Trojan.Generic.20462596_fe346dcb4b

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2956

The Trojan injects its code into the following process(es):

data.dat:2528

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\data.dat (50 bytes)

The process data.dat:2528 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\link[1].htm (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ad[1].jpg (6073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (1425 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (0 bytes)

Registry activity

The process data.dat:2528 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
00bfc92c0f4d0a79fd8cd18efdbdcd1c	c:\data.dat

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:2956
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\data.dat (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (5873 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\link[1].htm (41 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ad[1].jpg (6073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (7971 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (1425 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	87682	88064	4.37233	45ad6b2ae963e8e00ded61beefcd7569
.rdata	94208	5710	6144	3.35466	9938222213b7b6621e291e04bc69722f
.data	102400	105000	41984	1.2267	1aa98e0d995774b3212ad360bb68aaa3
.rsrc	208896	1104188	1104384	5.54395	58f52154134c3535ce96bedccd280639

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://fuckcs.com/link.htm	209.73.153.38
hxxp://fuckcs.com/ad.jpg	209.73.153.38

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /link.htm HTTP/1.1

Accept: */*

Referer: hXXp://fuckcs.com/link.htm

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: fuckcs.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 41

Content-Type: text/html

Last-Modified: Fri, 25 Nov 2016 13:26:06 GMT

Accept-Ranges: bytes

ETag: "a010f0791f47d21:135d"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 16 Feb 2017 00:03:57 GMT

hXXp://169re.com|hXXp://fuckcs.com/ad.jpg....

GET /ad.jpg HTTP/1.1

Accept: */*

Referer: hXXp://fuckcs.com/ad.jpg

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: fuckcs.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 23376

Content-Type: image/jpeg

Last-Modified: Sun, 20 Nov 2016 16:07:09 GMT

Accept-Ranges: bytes

ETag: "7cb3d2254843d21:135d"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 16 Feb 2017 00:03:57 GMT

......Exif..MM.*............... .......................................................................................(...........1...........2...........i............. .......-....'..-....'.Adobe Photoshop CS6 (Windows).2016:11:22 00:06:11.............0221...................................<...............................n...........v.(.....................~...................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch............IEC hXXp://VVV.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._...............\.....XYZ .....L.V.P...W..meas................................sig ....CRT curv......................

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2956:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

GDI32.dll

GDI32.dll

MSVCRT.dll

MSVCRT.dll

WINMM.dll

WINMM.dll

MTMwKCFeX14hKUVkaXQoIV5fXiEp0ruhokY5zbjK07 qudijrEYxMNe80MS/qrnYXHJcblxyXG62/qGitPK/qtPOz7fU2bXju/fXosjr087Pt6Oow7vTzs 31PXDtNeiyOujv6OpXHJcblxyXG7I/aGixL/HsM7S1rvFqsHL0rvQqdb3wfe1xLXYzbzNuMrTo6yxyMjnybPErs 1wdCjrLvws7XVvqOsusu7 bXYyrLDtLXEoaPDv7j2tdjNvL6vsuzNwbfLtcTXsLG4tPrC67a8srvSu9H5o6zNprfRyrG85LXEo6y689D41NnU9rzTsMlcclxuXHJcbsvEoaLPwtTYoaLS4rz7t7TAobXY1rdodHRwOi8vZnVja2NzLmMoIV5fXiEp1qez1jVF0 nA1rOho6jM7MzdxqXF5LK71qez1qOpINans9a52calyM66zsSjyr3KudPDt723qCDPyNTL0NDTzs 3IMi7uvPU2rTyv6q4qNb6ILXju/fXosjrIMzhyr7Xosjrs8m5piC9 NPOz7ewtEY5v6rG9M24ytMgRjEwuKjW te80McoIV5fXiEpV1RXaW5kb3d8Q1NHT824ytMr17zQxDEuMA0K

MTMwKCFeX14hKUVkaXQoIV5fXiEp0ruhokY5zbjK07 qudijrEYxMNe80MS/qrnYXHJcblxyXG62/qGitPK/qtPOz7fU2bXju/fXosjr087Pt6Oow7vTzs 31PXDtNeiyOujv6OpXHJcblxyXG7I/aGixL/HsM7S1rvFqsHL0rvQqdb3wfe1xLXYzbzNuMrTo6yxyMjnybPErs 1wdCjrLvws7XVvqOsusu7 bXYyrLDtLXEoaPDv7j2tdjNvL6vsuzNwbfLtcTXsLG4tPrC67a8srvSu9H5o6zNprfRyrG85LXEo6y689D41NnU9rzTsMlcclxuXHJcbsvEoaLPwtTYoaLS4rz7t7TAobXY1rdodHRwOi8vZnVja2NzLmMoIV5fXiEp1qez1jVF0 nA1rOho6jM7MzdxqXF5LK71qez1qOpINans9a52calyM66zsSjyr3KudPDt723qCDPyNTL0NDTzs 3IMi7uvPU2rTyv6q4qNb6ILXju/fXosjrIMzhyr7Xosjrs8m5piC9 NPOz7ewtEY5v6rG9M24ytMgRjEwuKjW te80McoIV5fXiEpV1RXaW5kb3d8Q1NHT824ytMr17zQxDEuMA0K

MTQwKCFeX14hKV9FTF9QaWNCb3goIV5fXiEpTkVXSU1BR0VfMSghXl9eISlXVFdpbmRvd3wwfENTR0/NuMrTK9e80MQxLjAoIV5fXiEpV1RXaW5kb3d8Q1NHT824ytMr17zQxDEuMA0K

MTQwKCFeX14hKV9FTF9QaWNCb3goIV5fXiEpTkVXSU1BR0VfMSghXl9eISlXVFdpbmRvd3wwfENTR0/NuMrTK9e80MQxLjAoIV5fXiEpV1RXaW5kb3d8Q1NHT824ytMr17zQxDEuMA0K

zsLcsMzhyr58XyZffDQ4fF8mX3zKudPDx u52LHVybG2vtC70Lt8XyZffHxfJl98

zsLcsMzhyr58XyZffDQ4fF8mX3zKudPDx u52LHVybG2vtC70Lt8XyZffHxfJl98

winver.exe

winver.exe

hXXp://

hXXp://

hXXps://

hXXps://

user32.dll

user32.dll

ntdll.dll

ntdll.dll

shlwapi.dll

shlwapi.dll

shell32.dll

shell32.dll

kernel32.dll

kernel32.dll

program internal error number is %d.

program internal error number is %d.

:"%s"

:"%s"

:"%s".

:"%s".

1.1.3

1.1.3

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

.xy&E=c

.xy&E=c

U$C%c

U$C%c

mP%S3

mP%S3

,O..ho

,O..ho

.ETB^N

.ETB^N

O?u.hG

O?u.hG

%Scq2@W

%Scq2@W

.fsax(

.fsax(

N.ul4

N.ul4

.Jjr}'H"

.Jjr}'H"

/C%cM

/C%cM

P.UB5

P.UB5

!.yyF

!.yyF

XC^ L%uM

XC^ L%uM

]G%xV

]G%xV

%SDK4

%SDK4

SQlW

SQlW

G-6%S

G-6%S

eU.gU

eU.gU

.vSNq

.vSNq

5OudP

5OudP

R(%X=

R(%X=

.FX"_

.FX"_

*%d\&

*%d\&

;Z.mfuj

;Z.mfuj

M:\wW

M:\wW

].RxZ

].RxZ

g%U8Y

g%U8Y

M*.rK

M*.rK

59\G%SY

59\G%SY

K..Yk{

K..Yk{

aL&

aL&

.%D'@G

.%D'@G

(&%2U

(&%2U

L.qg6

L.qg6

ce_%D

ce_%D

%C@0H

%C@0H

@s .sk5

@s .sk5

`.sge#V]

`.sge#V]

ANH.aQ

ANH.aQ

;%c&!

;%c&!

\.HH^

\.HH^

*$:%d

*$:%d

%xYs]

%xYs]

[.PX{p

[.PX{p

D0.cSxu

D0.cSxu

.NNR'

.NNR'

7J.yT

7J.yT

%XQn@

%XQn@

rz.yIL

rz.yIL

EcT%x#

EcT%x#

W.XZ~

W.XZ~

..Xc&

..Xc&

2u.eKITFBp

2u.eKITFBp

.yk (Di

.yk (Di

D.gbQP

D.gbQP

GBj%c

GBj%c

}&-4}v

}&-4}v

%s;7*

%s;7*

0%x@w

0%x@w

%C^L:

%C^L:

Õ6m*

Õ6m*

ccu.md!dd

ccu.md!dd

.Lpr4

.Lpr4

m%sBt

m%sBt

5.ch*

5.ch*

tn!ay%F

tn!ay%F

2.kKX

2.kKX

I %d)

I %d)

.aEd(

.aEd(

fTpe

fTpe

hg%fpM

hg%fpM

S.Ac9SR

S.Ac9SR

0.I%3s

0.I%3s

,wAe.kI

,wAe.kI

aiUy'4xu

aiUy'4xu

%c*@j

%c*@j

.eH'y

.eH'y

{&%U)

{&%U)

lj%4U

lj%4U

xe%CNs

xe%CNs

9F.cLe

9F.cLe

.nGA$;P

.nGA$;P

.ZRY][

.ZRY][

.bOLK

.bOLK

, #&')*)

, #&')*)

-0-(0%()(

-0-(0%()(

^E%cO(

^E%cO(

%UMU3"

%UMU3"

version="1.0.0.0"

version="1.0.0.0"

name="Company.Product.Name"

name="Company.Product.Name"

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

{7BF80980-BF32-101A-8BBB-00AA00300CAB}

{7BF80980-BF32-101A-8BBB-00AA00300CAB}

0.1.0.0

0.1.0.0

Bundle.exe

Bundle.exe

data.dat_2528:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

Bv.SCv

Bv.SCv

wininet.dll

wininet.dll

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

user32.dll

user32.dll

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

UnhookWindowsHookEx

UnhookWindowsHookEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

SetWindowsHookExA

SetWindowsHookExA

EnumWindows

EnumWindows

ShellExecuteA

ShellExecuteA

hXXp://fuckcs.com/link.htm

hXXp://fuckcs.com/link.htm

Wp.Iw

Wp.Iw

A.zkt@

A.zkt@

5p|%U

5p|%U

ù'p

ù'p

oO.wm]b

oO.wm]b

L.qg6

L.qg6

ce_%D

ce_%D

%C@0H

%C@0H

@s .sk5

@s .sk5

.njvX

.njvX

ANH.aQ

ANH.aQ

;%c&!

;%c&!

\.HH^

\.HH^

*$:%d

*$:%d

%xYs]

%xYs]

[.PX{p

[.PX{p

D0.cSxu

D0.cSxu

.NNR'

.NNR'

7J.yT

7J.yT

%XQn@

%XQn@

rz.yIL

rz.yIL

EcT%x#

EcT%x#

W.XZ~

W.XZ~

..Xc&

..Xc&

2u.eKITFBp

2u.eKITFBp

.yk (Di

.yk (Di

D.gbQP

D.gbQP

GBj%c

GBj%c

}&-4}v

}&-4}v

%s;7*

%s;7*

0%x@w

0%x@w

%C^L:

%C^L:

Õ6m*

Õ6m*

ccu.md!dd

ccu.md!dd

f%.Vy

f%.Vy

5r.KV}b

5r.KV}b

5.ch*

5.ch*

y.MMO}

y.MMO}

tn!ay%F

tn!ay%F

2.kKX

2.kKX

I %d)

I %d)

.aEd(

.aEd(

fTpe

fTpe

.LLbX

.LLbX

https

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

http=

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

gdi32.dll

gdi32.dll

\game.dll

\game.dll

%S4WD

%S4WD

hg%fpM

hg%fpM

S.Ac9SR

S.Ac9SR

0.I%3s

0.I%3s

,wAe.kI

,wAe.kI

aiUy'4xu

aiUy'4xu

%c*@j

%c*@j

.eH'y

.eH'y

{&%U)

{&%U)

lj%4U

lj%4U

xe%CNs

xe%CNs

9F.cLe

9F.cLe

hJK.ZH

hJK.ZH

O.qt0

O.qt0

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

SkinH_EL.dll

SkinH_EL.dll

hXXp://fuckcs.com

hXXp://fuckcs.com

%d&&'

%d&&'

123456789

123456789

00003333

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

GetViewportOrgEx

GetViewportOrgEx

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

WS2_32.dll

WS2_32.dll

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

RegCreateKeyExA

RegCreateKeyExA

%x.tmp

%x.tmp

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

.PAVCException@@

.PAVCException@@

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

.PAVCFileException@@

.PAVCFileException@@

: %d]

: %d]

(*.*)|*.*||

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

out.prn

out.prn

(*.prn)|*.prn|

(*.prn)|*.prn|

%d.%d

%d.%d

%d/%d

%d/%d

1.6.9

1.6.9

unsupported zlib version

unsupported zlib version

png_read_image: unsupported transformation

png_read_image: unsupported transformation

%d / %d

%d / %d

Bogus message code %d

Bogus message code %d

libpng error: %s

libpng error: %s

libpng warning: %s

libpng warning: %s

1.1.3

1.1.3

bad keyword

bad keyword

libpng does not support gamma background rgb_to_gray

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

Palette is NULL in indexed image

(%d-%d):

(%d-%d):

%ld%c

%ld%c

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\data.dat

c:\data.dat

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll

(*.*)

(*.*)

1.0.0.0

1.0.0.0

(hXXp://VVV.eyuyan.com)

(hXXp://VVV.eyuyan.com)

data.dat_2528_rwx_10000000_0003F000:

`.rsrc

`.rsrc

L$(h%f

L$(h%f

SSh0j

SSh0j

msctls_hotkey32

msctls_hotkey32

TVCLHotKey

TVCLHotKey

THotKey

THotKey

\skinh.she

\skinh.she

}uo,x6l5k%x-l h

}uo,x6l5k%x-l h

9p%s m)t4`#b

9p%s m)t4`#b

e"m?c&y1`Ð

e"m?c&y1`Ð

SetViewportOrgEx

SetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

EnumThreadWindows

EnumThreadWindows

EnumChildWindows

EnumChildWindows

`c%US.4/

`c%US.4/

!#$

!#$

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.UPX0

@.UPX0

`.UPX1

`.UPX1

`.reloc

`.reloc

hJK.ZH

hJK.ZH

O.qt0

O.qt0

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

SkinH_EL.dll

SkinH_EL.dll

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll