Skip to main content

Trojan.Generic.12788002_7c2f7a62a1


Trojan.Generic.12788002 (B) (Emsisoft), Trojan.Generic.12788002 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 7c2f7a62a1e87ec835623d2d32ccb079

SHA1: d573c3c694357518cc0824e90f29dde9326246e2

SHA256: 945b74c93e31dd29029d642e7930a513d947e545564a4b91fc31d6d18d599f73

SSDeep: 6144:2f8jZtAaaoR6LronjyWLf2bGY434mWA6oI7oRNV/7TJMIQaP/p0g:2fQZak6LU20cm4eI7orTfQaP/p0

Size: 407552 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6

Company: no certificate found

Created at: 2015-01-21 13:10:59

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:556

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\24094908420141110112210[1].htm (46662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xunleihuiyuan[1].htm (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\584[1].htm (5041 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\2409490842014111013118567[1].htm (34684 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\24094908420141110112210[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xunleihuiyuan[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\2409490842014111013118567[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\584[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A E9 DF 91 D0 BE AA 22 A1 0E F4 18 DB 2D 4E 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\24094908420141110112210[1].htm (46662 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xunleihuiyuan[1].htm (8281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\584[1].htm (5041 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\2409490842014111013118567[1].htm (34684 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: NVIDIA Corporation
Product Name: ?????????
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United Kingdom)

Company Name: NVIDIA CorporationProduct Name: ?????????Product Version: 1.0.0.0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: Comments: Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0409668403200d41d8cd98f00b204e9800998ecf8427e
UPX16881283809283804165.484265987f5a34497fa282352081bc4e8ad97
.rsrc106905628672261123.7531640f27eef385a0b0ffc08817c045f9511

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://www.buyuba.pw/scrs.php113.10.242.21
hxxp://skins12138.blog.163.com/blog/static/24094908420141110112210/115.238.126.134
hxxp://www.xunleihuiyuan.net/vip/584.html116.211.121.155
hxxp://skins12138.blog.163.com/blog/static/2409490842014111013118567/115.238.126.134
hxxp://www.xunleihuiyuan.net/116.211.121.155

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Referer: hXXp://VVV.xunleihuiyuan.net/

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: VVV.xunleihuiyuan.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 18 May 2015 06:24:39 GMT

Content-Type: text/html; Charset=UTF-8

Content-Length: 25761

Connection: keep-alive

Vary: Accept-Encoding

Cache-Control: max-age=3600

X-Cache: miss

Expires: Mon, 18 May 2015 07:24:39 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh-CN" lang="zh-CN">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<meta http-equiv="Content-Language" content="zh-CN" />...<meta name="Keywords" content="..................,......VIP......,......VIP......" />...<meta name="description" content="...................................................VIP.................................................................." />...<title>..........................._.............................................</title>...<!-- <link rel="stylesheet" rev="stylesheet" href="hXXp://VVV.xunleihuiyuan.net/themes/dazhuer/style/dazhuer.css" type="text/css" media="screen" /> -->...<link rel="stylesheet" rev="stylesheet" href="hXXp://VVV.xunleihuiyuan.net/themes/dazhuer/source/style.css.asp" type="text/css" media="screen" />...<link rel="alternate" type="application/rss xml" href="hXXp://VVV.xunleihuiyuan.net/rss.xml" title="..........................." />...<script language="JavaScript" src="hXXp://VVV.xunleihuiyuan.net/script/common.js" type="text/javascript"></script>...<script language="JavaScript" type="text/javascript">....var str00="hXXp://www.xunleihuiyuan.net/";....var str01="...........................";....var str02="...........................";....var str03="..........

<<< skipped >>>

GET /vip/584.html HTTP/1.1

Referer: hXXp://VVV.xunleihuiyuan.net/vip/584.html

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: VVV.xunleihuiyuan.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 18 May 2015 06:24:44 GMT

Content-Type: text/html

Content-Length: 20341

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Mon, 18 May 2015 04:29:24 GMT

Accept-Ranges: bytes

ETag: "b1c244382391d01:0"

X-Cache: miss

Expires: Mon, 18 May 2015 07:24:44 GMT

Cache-Control: max-age=3600

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh-CN" lang="zh-CN">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<meta http-equiv="Content-Language" content="zh-CN" />...<meta name="Keywords" content="........................,......VIP......,......vip......" />..<meta name="description" content="..................echangab:1......9995793..................mikumikumiku01:2......1933553..................mylee126:1......5753595" />..<meta name="author" content="root" />..<title>5...18... ........................ ..............._.................._...........................</title>...<!-- <link rel="stylesheet" rev="stylesheet" href="hXXp://VVV.xunleihuiyuan.net/themes/dazhuer/style/dazhuer.css" type="text/css" media="screen" /> -->...<link rel="stylesheet" rev="stylesheet" href="hXXp://VVV.xunleihuiyuan.net/themes/dazhuer/source/style.css.asp" type="text/css" media="screen" />...<link rel="alternate" type="application/rss xml" href="hXXp://VVV.xunleihuiyuan.net/feed.asp?cmt=584" title="Comments Feed for 5...18... ........................ ..............." />...<script language="JavaScript" src="hXXp://VVV.xunleihuiyuan.net/script/common.js" type="text/javascript"></script>...<script language="JavaScript" type="text/javascript">....var str00="hXXp://ww

<<< skipped >>>

GET /blog/static/2409490842014111013118567/ HTTP/1.1

Referer: hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: skins12138.blog.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 18 May 2015 06:24:49 GMT

Content-Type: text/html;charset=GBK

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: NTESBLOGSI=127E21863658A71DF007E4719EED3A2E.blog113-8010; Domain=.blog.163.com; Path=/

Set-Cookie: usertrack=c 5 hlVZhbHCSRdAYsPYAg==; expires=Tue, 17-May-16 06:24:49 GMT; domain=.163.com; path=/

P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

ac6.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return '4ef2023e0d0ccec5701674bb78203199';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _img1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. window.setTimeout(function(){.. if(!_loaded1){..

<<< skipped >>>

GET /blog/static/24094908420141110112210/ HTTP/1.1

Referer: hXXp://skins12138.blog.163.com/blog/static/24094908420141110112210/

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: skins12138.blog.163.com

Cache-Control: no-cache

Cookie: NTESBLOGSI=127E21863658A71DF007E4719EED3A2E.blog113-8010; usertrack=c 5 hlVZhbHCSRdAYsPYAg==

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 18 May 2015 06:24:51 GMT

Content-Type: text/html;charset=GBK

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

579.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.. <html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=7" />.. <meta http-equiv="content-type" content="text/html;charset=gbk"/>.. <meta http-equiv="content-style-type" content="text/css"/>.. <meta http-equiv="content-script-type" content="text/javascript"/>.. <meta name="version" content="neblog-1.0"/>.. <script type="text/javascript">.. .. .. document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash); .. document.domain = location.hostname.replace(/^.*\.([\w] \.[\w] )$/,'$1');.. window.focus();.. window.getMusicTimeStamp=function(){return '4ef2023e0d0ccec5701674bb78203199';};.. .. //BLOG-647:....OS.............................. (function(){.. window.setTimeout(function(){.. var _loginUserIcon = document.getElementById('loginUserIcon');.. var _rsavatarimg = document.getElementById('rsavatarimg');.. if(!!_loginUserIcon){.. var _loaded1 = false;.. var _img1 = new Image();.. _img1.onload = function(){.. _loaded1 = true;.. _img1.onload = null;.. };.. _img1.src = _loginUserIcon.src;.. ..5a8.. window.setTimeout(function(){.. if(!_loaded1){..

<<< skipped >>>

GET /scrs.php HTTP/1.1

Referer: hXXp://VVV.buyuba.pw/scrs.php

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: VVV.buyuba.pw

Cache-Control: no-cache

HTTP/1.1 400 Bad Request

Content-Type: text/html

Date: Mon, 18 May 2015 06:25:43 GMT

Connection: close

Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_556:

`.rsrc

`.rsrc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

wininet.dll

wininet.dll

kernel32.dll

kernel32.dll

ole32.dll

ole32.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

ShellExecuteA

ShellExecuteA

.rsrc

.rsrc

%S4WD

%S4WD

hg%fpM

hg%fpM

S.Ac9SR

S.Ac9SR

0.I%3s

0.I%3s

,wAe.kI

,wAe.kI

aiUy'4xu

aiUy'4xu

%c*@j

%c*@j

.eH'y

.eH'y

{&%U)

{&%U)

lj%4U

lj%4U

xe%CNs

xe%CNs

9F.cLe

9F.cLe

hJK.ZH

hJK.ZH

O.qt0

O.qt0

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

SkinH_EL.dll

SkinH_EL.dll

5v.KS

5v.KS

hXXp://VVV.xunleihuiyuan.net/

hXXp://VVV.xunleihuiyuan.net/

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/

hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/

hXXp://skins12138.blog.163.com/blog/static/24094908420141110112210/

hXXp://skins12138.blog.163.com/blog/static/24094908420141110112210/

WinHttp.WinHttpRequest.5.1

WinHttp.WinHttpRequest.5.1

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

@VBScript.RegExp

@VBScript.RegExp

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

VERSION.dll

VERSION.dll

WSOCK32.dll

WSOCK32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

GetCPInfo

GetCPInfo

WinExec

WinExec

GetProcessHeap

GetProcessHeap

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

GetViewportExtEx

GetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

InternetCrackUrlA

InternetCrackUrlA

.text

.text

`.rdata

`.rdata

@.data

@.data

5gcKey

5gcKey

kMo

kMo

Z{UrlA3

Z{UrlA3

ADVAPI32.dll

ADVAPI32.dll

comdlg32.dll

comdlg32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

SHELL32.dll

SHELL32.dll

WININET.dll

WININET.dll

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

WS2_32.dll

WS2_32.dll

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll

(*.*)

(*.*)

1.0.0.0

1.0.0.0

%original file name%.exe_556_rwx_00401000_00103000:

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

wininet.dll

wininet.dll

kernel32.dll

kernel32.dll

ole32.dll

ole32.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

ShellExecuteA

ShellExecuteA

.rsrc

.rsrc

%S4WD

%S4WD

hg%fpM

hg%fpM

S.Ac9SR

S.Ac9SR

0.I%3s

0.I%3s

,wAe.kI

,wAe.kI

aiUy'4xu

aiUy'4xu

%c*@j

%c*@j

.eH'y

.eH'y

{&%U)

{&%U)

lj%4U

lj%4U

xe%CNs

xe%CNs

9F.cLe

9F.cLe

hJK.ZH

hJK.ZH

O.qt0

O.qt0

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

SkinH_EL.dll

SkinH_EL.dll

5v.KS

5v.KS

hXXp://VVV.xunleihuiyuan.net/

hXXp://VVV.xunleihuiyuan.net/

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/

hXXp://skins12138.blog.163.com/blog/static/2409490842014111013118567/

hXXp://skins12138.blog.163.com/blog/static/24094908420141110112210/

hXXp://skins12138.blog.163.com/blog/static/24094908420141110112210/

WinHttp.WinHttpRequest.5.1

WinHttp.WinHttpRequest.5.1

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

@VBScript.RegExp

@VBScript.RegExp

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

VERSION.dll

VERSION.dll

WSOCK32.dll

WSOCK32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

GetCPInfo

GetCPInfo

WinExec

WinExec

GetProcessHeap

GetProcessHeap

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

GetViewportExtEx

GetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

InternetCrackUrlA

InternetCrackUrlA

.text

.text

`.rdata

`.rdata

@.data

@.data

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll

(*.*)

(*.*)

%original file name%.exe_556_rwx_10000000_0003E000:

`.rsrc

`.rsrc

L$(h%f

L$(h%f

SSh0j

SSh0j

msctls_hotkey32

msctls_hotkey32

TVCLHotKey

TVCLHotKey

THotKey

THotKey

\skinh.she

\skinh.she

}uo,x6l5k%x-l h

}uo,x6l5k%x-l h

9p%s m)t4`#b

9p%s m)t4`#b

e"m?c&y1`Ð

e"m?c&y1`Ð

SetViewportOrgEx

SetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

EnumThreadWindows

EnumThreadWindows

EnumChildWindows

EnumChildWindows

`c%US.4/

`c%US.4/

!#$

!#$

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.UPX0

@.UPX0

`.UPX1

`.UPX1

`.reloc

`.reloc

hJK.ZH

hJK.ZH

O.qt0

O.qt0

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

SkinH_EL.dll

SkinH_EL.dll

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll