
Tue, 03/21/2017 - 04:07

Trojan.GenericKD.4581100_154c569534

Trojan.Win32.Kolovorot.aby (Kaspersky), Trojan.GenericKD.4581100 (B) (Emsisoft), Trojan.GenericKD.4581100 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS) Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 154c5695346bc935ddaffad51bd4704b

SHA1: f5c4132083eda4fb1f251ffa408edc22a0a78886

SHA256: e8c18d8c8e1d593561166ab2447c0c03faa795ea69173af189e4ca5dbbc89bf1

SSDeep: 12288:uP15tVxUjyvRb7z2ObyFmilIP odATQug/Q57IlDKUF:u1ojyvcObYQ EA/WQSlzF

Size: 667120 bytes

File type: PE32

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, UPolyXv05_v6

Company: no certificate found

Created at: 2015-09-25 08:58:55

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWorm: the worm can send e-mails. This verdict rests on the SMTP header templates (From:, To:, Subject:, Date:, Cc:) found in the dumped strings; the captured network activity below contains only HTTP, no SMTP session.


Process activity

The Trojan creates the following process(es): No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:1908

The only injection target is the sample's own process (PID 1908). The binary is ASPack-packed (see PEID above) and decompresses itself inside its own image, which the sandbox records as self-injection; no other process is written to.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
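
An added example, not part of the Lavasoft report: it parses a registry-activity listing in the format above into records and labels each one for triage. The sample text is copied from this report; the labels and the noise rule are my own. The HKLM\SOFTWARE\Microsoft\Tracing keys named <exe>_RASAPI32 and <exe>_RASMANCS are written by Windows for any process that touches the RAS/WinINet tracing machinery, and the <exe> part is simply the sample's filename in the sandbox (its MD5), so they indicate API use rather than persistence. The proxy and ZoneMap changes are what deserves a look.

```python
"""Added example (not from the report): parse a Lavasoft 'Registry activity'
listing into records and label each one for triage."""
import re
from typing import Iterator, NamedTuple, Optional


class RegChange(NamedTuple):
    action: str            # "set" or "delete"
    key: str
    value: str
    data: Optional[str]    # None for deletions


# Constructed sample: lines copied from the registry section of this report.
SAMPLE = r"""
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\154c5695346bc935ddaffad51bd4704b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
SET_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
DEL_RE = re.compile(r'^"([^"]+)"$')


def parse_registry_activity(text: str) -> Iterator[RegChange]:
    """Walk the listing: the 'creates and/or sets' / 'deletes' lines switch mode,
    [bracketed] lines select the current key, quoted lines are values."""
    action, key = "set", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("The Trojan deletes"):
            action = "delete"
            continue
        if line.startswith("The Trojan creates"):
            action = "set"
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = SET_RE.match(line)
        if m and action == "set":
            yield RegChange("set", key, m.group(1), m.group(2))
            continue
        m = DEL_RE.match(line)
        if m and action == "delete":
            yield RegChange("delete", key, m.group(1), None)


PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}


def classify(change: RegChange) -> str:
    """Triage label (my own scheme). The HKLM Tracing keys named <exe>_RASAPI32 and
    <exe>_RASMANCS are written by Windows for any process that uses RAS/WinINet; the
    <exe> part is the sample's filename in the sandbox (its MD5), so they show API
    use, not persistence."""
    k = change.key.lower()
    if "\\microsoft\\tracing\\" in k:
        return "noise:ras-tracing"
    if k.endswith("\\internet settings") and change.value in PROXY_VALUES:
        return "proxy-config"
    if k.endswith("\\internet settings\\zonemap"):
        return "zone-config"
    return "other"


def triage(text: str) -> list:
    """(change, label) pairs with the RAS tracing noise filtered out."""
    return [(c, classify(c)) for c in parse_registry_activity(text)
            if classify(c) != "noise:ras-tracing"]
```

Run triage(SAMPLE) and only the ZoneMap AutoDetect change, ProxyEnable=0 and the two deleted proxy values remain; on a real host the same four changes would be checked with reg.exe or the registry API rather than parsed from a report.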

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created beyond the sample itself (PID 1908 above), so this step applies only to that process.
  2. Delete the original Trojan file.
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  4. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??
Product Name: ??
Product Version: 1.0.0.0
Legal Copyright: ??
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??
Comments: ??
Language: Russian (Russia)


PE Sections

Name    Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text   4096              598016         250880     5.54453   9a07d0a266acf015b2cbeb3770cdd26b
.rdata  602112            565248         327168     5.54429   f7843754a8ee669a9c115c5feb02754c
.data   1167360           356352         28160      5.52662   76517ccb5e0a81a8ecb7ebfcc0a4fddb
.rsrc   1523712           413696         9728       4.54686   63fe0ff79f663a43afde1e5c8b3087d2

Two further rows appear in the source only as "0000" and could not be recovered.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL                                               IP
hxxp://x2.tcdn.qq.com/web201105/download.shtml
hxxp://cf.qq.com/web201105/download.shtml         203.205.158.61

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /web201105/download.shtml HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: cf.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: NWS_X2_MID

Connection: keep-alive

Date: Mon, 20 Mar 2017 16:47:00 GMT

Cache-Control: max-age=60

Expires: Mon, 20 Mar 2017 16:48:00 GMT

Last-Modified: Mon, 20 Mar 2017 16:40:00 GMT

Content-Type: text/html

Content-Length: 16695

X-Cache-Lookup: Hit From Disktank

X-Verify-Code: 146a40ff5a61fbe34637c866fe8c93b2

X-Daa-Tunnel: hop_count=1

X-Cache-Lookup: Hit From Upstream

<!DOCTYPE html>.<html lang="zh-CN">.<head>.<meta charset="gbk">.<meta name="robots" content="all">.<meta name="author" content="Tencent-CP">.<meta name="Copyright" content="Tencent">.<meta name="Description" content="..................................300............................................................................................................................CF.........." />.<meta name="Keywords" content="........,............,................,............,................,CF....,CF....,CF....,................, CF............,QQ................,..............,............,................,CrossFire,FPS........,RPK,........,....,....AK,........,WCG,......,........,........,........,......,....,....,......,......,......,......" />.<title>........-................-........</title>.<script>var d0 = new Date();</script>.<!-- ......cp | ......cp | ......2015/08/13 | ..........hXXp://tgideas.qq.com/ -->.<link rel="stylesheet" type="text/css" href="hXXp://game.gtimg.cn/images/cf/cp/a20150813download/comm.css"/>.</head>.<body>.<div class="banner">...<div class="container c pr" id="hd">....<a class="logo pa" href="http://cf.qq.com/" target="_blank" title="........"></a>....<a href="hXXp://cf.qq.com/web201105/patch.shtml"><p class="fix">........</p></a>....<a href="hXXp://cf.qq.com/act/a20150805tyf/index.shtml" target="_blank"><p>..........</p

<<< skipped >>>
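
An added example, not code from the report: it refangs the hXXp/VVV notation used in the strings section below, extracts hostnames, tags coarse capabilities from the API and format strings (the SMTP header templates are what the EmailWorm verdict rests on), parses the request captured above, and emits a Suricata rule keyed on the hard-coded User-Agent. The sample strings and request are copied from this page; the capability table, rule text and SID are my assumptions. Keying on the Host alone would be a mistake, since cf.qq.com is a legitimate Tencent site; what stands out is an IE 6 / Windows NT 5.0 (Windows 2000) User-Agent sent from a Windows 7 SP1 sandbox.

```python
"""Added example (not from the report): refang IOCs from a Lavasoft strings dump,
tag capabilities from API/format strings, parse the captured HTTP request and
build a Suricata rule keyed on the hard-coded User-Agent."""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the 'Strings from Dumps' section, verbatim,
# in the report's defanged form (hXXp://, VVV. for www.).
DUMP_STRINGS = [
    "hXXp://cf.qq.com/web201105/download.shtml",
    "VVV.cf76.com",
    "hXXp://VVV.cffkpt.com/buy/paymoney.asp",
    "hXXp://wpa.qq.com/msgrd?v=3&uin=2222761314&site=qq&menu=yes",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "HttpSendRequestA", "SetWindowsHookExA", "WinExec", "ShellExecuteA",
    "SMTP", "From: %s", "To: %s", "Subject: %s",
    "crossfire.exe", "ESPI11.dll", "127.0.0.1",
]

# Constructed sample: the request shown in the 'Traffic' section, re-joined with CRLF.
HTTP_REQUEST = (
    "GET /web201105/download.shtml HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Accept: */*\r\n"
    "Host: cf.qq.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)


def refang(s: str) -> str:
    """Undo the report's defanging: hXXp(s):// -> http(s)://, VVV. -> www."""
    s = re.sub(r"(?i)^hxxp(s?)://", r"http\1://", s)
    return re.sub(r"\bVVV\.", "www.", s)


HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
FILE_EXTS = {"exe", "dll", "drv", "she", "rc"}   # bare filenames that look like hostnames


def extract_hosts(strings) -> set:
    """Hostnames from full URLs and bare dotted names; IPs and filenames are skipped."""
    hosts = set()
    for s in map(refang, strings):
        if s.startswith(("http://", "https://")):
            host = urlsplit(s).hostname
            if host:
                hosts.add(host)
        elif HOST_RE.match(s) and s.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            hosts.add(s.lower())
    return hosts


# Assumed mapping from strings seen in the dump to coarse capabilities.
CAPABILITIES = {
    "http-client":  {"HttpOpenRequestA", "HttpSendRequestA", "InternetCrackUrlA"},
    "smtp-send":    {"SMTP", "From: %s", "To: %s", "Subject: %s"},  # EmailWorm verdict
    "process-exec": {"WinExec", "ShellExecuteA"},
    "hooking":      {"SetWindowsHookExA", "UnhookWindowsHookEx"},
}


def capabilities(strings) -> set:
    present = set(strings)
    return {cap for cap, markers in CAPABILITIES.items() if present & markers}


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request-line and header parser (header names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def suricata_rule(user_agent: str, sid: int) -> str:
    """Rule on the exact User-Agent (Suricata 5+ sticky buffer). Bytes reserved inside
    content (pipe, backslash, double quote, semicolon) are hex-escaped; the pipe is
    escaped first so the escapes themselves are not re-escaped. SID is an assumption."""
    esc = user_agent
    for ch, hx in (("|", "|7c|"), ("\\", "|5c|"), ('"', "|22|"), (";", "|3b|")):
        esc = esc.replace(ch, hx)
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"Sandbox-derived User-Agent seen in Trojan.GenericKD.4581100"; '
        'flow:established,to_server; http.user_agent; '
        f'content:"{esc}"; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print(sorted(extract_hosts(DUMP_STRINGS)))
    print(sorted(capabilities(DUMP_STRINGS)))
    req = parse_request(HTTP_REQUEST)
    print(suricata_rule(req["headers"]["user-agent"], 1000001))
```

The rule fires on the IE 6 / NT 5.0 string regardless of destination, which is the right key here; the extracted hosts belong in a watchlist, with cf.qq.com and wpa.qq.com flagged as legitimate Tencent infrastructure rather than blocked outright.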

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1908:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
kernel32.dll
user32.dll
wininet.dll
ws2_32.dll
EnumWindows
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://cf.qq.com/web201105/download.shtml
VVV.cf76.com
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://VVV.VVV.cf76.com
\ESPI11.dll
.inidata
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
2010057101
2010157101
2010037901
2010038001
2010042601
2010044501
2010044601
2010042701
2010049501
2010053601
2010053701
2010058801
2010061601
2010069201
2010074301
2010075301
2010076401
2010044804
2010008604
2010012003
2010031904
2010054304
2010031504
2010047504
2010041404
2010046104
2010013904
2010023604
2010010104
2010013604
2010020004
2010014904
2010009904
2010013404
2010019804
2010015004
2010010004
2010013504
2010019904
2010014804
2010041304
2010045004
2010007404
2010038702
2010030004
2010050704
2010018103
2010027502
2010011904
2010003501
2010019702
2010028704
2010050004
2010049904
2010009304
2010034304
2010047704
2010031204
2010021004
2010005601
2010008304
2010043404
2010027604
2010022704
2010052104
2010009604
2010014704
2010045404
2010019602
2010011504
2010049804
2010024004
2010042103
2010019502
2010030304
2010046004
2010010204
2010009704
2010042504
2010046301
2010046401
2010005904
2010014304
2010014204
2010008504
2010024104
2010031601
2010020501
2010013804
2010013005
2010014104
2010010504
2010009204
2010018404
2010039101
2010006404
2010010404
2010009504
2010013304
2010039001
2010039201
2010004704
2010051704
2010006904
2010029204
2010024404
2010030804
2010043304
2010052004
2010009004
2010041204
2010030404
2010035504
2010008104
2010010704
2010051501
2010007504
2010008003
2010014501
2010037701
2010007903
2010022602
2010011104
2010053501
2010012301
2010030602
2010014401
2010030502
2010023702
2010015101
2010043604
2010016303
2010018504
2010041104
2010018604
2010044704
2010012603
2010015604
2010052401
2010050203
2010038602
2010039404
2010027902
2010046501
2010015504
2010007104
2010035304
2010013104
2010012204
2010051105
2010039304
2010044904
2010051604
2010018704
2010027802
2010041004
2010043704
2010027202
2010039504
2010027402
2010040201
2010039704
2010040701
2010016403
2010020604
2010020804
2010020704
2010023203
2010042004
2010021104
2010024902
2010018904
2010039604
2010025002
2010043804
2010012903
2010012703
2010015701
2010005804
2010027004
2010027104
2010028002
2010028102
2010024802
2010035404
2010030902
2010019302
2010019402
2010019202
2010011703
2010035101
2010034901
2010035001
2010035201
2010041904
2010058505
2010058605
2010059404
2010059204
2010059504
2010060901
2010061101
2011092906
3010000401
1000003502
1000001201
1000001501
1000001301
1000001101
3010000501
3010000601
3010000701
2010062701
2010066802
2010066702
2010063304
2010061204
2010069101
1000004201
2010069504
2010069604
2010069704
2010069804
2010070804
2010070904
2010072701
2010074604
2010073001
2010073701
2010076001
2010086301
2010086401
2010086501
2010086601
hXXp://wpa.qq.com/msgrd?v=3&uin=2222761314&site=qq&menu=yes
hXXp://VVV.cffkpt.com/buy/result2.asp?num=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
crossfire.exe
127.0.0.1
|307|100
hXXp://VVV.cffkpt.com/buy/paymoney.asp
@0.0.0.0
@kernel32.dll
VVV.ssrr2.com
VVV.meitu.com
.wueo%m
%cy%V8
.eV2v
9)%fv
F,ö)F;5W.$U9(U
`.WLP
3F,W.uE
#`A%xa
8z.sL.
f%f
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
RASAPI32.dll
GetProcessHeap
WinExec
GetViewportOrgEx
WINMM.dll
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
RegOpenKeyA
ShellExecuteA
ole32.dll
OLEAUT32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
GetViewportExtEx
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
service@dywt.com.cn
86(0411)88995834
86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
hXXp://VVV.eyuyan.com
86(0411)39895834
86(0411)39895831
DelAllKeyValues
DelKeyValue
GetAllKeys
GetKeyValue
AddKeyValue
DSGetErrMsg
BiTreeGetCurNodeKey
ListGetCurNodeKey
ListUpdateNodeFromKey
ListRemoveNodeFromKey
edatastructure_fnMapDelAllKeyValues
edatastructure_fnMapDelKeyValue
edatastructure_fnMapGetAllKeys
edatastructure_fnMapGetKeyValue
edatastructure_fnMapAddKeyValue
edatastructure_fnBiTreeGetCurNodeKey
edatastructure_fnListGetCurNodeKey
edatastructure_fnListUpdateNodeFromKey
edatastructure_fnListRemoveNodeFromKey
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
oleaut32.dll
comctl32.dll
1, 0, 6, 6
- Skin.dll
0.0.0.0
(2004-2010)
(*.*)
1.0.0.0

%original file name%.exe_1908_rwx_005D9000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
comdlg32.dll
RegCloseKey
ShellExecuteA
InternetCrackUrlA
1.0.0.0

%original file name%.exe_1908_rwx_10000000_0003E000:

`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll