Trojan.GenericKD.2525644 (B) (Emsisoft), Trojan.GenericKD.2525644 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5312a300604fcf5da5cb5b748b73c246
SHA1: 5cfcf139be7aed142e8939bc546d06abb907937c
SHA256: 19ba6787fd7ce37626481de9088cdf6da3bdd6e180750d924e31d78124384841
SSDeep: 49152:lxAeU88ItvaET/ve6pQZE8P5oYL/ZBWIk6cK:l5RlmwQZE8P5nL/n1n
Size: 1658368 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-06 01:08:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\title[1].css (984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\default[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41IR45E3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICNDMG3A\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9EJGDEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (23 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 BE 91 CB AD 81 26 1C 10 1F 9E A2 4A 36 71 A7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE security zone settings so that local web nodes with no dots in their name, which do not otherwise belong to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\title[1].css (984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\default[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41IR45E3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICNDMG3A\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9EJGDEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLNS9NSS\slzkai[1].htm (23 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ??
Product Name: ???????
Product Version: 1.8.0.7
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.8.0.7
File Description: ???????
Comments: ??????????(http://www.eyuyan.com)
Language: English (Canada)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1196032 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1200128 | 1585152 | 1584640 | 5.44337 | 669c644683ff5f96cb2fc3f4ebf28c04 |
.rsrc | 2785280 | 73728 | 72704 | 3.00236 | 6fc74614d8d823e554ef6b204b0a6607 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.hksite.cdncenter.cn/slzkai | |
hxxp://hpcc-page.cnc.ccgslb.net/website/plugin/title/css/title.css?v=14273332 | |
hxxp://hpcc-page.cnc.ccgslb.net/website/template/default/css/default.css?v=14105106 | |
hxxp://www.slzaqfh.com/slzkai | 119.28.1.58 |
hxxp://static.websiteonline.cn/website/plugin/title/css/title.css?v=14273332 | 60.6.197.39 |
hxxp://static.websiteonline.cn/website/template/default/css/default.css?v=14105106 | 60.6.197.39 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /slzkai HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.slzaqfh.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 08 Aug 2015 04:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Set-Cookie: PHPSESSID=qflmn0thk8gcq8otmmbq9g2rv4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
5a3f..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">...<head>....<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />...<title>.....................</title>...<meta content="........................................................................................................." name="keywords" />...<meta content="...................................................................................................................................................................................................................................................2......................................................95........." name="description" />.....<link rel="shortcut icon" href="hXXp://hk8289b1.pic21.websiteonline.cn/upload/ooopic_1421163015.ico" type="image/x-icon" />...<link rel="Bookmark" href="hXXp://hk8289b1.pic21.websiteonline.cn/upload/ooopic_1421163015.ico" />........<link href="hXXp://static.websiteonline.cn/website/template/default/css/default.css?v=14105106" rel="stylesheet" type="text/css" />.<link href="hXXp://static.websiteonline.cn/website/plugin/title/css/title.css?v=14273332" rel="stylesheet" type="text/css" />.<!--...............css-->..<style>...............prop_rotate_angle sup,.prop_rotate_angle .posblk-de
<<< skipped >>>
GET /website/plugin/title/css/title.css?v=14273332 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.slzaqfh.com/slzkai
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.websiteonline.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Connection: keep-alive
Date: Thu, 06 Aug 2015 02:36:26 GMT
Powered-By-ChinaCache: HIT from 06053323H8.18
Content-Length: 984
Last-Modified: Thu, 26 Mar 2015 01:29:00 GMT
Cache-Control: max-age=604800
Expires: Thu, 13 Aug 2015 02:36:26 GMT
Age: 179447
Server: Tengine/1.5.2
CC_CACHE: TCP_HIT
Accept-Ranges: bytes
@charset "UTF-8";...wp-title_content {overflow:hidden;}...wp-title_content .wp-script,...wp-title_content .wp-style,...wp-title_content .wp-iframe {display:none;font-size:0;width:0;height:0;}...wp-title_content img.wp-flash,...wp-title_content img.wp-rm,...wp-title_content img.wp-media {border:none;background-position:center center;background-repeat:no-repeat;width:32px;height:32px;}...wp-title_content img.wp-flash {background-image:url(../view/icons/flash.gif);}...wp-title_content img.wp-rm {background-image:url(../view/icons/rm.gif);}...wp-title_content img.wp-media {background-image:url(../view/icons/media.gif);}...wp-title_content img.wp-anchor {border:none;width:16px;height:16px;}...wp-title_content ul {list-style:disc inside;}...wp-title_content ul li {list-style-type:disc;}...wp-title_content ol {list-style:decimal inside;}...wp-title_content ol li {list-style-type:decimal;}...wp-title_content span, .wp-title_content p, .wp-title_content div {line-height:140%;}HTTP/1.1 200 OK..Content-Type: text/css..Connection: keep-alive..Date: Thu, 06 Aug 2015 02:36:26 GMT..Powered-By-ChinaCache: HIT from 06053323H8.18..Content-Length: 984..Last-Modified: Thu, 26 Mar 2015 01:29:00 GMT..Cache-Control: max-age=604800..Expires: Thu, 13 Aug 2015 02:36:26 GMT..Age: 179447..Server: Tengine/1.5.2..CC_CACHE: TCP_HIT..Accept-Ranges: bytes..@charset "UTF-8";...wp-title_content {overflow:hidden;}...wp-title_content .wp-script,...wp-title_content .wp-style,...wp-title_content .wp-iframe {display:none;font-size:0;width:0;height:0;
<<< skipped >>>
GET /website/template/default/css/default.css?v=14105106 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.slzaqfh.com/slzkai
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.websiteonline.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Connection: keep-alive
Date: Thu, 06 Aug 2015 02:34:08 GMT
Vary: Accept-Encoding
Powered-By-ChinaCache: HIT from 06053323H8.11
Content-Length: 3332
Content-Encoding: gzip
Expires: Thu, 13 Aug 2015 02:34:08 GMT
Last-Modified: Thu, 04 Sep 2014 03:15:00 GMT
Cache-Control: max-age=604800
Age: 179588
Server: Tengine/1.5.2
CC_CACHE: TCP_HIT
Accept-Ranges: bytes
...........Z.o...?......#.@r?.k.\$..u.C.C.^.`1K...s9,..jM.h{...A.E..........F.....5....}ofH.?vE....-.....7.....{.G...d......{..7zG.................Q....w7....=.F........}..{.......{.OXp.R...Ih.......K..4....<......Y.x..v.Bf.....*t..{..M...7.t..bI.t....=.uY81.lv.O....f.?`&u?Z%....M`hJg.3R...%Uj.i...]...6.Q....p!.$.u.p.|.e.nL..Ab'._..R. .K....L.......L..2..4.y(Yl.v.>..?en....uw......(Q....E........vc..<0....xi.a.J...X`.$B...75\....74.c......ng..D.u..p-..W.&b....tv.C.6...9..*1.0d.A.n.U....~.j..;.7....!y..".!j3.............f..0.......X<....#...U|px....@...?Bs.._...L..zy.....c..;.?...O...M.L.[a........DW)..../...h6.s.*.6y.......a....q.6L. ...;z.A..S..........ll.w7.|...B...#..$)["..~.j...;4..$vl.....f..b.....a..q.1a....l!....JJ.P..J..!A......X.......o..O..0`....v)&.P.<..s...[v.D....8f......}7..A...e..t:[...Eg..VieT......Hy$..4...h..l[.......;wp..$i@7...RNX.\,.;.#.Qo.\..s.)........^@H..z......^.3.K.C.G:..?...../.=}....O.u..OL..o.#......x..k...h..k.........b0..D".6W.:2".j...q. :'......c../f..o.c..'$wjm..Q.a...J0...`$Z.{....N.QW...{;..yM..HTTP/1.1 200 OK..Content-Type: text/css..Connection: keep-alive..Date: Thu, 06 Aug 2015 02:34:08 GMT..Vary: Accept-Encoding..Powered-By-ChinaCache: HIT from 06053323H8.11..Content-Length: 3332..Content-Encoding: gzip..Expires: Thu, 13 Aug 2015 02:34:08 GMT..Last-Modified: Thu, 04 Sep 2014 03:15:00 GMT..Cache-Control: max-age=604800..Age: 179588..Server: Tengine/1.5.2..CC_CACHE: TCP_HIT..Accept-Ranges: bytes.............Z.o...?......#.@r?.k.\$..u.C.C.^.`1K...s9,..jM.h{...
<<< skipped >>>
GET /slzkai HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.slzaqfh.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sat, 08 Aug 2015 04:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Set-Cookie: PHPSESSID=rb9m1bni7dr2rd89bka3b3pmr1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1c00.............\ys.......w.C..X.3..$..tQ<*...W.T.......... ..(.Q..X.%9Y[.-.r.X.-.Y.mY.wI...k...^..`..HPV..-Sq0G.........}...b..... U.ZUz.W._:0'.b..........~.../.$iJ\:h.....V].....CR..8......( I......T..,.:..1..S)9...s........f...655..S..}.C/.......@.i........ob....Y.........V.1.N.t`!.PZ2...m.........s.}......c.qT.rZ*Vt.i8..S.e.....N...........'.w..O......s7....z(..|....Zm....<|............Gw..|.f. .^.r.{....../.{...y..T.1...qt..KM.u?:.`?...w......'.b2.PONcX....[.j.....}...G..g...o.9......o6>.t...x...'.u.....~k../........I....I.....k.o..(................. .k..l.........]..|.~..=.....;.......S..{..7..|y..h...s.j....w.C...w0.....Kw7.....q..c@Y...Tz..p;...o....f.6.$..u..U..,.F5.jV,.)........m.=N.,g.....4.bBSV..$....m(...jT-..Z...y-....d\K ....0j.d..%C=...9O.F.oY.5.^~...A........7....,n..;=.1j....j.(......Mq.....9-...Z|"...9Z5...p...T.-Q|....phT[Kf..'..I.7zb2.L&F...Xl....['.g...9.~.b..i.&!......m5.....y..T5.f...x.4.f... .K.e..X.<fd5.q....Zvv..<.......\.8..e.t(/.........@q..*W<,X....Yo.q9.U.R......-....5K..4.|.8lT.x......q. =Yn..$".......t:P/[.....#..m..\w.. .6.t....>KO..z.Z1.9.i.#...b.K.:v.4.M.5........N.K&oe....b.K.._..!j..H3R.F.[....e...JMw.....c..H5F.....>..............-C.K.o......._4...E...T.......cS..........%1Y.../'px-.:....P.I.../0...e.....0e..X.*BL..Br..!..GiT./.k..F.l......y=.N)..s...a..q:.ry.I.!......*8..H...i..z.p;..!./.x..-.>....%..jF..Rl5...{P...%..{.....U.9J..z.~V..dP.Vq.b ..`By...@...2jVI...r.Z..U[.....`..c.k.\6.NS..XE......@...0@...U.a...).d:...B3...\p....L)./....f....
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_320:
`.rsrc
(i.Lh
t%SVh
t$(SSh
~%UVW
u$SShe
iphlpapi.dll
ws2_32.dll
user32.dll
kernel32.dll
ole32.dll
OLEACC.DLL
gdiplus.dll
Ole32.dll
gdi32.dll
advapi32.dll
GetExtendedTcpTable
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
843008880
k3"
Nc:\kss.ini
.idata
.edata
P.vmp0
`.vmp1
.reloc
P.rsrc
version.dll
shell32.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cff>
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
!%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&
.xk 4g
ShellExecuteA
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
5555555555
6666666666
%Program Files%\Internet Explorer\iexplore.exe hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://buyer.trade.taobao.com/trade/detail/trade_item_detail.htm?bizOrderId=
trade.taobao.com/trade/security/security
class="J_WangWang" data-nick="
class="J_WangWang" data-nick=
data-nick=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
1.9.exe
\ .bat
iexplore.exe
360chrome.exe
360SE.exe
SogouExplorer.exe
sogouexplorer.exe
The world .exe
twchrome.exe
Maxthon.exe
2345Explorer.exe
QQBrowser.exe
Liebao.exe
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
843008880@qq.com
hXXp://VVV.slzaqfh.com/slzkai4
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
right-curly-bracket
left-curly-bracket
0123456789
1057202
c:\%original file name%.exe
4300888
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
ScaleViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
%FN~/
UrlA3Q(
%Http
ADVAPI32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
SHELL32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
9.5.25.212
1, 0, 6, 6
- Skin.dll
(*.*)
1.8.0.7
(hXXp://VVV.eyuyan.com)
%original file name%.exe_320_rwx_00401000_002A6000:
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
iphlpapi.dll
iphlpapi.dll
ws2_32.dll
ws2_32.dll
user32.dll
user32.dll
kernel32.dll
kernel32.dll
ole32.dll
ole32.dll
OLEACC.DLL
OLEACC.DLL
gdiplus.dll
gdiplus.dll
Ole32.dll
Ole32.dll
gdi32.dll
gdi32.dll
advapi32.dll
advapi32.dll
GetExtendedTcpTable
GetExtendedTcpTable
GdiplusShutdown
GdiplusShutdown
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
RegCreateKeyA
RegCreateKeyA
RegOpenKeyA
RegOpenKeyA
RegEnumKeyA
RegEnumKeyA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
{B6F7542F-B8FE-46a8-9605-98856A687097}
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
WebBrowser
[I(3/#N0.bd
[I(3/#N0.bd
j"%u=w
j"%u=w
q%Xn`
q%Xn`
@|H.NI
@|H.NI
.wdd!
.wdd!
S|%u4
S|%u4
843008880
843008880
k3"
k3"
Nc:\kss.ini
Nc:\kss.ini
.idata
.idata
.edata
.edata
P.vmp0
P.vmp0
`.vmp1
`.vmp1
.reloc
.reloc
P.rsrc
P.rsrc
version.dll
version.dll
shell32.dll
shell32.dll
1e.ro4A
1e.ro4A
oleaut32.dll
oleaut32.dll
H0.gW
H0.gW
comctl32.dll
comctl32.dll
d.jF/"
d.jF/"
r#'%C
r#'%C
6.Xdp
6.Xdp
g|$^.Cn
g|$^.Cn
>.bM8
>.bM8
>Z.Ye
>Z.Ye
w4R`$p%s*
w4R`$p%s*
f.zo~L^
f.zo~L^
wsock32.dll
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cff>
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
!%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&
.xk 4g
ShellExecuteA
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
5555555555
6666666666
%Program Files%\Internet Explorer\iexplore.exe hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://buyer.trade.taobao.com/trade/detail/trade_item_detail.htm?bizOrderId=
trade.taobao.com/trade/security/security
class="J_WangWang" data-nick="
class="J_WangWang" data-nick=
data-nick=
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
1.9.exe
\ .bat
iexplore.exe
360chrome.exe
360SE.exe
SogouExplorer.exe
sogouexplorer.exe
The world .exe
twchrome.exe
Maxthon.exe
2345Explorer.exe
QQBrowser.exe
Liebao.exe
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
843008880@qq.com
hXXp://VVV.slzaqfh.com/slzkai4
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
right-curly-bracket
left-curly-bracket
0123456789
1057202
c:\%original file name%.exe
4300888
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
ScaleViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
%FN~/
9.5.25.212
1, 0, 6, 6
- Skin.dll
(*.*)
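The strings in the region above carry most of what a responder would pull from this report: the Taobao login and order-detail URLs, the `data-nick=` scrape markers, the list of Chinese browser process names, the two mailbox addresses, the Internet Settings registry paths, and the hook and registry imports. The Python below is an added example, not part of the Lavasoft report or of the sample's own code: it turns such a dump into categorised indicators and an N-of-M string check of the kind a memory scan would use. The input lines are copied from the dump (one duplicated on purpose to show the collapse), the reversal of the report's hXXp/VVV defanging is an assumption about that convention, and the signature list and quorum of three are my own choices rather than anything the report states.

```python
import re

# Constructed input: lines copied from the dump above (one duplicated on purpose).
DUMP = r"""%original file name%.exe_320_rwx_00401000_002A6000:
kssPlugin.dll
kssPlugin.dll
ks_GetMsg
hXXps://login.taobao.com/member/login.jhtml?redirectURL=http://buyer.trade.taobao.com/trade/itemlist/list_bought_items.htm?type=mytaobao&tracelog=newmdbb
class="J_WangWang" data-nick="
360SE.exe
Liebao.exe
843008880@qq.com
hXXp://VVV.slzaqfh.com/slzkai4
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SetWindowsHookExA
Reply-To: %s
"""

REGION_RE = re.compile(r"^%original file name%\.exe_\d+_rwx_[0-9A-Fa-f]{8}_[0-9A-Fa-f]{8}:$")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Browser process names the sample enumerates, as listed in the dump.
BROWSERS = {"iexplore.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe",
            "sogouexplorer.exe", "The world .exe", "twchrome.exe", "Maxthon.exe",
            "2345Explorer.exe", "QQBrowser.exe", "Liebao.exe"}
# Imports from the dump worth flagging on their own (hooks, process launch, registry writes).
NOTABLE_APIS = {"SetWindowsHookExA", "GetExtendedTcpTable", "WinExec", "ShellExecuteA",
                "RegCreateKeyA", "RegCreateKeyExA", "RegDeleteKeyA", "HttpSendRequestA"}


def dedupe_dump(text):
    """Return [(region, string)] with region headers consumed and consecutive
    verbatim duplicates (an extraction artifact of the report) collapsed."""
    out, region, prev = [], None, None
    for line in text.splitlines():
        if not line:
            continue
        if REGION_RE.match(line):
            region, prev = line[:-1], None
            continue
        if line != prev:
            out.append((region, line))
        prev = line
    return out


def refang(s):
    """Reverse the report's defanging (hXXp -> http, VVV. -> www.) for matching."""
    s = re.sub(r"\bhXXp(s?)://", r"http\1://", s)
    return re.sub(r"://VVV\.", "://www.", s)


def categorize(entries):
    """Bucket dumped strings into indicator classes; URLs stay defanged for reporting."""
    cats = {"urls": [], "emails": [], "registry": [], "browsers": [], "apis": []}
    for _region, s in entries:
        if s.startswith(("hXXp://", "hXXps://")) and len(s) > len("hXXps://"):
            cats["urls"].append(s)
        elif EMAIL_RE.match(s):
            cats["emails"].append(s)
        elif s.startswith("HKEY_") and "\\" in s:
            cats["registry"].append(s)
        elif s in BROWSERS:
            cats["browsers"].append(s)
        elif s in NOTABLE_APIS:
            cats["apis"].append(s)
    return cats


# Distinctive strings from this dump, refanged because in memory they are live URLs.
SIGNATURES = [refang(s).encode() for s in (
    "kssPlugin.dll", "ks_GetMsg", "SkinH_EL.dll",
    'class="J_WangWang" data-nick=',
    "hXXps://login.taobao.com/member/login.jhtml",
    "843008880@qq.com", "hXXp://VVV.slzaqfh.com/slzkai4")]


def scan(buffer, signatures=SIGNATURES, quorum=3):
    """N-of-M substring match over a file or memory buffer; returns (hit, matched)."""
    matched = [sig for sig in signatures if sig in buffer]
    return len(matched) >= quorum, matched


if __name__ == "__main__":
    entries = dedupe_dump(DUMP)
    for name, items in categorize(entries).items():
        print(f"{name}: {items}")
    # Constructed stand-in for a process memory read; strings are live there, not defanged.
    sample = b"\x00".join([b"ks_GetMsg", b"kssPlugin.dll",
                           b"https://login.taobao.com/member/login.jhtml?redirectURL="])
    print(scan(sample))
```

The quorum matters more than any single string: SkinH_EL.dll and the `- Skin.dll` version strings come from a commercial skinning library and the MFC and RealMedia strings from statically linked code, so on their own they will match benign e-language and MFC binaries. Requiring several of the sample-specific strings (the plugin export, the Taobao login URL, the QQ mailbox) keeps a memory scan from flagging every program that ships the same skin library.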
%original file name%.exe_320_rwx_00CB8000_0000C000:
x.yvr
x.yvkd
x.yvw
x.yvq5v
%original file name%.exe_320_rwx_00D4D000_000CA000:
version.dll
user32.dll
shell32.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
advapi32.dll
gdi32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
ntdll.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cff>
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
!%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&
.xk 4g
ShellExecuteA
RegCloseKey
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
kernel32.dll
%original file name%.exe_320_rwx_10000000_0003E000:
`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll