Trojan.Win32.FlyStudio_8d8a001fab

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1476

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1476 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\empty.exe (9 bytes)

Registry activity

The process %original file name%.exe:1476 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF B8 F0 14 88 04 30 E6 F5 6B 79 34 F5 D9 16 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %WinDir%\empty.exe (9 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Heikl
Product Name: QQ???????
Product Version: 1.0.0.0
Legal Copyright: BY:Heikl QQ 11164118
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ?????
Language: English (United States)

Company Name: HeiklProduct Name: QQ???????Product Version: 1.0.0.0Legal Copyright: BY:Heikl QQ 11164118Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ????Comments: ?????Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2162688	388096	5.54478	9ed2de5f3d0fdddcd9e3f7a8a06c8d77
.rsrc	2166784	12288	11776	4.01256	cfe6b8949280615578c341a033f6ff0d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://im2.n.shifen.com/heikl/item/42d0616d465737a1c5d249fd
hxxp://im2.n.shifen.com/search/error.html
hxxp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd	123.125.114.169
hxxp://im.baidu.com/search/error.html	123.125.114.169

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /heikl/item/42d0616d465737a1c5d249fd HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: hi.baidu.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Date: Sun, 16 Oct 2016 23:04:18 GMT

Server: Apache

Location: hXXp://im.baidu.com/search/error.html

Content-Length: 221

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>.HTTP/1.1 302 Found..Date: Sun, 16 Oct 2016 23:04:18 GMT..Server: Apache..Location: hXXp://im.baidu.com/search/error.html..Content-Length: 221..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>...

GET /search/error.html HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: im.baidu.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 16 Oct 2016 23:04:19 GMT

Server: Apache

Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT

ETag: "a92"

Accept-Ranges: bytes

Content-Length: 2706

Connection: Keep-Alive

Content-Type: text/html

<html>.<head>..<title>....--..............</title>..<META http-equiv=content-type content="text/html; charset=gb2312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "....".}...f12 {..FONT-SIZE: 12px; LINE-HEIGHT: 20px.}..p2 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333.}.</style>.<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff .topMargin=0>.<center>.<table width=650 border=0 align="center">. <tr height=60>. <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>. <td valign="bottom" width="100%">. <table width="100%" border="0" cellpadding="0" cellspacing="0">. <tr bgcolor="#e5ecf9">. <td height="24"> <b class="p1">..............</b></td>. ..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1476:

.text

.text

`.rsrc

`.rsrc

t%SVh

t%SVh

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

user32.dll

user32.dll

gdiplus.dll

gdiplus.dll

kernel32.dll

kernel32.dll

gdi32.dll

gdi32.dll

wininet.dll

wininet.dll

msimg32.dll

msimg32.dll

comctl32.dll

comctl32.dll

COMCTL32.DLL

COMCTL32.DLL

User32.dll

User32.dll

Wininet.dll

Wininet.dll

ole32.dll

ole32.dll

GdiPlus.dll

GdiPlus.dll

Gdiplus.dll

Gdiplus.dll

shlwapi.dll

shlwapi.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

GdiplusShutdown

GdiplusShutdown

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

InternetOpenUrlA

InternetOpenUrlA

GdipSetPenLineJoin

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118

?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118

hXXp://check.ptlogin2.qq.com/check?uin=

hXXp://check.ptlogin2.qq.com/check?uin=

hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=

hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=

&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1

&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1

hXXp://ptlogin2.qq.com/login?u=

hXXp://ptlogin2.qq.com/login?u=

ptwebqq=

ptwebqq=

hXXp://d.web2.qq.com/channel/login2

hXXp://d.web2.qq.com/channel/login2

","psessionid":null}&clientid=

","psessionid":null}&clientid=

","passwd_sig":"","clientid":"

","passwd_sig":"","clientid":"

r={"status":"online","ptwebqq":"

r={"status":"online","ptwebqq":"

vfwebqq":"

vfwebqq":"

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

http=

http=

HTTP/1.1

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXp://

hXXp://

GetPassword

GetPassword

hXXp://s.web2.qq.com/api/modify_my_details2

hXXp://s.web2.qq.com/api/modify_my_details2

"}

"}

","vfwebqq":"

","vfwebqq":"

","personal":"

","personal":"

","homepage":"

","homepage":"

","college":"

","college":"

","occupation":"

","occupation":"

","email":"

","email":"

","mobile":"

","mobile":"

","phone":"

","phone":"

","birthday":"

","birthday":"

","birthmonth":"

","birthmonth":"

","birthyear":"

","birthyear":"

","blood":"

","blood":"

","constel":"

","constel":"

","shengxiao":"

","shengxiao":"

","gender":"

","gender":"

r={"nick":"

r={"nick":"

`~!@#$%^&*()-_= [{]};:'\|,<.>/?"

`~!@#$%^&*()-_= [{]};:'\|,<.>/?"

hXXp://s.web2.qq.com/api/set_long_nick2

hXXp://s.web2.qq.com/api/set_long_nick2

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

\empty.exe

\empty.exe

`.data

`.data

.rsrc

.rsrc

could not empty working set for process #%d [%s]

could not empty working set for process #%d [%s]

could not empty working set for process #%d

could not empty working set for process #%d

USAGE: empty.exe {pid | task-name}

USAGE: empty.exe {pid | task-name}

AdjustTokenPrivileges failed with %d

AdjustTokenPrivileges failed with %d

LookupPrivilegeValue failed with %d

LookupPrivilegeValue failed with %d

OpenProcessToken failed with %d

OpenProcessToken failed with %d

empty.pdb

empty.pdb

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

CloseWindowStation

CloseWindowStation

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

GetProcessWindowStation

GetProcessWindowStation

EnumWindows

EnumWindows

EnumWindowStationsA

EnumWindowStationsA

USER32.dll

USER32.dll

ntdll.dll

ntdll.dll

OLEAUT32.dll

OLEAUT32.dll

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

hXXp://VVV.52pojie.cn

hXXp://VVV.52pojie.cn

hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/Heikl

var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128>>9)16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B>16) (D>>16) (C>>16);return(B>>(32-B))}function str2binl(D){var C=Array();var A=(1>5]|=(D.charCodeAt(B/chrsz)&A)>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)>2]>>8*((B 1)%4))&255)>2]>>8*((B 2)%4))&255);for(var A=0;AD.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i

var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128>>9)16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B>16) (D>>16) (C>>16);return(B>>(32-B))}function str2binl(D){var C=Array();var A=(1>5]|=(D.charCodeAt(B/chrsz)&A)>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)>2]>>8*((B 1)%4))&255)>2]>>8*((B 2)%4))&255);for(var A=0;AD.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i

ID Heikl hXXp://hi.baidu.com/Heikl

ID Heikl hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd

hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd

C:\gx.tmp

C:\gx.tmp

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

\ .bat

\ .bat

{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

hXXp://VVV.52pojie.cn/

hXXp://VVV.52pojie.cn/

hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/Heikl

Heikl@qq.com

Heikl@qq.com

138888888

138888888

1986-1-1

1986-1-1

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetKeyState

GetKeyState

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

WSOCK32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

5.2.3790.0 built by: dnsrv_dev(v-smgum)

5.2.3790.0 built by: dnsrv_dev(v-smgum)

empty.exe

empty.exe

Windows

Windows

Operating System

Operating System

5.2.3790.0

5.2.3790.0

(*.*)

(*.*)

1.0.0.0

1.0.0.0

%original file name%.exe_1476_rwx_00401000_00210000:

t%SVh

t%SVh

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

user32.dll

user32.dll

gdiplus.dll

gdiplus.dll

kernel32.dll

kernel32.dll

gdi32.dll

gdi32.dll

wininet.dll

wininet.dll

msimg32.dll

msimg32.dll

comctl32.dll

comctl32.dll

COMCTL32.DLL

COMCTL32.DLL

User32.dll

User32.dll

Wininet.dll

Wininet.dll

ole32.dll

ole32.dll

GdiPlus.dll

GdiPlus.dll

Gdiplus.dll

Gdiplus.dll

shlwapi.dll

shlwapi.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

GdiplusShutdown

GdiplusShutdown

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

InternetOpenUrlA

InternetOpenUrlA

GdipSetPenLineJoin

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118

?hXXp://wpa.qq.com/msgrd?v=3&uin=11164118

hXXp://check.ptlogin2.qq.com/check?uin=

hXXp://check.ptlogin2.qq.com/check?uin=

hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=

hXXp://captcha.qq.com/getimage?aid=1003903&r=0.1234567890123456&uin=

&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1

&webqq_type=10&remember_uin=1&login2qq=1&aid=1003903&u1=http://web.qq.com/loginproxy.html?login2qq=1&webqq_type=10&h=1&ptredirect=0&ptlang=2052&from_ui=1&pttype=1&dumy=&fp=loginerroralert&action=2-6-7203&mibao_css=m_webqq&t=1&g=1

hXXp://ptlogin2.qq.com/login?u=

hXXp://ptlogin2.qq.com/login?u=

ptwebqq=

ptwebqq=

hXXp://d.web2.qq.com/channel/login2

hXXp://d.web2.qq.com/channel/login2

","psessionid":null}&clientid=

","psessionid":null}&clientid=

","passwd_sig":"","clientid":"

","passwd_sig":"","clientid":"

r={"status":"online","ptwebqq":"

r={"status":"online","ptwebqq":"

vfwebqq":"

vfwebqq":"

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

http=

http=

HTTP/1.1

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXp://

hXXp://

GetPassword

GetPassword

hXXp://s.web2.qq.com/api/modify_my_details2

hXXp://s.web2.qq.com/api/modify_my_details2

"}

"}

","vfwebqq":"

","vfwebqq":"

","personal":"

","personal":"

","homepage":"

","homepage":"

","college":"

","college":"

","occupation":"

","occupation":"

","email":"

","email":"

","mobile":"

","mobile":"

","phone":"

","phone":"

","birthday":"

","birthday":"

","birthmonth":"

","birthmonth":"

","birthyear":"

","birthyear":"

","blood":"

","blood":"

","constel":"

","constel":"

","shengxiao":"

","shengxiao":"

","gender":"

","gender":"

r={"nick":"

r={"nick":"

`~!@#$%^&*()-_= [{]};:'\|,<.>/?"

`~!@#$%^&*()-_= [{]};:'\|,<.>/?"

hXXp://s.web2.qq.com/api/set_long_nick2

hXXp://s.web2.qq.com/api/set_long_nick2

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

\empty.exe

\empty.exe

.text

.text

`.data

`.data

.rsrc

.rsrc

could not empty working set for process #%d [%s]

could not empty working set for process #%d [%s]

could not empty working set for process #%d

could not empty working set for process #%d

USAGE: empty.exe {pid | task-name}

USAGE: empty.exe {pid | task-name}

AdjustTokenPrivileges failed with %d

AdjustTokenPrivileges failed with %d

LookupPrivilegeValue failed with %d

LookupPrivilegeValue failed with %d

OpenProcessToken failed with %d

OpenProcessToken failed with %d

empty.pdb

empty.pdb

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

CloseWindowStation

CloseWindowStation

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

GetProcessWindowStation

GetProcessWindowStation

EnumWindows

EnumWindows

EnumWindowStationsA

EnumWindowStationsA

USER32.dll

USER32.dll

ntdll.dll

ntdll.dll

OLEAUT32.dll

OLEAUT32.dll

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

hXXp://VVV.52pojie.cn

hXXp://VVV.52pojie.cn

hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/Heikl

var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128>>9)16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B>16) (D>>16) (C>>16);return(B>>(32-B))}function str2binl(D){var C=Array();var A=(1>5]|=(D.charCodeAt(B/chrsz)&A)>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)>2]>>8*((B 1)%4))&255)>2]>>8*((B 2)%4))&255);for(var A=0;AD.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i

var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128>>9)16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B>16) (D>>16) (C>>16);return(B>>(32-B))}function str2binl(D){var C=Array();var A=(1>5]|=(D.charCodeAt(B/chrsz)&A)>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)>2]>>8*((B 1)%4))&255)>2]>>8*((B 2)%4))&255);for(var A=0;AD.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i

ID Heikl hXXp://hi.baidu.com/Heikl

ID Heikl hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd

hXXp://hi.baidu.com/heikl/item/42d0616d465737a1c5d249fd

C:\gx.tmp

C:\gx.tmp

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

\ .bat

\ .bat

{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

hXXp://VVV.52pojie.cn/

hXXp://VVV.52pojie.cn/

hXXp://hi.baidu.com/Heikl

hXXp://hi.baidu.com/Heikl

Heikl@qq.com

Heikl@qq.com

138888888

138888888

1986-1-1

1986-1-1

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetKeyState

GetKeyState

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

WSOCK32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

5.2.3790.0 built by: dnsrv_dev(v-smgum)

5.2.3790.0 built by: dnsrv_dev(v-smgum)

empty.exe

empty.exe

Windows

Windows

Operating System

Operating System

5.2.3790.0

5.2.3790.0

(*.*)

(*.*)

%original file name%.exe_1476_rwx_00612000_00002000:

kernel32.dll

kernel32.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

RASAPI32.dll

RASAPI32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

ADVAPI32.dll

ADVAPI32.dll

RegCloseKey

RegCloseKey

SHELL32.dll

SHELL32.dll

ShellExecuteA

ShellExecuteA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

COMCTL32.dll

COMCTL32.dll

WININET.dll

WININET.dll

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

comdlg32.dll

comdlg32.dll

1.0.0.0

1.0.0.0

%original file name%.exe_1476_rwx_00AE0000_00003000:

The procedure %s could not be located in the DLL %s.

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.