HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8d8a001fab4c7ef0dc29ebbc05da9bfe
SHA1: c48149ba49191a464d62c8f62b1afe8afc3f2171
SHA256: fef0d932978a16e9e0ba839e948d52c8c429250c062eb57ff78651518158b31e
SSDeep: 12288:myR4TTQP0pef9aAwvO0ZfMSgrlKxqc9ZKr:myFP8DAwvZfMSacjUr
Size: 400896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company:
Created at: 2013-05-18 21:32:49
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1476
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\empty.exe (9 bytes)
Registry activity
The process %original file name%.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF B8 F0 14 88 04 30 E6 F5 6B 79 34 F5 D9 16 DF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which are not assigned to any other zone, are mapped to the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\empty.exe (9 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Heikl
Product Name: QQ???????
Product Version: 1.0.0.0
Legal Copyright: BY:Heikl QQ 11164118
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ?????
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2162688 | 388096 | 5.54478 | 9ed2de5f3d0fdddcd9e3f7a8a06c8d77 |
.rsrc | 2166784 | 12288 | 11776 | 4.01256 | cfe6b8949280615578c341a033f6ff0d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://im2.n.shifen.com/heikl/item/42d0616d465737a1c5d249fd | |
hxxp://im2.n.shifen.com/search/error.html | |
hxxp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd | 123.125.114.169 |
hxxp://im.baidu.com/search/error.html | 123.125.114.169 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /heikl/item/42d0616d465737a1c5d249fd HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sun, 16 Oct 2016 23:04:18 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>
</body></html>
GET /search/error.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 16 Oct 2016 23:04:19 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps