Trojan.Win32.FlyStudio_aa6018bc37 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2156

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2156 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\AmandaUpdata.exe (929 bytes)

Registry activity

The process %original file name%.exe:2156 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "D0 F8 82 C3 28 8F D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\aa6018bc373aac97e1857d0ca7f9aa1d_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "D0 F8 82 C3 28 8F D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
35e87b75f290dcbe39eecf52381d7459	c:\AmandaUpdata.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2156
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\AmandaUpdata.exe (929 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: iporus QQ:1099490909
Product Name: WeChat Lite
Product Version: 3.0.0.0
Legal Copyright: WeChat lite??????????????
????????,????????????
?????(??/??/??);???????
?????????????????????
?,?????????,????!????
??????web??????,??????,
????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.0.0
File Description: ?????
Comments: ?????WeChat Lite
??:www.52chat.cc
Language: Language Neutral

Company Name: iporus QQ:1099490909Product Name: WeChat LiteProduct Version: 3.0.0.0Legal Copyright: WeChat lite??????????????????????,?????????????????(??/??/??);?????????????????????????????,?????????,????!??????????web??????,??????,????????????Legal Trademarks: Original Filename: Internal Name: File Version: 3.0.0.0File Description: ?????Comments: ?????WeChat Lite??:www.52chat.ccLanguage: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1016486	1019904	4.49464	699939c5fdcbd9f5a70b486aabb925df
.rdata	1024000	1510660	1511424	5.10722	6da9cd672e7788d5efe253bf1e453967
.data	2535424	424202	110592	3.72769	7a74bddb8f9c7bce1e0d5a60d2dfd259
.rsrc	2961408	49688	53248	3.4213	f0022ead53dd469f9233e923c22d4e65

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://u755.v.qingcdn.com/AmandaUpdata.exe
hxxp://u755.v.qingcdn.com/Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt
hxxp://o9fqva4p0.bkt.clouddn.com/Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt	150.138.141.93
hxxp://o9fqva4p0.bkt.clouddn.com/AmandaUpdata.exe	150.138.141.93

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /AmandaUpdata.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: o9fqva4p0.bkt.clouddn.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 25 Feb 2017 05:34:04 GMT

Content-Type: application/x-msdownload

Content-Length: 929792

Connection: keep-alive

Server: openresty

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Log, X-Reqid

Access-Control-Max-Age: 2592000

Cache-Control: public, max-age=31536000

Content-Disposition: inline; filename="AmandaUpdata.exe"

Content-Transfer-Encoding: binary

ETag: "FgE5TcjQwOmsz6cXQkw9RS5pkgyp"

Last-Modified: Wed, 18 Jan 2017 13:38:36 GMT

X-Log: mc.g;IO:1

X-M-Log: QNM:xs449;QNM2:9

X-M-Reqid: sw0AALJnSKVYn6EU

X-Qiniu-Zone: 0

X-Qnm-Cache: Hit

X-Reqid: mxgAANRfTb3nYZsU

X-Ser: BC15_dx-lt-yd-zhejiang-huzhou-2-cache-4, BC94_dx-shandong-qingdao-1-cache-4

X-Cache: HIT from BC94_dx-shandong-qingdao-1-cache-4(baishan)

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J...............u...........%...X...".......P...l.......8...P...8...........................C...........Rich............................PE..L...Co.X..........................................@..........................................................................:..,....p...`..............................................................................8............................text............................... ..`.rdata..............................@..@.data...H....`...`...`..............@....rsrc....`...p...p..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: o9fqva4p0.bkt.clouddn.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 25 Feb 2017 05:34:11 GMT

Content-Type: text/plain

Content-Length: 5

Connection: keep-alive

Server: openresty

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Log, X-Reqid

Access-Control-Max-Age: 2592000

Cache-Control: public, max-age=31536000

Content-Disposition: inline; filename="Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt"

Content-Transfer-Encoding: binary

ETag: "FgZ1LS-3_mX2GPQKmjPr5MyOIEMX"

Last-Modified: Tue, 24 Jan 2017 06:31:17 GMT

Vary: Accept-Encoding

X-Log: mc.g:1/404;mc.g;RS;mc.s;IO:132

X-M-Log: QNM:xs467;QNM2:161

X-M-Reqid: jAMAAPLnRhQLsKAU

X-Qiniu-Zone: 0

X-Qnm-Cache: Hit

X-Reqid: jAMAAPYWvNZ6oZwU

X-Ser: BC19_dx-lt-hebei-shijiazhuang-2-cache-5, BC98_dx-shandong-qingdao-1-cache-4

X-Cache: HIT from BC98_dx-shandong-qingdao-1-cache-4(baishan)

3.2.6HTTP/1.1 200 OK..Date: Sat, 25 Feb 2017 05:34:11 GMT..Content-Type: text/plain..Content-Length: 5..Connection: keep-alive..Server: openresty..Accept-Ranges: bytes..Access-Control-Allow-Origin: *..Access-Control-Expose-Headers: X-Log, X-Reqid..Access-Control-Max-Age: 2592000..Cache-Control: public, max-age=31536000..Content-Disposition: inline; filename="Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt"..Content-Transfer-Encoding: binary..ETag: "FgZ1LS-3_mX2GPQKmjPr5MyOIEMX"..Last-Modified: Tue, 24 Jan 2017 06:31:17 GMT..Vary: Accept-Encoding..X-Log: mc.g:1/404;mc.g;RS;mc.s;IO:132..X-M-Log: QNM:xs467;QNM2:161..X-M-Reqid: jAMAAPLnRhQLsKAU..X-Qiniu-Zone: 0..X-Qnm-Cache: Hit..X-Reqid: jAMAAPYWvNZ6oZwU..X-Ser: BC19_dx-lt-hebei-shijiazhuang-2-cache-5, BC98_dx-shandong-qingdao-1-cache-4..X-Cache: HIT from BC98_dx-shandong-qingdao-1-cache-4(baishan)..3.2.6..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2156:

.text

`.rdata

@.data

.rsrc

t$(SSh

|$D.tm

~%UVW

u$SShe

ole32.dll

kernel32.dll

Kernel32.dll

GdiPlus.dll

user32.dll

message.dll

Ole32.dll

{B6F7542F-B8FE-46a8-9605-98856A687097}

\AmandaUpdata.exe

hXXp://o9fqva4p0.bkt.clouddn.com/AmandaUpdata.exe

3.2.6

\AmandaUpdata.exe -up

\message.dll

hXXp://o9fqva4p0.bkt.clouddn.com/Ã§â€°Ë†Ã¦Å“Â¬Ã¥ÂÂ·.txt

\data\Set.ini

pass_ticket

skey

synckey

NickName

&synckey=

&skey=

/cgi-bin/mmwebwx-bin/synccheck?r=

hXXps://webpush.

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[deviceid]"},"SyncKey":[key],"rr":-1592985138}

[skey]

[key]

return "e" ("" Math.random().toFixed(15)).substring(2, 17)

function time(){return new Date().getTime()}

WinHttp.WinHttpRequest.5.1

MSXML2.ServerXMLHTTP.6.0

hXXp://

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Content-Type: application/x-www-form-urlencoded

hXXps://login.weixin.qq.com/jslogin?appid=wx782c26e4c19acffb&redirect_uri=https://wx.qq.com/cgi-bin/mmwebwx-bin/webwxnewloginpage&fun=new&lang=zh_CN&_=

hXXps://login.weixin.qq.com/qrcode/

hXXps://login.weixin.qq.com/cgi-bin/mmwebwx-bin/login?loginicon=true&uuid=

window.code=201

window.code=200

/cgi-bin/mmwebwx-bin/webwxinit

hXXps://

Skey#

"User": \{"Uin": (\d ),"UserName": "(.*?)","NickName": "(.*?)",

/cgi-bin/mmwebwx-bin/webwxstatusnotify

ClientMsgId#

@ping 127.0.0.1 -n

del Restart.bat

\Restart.bat

Amanda Robot 3.2.6-

.chat.dll

hXXp://VVV.52chat.cc/forum.php?mod=forumdisplay&fid=39

, #&')*)

-0-(0%()(

.gM1x

.uK5n

/k|%D

5n%f(

4T.rn

l.au};e

t-f

.GJl;

=pw.VR

.npga

b.iNc

.xEl>V

E{%Sqb

LÂs

%F"c!

y>;.mv

Y%%xh

KDSMÂl

"=.eJ~

1.DL

we%X|

.mUlQ

?mSgm

<.jt>

f.yC0

Ea.zj

>5.KX

.LUn

j%.Ko

TV8-r%S

wBKÅ“

t}&.aBp

.byv5wq

.Vz&w

qG%UQoU

[Ssh;}

%z.QB]

/cgi-bin/mmwebwx-bin/webwxoplog?lang=zh_CN&pass_ticket=

CmdId#

/cgi-bin/mmwebwx-bin/webwxupdatechatroom?fun=modtopic

Amanda Robot 3.2.6

\plugin\*.chat.dll

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[deviceid]"},"Msg":{"Type":1,"Content":"[msg]","FromUserName":"[FromUserName]","ToUserName":"[ToUserName]","LocalID":"[time]","ClientMsgId":"[time]"}}

[imageUrl=

[msg]

/cgi-bin/mmwebwx-bin/webwxsendmsg?lang=zh_CN

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[deviceid]"},"Msg":{"Type":3,"MediaId":"[mediaid]","FromUserName":"[FromUserName]","ToUserName":"[ToUserName]","LocalID":"[time]","ClientMsgId":"[time]"}}

/cgi-bin/mmwebwx-bin/webwxsendmsgimg?fun=async&f=json

/cgi-bin/mmwebwx-bin/webwxpreview?fun=upload

--------------QMO.Package.Partition.6681144.1957164416.30505904

Content-Disposition: form-data; name="msgimgrequest"

{"MsgType":3,"Type":3,"FromUserName":"[FromUserName]","ToUserName":"[ToUserName]","MsgId":"[time]","LocalID":"[time]","ClientMsgId":"[time]","CreateTime":[time10],"MMStatus":0}

Content-Disposition: form-data; name="filename"; filename="C:\Users\ADMINI~1\AppData\Local\Temp\{FA56FC32-EEC7-4A0D-861D-BD62481B7F83}.tmp"

--------------QMO.Package.Partition.6681144.1957164416.30505904--

Content-Type: multipart/form-data; boundary=------------QMO.Package.Partition.6681144.1957164416.30505904

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[deviceid]"},"Msg":{"Type":47,"EmojiFlag":[type],"EMoticonMd5":"[md5]","FromUserName":"[fromusername]","ToUserName":"[tousername]","LocalID":"[time]","ClientMsgId":"[time]"},"Scene":0}

/cgi-bin/mmwebwx-bin/webwxsendemoticon?fun=sys

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[deviceid]"},"Msg":{"FromUserName":"[fromusername]","ToUserName":"[tousername]","Type":42,"Content":"[xml]","ClientMsgId":[time],"LocalID":[time]}}

' certflag='

' nickname='

/cgi-bin/mmwebwx-bin/webwxsendmsg?sid=

skey#

/cgi-bin/mmwebwx-bin/webwxverifyuser?lang=zh_CN&pass_ticket=

&seq=0&skey=

/cgi-bin/mmwebwx-bin/webwxgetcontact?pass_ticket=

","HeadImgUrl

NickName": "

HeadImgUrl": "

&lang=zh_CN&pass_ticket=

/cgi-bin/mmwebwx-bin/webwxverifyuser?r=

{"AddMemberList":"[UserName]","ChatRoomName":"[RoomName]","BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[devideid]"}}

/cgi-bin/mmwebwx-bin/webwxupdatechatroom?fun=addmember&pass_ticket=

/cgi-bin/mmwebwx-bin/webwxupdatechatroom?fun=invitemember

{"DelMemberList":"[UserName]","ChatRoomName":"[RoomName]","BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[skey]","DeviceID":"[devideid]"}}

/cgi-bin/mmwebwx-bin/webwxupdatechatroom?fun=delmember&pass_ticket=

"Uin": 0,"UserName": "@@(.*?)","NickName": "(.*?|)","HeadImgUrl": "/cgi-bin/mmwebwx-bin/webwxgetheadimg\?seq=(\d )&

{"BaseRequest":{"Uin":[uin],"Sid":"[sid]","Skey":"[sid]","DeviceID":"[deviceid]"},"Count":[num],"List":[[msg]]}

/cgi-bin/mmwebwx-bin/webwxbatchgetcontact?type=ex&r=

"Uin": 0,"UserName": "@(.*?)","NickName": "(.*?|)","AttrStatus"

window.synccheck={retcode:#

/cgi-bin/mmwebwx-bin/webwxsync?sid=

hXXp://wx.qq.com/

res.wx.qq.com

\{"UserName": "(.*?)","NickName": "(.*?|)","Sex": (\d ),"HeadImgUpdateFlag": \d ,"ContactType": \d ,"Alias": "(.*?|)","ChatRoomOwner": "(.*?|)","HeadImgUrl": "(.*?)","ContactFlag":.*?"VerifyFlag": (\d ),"RemarkName": "(.*?|)","Statues": \d ,"AttrStatus": \d ,"Province": "(.*?|)","City": "(.*?|)","SnsFlag": \d ,"KeyWord": "(.*?|)"\}

\{"MsgId".*?NewMsgId": \d ,#

MsgType":

"MsgId": "

_EventGroupMsg

_EventFrinendMsg

/cgi-bin/mmwebwx-bin/webwxgetmsgimg?MsgID=

[imageUrl=hXXps://

"clientmsgid="

[voiceUrl=hXXps://

nickname="

certflag="24"

[videoUrl=hXXps://

oldmsgid>

[Remove:MsgID=

fromnickname="

3.2.2

\reply.ini

VVV.52chat.cc

WeChat Lite 3.2.6

_EventOpenWindows

/cgi-bin/mmwebwx-bin/webwxlogout?redirect=1&type=0&skey=

Y@hXXp://jq.qq.com/?_wv=1027&k=2AM3CGO

.zF7;

%%%sv

nwz%f

l.itX

.YXWR

3.2.6

VBScript.RegExp

regsvr32 vbscript.dll

song2388959@163.com (

1099490909

%d&&'

123456789

00003333

1.2.18

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

MSVFW32.dll

AVIFIL32.dll

RASAPI32.dll

GetProcessHeap

WinExec

GetCPInfo

KERNEL32.dll

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

EnumChildWindows

CreateDialogIndirectParamA

USER32.dll

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GDI32.dll

MSIMG32.dll

WINSPOOL.DRV

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

operator

keywords

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÃ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

(*.*)

3.0.0.0