Gen:Variant.Graftor.153738 (B) (Emsisoft), Gen:Variant.Graftor.153738 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 911bb184460388ebad4c018604b0e486
SHA1: 7996b131d84cbb4369f1ac944c97c6c1da54f13a
SHA256: 668ad53056947e1457bdd1cce2cf033f2c90e90cbceb3adc6429cdaaa74b042b
SSDeep: 24576:hOYjPd9rheo 7a0oJTZaqdiXSp0c02uFG6dAk3CMDPFt:hndOHuTTZaqdwk0c05HGi7
Size: 1581056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-11-11 06:45:07
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1792
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\error[1].htm (801 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318\index.dat (16 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)
Registry activity
The process %original file name%.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CachePrefix" = ":2017031720170318:"
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CacheRepair" = "0"
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\error[1].htm (801 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318\index.dat (16 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ????(????) v1.1
Product Version: 1.1.10.6
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.10.6
File Description: ???????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 531499 | 532480 | 4.53705 | f60170d00c60fb69792a366f576f91e7 |
.rdata | 536576 | 950624 | 954368 | 5.39818 | e19103ae201afbd3748829c49313511e |
.data | 1490944 | 247498 | 65536 | 3.54406 | f1966f08d09d59e61d6375a7e6db6976 |
.rsrc | 1740800 | 22804 | 24576 | 3.73558 | a249c7f547ae594640bbce1523b84375 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://im2.n.shifen.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 | |
hxxp://im2.n.shifen.com/search/error.html | |
hxxp://im2.n.shifen.com/search/img/logo.gif | |
hxxp://im.baidu.com/search/img/logo.gif | 123.125.114.169 |
hxxp://hi.baidu.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 | 123.125.114.169 |
hxxp://im.baidu.com/search/error.html | 123.125.114.169 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Thu, 16 Mar 2017 23:30:25 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>.
GET /ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hi.baidu.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 16 Mar 2017 23:30:22 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>.</body></html>.
GET /search/error.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: im.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:26 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<title>....--..............</title>..<META http-equiv=content-type content="text/html; charset=gb2312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "....".}...f12 {..FONT-SIZE: 12px; LINE-HEIGHT: 20px.}..p2 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333.}.</style>.<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff .topMargin=0>.<center>.<table width=650 border=0 align="center">. <tr height=60>. <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>. <td valign="bottom" width="100%">. <table width="100%" border="0" cellpadding="0" cellspacing="0">. <tr bgcolor="#e5ecf9">. <td height="24"> <b class="p1">..............</b></td>. <td height="24" class="p2">. <div align="right"><a href="hXXps://VVV.baidu.com">........</a> </div></td>. </tr>. <tr>. <td height="20" class="p2" colspan="2"></td>. </tr>. </table></td>. </tr>.</table>.<br>.<table width=650 border=0 align="center" cellpadding=8 cellspacing=0>. <tr> . <td align=center><div align="left"
<<< skipped >>>
GET /search/error.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:25 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:51 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<title>....--..............</title>..<META http-equiv=content-type content="text/html; charset=gb2312">.<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>.</head>.<style type="text/css">..p1 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "....".}...f12 {..FONT-SIZE: 12px; LINE-HEIGHT: 20px.}..p2 {..FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333.}.</style>.<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff .topMargin=0>.<center>.<table width=650 border=0 align="center">. <tr height=60>. <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>. <td valign="bottom" width="100%">. <table width="100%" border="0" cellpadding="0" cellspacing="0">. <tr bgcolor="#e5ecf9">. <td height="24"> <b class="p1">..............</b></td>. <td height="24" class="p2">. <div align="right"><a href="hXXps://VVV.baidu.com">........</a> </div></td>. </tr>. <tr>. <td height="20" class="p2" colspan="2"></td>. </tr>. </table></td>. </tr>.</table>.<br>.<table width=650 border=0 align="center" cellpadding=8 cellspacing=0>. <tr> . <td align=center><div align="left"
<<< skipped >>>
GET /search/img/logo.gif HTTP/1.1
Accept: */*
Referer: hXXp://im.baidu.com/search/error.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: im.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:26 GMT
Server: Apache
Last-Modified: Mon, 08 Sep 2008 08:16:39 GMT
ETag: "671"
Accept-Ranges: bytes
Content-Length: 1649
Connection: Keep-Alive
Content-Type: image/gif
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1792:
.text
`.rdata
@.data
.rsrc
SkinH_EL.dll
kernel32.dll
user32.dll
UnregisterHotKey
RegisterHotKey
EnumWindows
SetWindowsHookExA
WebBrowser
hXXp://VVV.huoyan.tv/api.php#!u=
hXXp://yunbofang.400gb.com/
hXXp://hi.baidu.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4
b\SkinH_EL.dll
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://down.qixiu98.com:83/QXDownloader_1999_11497.exe
hXXp://down.qiyue98.net:83/tuiguang/QYDownloader_1991_5511497.exe
hXXp://VVV.iphone5tuan.com/ffdy_110_11497.exe
hXXp://d.7wgame.com/5see/5see_ta05_11497.exe
hXXp://software.wowo98.com.cn/partner_new/wowo_21_11497_pure.exe
hXXp://1413535245.huajianzhanlan.com/ndl.aspx?uid=9095&sid=11497&tid=3
A@hXXp://down2.videospeedy.com/5126setup_74_11497.exe
hXXp://software.lingxiu98.com.cn/partner_new/lingxiu_37_11497.exe
VVV.baidu.com
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%d%d%d
rundll32.exe shell32.dll,
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.1.10.6
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1792_rwx_10001000_00039000:
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc