Tue, 03/21/2017 - 04:07

Trojan.Generic.20490643_ce58858cf9

Trojan.Generic.20490643 (B) (Emsisoft), Trojan.Generic.20490643 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS) Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ce58858cf934faff370df9a87e4501d6

SHA1: 885b88738a383cb225250059a76ab45031648464

SHA256: 50f0c5f4bb9a2ce652f9bbfe0d23d0b4944c3da528a850bf5ff0284392552317

SSDeep: 24576:UZImNoP3JCGtsmUWABcCktGtIRb92nxfN2nqhXjuLojq8C:Uz fJYmUCCa8IRx2x12qh6LalC

Size: 1527808 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2016-11-03 08:04:54

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:1900

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:1900 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sslnavcancel[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getimage[1].jpg (2144 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sslnavcancel[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getimage[1].jpg (2144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (692 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\navcancl[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1224 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??????
Product Name: 2016???Q??Q??[vip?????]
Product Version: 1.9.6.0
Legal Copyright:

Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.9.6.0
File Description: ????qq?????Q???
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)


PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             786106        786432    4.53179  ba838b5b8bd592a3c95f6970d847f793
.rdata  790528           617262        618496    4.89045  1d165cc57001bf63f3ee854cdd4bcbcb
.data   1409024          300234        86016     3.78543  c8df97cf31112958a5ee3352d27f2ad8
.rsrc   1712128          29704         32768     3.89631  4924d77ba657c49a0465f9ed68190932

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL | IP
hxxp://a1574.b.akamai.net/getimage?aid=11000101&0.46598424223382673 |
hxxp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673 | 112.90.83.73
hxxp://guenon.mig.tencent-cloud.net/web/payszx/index.jsp?p=yd&appId=1 |
hxxp://pay.qq.com/ | 14.18.245.151
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= |
hxxp://e6845.dscb1.akamaiedge.net/ss.crl |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= | 23.42.27.27
hxxp://mpay.qq.com/web/payszx/index.jsp?p=yd&appId=1 | 119.147.21.163
hxxp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673 | 2.21.89.43
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | 172.217.20.174
hxxp://ss.symcb.com/ss.crl | 23.42.21.163
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | 172.217.20.174
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | 23.42.27.27
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= | 23.42.27.27

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1

Cache-Control: max-age = 363986

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sun, 17 Nov 2013 16:06:48 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1454

content-transfer-encoding: binary

Cache-Control: max-age=396679, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Mar 2017 15:56:48 GMT

Expires: Fri, 24 Mar 2017 15:56:48 GMT

Date: Mon, 20 Mar 2017 01:48:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0........FC..&..<.0...Y......20170317155648Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..%...0a.. ...M|......20170317155648Z....20170324155648Z0...*.H.............~y..._e.OK.E.d..p.....-..g..CT.0.~.....().sK..}...c;..Q;.;F.^zv...F(....7U.........3...;...yt..<.v.......]Z..A.o.Fd...i}....t5@o.iU..~......y.Sv0K^p.,...*......?!~...diK.q...qr..."?.W...{S....$.......S..\6.M....b.)........MZ..4_..#.....Z.....[.2...dw...%.u....0...0...0..4.......My_e.\....'....j0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...161122000000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 50.."0...*.H.............0.............4..IP.....B..h.....]..).]w.!"..a..{...="....._...~.s1.E.......;...6&/...\2..A....\..T aH:.8lH^.....l.v.$...K=sZf.*.|.%.Pb.......B..*f.T\w.:.s.... ....9..4..cV...3.qc.c..j<.f.....>1X.I...P%?.........5R-....Ca14..X.U....u.....:.z.\.k..b.E.v..,.J................0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-470...*.H.............G..\..R.P..e]...N.....m.....4f......b4"8v..b.R....`.Auz..........2=...@..........5..cWh....J......r...g.h......Kw'...j.@...x.....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1609

content-transfer-encoding: binary

Cache-Control: max-age=591891, public, no-transform, must-revalidate

Last-Modified: Sun, 19 Mar 2017 22:08:46 GMT

Expires: Sun, 26 Mar 2017 22:08:46 GMT

Date: Mon, 20 Mar 2017 01:48:22 GMT

Connection: keep-alive

0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....20170319220846Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C....qv.n..`..l....~S....20170319220846Z....20170326220846Z0...*.H..............f.#........H......<..4n....*...M.........[S.o..{......[D...7........*..jf]6.<...&..4*....@......q..S.)..Q.........^.^.>..n.....TGC=......R.......BVjuHY.FLS......sE.S$S!...^.%.......g....vC......W.F_"Z.k.f...bae........G......B.StZ...jv...O.A]..l.5;...U......n0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Responder0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0....!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{........4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U....TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.....x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://www.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0...*.H.............x..b5XG.........T^2.....T..............zq.............f....#|.....P...R.....]...la.(.21{...C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.....&l

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=405589, public, no-transform, must-revalidate

Last-Modified: Fri, 17 Mar 2017 18:27:12 GMT

Expires: Fri, 24 Mar 2017 18:27:12 GMT

Date: Mon, 20 Mar 2017 01:48:16 GMT

Connection: keep-alive

0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..20170317182712Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..Q?.t8p.4@A.0........20170317182712Z....20170324182712Z0...*.H................E9.q.h..T.vi.K.}[.....v.9......F...&......X..d6pj..q.Q..,R..F.$.........o:g*.|...n..1.q|...c....n..W.q......7....1mX-....hr..'...6...&...e.|....q8@........'~._.T..i..Z."...)..........V....V.U.e.......,.|.....L...X.j)....n...V(..%."fO[Q..\..."y.e....Z.B.....0...0...0..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...161122000000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 50.."0...*.H.............0.............................m..|........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4.....D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://www.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g...S.

<<< skipped >>>

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: captcha.qq.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tencent http server

Accept-Ranges: bytes

Pragma: No-cache

P3P: CP=CAO PSA OUR

Content-Length: 2368

Set-Cookie: verifysession=h013d04c62b54ab627dc04a93fd526c5eb5ad88ad941617911717f7034478cfb6b06ad58adbbb4933f0; PATH=/; DOMAIN=qq.com;

Connection: close

Content-Type: image/jpeg

......JFIF............."5ef65eed..B.............aG.........C................(.....1#%.(:3=<9387@H\N@DWE78PmQW_bghg>Mqypdx\egc...C......./../cB8Bcccccccccccccccccccccccccccccccccccccccccccccccccc......5...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......H.i...2.%..9.3.=sR......Y.......(.b.s..=.s.Wp].w3.[.b@....s..... q..R...8,.7!......3.*...4\.m....9.Gv.jM..[..]...J.-.ln..#..q]..vo.!.14FE....z...r..Wv..D...........8..]v.o{kbc.&ig-..r.A......1q..........J(....(...k.Dg ...(.?A\...v..h..o........$(.x.......6..\G.R..0....^wv..#BQ0.$.,...B.....n..f.21.&.=.7.F...a..H?..O. F........v.....Q.p......"...H............I_......M..a..>.E...H..U.Rzr n..NPv..jI..QEIAE.P.'.....-m.R?...H.........s.(k{|G01.Y.N>.<~u....s.:....d....p8....o...m<.F.8.$~.s...^.*...ZW.__.c.P..9.(.lu7.-.O`..2..)<...?.kZ....3Zh.*)...?.Z..4...a..f..`p......8,!.....v7...........3....8)^....&w.x........$....r.... g|.zF?....f...3...i<.{.....?.jWV2[Ab.Qu2>..?..%B..AGu}.M...._.....[..c....."kh.....<...E.<h.B-..1.#.St}SSM.......(.f..q..c:.j....l...:g....I..:.z.$....q....$o#.EE%J....1...Sk...Ch.R..}.. ../.R.]..].9..I.f0..`.*s..

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: pay.qq.com

Connection: Keep-Alive

Cookie: verifysession=h013d04c62b54ab627dc04a93fd526c5eb5ad88ad941617911717f7034478cfb6b06ad58adbbb4933f0

HTTP/1.1 302 Found

Date: Mon, 20 Mar 2017 01:48:04 GMT

Server: Apache

Location: hXXps://pay.qq.com/

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 183

Connection: close

Content-Type: text/html; charset=iso-8859-1

..........-....0.D.|...l..Z\.CD.Ga.J...).s8H.{r.......$..?.)......T.1.[.<..b..U...1...#.L.H !..}\..>. .C-...G.<...q..._.&.....i......=..U.H.....k......1h....}.U......9b.O.......El......

GET /web/payszx/index.jsp?p=yd&appId=1 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: mpay.qq.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: HTTP Load Balancer/2.0

Location: hXXp://pay.qq.com

Content-Type: text/html; charset=utf-8

Content-Length: 55

Date: Mon, 20 Mar 2017 01:48:03 GMT

Cache-Control: no-cache

Pragma: no-cache

The URL has moved <a href="hXXp://pay.qq.com">here</a>.HTTP/1.1 302 Found..Server: HTTP Load Balancer/2.0..Location: hXXp://pay.qq.com..Content-Type: text/html; charset=utf-8..Content-Length: 55..Date: Mon, 20 Mar 2017 01:48:03 GMT..Cache-Control: no-cache..Pragma: no-cache..The URL has moved <a href="hXXp://pay.qq.com">here</a>...

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: ptlogin2.qq.com

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: Tencent Login Server/2.0.0

Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673

Content-Type: text/html

Content-Length: 5

X-N: S

Date: Mon, 20 Mar 2017 01:48:02 GMT

Connection: keep-alive

X-N: S

0..HTTP/1.1 302 Moved Temporarily..Server: Tencent Login Server/2.0.0..Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673..Content-Type: text/html..Content-Length: 5..X-N: S..Date: Mon, 20 Mar 2017 01:48:02 GMT..Connection: keep-alive..X-N: S..0..

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: ptlogin2.qq.com

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: Tencent Login Server/2.0.0

Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673

Content-Type: text/html

Date: Mon, 20 Mar 2017 01:48:02 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

00000005..0....00000000..

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: captcha.qq.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tencent http server

Accept-Ranges: bytes

Pragma: No-cache

P3P: CP=CAO PSA OUR

Content-Length: 2010

Set-Cookie: verifysession=h0117b92d73648111be1fdbca1a1ac49993b053d64d525126f36d07e0df5556adc7168c603c3453ec68; PATH=/; DOMAIN=qq.com;

Connection: close

Content-Type: image/jpeg

......JFIF............."446566f3..B..............&.........C................(.....1#%.(:3=<9387@H\N@DWE78PmQW_bghg>Mqypdx\egc...C......./../cB8Bcccccccccccccccccccccccccccccccccccccccccccccccccc......5...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?../....1. |...<..zR...$............i.........g..4......Y...Cd..|g..J....B...${K.F9........Z].........2H........$..^G.s.~......j..i%.ke#g.P....4.b.[:.C.A..A...i&...;H.I......].. ..... .O.W..Ry.Cv..........h...[?..._.Gclf.$g....I5ryZv.z.%..l..W*.'?.z......:."1....}*T....kXR..F#......."9A.n.`.y. .I.x..1KI.-..7I....W..EJ.....P2I. ...t..I4.I...&..=..u.Q...v{?>I.\......4..KT/gw.4...o.F.dP....=..:.:sRxn.......yj.c'........C...........{q]-...Z..r.c>......f94..=.Q].!E.P.......|/u8..?....u.]..S...'p..8.?...E.J..S...\....q..#lR.7..$r.....v5.....%..h.....Kg.....<....#..&(.u>.B)..4....sK18....._.H...s.(o....Y..Iw*WqbG...._.<.x..Vn...?:w.ex..m....m.0A...[....H.U.}....y.Vt. .k.=Dx?...%`{;.}k.6.-....G$..:{.K............;pOo.z~..<Z..R2.@.......x..2.D..y....M..X.K.5..i.!.@.8.....(.x.-.\...i.....)-..a. Ua7p .-,D[.f.R^.d.... .&..`S...b=.3N......pI..,..`.~..*3

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1

Cache-Control: max-age = 345600

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 404 Not Found

Date: Mon, 20 Mar 2017 01:48:59 GMT

Content-Type: text/html; charset=UTF-8

Server: ocsp_responder

Content-Length: 1668

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

<!DOCTYPE html>.<html lang=en>. <meta charset=utf-8>. <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">. <title>Error 404 (Not Found)!!1</title>. <style>. *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//VVV.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//VVV.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}. </style>. <a href=//VVV.google.com/><span id=logo aria-label=Google></span></a>. <p><b>404.</b> <ins>Tha

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1

Cache-Control: max-age = 345600

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 404 Not Found

Date: Mon, 20 Mar 2017 01:49:05 GMT

Content-Type: text/html; charset=UTF-8

Server: ocsp_responder

Content-Length: 1668

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

<!DOCTYPE html>.<html lang=en>. <meta charset=utf-8>. <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">. <title>Error 404 (Not Found)!!1</title>. <style>. *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//VVV.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//VVV.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-..

GET /ss.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcb.com

HTTP/1.1 200 OK

Server: Apache

ETag: "2388cd8933b5c29a94912017ff29226d:1489957895"

Last-Modified: Sun, 19 Mar 2017 21:11:35 GMT

Date: Mon, 20 Mar 2017 01:48:26 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl

00006000..0....0.......0...*.H........0~1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec Class 3 Secure Server CA - G4..170319210119Z..170326210119Z0....0!....K..Kx.:.....37..160628125652Z0!....Rk.......(!u....160331033634Z0!....lv...>.?O...^...160622011159Z0!.....6w...iP...s.M..160608011251Z0!.......1^...B.Ph.H..161208073412Z0!....r-...0u..B\.`...160602011343Z0!.............. .....170306134411Z0!......1....9..a..&..170217175936Z0!....E.u2..1....L....160315011119Z0!....&...X.M?....&F..170223165404Z0!....N.....e....F?B..160401232208Z0!............XW.M....150816010821Z0!......x....Xvheqrv..170102113703Z0!......y.....a..C....160621011139Z0!....Q8*.|..]6.".4...150330080110Z0!.....!!..O..........151124201031Z0!....2.....E..yYT.E..161207145003Z0!....eL.Y icf}.:..N..140508200907Z0!....]3.>.o...SE.....170217175912Z0!.......BRyb. si..!..170211011123Z0!.......OD....G..7N..170211011123Z0!.......>..z(L..0i...150517010832Z0!......qBv,....XF....170315011039Z0!....m..D...j .......170303024631Z0!......Q.0...j.D.....160601160659Z0!.............j f....160613011111Z0!.....v.;..u7.3......160916195205Z0!....#...1.@..o.&8f..170217011223Z0!.....8.@.N..w.n.aw..160122052207Z0!.......n....[...6a..140729211122Z0!.....Z...k1S.<.. I..150727184447Z0!...";.M....Gp.f.....160621163727Z0!...#D..!jhMz........160906045841Z0!...#]........x.zW-..160329114327Z0!...$.K/."T....w`K...160215003231Z0!...%.vu..;..r*y..E..150802010744Z0!...&...$...tX...5...160810011135Z0!...(SD.....h.4vtr...160727

<<< skipped >>>

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1900:

%original file name%.exe_1900_rwx_10000000_0003E000:
