
 A]A\^
 A]A\^
|$ ATH
t$ WATAUAVAWH
A_A^A]A\_
3L$P3L$Ti
3L$X3L$\i
3L$ 3L$$i
@WAUAVH
@A^A]_
@A^A]_
D3D$0D3D$4Ei
t*fffff
WATAUAVAWH
 A_A^A]A\_
d$ UAUAVH
fffffff
@WATAUH
@A]A\_
@A]A\_
@SUATH
@SVAUH
@SAUAVH
0A^A][
0A^A][
0A^A][
L$ SVWAVAWH
PA_A^_^[
PA_A^_^[
@SWATH
t&;|$Xu H
X UWAUH
WATAUAVAWH
A_A^A]A\_
<cuV8A
WATAUH
~Cffff
 A]A\_
@UWATH
USVWATAUAVAWH
fffffff
A_A^A]A\_^[]
WATAUAVAWH
 A_A^A]A\_
WATAUAVAWH
 A_A^A]A\_
WATAUAVAWH
 A_A^A]A\_
VWATAUAVH
@A^A]A\_^
t$ ATH
D3L$8D3L$<Ei
t$ ATH
WATAUH
@A]A\_
3L$03L$4i
@VWAUAVAWH
 A_A^A]_^
 A_A^A]_^
w%f93t2
D;t$DuUfE
fD;l$BuGA
@UWAUH
w&fD9#tI
d$(L9d$ t
\$ UATAUAVAWH
 A_A^A]A\]
@UVATAVAWH
 A_A^A\^]H
 A_A^A\^]
SATAUH
PA]A\[
PA]A\[
\$ VAUAVH
 A^A]^
d$Pfff
 A^A]^
UVWATAUAVAWH
0A_A^A]A\_^]
srv_alias
%d/%s/%s
Win_7_SP1
Win_XP
Win_8.1
Win_Server_2003
Win_Vista_SP2
Win_Vista
Win_Vista_SP1
unknown
_64bit
/%s/%s/0/%s/%d/%s/
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
/%s/%s/5/%s/%s/
Opera/9.80
publickey
replace
backconn
%s/%s/0
noname
RtlTimeToSecondsSince1970
%sbound-%d
Content-Disposition: form-data; name="%s"
--%s--
Content-Type: multipart/form-data; boundary=
Content-Length: 
Accept: text/html
Connection: Keep-Alive
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
%s_W%d%d%d.%s
config
http://icanhazip.com
No NAT
Full Cone NAT
UDP Firewall
Port restricted NAT
Address restricted NAT
Symmetric NAT
unknown NAT
%d.%d.%d.%d
canot get config
start success
start fail
ClientSetModule
VncStartServer
VncStopServer
222289DD-9234-C9CA-94E3-E60D08C77777
VNCModule
AUTOBACKCONN
start failed
cannot get VNC
RtlCreateUserThread
GetAdaptersAddresses
IPHLPAPI.DLL
InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlA
WININET.dll
WSAWaitForMultipleEvents
WSAResetEvent
WSACreateEvent
WSAEventSelect
WSAEnumNetworkEvents
WSAConnect
WSASend
WSASocketW
WSARecv
WSACloseEvent
GetAddrInfoW
FreeAddrInfoW
WS2_32.dll
StrToIntA
StrStrIA
StrStrIW
StrToIntW
SHLWAPI.dll
OpenProcessToken
CryptAcquireContextW
GetTokenInformation
CryptReleaseContext
LookupPrivilegeValueW
LookupAccountSidW
CryptCreateHash
CryptDestroyHash
AdjustTokenPrivileges
CryptHashData
CryptVerifySignatureW
CryptImportKey
ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll
lstrlenA
SetEvent
CreateEventA
GetLastError
ResetEvent
CloseHandle
CreateThread
lstrcpyA
TerminateThread
CreateMutexW
WaitForSingleObject
ReleaseMutex
lstrcmpA
GetVersionExW
lstrcatA
CreateEventW
GetFileSize
FindResourceW
LoadResource
CreateProcessW
SystemTimeToFileTime
GetCurrentProcess
QueryPerformanceCounter
GetModuleHandleW
WriteFile
WideCharToMultiByte
SizeofResource
ReadFile
CreateFileW
lstrlenW
GetProcAddress
VirtualAlloc
GetLocalTime
LockResource
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentProcessId
GetTickCount
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
FlushFileBuffers
GetComputerNameA
lstrcatW
lstrcpyW
GetTempFileNameW
GetTempPathW
OpenMutexW
OpenProcess
VirtualFreeEx
VirtualAllocEx
Process32FirstW
IsWow64Process
Process32NextW
WriteProcessMemory
KERNEL32.dll
wsprintfA
USER32.dll
SHGetFolderPathW
SHELL32.dll
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
LoadLibraryA
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
=HTTPt
=GET t
=PUT t
9.rdau
9.texu
t'F<]t
t{Fj V
IHt9Ht
=HTTPt
=GET t
=PUT t
=HTTPt
=GET t
=PUT t
VWPQR3
L$,QWS
QWVhP{
>POSTuK
LoadLibraryExW
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
%s/%s/0
/%s/%s/63/checkfile/%s/%s/
Opera/9.80
/%s/%s/63/file/%s/%s/%s/
%sbound-%d
Content-Disposition: form-data; name="%s"
--%s--
Content-Type: multipart/form-data; boundary=
Content-Length: 
Accept: text/html
Connection: Keep-Alive
Content-Length:
Transfer-Encoding:
Cookie: 
Referer: 
X-CSRF-Token: 
X-Requested-With: 
Content-Type: 
Content-Type:
NSPR4.DLL
NSS3.DLL
PR_Read
PR_Write
PR_Close
wininet.dll
Send wininet.dll failed
Check wininet.dll on server failed
Error code %x, %s
Error code %x
AUTOBACKCONN
logkeys
not_support
logpost
X-Forwarded-For: %s
BotInfo: %s %s
vstp341qa=
vstp341qb=
InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
WININET.dll
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSASocketW
WSARecv
WSAResetEvent
WSACreateEvent
WSAConnect
WSASend
WSACloseEvent
WS2_32.dll
StrToIntA
StrStrIA
StrChrA
StrStrIW
SHLWAPI.dll
GetModuleHandleW
GetLastError
SetLastError
GetProcAddress
lstrlenA
WaitForSingleObject
SetEvent
lstrcatA
CreateEventW
CloseHandle
lstrcpyA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetFileSize
lstrcmpA
GetCurrentProcess
QueryPerformanceCounter
VirtualFree
WriteFile
Thread32First
Thread32Next
ReadFile
CreateFileW
VirtualAlloc
OpenThread
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentThreadId
GetCurrentProcessId
SuspendThread
ResumeThread
GetTickCount
CreateThread
lstrcpynA
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
FlushInstructionCache
VirtualProtect
LoadLibraryA
OutputDebugStringW
LocalAlloc
LocalFree
CreateMutexW
ReleaseMutex
GetModuleFileNameW
lstrcatW
GetWindowsDirectoryW
KERNEL32.dll
wsprintfA
wsprintfW
USER32.dll
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptDestroyHash
CryptHashData
ADVAPI32.dll
d[[[[[
[[[[[[[[[[[[js
[RRRR[[[[w|w
vv[[[[[[[[[[[
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
WWWWWWWWWWWW
WccccWWWWT
SSWWWWWWWWWWW
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
1&151E1O1j1
2H2]2m2r2}2
3,3_3e3r3x3
4!4H4U4h4{4
5$5D5V5i5x5
5/656B6H6X6w6
848G8U8d8o8
9V9n9y9
:$:3:u:z:
;$;,;\;m;u;
<!<&<-<6<=<d<
=1=7=A=G=N=Y=g=q=x=
10191H1M1T1e1q1
4-4?4w4~4
5:5Q5X5^5q5
6:6^6q6
7#7B7d7
989d9x9
96:R:h:v:
;%;9;U;
<&<N<b<t<
=2=R=c=m=
>&>I>R>_>x>
;0H0V0s0
0"1Y1i1
2V2m2y2
3H4R4u4
6 666?6L6r6
7"7/7h7o7y7
8Y8e8q8y8
8"9:9`9f9u9
:!:B:K:m:y:
;';1;I;
;9<N<a<
= =D=b=k=u=
>F>S>n>u>
?4?G?e?w?
0 0<0f0
171a1h1
3+363t3{3	4)4D4t4
5"5K5R5g5q5
6!6f6m6y6
7(8B8b8
979`9m9t9
:$:-:W:p:
=%=S=d=
?"?R?W?a?f?
0H0O0T2X2\2`2d2h2l2@3D3H3L3P3T3X3\3T4\4k4{4
6P6a6o6
737S7f7y7
8P8o8y8
8(919e9w9
:(:::L:`:z:
;(;=;Y;b;u;
<&</<;<R<d<v<
='=3=J=R=r=
>#>+>?>Q>W>a>g>n>y>
1!1.1N1c1q1
2&212:2E2N2Y2b2m2
2#343W3`3k3{3
5(5.5:5E5V5a5
5+6T6`6l6u6
7;7R7X7g7
768U8a8n8~8
:<:C:I:Y:^:d:z:
;';-;6;B;Y;a;
<%<V<]<f<l<q<
=$=0=G=O=t=
>+>5>G>M>W>]>d>o>|>
?0?5???E?N?Y?l?
0?0K0}0
0"131U1^1j1x1
2/2Q2[2e2o2z2
3*3A3^3g3
5,535H5i5r5
7!7P7V7k7x7
808:8c8
8"9D9O9
<(=2=q=
?&?f?p?
1'1g1v1
2!2[2b2s2z2
3$3N3X3
5(5A5R5`5
6#696Z6n6
818Q8{8
9!9*959F9i9
:E:X:_:i:
:(;1;U;t;
;6<@<V<k<t<
2 2`2d2
2,303p3t3
WVQRAW
A_ZY^_
GetProcAddress
VWSQAWASATARAPI
AXAZA\A[A_Y[_^
SARAPQVWH
_^YAXAZ[
WPRAPAQH
AYAXZX_
APSQARVWHcw<H
_^AZY[AX
RAPAQWH
_AYAXZ
AWSAVWVAUI
A]^_A^[A_
WQHcO<H
VirtualAlloc
VirtualFree
VirtualProtect
LoadLibraryA
!This program cannot be run in DOS mode.
5Rich.
`.rdata
@.data
.pdata
@.rsrc
@.reloc
VWATAUAVH
@A^A]A\_^
|$ ATH
|$ ATH
|$ ATH
ffffff
|$ ATH
WATAUH
 LcT$`I
 A]A\_
VATAUH
 A]A\^
9t$,u/D
9t$,u/D
@VATAUAVAWH
@A_A^A]A\^
3T$83T$<i
3L$@3L$Di
3L$H3L$Li
WATAUAVAWH
 A_A^A]A\_
|$ ATH
@SUWATAWH
0A_A\_][
0A_A\_][
@SVAUH
L$ SVWAVAWH
PA_A^_^[
PA_A^_^[
WATAUH
 A]A\_
t$ ATH
l$ ATH
@UWAUH
|$ ATH
@SVWAWH
WATAUH
PA]A\_
D$ ccsr
D$ btid
D$ btnt
WATAUH
 A]A\_
D*L$@L
WATAUAVAWH
 A_A^A]A\_
UVWATAUAVAWH
0A_A^A]A\_^]
WATAUAVAWH
ffffff
 A_A^A]A\_
$=HTTPt
=GET t
=PUT t
|$ ATH
UVWATAUAVAWH
D$ H9;u
Hc|$ H
t)H)\$xL
0A_A^A]A\_^]
@UVATAUH
A]A\^]
A]A\^]
IcD$,H
D$8rpls@
D$8rspp
fffffff
|$ ATH
?POSTuZH
@UWATH
L$ <:t
|$ ATH
E D8e(t L
SUVWATAVAWH
A_A^A\_^][
/%s/%s/%d/%s/
/%s/%s/%d/%s/%s/
%s/%s/0
/%s/%s/63/checkfile/%s/%s/
Opera/9.80
%sbound-%d
Content-Disposition: form-data; name="%s"
--%s--
Content-Type: multipart/form-data; boundary=
Content-Length: 
Accept: text/html
Connection: Keep-Alive
Content-Length:
Transfer-Encoding:
Cookie: 
Referer: 
X-CSRF-Token: 
X-Requested-With: 
Content-Type: 
Content-Type:
LoadLibraryExW
Check wininet.dll on server failed
Error code %x, %s
Error code %x
AUTOBACKCONN
logkeys
not_support
logpost
X-Forwarded-For: %s
BotInfo: %s %s
vstp341qa=
vstp341qb=
InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
WININET.dll
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSASocketW
WSARecv
WSAResetEvent
WSACreateEvent
WSAConnect
WSASend
WSACloseEvent
WS2_32.dll
StrToIntA
StrStrIA
StrChrA
StrStrIW
SHLWAPI.dll
lstrlenA
WaitForSingleObject
SetEvent
lstrcatA
CreateEventW
CloseHandle
lstrcpyA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetFileSize
lstrcmpA
GetCurrentProcess
QueryPerformanceCounter
GetModuleHandleW
VirtualFree
WriteFile
Thread32First
Thread32Next
ReadFile
CreateFileW
GetLastError
GetProcAddress
VirtualAlloc
OpenThread
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentThreadId
GetCurrentProcessId
SuspendThread
ResumeThread
GetTickCount
CreateThread
lstrcpynA
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
VirtualQuery
FlushInstructionCache
GetSystemInfo
VirtualProtect
OutputDebugStringW
SetLastError
LocalAlloc
LocalFree
CreateMutexW
ReleaseMutex
GetModuleFileNameW
lstrcatW
GetWindowsDirectoryW
KERNEL32.dll
wsprintfA
wsprintfW
USER32.dll
CryptGetHashParam
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptDestroyHash
CryptHashData
ADVAPI32.dll
d[[[[[
[[[[[[[[[[[[js
[RRRR[[[[w|w
vv[[[[[[[[[[[
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
WWWWWWWWWWWW
WccccWWWWT
SSWWWWWWWWWWW
@@@@AI@@@@LB@@@@@@@@ODS@@@DWC\@`@@@@@@@@@@@@@@dfnk@@jF@@DF@@[D@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
P<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN