Gen:Variant.Graftor.7544 (B) (Emsisoft), Gen:Variant.Graftor.7544 (AdAware), GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c8c25605dc2395d196e5c43dde6110c9
SHA1: 6ccd282f6ae6c38bd5c4ca847e9236ab5eb76f26
SHA256: 77b1804937103d039478e13ae14f808f24b89dcd77a8ab74743e6da3326659cb
SSDeep: 98304:51fYhqdwkLQHHhsSYt8dIwsR3w7qdwkLQHHhsSYt8T:5TsKSO itsKSOa
Size: 3731456 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Appsinstaller
Created at: 2014-03-10 08:13:15
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:404
File activity
The process %original file name%.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\SkinH_EL.dll (88 bytes)
Registry activity
The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 7D EE 4C 3F E6 11 B0 41 DA 87 79 24 D1 62 D8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies the IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"á°Ë°æ±¾¸üÃÂÂÂ.exe" = "c:\%original file name%.exe"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\SkinH_EL.dll (88 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"á°Ë°æ±¾¸üÃÂÂÂ.exe" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 459798 | 462848 | 4.53827 | 80b3e15cff32ebcbfd7314971aa55935 |
.rdata | 466944 | 3178462 | 3178496 | 5.34907 | c99825f99d0ebc088335dcd82b02e44c |
.data | 3645440 | 266698 | 61440 | 3.38615 | 01e938f1f23778bc5c232c1b3a20d016 |
.rsrc | 3915776 | 22336 | 24576 | 3.31557 | 130774f231929b97276d75d6c1533080 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://bcs.duapp.com/xiaoba/......../config.xml | 123.125.114.82 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /xiaoba/......../config.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: bcs.duapp.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Content-Length
Accept-Ranges: bytes
Last-Modified: Thu, 08 May 2014 14:51:28 GMT
Expires: Sat, 24 May 2014 15:17:46 GMT
x-bs-version: 99843B68E4889158BA094511C49158BD
ETag: 67bd0f15aeb038a83139fee5c7c86ea6
Content-Type: text/xml
x-bs-request-id: MTAuMjMuMzcuMjk6ODA4MDoxOTQ5NzA0ODc4OjIxL01heS8yMDE0IDIzOjE3OjQ2IA==
Cache-Control: no-cache
x-bs-meta-crc32: 2472933773
Content-MD5: 67bd0f15aeb038a83139fee5c7c86ea6
x-bs-client-ip: MTkzLjEzOC4yNDQuMjMx
Content-Length: 467
Date: Wed, 21 May 2014 15:17:46 GMT
Server: BaiduBS
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_404: