Susp_Dropper (Kaspersky), Trojan.Agent.BMCQ (B) (Emsisoft), Trojan.Agent.BMCQ (AdAware), Packed.Win32.Themida.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.Bzub.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.BHO.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 81b715b11b844e3fd409180d1dec58a0
SHA1: 5368f7ad79e2f05cf573621401a8b1627a8126fe
SHA256: 94397bd703d72852e22e2b99272844d2ccf0e0581f26837836ad7ecf70f4a690
SSDeep: 49152:SJo3GzFHjj5955Tbke/4M8ZZW6YvqHMr0lbmbb4mD5onQHT2sikJwFABk9:SJVR35955TUMQZW6sdGbKEi5gmhsqKk9
Size: 2906192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2015-07-19 18:49:43
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:188
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\UUWiseHelper.dll (291 bytes)
C:\ZMApi.dll (7972 bytes)
C:\dc.dll (122 bytes)
C:\KZSZ.ini (170 bytes)
C:\%original file name%.exe (17629 bytes)
The Trojan deletes the following file(s):
C:\ejhhpjxvlsuyuckoykku.dfg (0 bytes)
Registry activity
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 72 9F 15 E4 AB C7 8A 3A 83 8E C6 1A 31 38 03"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"
Dropped PE files
MD5 | File path |
---|---|
7616efe7d78fdf0abbc42e88e60a1a6f | c:\%original file name%.exe |
dc6b73cbd1f6f5cec640a8c634ae50c8 | c:\UUWiseHelper.dll |
3acaceed9edcf17193c69b5409cec1e0 | c:\ZMApi.dll |
f803ad370a8649a143429f179af5f3ab | c:\dc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\UUWiseHelper.dll (291 bytes)
C:\ZMApi.dll (7972 bytes)
C:\dc.dll (122 bytes)
C:\KZSZ.ini (170 bytes)
C:\%original file name%.exe (17629 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ?????
Product Name: ???????? Www.52Dfg.Com
Product Version: 1.0.0.0
Legal Copyright: ??????????[www.52dfg.com],??????,?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??,??,????????,????
Comments: ???????
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4005888 | 1635328 | 5.5451 | e2e9c47a0fbccd37f3670ebdf43befc9 |
UPX | 4009984 | 1171456 | 1170432 | 5.0495 | 96cde91052be47adf772aa4cdd9cd0ef |
.idata | 5181440 | 4096 | 1536 | 2.69426 | 1aef857903d31d960bbca9f63a39b314 |
.rsrc | 5185536 | 86016 | 85504 | 2.30303 | 763fcc78e37545b576a5510e95996860 |
UPX | 5271552 | 4096 | 4096 | 5.53304 | c0239f696dcebaa5658894553b464339 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
6a8a62a9afd1072199eafe03fbd7dec6
Network Activity
URLs
URL | IP |
---|---|
hxxp://92wg.sinaapp.com/softtj.php?act=add&softname=MZDS | 220.181.136.30 |
hxxp://92wg.sinaapp.com/getupdata.php?act=getver&wgname=MZDS | 220.181.136.30 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /softtj.php?act=add&softname=MZDS HTTP/1.1
Referer: hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=MZDS
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Host: 92wg.sinaapp.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 08 Nov 2015 23:17:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Via: 10.67.15.27
Set-Cookie: saeut=37.57.16.189.1447024625315847; path=/; max-age=311040000
1..1..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 08 Nov 2015 23:17:05 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Via: 10.67.15.27..Set-Cookie: saeut=37.57.16.189.1447024625315847; path=/; max-age=311040000..1..1..0......
GET /getupdata.php?act=getver&wgname=MZDS HTTP/1.1
Referer: hXXp://92wg.sinaapp.com/getupdata.php?act=getver&wgname=MZDS
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Host: 92wg.sinaapp.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 08 Nov 2015 23:17:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Via: 10.67.15.66
Set-Cookie: saeut=37.57.16.189.1447024626352775; path=/; max-age=311040000
2d..3.0*1.................................*nofile..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 08 Nov 2015 23:17:06 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Via: 10.67.15.66..Set-Cookie: saeut=37.57.16.189.1447024626352775; path=/; max-age=311040000..2d..3.0*1.................................*nofile....
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_188:
.text
h.idata
H.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
ntdll.dll
ole32.dll
oleaut32.dll
user32.dll
kernel32.dll
UUWiseHelper.dll
dc.dll
ZMApi.dll
uu_reportError
uu_loginA
ReportError
ZM_ReportErrorA
CreateIoCompletionPort
{86AB1D8A-7995-4D86-AE5F-18710759228B}
E9326F3E-A23C-46D3-9C20-3AE825EFA0A7
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
\KZSZ.ini
*.txt
|*.txt
{msg:"
/KZSZ.ini
hXXp://VVV.sz789.net/reg.aspx
hXXp://VVV.uudama.com/userReg.html
hXXp://VVV.zhima365.com/userreg.php
hXXp://VVV.ruokuai.com/home/register
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko QQBrowser/8.1.3700.400
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
].time
\task.dat
MSScriptControl.ScriptControl
function get__key(o) {
a.push(i);
//return JSON.stringify(jsonobj);
if (Object.prototype.toString.apply(O) === '[object Array]') {
for (var i = 0; i
S.push(O2String(O[i]));
J = '[' + S.join(',') + ']';
else if (Object.prototype.toString.apply(O) === '[object String]') {
J = '"' + O.replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n") + '"';
else if (Object.prototype.toString.apply(O) === '[object Number]') {
else if (Object.prototype.toString.apply(O) === '[object Date]') {
J = "new Date(" + O.getTime() + ")";
else if (Object.prototype.toString.apply(O) === '[object RegExp]' || Object.prototype.toString.apply(O) === '[object Function]') {
J = O.toString();
else if (Object.prototype.toString.apply(O) === '[object Object]') {
t = typeof (O[i]) == 'string' ? '"' + O[i].replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n") + '"' : (typeof (O[i]) === 'object' ? O2String(O[i]) : O[i]);
S.push(i + ':' + t);
J = '{' + S.join(',') + '}';
skey
hXXp://ic2.s21.qzone.qq.com/cgi-bin/feeds/feeds2_shield_pannel_get?uin=
data.data.hide_uins
].uin
data.data.hide_uins[
hXXp://w.qzone.qq.com/cgi-bin/feeds/feeds2_shield_pannel_set?g_tk=
qzreferrer=http://user.qzone.qq.com/
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
,nick:}
\Blacklist.dat
\Whitelist.dat
\data.dat
hXXp://dfgpath.sinaapp.com/dfg/xy.txt
*.jpg;*.jpeg;*.gif;*.png;*.bmp
|*.jpg;*.jpeg;*.gif;*.png;*.bmp
hXXp://w666666.sinaapp.com/dfg/qun.txt
hXXp://login.52dfg.com/xinxi/shuoshuo/getss.php?type=
[dfg]nick[/dfg]
6.htm
T@\*.dfg
cmd /c regsvr32 msscript.ocx jscript.dll vbscript.dll /s
{0:3,1:1,2:3,3:0,4:2}
hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=MZDS
hXXp://92wg.sinaapp.com/getupdata.php?act=getver&wgname=MZDS
hXXp://92wg.vipsinaapp.com/softtj.php?act=add&softname=MZDS
hXXp://92wg.vipsinaapp.com/getupdata.php?act=getver&wgname=MZDS
hXXp://VVV.52dfg.com/forum-40-1.html?MZDS
hXXp://VVV.52dfg.com
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
**.dU
hXXp://m.qzone.com/combo?action=1&g_f=&refresh_type=1&res_type=2&format=json&sid=
hXXp://ic2.s11.qzone.qq.com/cgi-bin/feeds/cgi_get_feeds_count.cgi?uin=
add: "hXXp://taotao.qq.com/cgi-bin/emotion_cgi_re_feeds",
del: "hXXp://taotao.qq.com/cgi-bin/emotion_cgi_delcomment_ugc",
more: "hXXp://taotao.qq.com/cgi-bin/emotion_cgi_ic_getcomments"
del: "hXXp://taotao.qq.com/cgi-bin/emotion_cgi_delreply_ugc",
del: "hXXp://taotao.qq.com/cgi-bin/emotion_cgi_delete_v6"
add: "hXXp://photo.qq.com/cgi-bin/common/cgi_add_piccomment_v2",
del: "hXXp://photo.qq.com/cgi-bin/common/cgi_del_piccomment_v2",
more: "hXXp://photo.qq.com/cgi-bin/common/cgi_add_piccomment_v2"
add: "hXXp://photo.qq.com/cgi-bin/common/cgi_add_icreply_v2",
del: "hXXp://photo.qq.com/cgi-bin/common/cgi_del_reply_v2",
more: "hXXp://photo.qq.com/cgi-bin/common/cgi_add_icreply_v2"
add: "hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareaddcomment",
del: "hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzsharedeletecomment",
more: "hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareget_comment"
del: "hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzsharedelete"
add: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/add_comment",
del: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/del_comment",
more: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/get_comment_list"
add: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/add_reply",
del: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/del_reply",
del: "hXXp://b1.qzone.qq.com/cgi-bin/blognew/del_blog"
add: "hXXp://m.qzone.qq.com/cgi-bin/new/add_reply",
del: "hXXp://m.qzone.qq.com/cgi-bin/new/del_reply",
add: "hXXp://u.photo.qq.com/cgi-bin/upp/qun_add_uc_cmt",
data.newfeeds_uinlist
data.newfeeds_uinlist[
&scope=0&view=1&daylist=&uinlist=&gid=&flag=1&filter=all&applist=all&refresh=0&aisortEndTime=0&aisortOffset=0&getAisort=0&aisortBeginTime=0&pagenum=1&externparam=&firstGetGroup=0&icServerTime=0&mixnocache=0&scene=0&begintime=0&count=10&dayspac=0&sidomain=ctc.qzonestyle.gtimg.cn&useutf8=1&outputhtmlfeed=1&rd=0.
hXXp://ic2.s11.qzone.qq.com/cgi-bin/feeds/feeds3_html_more?uin=
data.data
].html
data.data[
].key
].abstime
].appid
].typeid
].nickname
data-unikey="
data-curkey="
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&curkey=
&unikey=
&richval=&richtype=&private=0&paramstr=1&qzreferrer=http://user.qzone.qq.com/
hXXp://
&richtype=1&private=0&paramstr=1&qzreferrer=http://user.qzone.qq.com/
'].comment.add
hXXp://user.qzone.qq.com/q/taotao/cgi-bin/emotion_cgi_re_feeds
Content-Disposition: form-data; name="skey"
{skey}
Referer: hXXp://ctc.qzs.qq.com/qzone/client/photo/swf/SimpleLocalFileUploader/Main.swf?max_age=20140605
Origin: hXXp://ctc.qzs.qq.com
hXXp://up.photo.qq.com/cgi-bin/upload/cgi_upload_image
data.url
1970-01-01 08:00:00
hXXp://up.qzone.com/cgi-bin/upload/cgi_upload_pic_v2
&base64=1&hd_height=1000&hd_width=2048&hd_quality=96&output_type=json&preupload=1&charset=utf-8&output_charset=utf-8&logintype=sid&Exif_CameraMaker=&Exif_CameraModel=&Exif_Time=&uin=
&logintype=sid&refer=shuoshuo
].picinfo.albumid
].picinfo.lloc
].picinfo.sloc
].picinfo.type
].picinfo.height
].picinfo.width
hXXp://m.qzone.com/mood/publish_mood
hXXp://dll.1235k.com/api/m.php
dfg.dat
hXXp://dll.1235k.com/api/dfg.dat
hXXp://92wg.sinaapp.com/api/api.php?m=99
.exehao.1235k.com/api/api.php?m=99
hXXps://92wg.sinaapp.com/api/api.php?m=1
httphXXps://hao.1235k.com/api/api.php?m=1
hXXps://92wg.sinaapp.com/api/api.php?m=3
hXXps://hao.1235k.com/api/api.php?m=3
hXXps://92wg.sinaapp.com/api/api.php?m=7
hXXps://hao.1235k.com/api/api.php?m=7
hXXps://92wg.sinaapp.com/api/api.php?m=8
hXXps://hao.1235k.com/api/api.php?m=8
1.txt
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command [9]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main [9]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel [9]2.txt
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command [2 8]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main [2 8]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel [2 8]cmd /c regini
"%Program Files%\Internet Explorer\iexplore.exe"
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\
Software\Policies\Microsoft\Internet Explorer\Main\Default_Page_URL
Software\Microsoft\Internet Explorer\Main\Default_Page_URL
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory
*.lnk
Shell.Application
QQBrowser.exe
SogouExplorer.exe
360se.exe
360chrome.exe
baidubrowser.exe
hao123Juzi.exe
hXXp://dfgpath.sinaapp.com/dfg/gonggao.txt
hXXp://dfgpath.vipsinaapp.com/dfg/gonggao.txt
].txt
].url
.gif>
3.htm
5.htm
yl.htm
"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
\UUWiseHelper.dll
`.rdata
@.data
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
urlmon.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetProcessHeap
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
&uin
&lang&aid&uin
&uin
&pt_randsalt&ptlang&low_login_enable&u1&from_ui&fp&device&aid&pt_ttype&ptredirect&h&g&pt_uistyle&
&pt_verifysession_v1
&uin
&pt_randsalt&ptlang&low_login_enable&u1&from_ui&fp&device&aid&pt_ttype&ptredirect&h&g&pt_uistyle&pt_vcode_v1&pt_verifysession_v1
&&&&&&
&
&
&
&
&
&
&
&
&&navigator.appVersion
&
&
&
&
&
&
&&
&
&
&&
&
&version&main_qq&_wv&sid
&password
&softkey
&&
&
&
&
&
&
&&&&
&
<.ul>
<.rm>
&
&
&
&password&repassword&email&qq&phone&name&softwareid
&password&repassword&email&qq&phone&name&softwareid
&password&prepaid_card&softwareid
&password&prepaid_card&softwareid
&password
&password
&
&softname
&wgname
&softname
&wgname
&
&g_f&refresh_type&res_type&format&sid
&scope&view&daylist&uinlist&gid&flag&filter&applist&refresh&aisortEndTime&aisortOffset&getAisort&aisortBeginTime&pagenum&externparam&firstGetGroup&icServerTime&mixnocache&scene&begintime&count&dayspac&sidomain&useutf8&outputhtmlfeed&rd
&curkey
&unikey
&richval&richtype&private&paramstr&qzreferrer
&richtype&private&paramstr&qzreferrer
&base64&hd_height&hd_width&hd_quality&output_type&preupload&charset&output_charset&logintype&Exif_CameraMaker&Exif_CameraModel&Exif_Time&uin
&logintype&refer
&SSh
&uin
&lang&aid&uin
&uin
&pt_randsalt&ptlang&low_login_enable&u1&from_ui&fp&device&aid&pt_ttype&ptredirect&h&g&pt_uistyle&
&pt_verifysession_v1
&uin
&pt_randsalt&ptlang&low_login_enable&u1&from_ui&fp&device&aid&pt_ttype&ptredirect&h&g&pt_uistyle&pt_vcode_v1&pt_verifysession_v1
&&&&&&
&
&
&
&
&
&
&
&
&&navigator.appVersion
&
&
&
&
&
&
&&
&
&
&&
&
&version&main_qq&_wv&sid
&password
&softkey
&&
&
&
&
&
&
&&&&
&
&
&password&repassword&email&qq&phone&name&softwareid
&password&repassword&email&qq&phone&name&softwareid
&password&prepaid_card&softwareid
&password&prepaid_card&softwareid
&password
&password
&
&
&:
&
&
&
&
&
&joiner
&non-joiner
&More
&en
&ft
&y1
&
<:>
&
<:_:>