
Thu, 03/30/2017 - 03:04

Gen.Variant.Strictor.113557_4a484393b1

Gen:Variant.Strictor.113557 (BitDefender), not-a-virus:RiskTool.Win32.IMEStartup.wpk (Kaspersky), Gen:Variant.Strictor.113557 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Strictor.113557 (FSecure), Gen:Variant.Strictor.113557 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)

Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


Summary

MD5: 4a484393b122ba5ea5d1805514cae7a1

SHA1: 8d2243dd4cc58c4c534f803dc0821c0d79c2566a

SHA256: 6bdb2996688a63f96abe515695e598eca3f39cea050d699303b5545078fd2f6b

SSDeep: 24576:LTCYvdzvWSMfXnK2YT6cixAVrcbzocI2qgVS/939TRho10FXB7CgBxlCKDdi:PC2ZTTYKIzM2Ze31R 10nQKD8

Size: 1689600 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, UPolyXv05_v6

Company: Essentware

Created at: 2017-03-10 19:56:10

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.

Dynamic Analysis

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es): No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:2880

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2880 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tj[1].htm (339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TA3DKYRR.txt (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UW7Q6M8K.txt (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (5 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (0 bytes)

Registry activity

The process %original file name%.exe:2880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CachePrefix" = ":2017032920170330:"
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CacheRepair" = "0"
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032920170330]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4a484393b122ba5ea5d1805514cae7a1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tj[1].htm (339 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\navcancl[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\httpErrorPagesScripts[1] (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032920170330\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TA3DKYRR.txt (125 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\67ff8.tmp (7971 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UW7Q6M8K.txt (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68018.tmp (5873 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68029.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\httpErrorPagesScripts[1] (5 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ????????
Product Name: ????????
Product Version: 6.9.0.1
Legal Copyright: www.ucbug.com
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.9.0.1
File Description: www.ucbug.com ????????
Comments: www.ucbug.com ????????
Language: English (United States)


PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             1155072       377344    5.54477  44750dc3d7d55f6bc2ea59d40f798f24
.rdata   1159168          1851392       1270272   5.54489  2276e4dafe764542faeb433e6ebc482c
.data    3010560          356352        25088     5.53681  ba6aa45e09846f30d7371f19635b8759
.rsrc    3366912          24576         8192      4.38443  e8b3824af427c19c862f93bbaa7ba64d
.asssjj  3391488          8192          7680      3.80535  3c6ec7784d2b6ba0fc72e03d32c8354f
.adata   3399680          4096          0         0        d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL                                                           IP
hxxp://asssjjdata.sddata6.com//asjjdata/cs.txt                192.225.225.167
hxxp://asssjjdata.sddata6.com//asjjdata/banben.txt            192.225.225.167
hxxp://asssjjdata.sddata6.com//asjjdata/zdbanben.txt          192.225.225.167
hxxp://asssjjdata.sddata6.com//asjjdata/tj.html?V6.9          192.225.225.167
hxxp://asssjjdata.sddata6.com//asjjdata/gxdz.txt              192.225.225.167
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1252900975&show=pic
hxxp://s23.cnzz.com/stat.php?id=1252900975&show=pic           1.99.192.16
dns.msftncsi.com                                              131.107.255.255
my.4399.com
c.cnzz.com
asdata.ui10.net
z5.cnzz.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET //asjjdata/cs.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: asssjjdata.sddata6.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 1

Content-Type: text/plain

Last-Modified: Wed, 22 Feb 2017 18:53:54 GMT

Accept-Ranges: bytes

ETag: "a564d133d8dd21:17ec"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 29 Mar 2017 14:25:39 GMT

1HTTP/1.1 200 OK..Content-Length: 1..Content-Type: text/plain..Last-Modified: Wed, 22 Feb 2017 18:53:54 GMT..Accept-Ranges: bytes..ETag: "a564d133d8dd21:17ec"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Wed, 29 Mar 2017 14:25:39 GMT..1....

GET //asjjdata/banben.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: asssjjdata.sddata6.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 4

Content-Type: text/plain

Last-Modified: Fri, 17 Mar 2017 14:29:08 GMT

Accept-Ranges: bytes

ETag: "9564d0d62a9fd21:17ec"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 29 Mar 2017 14:25:46 GMT

V7.0....

GET //asjjdata/zdbanben.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: asssjjdata.sddata6.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 4

Content-Type: text/plain

Last-Modified: Sat, 19 Jul 2014 17:54:04 GMT

Accept-Ranges: bytes

ETag: "c4cbe46d7aa3cf1:17ec"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 29 Mar 2017 14:25:46 GMT

V0.1....

GET //asjjdata/tj.html?V6.9 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: asssjjdata.sddata6.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 339

Content-Type: text/html

Last-Modified: Sat, 19 Jul 2014 18:20:35 GMT

Accept-Ranges: bytes

ETag: "978397227ea3cf1:17ec"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 29 Mar 2017 14:25:46 GMT

<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("ipt src='" cnzz_protocol "s23.cnzz.com/stat.php?id=1252900975%26show=pic' type='text/javascript'>"));</script>..

GET //asjjdata/gxdz.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: asssjjdata.sddata6.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 30

Content-Type: text/plain

Last-Modified: Fri, 17 Feb 2017 23:13:24 GMT

Accept-Ranges: bytes

ETag: "6dd8a707389d21:17ec"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 29 Mar 2017 14:26:07 GMT

hXXp://VVV.asssjj.com/?6.72|W|HTTP/1.1 200 OK..Content-Length: 30..Content-Type: text/plain..Last-Modified: Fri, 17 Feb 2017 23:13:24 GMT..Accept-Ranges: bytes..ETag: "6dd8a707389d21:17ec"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Wed, 29 Mar 2017 14:26:07 GMT..http://VVV.asssjj.com/?6.72|W|..

GET /stat.php?id=1252900975&show=pic HTTP/1.1

Accept: */*

Referer: hXXp://asssjjdata.sddata6.com//asjjdata/tj.html?V6.9

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: s23.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 10990

Connection: keep-alive

Date: Wed, 29 Mar 2017 13:07:52 GMT

Last-Modified: Wed, 29 Mar 2017 13:07:51 GMT

Cache-Control: max-age=5400,s-maxage=5400

Via: cache20.l2et2-1[0,200-0,H], cache4.l2et2-1[6,0], kunlun4.cn74[0,200-0,H], kunlun5.cn74[0,0]

Age: 4707

X-Cache: HIT TCP_MEM_HIT dirn:11:32477764

X-Swift-SaveTime: Wed, 29 Mar 2017 13:43:01 GMT

X-Swift-CacheTime: 3291

Timing-Allow-Origin: *

EagleId: deba319e14907975798336642e

(function(){function k(){this.c="1252900975";this.ca="z";this.Z="pic";this.W="";this.Y="";this.C="1490792871";this.aa="z5.cnzz.com";this.X="";this.G="CNZZDATA" this.c;this.F="_CNZZDbridge_" this.c;this.P="_cnzz_CV" this.c;this.R="CZ_UUID" this.c;this.L="UM_distinctid";this.H="0";this.K={};this.a={};this.Aa()}function g(a,.b){try{var c=[];c.push("siteid=1252900975");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,m=decodeURIComponent,r=unescape;k.prototype={Aa:function(){try{this.ja(),this.V(),this.wa(),this.T(),this.za(),.this.w(),this.ua(),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa(),this.oa(),thCustomVar":if(3<=a.length){if(!a[1]||!a[2])return!1;var d=a[1],l=a[2],n=a[3]||0;a=0;for(var h in this.a.b)a ;if(5<=a)return!1;var p;0==n?p="p":-1==n||-2==n?p=n:p=(new Date).getTime() 1E3*n;this.a.b[d]={};this.a.b[d].da=l;this.a.b[d].h=p;this.I()}break;case "_deleteCustomVar":2<=a.length&&(d=a[1],this.a.b[d]&&(delete this.a.b[d],this.I()));break;case "_trackPageContent":a[1]&&(this.D=a[1],this.s(),delete this.D);case "_trackPageAction":c=.[];a[1]&&a[2]&&(c.push(f(a[1])),c.push(f(a[2])),this.u=c.join("|"),this.s(),delete this.u);break;case "_setUUid":var m=a[1];if(128<m.length)return!1;var k=

<<< skipped >>>

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_2880:

.text
`.rdata
@.data
.rsrc
.asssjj
.adata
t$(SSh
~%UVW
u$SShe
Bv=kAv.SCv
kernel32.dll
gdi32.dll
user32.dll
ntdll.dll
wininet.dll
shlwapi.dll
ws2_32.dll
WS2_32.dll
mswsock.dll
Shlwapi.dll
GetAsyncKeyState
MsgWaitForMultipleObjects
MapVirtualKeyA
GetKeyNameTextA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
WebBrowser
hXXp://my.4399.com/zhuanti/home/adxsk-getCode-app-ssjj-sid-
(*.txt)|*.txt|
(*.*)|*.*
hXXp://my.4399.com/yxssjj/
hXXp://my.qzone.qq.com/app/1102503166.html
).txt
00ptlogin2.qq.com
ptnick_
ptui_loginuin=
hXXp://
\dm.dll
!!"#$%&'())?
%C%]uSj
Ha.QE
xCmD$L
s.Nd)
A_%.ID,
n.Nn0 b
[email protected]
T8.Sz
.dTR0
.PWh=j
nL.nP?
webH
NQt%F
.XV LV#
PGPus(.Gz
.ROH=
]v%UO
uù u
0k00[ `.kh#
.scwX
?456789:;
!"#$%&'()* ,-./0123
CxImage 6.0.0
deflate 1.2.3 Copyright 1995-200d
a .WO
e processors when executed
>support g
X:
UxTheme.dll
;9HttpCli
7.PAVCExcep=^
.1.2600.441~
PSAPI.DLLU%f
%u%x-
88.185.3
20 4.49.
0.4.10n
129.6.15.29
202.120.
\.\%c
g%s#$A
"LuCBy%d
./*.bmp
log.tx
cpublic.inject.type.54
LL keypadput
k.ap*
.=.minmax
x.cfake`?
defense.szX
.sel/O
on.Leve
mp7%ss
tCPo
wKeyboardD
Scsi%d:
H%d_%
1.2.24
%ct t
: %s=
= (%d/10
gx=%f, gy
%ld, pass
xkey
'%ds=
3%u B
orm.de6
`O%dhx%dv qV
FD=%u, "
'z %4u
iY;kUnkeY
%ld%c$
-t.SSSj
MSVCRT
ntoskrnl.exQ
8)[email protected]|9
#&$&@'!?
9}%U}
3(Ýd
6,?-.7?`
SAPI.DLLK04e
506:6?6[
8(83888?
>,?0?4?8?
.net4x7
.Crz03
hÕ@e
:;.ofSb
R.of'z
B{.zS,y
6o.ob#
Ftpf
PIpE
.Sj_^
.vCb'PK
WlCmd
l%u$}0
Jy%s2;J
x-d}X
_~.SO
'.Sj?
.Increm
WinExe&Copy
.DIBi
uDPtoLPNq`n
[email protected]@[email protected]
ad.boa
.DD-?J8
1,//2/,/
7G#V%F
(.text
@.tp0
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'
'Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}
dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'
CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'
ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
KeyPress
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
[email protected]
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
IMM32.dll
MFC42.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
RegCloseKey
dm.dll
dm.dmsoft
hXXp://my.4399.com/yxssjj/?from=news&newsrefer=
FpUdP
:t6.dB
s.ftlZ
Y.dlh
oLQP.xL
0244>" `
%U{&X
ComboLBox%SHE_
otkeyScrol;r[MDIClil
#3276870
l5k%x-l h
9p%s m)t4`#
&y1`Ð
f`c%US.
COMCTL32.dll
MSIMG32.dll
MSVFW32.dll
SkinH_EL.dll
ptlogin.4399.com
hXXp://VVV.ucbug.com/soft/42883.html
VVV.asssjj.com (
hXXp://asdata.ui10.net/
/asjjdata/cs.txt
hXXp://asssjjdata.sddata6.com/
hXXp://VVV.asssjj.com/
/asjjdata/banben.txt
/asjjdata/zdbanben.txt
/asjjdata/tj.html?V
hXXp://asssjjdata.sddata6.com/asjjdata/tj.html?V
/asjjdata/gxdz.txt
hXXp://VVV.ucbug.com/
VVV.ucbug.com
/asjjdata/gonggao/gglx.txt
/asjjdata/gonggao/tcgg.txt
/asjjdata/gonggao/wbgg.txt
! VVV.ucbug.com
/asjjdata/gonggao/zxgg.html
/asjjdata/tjrj.txt
hXXp://asssjjdata.sddata6.com/asjjdata/tjrj.txt
hXXp://asdata.ui10.net/asssjjdata/logindata/tjjs.txt
VVV.ucbug.com (
asdata.sddata6.com
127.0.0.1
VVV.ucbug.com
VVV.asssjj.com
WS2_32.DLL
wsock32.dll
sound/player/pl_step.mp3
sound/kill/head_shot.mp3
sound/weapon/m3_fire.mp3
.Pr!J
!.h%X
TS.bt
[email protected]#
"1.Zx7
.jYhH
O%5sX
't%Fs
;N.VL
%Fg04L
s.iF_
.Jz$&
.Ha7%7
.OZ>8b)LwS
A%u3*
,)
uXJ2X.Ag
*Xt.GO
AZ.NR
f-8},
j'.tm
,.XxG
S%u&ns/$
&.KxM
%SV4F&1
)\.CK
F.xo-d
Y.HH ep:
hXXp://asdata.ui10.net/asssjjdata/logindata
hXXp://asdata.sddata6.com/asssjjdata/logindata
/t.asp
/login.asp
/reg.asp
/shiy.asp
@Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
/lobby.php?
hXXp://asdata.ui10.net/asssjjdata/logindata/tsdata1611.txt
hXXp://asdata.sddata6.com/asssjjdata/logindata/tsdata1611.txt
d3d9.dll
[email protected]://cdn.ssjj.iwan4399.com
lobby.php
qqopenapp.com/
index_qq.php
/index_qq.php?
VVV.ucbug.com
ddd
d:d:d
d-d-d
d/d/d
d.d.d
ddd
d-d-d d:d:d
d/d/d d:d:d
d.d.d d:d:d
dddddd
G|Z%d
GetKeyboardType,MessageBoxA,CharNextA
advapi32.dll
RegQueryValueExA,RegOpenKeyExA,RegCloseKey
javascript:parent.window.UniLogin.toQzoneLogin(true)
javascript:parent.window.UniLogin.toWeiboLogin(true)
javascript:parent.window.UniLogin.toWeixinLogin(true)
qq.com/cgi-bin/xlogin?appid=
4399.com/qzone/callback.do?code=
weibo.com/oauth2/authorize?forcelogin=
4399.com/weibo/callback.do?state=
weixin.qq.com/connect/qrconnect?appid=
4399.com/weixin/callback.do?
C:\Windows\System32\Drivers\etc\hostshXXp://VVV.super-ec.cnhXXp://wghai.com/echXXp://qsyou.com/echXXp://bbs.wghai.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/ec-user.php?string=hXXp://down.wghai.com/up/super-ec/
.txthXXp://down.wghai.com/up/super-ec/tongji.asphXXp://down.wghai.com/up/super-ec/ec.txt
hXXp://VVV.super-ec.cn
" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
[email protected]
V6.9 VVV.ucbug.com
hXXp://asssjjdata.sddata6.com/asjjdata/gonggao/zxgg.htmlP
(VVV.ucbug.com)
hXXp://extlogin.4399.com/qzone/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1429304245861

hXXp://extlogin.4399.com/weibo/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1429304302642

hXXp://extlogin.4399.com/weibo/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1429304302642

hXXp://extlogin.4399.com/weixin/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1435328091750

hXXp://extlogin.4399.com/weixin/redirectToAuthorize.do?params=postLoginHandler=default&redirectUrl=&appId=ssjj&gameId=news&cid=-1&aid=-3&ref=&autoLogin=false&v=1435328091750

%d&&'

%d&&'

123456789

123456789

00003333

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

RegisterHotKey

RegisterHotKey

UnregisterHotKey

UnregisterHotKey

GetKeyboardLayout

GetKeyboardLayout

VkKeyScanExA

VkKeyScanExA

keybd_event

keybd_event

GetViewportOrgEx

GetViewportOrgEx

WINSPOOL.DRV

WINSPOOL.DRV

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

ShellExecuteA

ShellExecuteA

oledlg.dll

oledlg.dll

WSOCK32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

%x.tmp

%x.tmp

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

1.6.9

1.6.9

unsupported zlib version

unsupported zlib version

png_read_image: unsupported transformation

png_read_image: unsupported transformation

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

libpng error: %s

libpng error: %s

libpng warning: %s

libpng warning: %s

1.1.3

1.1.3

bad keyword

bad keyword

libpng does not support gamma background rgb_to_gray

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

Palette is NULL in indexed image

(%d-%d):

(%d-%d):

%ld%c

%ld%c

%d%d%d

%d%d%d

rundll32.exe shell32.dll,

rundll32.exe shell32.dll,

VVV.dywt.com.cn

VVV.dywt.com.cn

index.dat

index.dat

desktop.ini

desktop.ini

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

its:%s::%s

its:%s::%s

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

[email protected]@

zcÁ

zcÁ

hXXp://VVV.asssjj.com/?6.72|W|

hXXp://VVV.asssjj.com/?6.72|W|

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

The procedure entry point %s could not be located in the dynamic link library %s

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

winmm.dll

winmm.dll

rasapi32.dll

rasapi32.dll

winspool.drv

winspool.drv

shell32.dll

shell32.dll

oleaut32.dll

oleaut32.dll

comctl32.dll

comctl32.dll

3, 1233, 0, 0

3, 1233, 0, 0

13456789

13456789

1, 0, 6, 6

1, 0, 6, 6

(*.*)

(*.*)

6.9.0.1

6.9.0.1

VVV.ucbug.com

VVV.ucbug.com

%original file name%.exe_2880_rwx_0073C000_00003000:


%original file name%.exe_2880_rwx_019F0000_0003D000:
