Susp_Dropper (Kaspersky), Trojan.Generic.20462596 (B) (Emsisoft), Trojan.Generic.20462596 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fe346dcb4b431ed264148a2a1d64b8d1
SHA1: 44360015a0e98ab839addbe69c30bd348649784b
SHA256: b1a34baba9b98e72adaa66bc256a38583354600f786bc17b244e39f041e99108
SSDeep: 24576:gy621jVmT6E2C5sTX6Ocse2MAb9MG8Bty1Q8B3anvt5Rm8YO:giVmT6E2O9SMG8nKQCAbKO
Size: 1241600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-25 11:57:44
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2956
The Trojan injects its code into the following process(es):
data.dat:2528
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\data.dat (50 bytes)
The process data.dat:2528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\link[1].htm (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ad[1].jpg (6073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (1425 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (0 bytes)
Registry activity
The process data.dat:2528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\data_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
00bfc92c0f4d0a79fd8cd18efdbdcd1c | c:\data.dat |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2956
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\data.dat (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bea.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\link[1].htm (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ad[1].jpg (6073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bda.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\68bfb.tmp (1425 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 87682 | 88064 | 4.37233 | 45ad6b2ae963e8e00ded61beefcd7569 |
.rdata | 94208 | 5710 | 6144 | 3.35466 | 9938222213b7b6621e291e04bc69722f |
.data | 102400 | 105000 | 41984 | 1.2267 | 1aa98e0d995774b3212ad360bb68aaa3 |
.rsrc | 208896 | 1104188 | 1104384 | 5.54395 | 58f52154134c3535ce96bedccd280639 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://fuckcs.com/link.htm | 209.73.153.38 |
hxxp://fuckcs.com/ad.jpg | 209.73.153.38 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /link.htm HTTP/1.1
Accept: */*
Referer: hXXp://fuckcs.com/link.htm
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: fuckcs.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 41
Content-Type: text/html
Last-Modified: Fri, 25 Nov 2016 13:26:06 GMT
Accept-Ranges: bytes
ETag: "a010f0791f47d21:135d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2017 00:03:57 GMT
hXXp://169re.com|hXXp://fuckcs.com/ad.jpg....
GET /ad.jpg HTTP/1.1
Accept: */*
Referer: hXXp://fuckcs.com/ad.jpg
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: fuckcs.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 23376
Content-Type: image/jpeg
Last-Modified: Sun, 20 Nov 2016 16:07:09 GMT
Accept-Ranges: bytes
ETag: "7cb3d2254843d21:135d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2017 00:03:57 GMT
<<< skipped >>>
Strings from Dumps