Gen:Variant.Strictor.28070 (B) (Emsisoft), Gen:Variant.Strictor.28070 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 033b0618625974a797eb42b53aa4dfcb
SHA1: 549bf3b97310a926d9593820d661d1093438e5ee
SHA256: 19629448fcf86858d033a5ce8cad5a38f27f729e1db4b0c07a46d335a39748a0
SSDeep: 24576:px5NMKzCRXrp9eLDSoFJ9rofw0jqXR8OAVZ59oU:pOKurp9cDjQw0jqXAkU
Size: 1396736 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: Dummy, Ltd.
Created at: 2015-03-19 17:19:42
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:396
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\UUWiseHelper.dll (291 bytes)
Registry activity
The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 EB C1 37 52 A8 42 F7 16 82 34 92 A6 39 6F 9F"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Dropped PE files
MD5 | File path |
---|---|
dc6b73cbd1f6f5cec640a8c634ae50c8 | c:\UUWiseHelper.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\UUWiseHelper.dll (291 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 694082 | 696320 | 4.53027 | f47615205dbf8f6baed99f044aeb320d |
.rdata | 700416 | 511494 | 512000 | 4.53321 | f65ab691a6c6d397227ed28a4c8ef0c0 |
.data | 1212416 | 309931 | 86016 | 3.41518 | ae508075da10511c366fb96537b6ec2b |
.rsrc | 1523712 | 95848 | 98304 | 4.91199 | 511e90172753825c97e2015c5b42abca |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://s1.uuwise.com/Api/config.aspx | 116.255.181.152 |
lc.uudama.com | 116.255.181.147 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /Api/config.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.5
Version: 2.0.0.5
HASH: dc6b73cbd1f6f5cec640a8c634ae50c8
Cache-Control: no-cache
Accept: */*
TTL: 1439765218166
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 378
Host: s1.uuwise.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="HASH"
151DACFFAD6E2D210D6B75795BA0A980
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
103287
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1439765218072
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 22:46:59 GMT
Server: Microsoft-IIS/6.0
ServerV: 10040
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2pdakv45eujs2mzlriqmj345; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 180
313030302C6C632E757564616D612E636F6D3A393230303A3130312C7570622E7575776973652E636F6D3A38303A3130322C7570622E7575776973652E636F6D3A38303A3130332C7C307C3139342E3234322E39362E32313820
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps