Trojan.Win32.FlyStudio_1d3fdfeb81

by malwarelabrobot on June 30th, 2017 in Malware Descriptions.

HEUR:Packed.Win32.Blackv.gen (Kaspersky), Packed-LF!1D3FDFEB8156 (McAfee), ML.Attribute.HighConfidence (Symantec), Win32:Evo-gen [Susp] (AVG), Win32:Evo-gen [Susp] (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 1d3fdfeb8156d756faf44fc26ac0e4b2
SHA1: ca6aa0580d644dca405d84d0d5e21c8d41d40ff9
SHA256: ec9f4fdce0076946aa677ab6fb56ca931bc0b06016f81124d2a09519d4141504
SSDeep: 98304:y9krsTAn3wM8kHW8t4I D21UhcEglVQfnG2/ ZUGgbSjn/X1:y rvwvkHW8txurgliG qb1
Size: 5443584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2017-04-06 11:23:27
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:3400

The Trojan injects its code into the following process(es):

%original file name%.exe:2712

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\eylogin.dll (146 bytes)

The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{df6546sd4fwer}.she (12 bytes)
C:\eylogin.dll (2 bytes)
C:\Windows\System32\jedata.dll (178 bytes)

Registry activity

The process regsvr32.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\EyLogin.EyLoginSoft\CurVer]
"(Default)" = "EyLogin.EyLoginSoft"

[HKCR\AppID\EyLogin.DLL]
"AppID" = "{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}"

[HKCR\EyLogin.EyLoginSoft\CLSID]
"(Default)" = "{C691BF80-87AF-43A7-AD56-28D5DA857FBD}"

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID]
"(Default)" = "EyLogin.EyLoginSoft"

[HKCR\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCR\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0]
"(Default)" = "EyLogin 1.0.2.5 类型库"

[HKCR\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32]
"(Default)" = "c:\eylogin.dll"

[HKCR\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\EyLogin.EyLoginSoft]
"(Default)" = "EyLoginSoft Class"

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib]
"(Default)" = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"

[HKCR\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}]
"(Default)" = "IEyLoginSoft"

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID]
"(Default)" = "EyLogin.EyLoginSoft"

[HKCR\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32]
"(Default)" = "c:\eylogin.dll"

[HKCR\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}]
"(Default)" = "EyLogin"

[HKCR\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}]
"(Default)" = "EyLoginSoft Class"

[HKCR\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib]
"(Default)" = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}"

The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Dropped PE files

MD5 File path
114054313070472cd1a6d7d28f7c5002 c:\Windows\System32\jedata.dll
3bdb92b38bdc6a5702ec1454534d0951 c:\eylogin.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             7286784       4349952   5.54511  d6d289847686328eddaf6abfcdd87323
.sedata  7290880          1060864       1060864   5.17503  4a0e57bd2c30a64be74f290aadb8733d
.idata   8351744          4096          4096      1.01785  53594550ded8176bfb265702b3d425e0
.rsrc    8355840          12288         12288     2.05798  b3d1d7526e6f51f11dc39c932677d076
.sedata  8368128          4096          4096      5.53125  8d8e1cba0ed5650bb5559229b7031cd3

URLs

URL IP
hxxp://www.cnblogs.com/ruingking/articles/6201861.html 42.121.252.58
plugin.eydata.net 183.131.212.37


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /ruingking/articles/6201861.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: hXXp://VVV.cnblogs.com/ruingking/articles/6201861.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.cnblogs.com


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 04:35:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 5760
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: private, max-age=10
Expires: Thu, 29 Jun 2017 04:35:35 GMT
Last-Modified: Thu, 29 Jun 2017 04:35:25 GMT
X-UA-Compatible: IE=10
X-Frame-Options: SAMEORIGIN

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2712:


%original file name%.exe_2712_rwx_00401000_006F5000:

hXXp://pub.alimama.com/items/channel/qqhd.json?q=https://detail.tmall.com/item.htm?id=
hXXps://cunsupplier.taobao.com/auction/cuntao/sellNestedSave.htm?mod=save&itemId=
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?type=21
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?spm=686.1000925.0.0.In0gui&type=21
&setVal=&orderField=1&orderBy=0&singleId=&singleIdNum=&singleIdMinNum=&distributionIds=&action=goodsmanager/GoodsManageAction&event_submit_do_recommend=&event_submit_do_delete=&event_submit_do_off_shelf=&event_submit_do_unrecommend=&event_submit_do_set_lighting_auction=&shopCatName=&searchKeyword=&pageNO=
&_t=1472798550626&auctionTag=&perPageSize=40&shopTag=&t=1472798550629&_tb_token_=test&pvid=10_111.170.21.192_7799_1472798225476
hXXp://pub.alimama.com/report/getTbkPaymentDetails.json?spm=a219t.7664554.1998457203.68.mjZqtR&queryType=1&payStatus=&DownloadID=DOWNLOAD_REPORT_INCOME_NEW&startTime=
hXXp://pub.alimama.com/myunion.htm?spm=a219t.7900221/1.a214tr8.2.IqdFD4
Mozilla/5.0 (Linux; U; Android 4.0.2; en-us; Galaxy Nexus Build/ICL53F) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&sort=default&bcoffset=0&p4ppushleft=,44&filter=&s=
hXXps://s.taobao.com/search?q=
]&s=
&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160921&bcoffset=-5&ntoffset=-5&p4ppushleft=1,48&filter=reserve_price[
&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160921&sort=sale-desc&bcoffset=-3&p4ppushleft=,44&s=
&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160921&sort=sale-desc&bcoffset=-6&p4ppushleft=,44&filter=reserve_price[
&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160921&sort=renqi-desc&bcoffset=-5&ntoffset=-5&p4ppushleft=1,48&s=
&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160921&sort=renqi-desc&bcoffset=-2&ntoffset=-2&p4ppushleft=1,48&filter=reserve_price[
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?type=11
&searchKeyword=&startPrice=&endPrice=&recommend=&outId=&startNum=&endNum=&itemConditionSet=&category=&scatid=&operate=&operate=&pageNO=
&setVal=&orderField=1&orderBy=0&singleId=&singleIdNum=&singleIdMinNum=&distributionIds=&action=goodsmanager/GoodsManageAction&event_submit_do_recommend=&event_submit_do_delete=&event_submit_do_off_shelf=&event_submit_do_unrecommend=&event_submit_do_set_lighting_auction=&shopCatName=È«²¿·ÖÀà&_tb_token_=
&operate=&pageNO=
&searchKeyword=&startPrice=&endPrice=&recommend=&outId=&startNum=&endNum=&itemConditionSet=&category=&scatid=&operate=
&pageName=goodsOnSale&banner=&page=1&setVal=1&orderField=1&orderBy=0&singleId=&singleIdNum=&singleIdMinNum=&distributionIds=&action=goodsmanager/GoodsManageAction&event_submit_do_recommend=&event_submit_do_delete=&event_submit_do_off_shelf=1&event_submit_do_unrecommend=&event_submit_do_set_lighting_auction=&shopCatName=È«²¿·ÖÀà&_tb_token_=
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?type=1
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?spm=686.1000925.a1zvx.d44.3nwCD5&type=1
&orderField=1&orderBy=0&otherOrderBy=0&otherOrderBy2=0&singleId=&singleIdNum=&singleIdMinNum=&x_id=1d56865e1101efa1ee37ed3a104e39446&isarchive=false&action=goodsmanager/GoodsManageAction&distributionIds=&lastStartRow=$q.lastStartRow&lastStopRow=$q.lastStopRow&lastPageSize=0&shopCatName=È«²¿·ÖÀà&searchKeyword=&startPrice=&endPrice=&status=inStock&outId=&startNum=&endNum=&category=&scatid=&operate=&operate=&event_submit_do_delete=&event_submit_do_up_shelf=&pageNO=
&pageName=goodsInStock&banner=$q.banner&page=
&operate=&event_submit_do_delete=1&event_submit_do_up_shelf=&pageNO=
&pageName=goodsInStock&banner=$q.banner&page=1&orderField=1&orderBy=0&otherOrderBy=0&otherOrderBy2=0&singleId=&singleIdNum=&singleIdMinNum=&x_id=1cb4d1e2bb360a14aa74198e405ea0951&isarchive=false&action=goodsmanager/GoodsManageAction&distributionIds=&lastStartRow=$q.lastStartRow&lastStopRow=$q.lastStopRow&lastPageSize=0&shopCatName=È«²¿·ÖÀà&searchKeyword=&startPrice=&endPrice=&status=inStock&outId=&startNum=&endNum=&category=&scatid=&operate=
&pageName=goodsOnSale&banner=&page=1&setVal=1&orderField=1&orderBy=0&singleId=&singleIdNum=&singleIdMinNum=&distributionIds=&action=goodsmanager/GoodsManageAction&event_submit_do_recommend=&event_submit_do_delete=1&event_submit_do_off_shelf=&event_submit_do_unrecommend=&event_submit_do_set_lighting_auction=&shopCatName=È«²¿·ÖÀà&_tb_token_=
hXXp://pub.alimama.com/items/channel/qqhd.json?q=
hXXps://sell.taobao.com/auction/merchandise/auction_list.htm?spm=686.1000925.a1zvx.d44.GFTqFF&type=1
&operate=&event_submit_do_delete=&event_submit_do_up_shelf=1&pageNO=
&pageName=goodsInStock&banner=$q.banner&page=1&orderField=1&orderBy=0&otherOrderBy=0&otherOrderBy2=0&singleId=&singleIdNum=&singleIdMinNum=&x_id=1c41ac37ee5dad8e04005d3af6a77b7b3&isarchive=false&action=goodsmanager/GoodsManageAction&distributionIds=&lastStartRow=$q.lastStartRow&lastStopRow=$q.lastStopRow&lastPageSize=0&shopCatName=È«²¿·ÖÀà&searchKeyword=&startPrice=&endPrice=&status=inStock&outId=&startNum=&endNum=&category=&scatid=&operate=
hXXps://mdskip.taobao.com/core/initItemDetail.htm?queryMemberRight=true&cachedTimestamp=1477020342761&isAreaSell=false&tmallBuySupport=true&service3C=false&cartEnable=true&isRegionLevel=false&isSecKill=false&showShopProm=false&isForbidBuyItem=false&itemId=
hXXp://mdskip.taobao.com/core/initItemDetail.htm?queryMemberRight=true&cachedTimestamp=1477020342761&isAreaSell=false&tmallBuySupport=true&service3C=false&cartEnable=true&isRegionLevel=false&isSecKill=false&showShopProm=false&isForbidBuyItem=false&itemId=
hXXp://pub.alimama.com/items/search.json?q=https://detail.tmall.com/item.htm?&id=
hXXps://spbh.taobao.com/cite/jsonp/getAllLimitItem.do?type=2&=&pirateItemId=&status=¤tPage=1&_ksTS=1473130248007_125&callback=jsonp126
hXXps://tcc.taobao.com/charity/apply_charity.htm
hXXps://tcc.taobao.com/charity/list_charity.htm?is_from_my=true&auctionids=
&_t=1477019272837&auctionTag=&perPageSize=40&shopTag=&t=1477019272837&_tb_token_=test&pvid=10_113.89.38.46_416_1477019272837
hXXp://pub.alimama.com/items/search.json?toPage=1&queryType=2&q=https://detail.tmall.com/item.htm?id=
hXXps://detailskip.taobao.com/service/getData/1/p1/item/detail/sib.htm?itemId=
hXXps://item.taobao.com/item.htm?spm=a230r.1.14.54.qUdPEa&id=527350749069&ns=1&abbucket=17
VBScript.RegExp
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&sort=default&bcoffset=0&p4ppushleft=,44&filter=&filter_tianmao=tmall&s=
]&ntoffset=-4&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&sort=default&bcoffset=-4&p4ppushleft=1,48&filter_tianmao=tmall&filter=reserve_price[
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-3&p4ppushleft=,44&filter=&filter_tianmao=tmall&sort=sale-desc&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=0&p4ppushleft=,44&filter_tianmao=tmall&sort=sale-desc&filter=reserve_price[
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-5&p4ppushleft=1,48&filter=&filter_tianmao=tmall&sort=renqi-desc&ntoffset=-5&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=1&p4ppushleft=1,48&filter_tianmao=tmall&sort=renqi-desc&ntoffset=1&filter=reserve_price[
]&ntoffset=-1&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&sort=default&bcoffset=-1&p4ppushleft=1,48&filter=reserve_price[
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-3&p4ppushleft=,44&filter=&sort=sale-desc&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-3&p4ppushleft=,44&sort=sale-desc&filter=reserve_price[
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-2&p4ppushleft=1,48&filter=&sort=renqi-desc&ntoffset=-2&s=
&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.50862.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20160814&bcoffset=-2&p4ppushleft=1,48&sort=renqi-desc&ntoffset=-2&filter=reserve_price[
eylogin.dll
EyLogin.EyLoginSoft
.text
`.rdata
@.data
.upx0
.upx1
.reloc
@.rsrc
OLEAUT32.dll
IPHLPAPI.DLL
KERNEL32.dll
EWS2_32.dll
ADVAPI32.dll
X8P.%x
3UL
03 d%D''
R03_d%d'3
B%D!M{)
user32.dll
WLDAP32.dll
SHLWAPI.dll
 hK%x/
/A.rG
Hy.eB
/F %S6
Blm%s
U%u,Qt
.byZrv8
k$.BkH
.lD{o k|
Fkey
EkF%F
q3#%U
)~(/ 9#7
.KL $
`r(%S
://q)%c_
/%Dz%4
%U fC
.Qa3r
n
5
y-Ps}
h%S/3
2/0)3 -%
xZ.PEw 
|.xDc
%3s@u
%sR[>
*g".gN
 u.YL
rG6t.oJ
P.oQd9
^%3sv
%S2'Q2
?.oRu
J.TB)_`
q8%u8
(0%s$
esemejeae^eXeUeReLeJeFeCe=e;e4q
e~e{euehedeee\eXeSeQeJeGe>e9
e}exevemedeaeYeReLeMeJeIeFe@eCe5q
%cy_y
W.ns1
ô#~
,Wh%C
.wY]SW
%d)!(
y.Wmc
SHELL32.dll
ole32.dll
RegQueryInfoKeyW
m.WH}
EyLogin.DLL
#%F-h4
ShellExecuteW
1P.Zsq8
18J%F
u.M%D
J%[.IE
d.Ac"
1\t%fX
IN%X14
YSO.st
×2}L
V1/%C
D.VxD
L$.BRh
.vY/)
N.Kk_
WV#.ib
%xZL`
$.YeC
<.hPW
x:.ze
%D*1}
_d.PO&
"b.la^
>n%U1
1*.ql:
-p}e6
8.Ip!
}N|.Cw
|w.AR!
.Kxg}
-.yb.
AJ:u5.gC
;.wy1!
.4*%d
1p6U.vJ
#*.uCw
.ta[_1
lK.Iy
w%x!P
oh.em
1z.Jq
H10%u
%1U(}
6.Dth
[-
%1u40.
:;k.rah
b.dHZg
1o%x7
f>_1v%d'P
*m%s1:
.lm\,
285Url
j5Á
1ts%Uo
o.gbI
E1%D,g
1frxÍ1
$v=
"c%C'
K,.vQ
d{1<Ð
W{%D,1o
1K.fE
6q1%D
]!^<
},o%x
.taZ%1W
SD.sGTz
$`ae.rE
Rw*1v%D
Z.hWE]L
V[/C.zO
0.XR,
{1.RhF
\%F$-
h1.Xm
 ;D>%d
.TJ5>E1
%1xG 
1n%UT
4" .aS
0-B%F
%fwj 
GÏD
%S1lE
B;-t}
sPn%F
.oviw
.lIZY
N3%u!3
%1UoY
%X1_o
hbC.%uQ
V%ci%
-U}o<f[
w%Sr1>
.NgUj
1L.bw
N-1}.
E*1.AOQ<
5zFtp1
ñrv
-n%fm
]%uL1
!:.Ln
C1.ZY8
.IwbZ
2.FI1
1.HCT*
uO.Ef
b.aRkZ1
w.QZY
%.D,7
1F.hz
-1}<D
[%d\?
 $1.qA
t.uh^
\?%D.
dfDY0%S
%fs9e
.LFvBop
)qvo.lO
Udpm?
-1}C$
zI1Þ
$.aeq
1o$.Aqt
j.HV6
Y%u1C
*@%Sk{
.POxw
;%<?<^<{<
3.44484<4@4
=*>0>4>8><>
1%3U3z3Z5y7}7
7,767@7|7
8„8C8M8Z8w8
=&=0=:=%>/>
5 5$5(5,50545
= =$=(=,=0=4=8=<=@=
;";-;:;];
11s2
77V7
6$6,636:6
<$=*=5=>=
5 5$50545
004080<0
2 2,242<2|3
2 2$2(2,20242
6 6$6(6,60646
4 4@4\4`4
5 5@5\5`5
e:\vm
\CEyLogin.pdb
'%APPID%' = s 'EyLogin'
'EyLogin.DLL'
EyLogin.EyLoginSoft = s 'EyLoginSoft Class'
CLSID = s '{C691BF80-87AF-43A7-AD56-28D5DA857FBD}'
CurVer = s 'EyLogin.EyLoginSoft'
ForceRemove {C691BF80-87AF-43A7-AD56-28D5DA857FBD} = s 'EyLoginSoft Class'
ProgID = s 'EyLogin.EyLoginSoft'
VersionIndependentProgID = s 'EyLogin.EyLoginSoft'
'TypeLib' = s '{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}'
stdole2.tlbWWW
O~EyLoginW
EyLoginSoftWd
IEyLoginSoftd
SetAppKeyWWW
appKeyWWd
UserLoginWWW
interfaceKeyd
9UserLoginSingleW
@LGetCpuIDd
keyWd
EyLogin 1.0.2.5
EyLoginSoft ClassW
Created by MIDL version 7.00.0500 at Fri Sep 26 01:18:07 2014
SetAppKey
UserLogin
GetCpuID
UserLoginSingle
07918888888888
2~.Ht
_^`545*)-#"&%$(&%*(&*('*(' ('*'&*&%)$$(#"&
$&%), .[[\
8;=.16667
 *.MLO
{}}~}|}}|}}|}}|}}}~
;;;777222
=<=777222
;;;777223
:78867><=@>?@>?@>?@>?@>?@>?@>?@>?@>?@>?@>??=>=;<\[]`_^111
)'*(&).,/0.10.1/,0)&*utv
'&)&%(, .--0 *-"!$
&%'%"%*( %#&[\^
>u].uT.tS.tS.tS.tS.tS.tS*tSAuV
,uC-vM.uQ.tS.tS.tS.uT>u]
>u].uT.tS.tS vT0rSYXW
>u].uT.tS.tS.tS.tS.tS.tS uR9xm^PNE[knxz
y`AuV*tS.tS.tS.tS.tS.tS.tS.uT>u]
~|{~|{~|{~|{
MKKUSSWUUXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVXVVUSSHFH
hXXps://login.taobao.com/member/login.jhtml?style=mini&from=alimama&qq-pf-to=pcqq.c2cr
F%D,3
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
hXXp://VVV.eyuyan.com
service@dywt.com.cn
 86(0411)39895834
 86(0411)39895831
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
DelAllKeyValues
DelKeyValue
GetAllKeys
GetKeyValue
AddKeyValue
DSGetErrMsg
BiTreeGetCurNodeKey
ListGetCurNodeKey
ListUpdateNodeFromKey
ListRemoveNodeFromKey
edatastructure_fnMapDelAllKeyValues
edatastructure_fnMapDelKeyValue
edatastructure_fnMapGetAllKeys
edatastructure_fnMapGetKeyValue
edatastructure_fnMapAddKeyValue
edatastructure_fnBiTreeGetCurNodeKey
edatastructure_fnListGetCurNodeKey
edatastructure_fnListUpdateNodeFromKey
edatastructure_fnListRemoveNodeFromKey
Excel.Application
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
://VVV.cnblogs.com/ruingking/articles/6201861.html
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
- Skin.dll
1, 0, 2, 5
(*.*)

%original file name%.exe_2712_rwx_00B14000_00003000:

MSVCRT.dll
u.tX$
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
.uX-]

%original file name%.exe_2712_rwx_00B18000_00002000:

KERNEL32.dll
MSVCRT.dll
ADVAPI32.dll
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
USER32.dll
SHELL32.dll

%original file name%.exe_2712_rwx_00BAB000_00046000:


%original file name%.exe_2712_rwx_00BF2000_00002000:

KERNEL32.dll
$WinExec
nyGetWindowsDirectoryA
GetProcessHeap
GetCPInfo
USER32.dll

%original file name%.exe_2712_rwx_10001000_00039000:


%original file name%.exe_2712_rwx_6A107000_0015F000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:3400

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\eylogin.dll (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{df6546sd4fwer}.she (12 bytes)
    C:\Windows\System32\jedata.dll (178 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
