Skip to main content

Gen.Variant.Symmi.57379_9a61377f7a


Gen:Variant.Symmi.57379 (B) (Emsisoft), Gen:Variant.Symmi.57379 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 9a61377f7a267d0733acc68f3f3072cf

SHA1: 5e54992e3afc40333f0ddcf340790d48ad7e349f

SHA256: a4c9fcaad48bb22de6acd412eea7136e979c1c6617836f620fc62dbe2f26e20c

SSDeep: 49152:nGHQYGTwg AM HhgGibN4O9M3uLGgDekt3q wtw9JbtYDvPd3TR47jna/gRkVNOK:Gwt8wM HMvDH xl47za/D4GYEpuSh2e

Size: 4464640 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-05-03 21:14:58

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1780

The Trojan injects its code into the following process(es):

%original file name%.exe:2956

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process regsvr32.exe:1780 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ZCB_API.DLL (49 bytes)

The process %original file name%.exe:2956 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ZCB_API.DLL (1 bytes)

Registry activity

The process regsvr32.exe:1780 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID]
"(Default)" = "REGCOM.Register.Api.1"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32]
"(Default)" = "c:\ZCB_API.DLL"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}]
"(Default)" = "ZCBApiPlug Class"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"Version" = "1.0"

[HKCR\REGCOM.Register.Api\CurVer]
"(Default)" = "REGCOM.Register.Api.1"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0]
"(Default)" = "ZCB_APILib"

[HKCR\REGCOM.Register.Api.1\CLSID]
"(Default)" = "{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\VersionIndependentProgID]
"(Default)" = "REGCOM.Register.Api"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"(Default)" = "c:\ZCB_API.DLL"

[HKCR\REGCOM.Register.Api.1]
"(Default)" = "ZCBApiPlug Class"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}]
"(Default)" = "IZCBApiPlug"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\REGCOM.Register.Api]
"(Default)" = "ZCBApiPlug Class"

[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\HELPDIR]
"(Default)" = "c:"

The process %original file name%.exe:2956 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
7925a1237adddf061c1ec4f9c0328597c:\ZCB_API.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1780

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ZCB_API.DLL (49 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ????
Language: Spanish (Spain, International Sort)

Company Name: ??Product Name: ????Product Version: 1.0.0.0Legal Copyright: ????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ????Comments: ????Language: Spanish (Spain, International Sort)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409699925800d41d8cd98f00b204e9800998ecf8427e
.rdata1003520374573600d41d8cd98f00b204e9800998ecf8427e
.data475136039073000d41d8cd98f00b204e9800998ecf8427e
.rsrc514457685500737281.14454753f0c704956f034c5f6437deb7c865e
.vmp0523059211515200d41d8cd98f00b204e9800998ecf8427e
.vmp15349376438149543827205.44642dcca07c29627637961a1f0efd028fbab
.reloc97320965240960.0726683f22af9f5bc29be1d803560f5fb2037c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://jdyou_152.proxy.kaopuyun.net/Open/V1_4/Soft/Upgrade
hxxp://c.84zcb.com/Open/V1_4/Soft/Upgrade125.77.22.178

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /Open/V1_4/Soft/Upgrade HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible)

Host: c.84zcb.com

Content-Length: 363

Cache-Control: no-cache

data=ZU/VMNyNxS1TnWRRj8GxQjWrbubxbK0I3z4lBE3kH1Lg0zx7Bm8NCL6F1dhzPiI3pLtLGO3rCd5V2DtXaBJo5sQ6HXo6eUWWiW cegStVRiwjeUVmrzou8S4yae3VVvMiUu3yRbPIdm1Ku8RJziEez//9TTQ5zmKRmAQQgmBI8iszeFbtvy4qONM0LFZeinZJbQVvlnxqWvlgwJYnCm/N6Mr3CVSYek/6osDNktRBY89J8tH7/VZBVvfiXpVcKfg5u JZAowUxbhQkiEuHHkjrmK5o/1Iw6ZVwBN8X0r1cBiBaWdZU/VMHEdcEWdhtEF&sign=9C296E0C2193E917A57032C94E3E6593

HTTP/1.1 200 OK

Date: Wed, 07 Dec 2016 22:25:26 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 728

Connection: keep-alive

Cache-Control: private

Server: Microsoft-IIS/7.5

X-AspNetMvc-Version: 4.0

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Cache-Control: no-cache

pmFeIO9K3DilnoBmWvXyvfWSsM8ondhCagHPiKq3tzTSPR2dpWuZt3QAv3xy5QaD/p/saU4FM/nw8fIj0NVbcHHoZCA 5udmJ2SGitbb X5iiUpsjgcPXlASfhFZspBi5ZijI3RujBRhfho3u6DP7F xhWh bYpWf2VPSTS8Yk8ZHtRH9vb8OG5N4B osfVMrnJRBdXJrJkqb1d//fNtodbm6Fujpth0JpuF1lzvGytVKRBDtaBvhQHGVmI2uDP4YlO BRvxfYWDr47imgN1Vuq/74SuMNnB6CsXdQ3qGxIyhyKB4NBKDhho8SqgC3jHO/MJ9bZ9W8ZkcTFOTYiiOZhEQJJe1mp5z3Q4sC2qiPqBDVEI1Z/aU61FZHHAjcCEmuPMy 1BDcNZPSzmAbYOg7Ux9i3F dBgFW8v2L7kbrFyvtpLnVCVUhf1RiJDXjnpubue4eYV6uvWHtG2jXazhrrNuvyMf8FbEniFM20cmwpdo3aUJd/tEcVYwd1mQ6HV8WQAM3tsCyF1TdrwXTcjeU65vLzByfGMnf2m3PiJmvJrdtLx2OJ/Kllf2mzd03zJP6dG1yHpMzg0ewdx6MK6h4Pu3gySTPNpiBhV0MMMKhB5xnz4h0fH/jW1GdfmdCsuqleWAzMYH5bw1YU8pm4o8ZFKg3zuYPJm3B/LANr4wK30hARWS/QOUq3bLXoAL24TQto8H6ZhXiAoip7rXVJYiw==HTTP/1.1 200 OK..Date: Wed, 07 Dec 2016 22:25:26 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 728..Connection: keep-alive..Cache-Control: private..Server: Microsoft-IIS/7.5..X-AspNetMvc-Version: 4.0..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Cache-Control: no-cache..pmFeIO9K3DilnoBmWvXyvfWSsM8ondhCagHPiKq3tzTSPR2dpWuZt3QAv3xy5QaD/p/saU4FM/nw8fIj0NVbcHHoZCA 5udmJ2SGitbb X5iiUpsjgcPXlASfhFZspBi5ZijI3RujBRhfho3u6DP7F xhWh bYpWf2VPSTS8Yk8ZHtRH9vb..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2956:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.vmp0

@.vmp0

`.vmp1

`.vmp1

.reloc

.reloc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

Bv.SCv=kAv

Bv.SCv=kAv

gdiplus.dll

gdiplus.dll

GdiPlus.dll

GdiPlus.dll

user32.dll

user32.dll

kernel32.dll

kernel32.dll

Kernel32.dll

Kernel32.dll

advapi32.dll

advapi32.dll

Ole32.dll

Ole32.dll

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

Gdi32.dll

Gdi32.dll

msimg32.dll

msimg32.dll

User32.dll

User32.dll

Gdiplus.dll

Gdiplus.dll

UxTheme.dll

UxTheme.dll

GetKeyState

GetKeyState

GdipSetStringFormatHotkeyPrefix

GdipSetStringFormatHotkeyPrefix

UnloadKeyboardLayout

UnloadKeyboardLayout

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

ActivateKeyboardLayout

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameA

RegOpenKeyA

RegOpenKeyA

RegDeleteKeyA

RegDeleteKeyA

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegFlushKey

RegFlushKey

LoadKeyboardLayoutA

LoadKeyboardLayoutA

UnregisterHotKey

UnregisterHotKey

RegisterHotKey

RegisterHotKey

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

10/05/12

10/05/12

\.YVV

\.YVV

Ï[H

Ï[H

L 

z>REGCOM.Register.api.1
.UPX0
.UPX1
@.rsrc
GDI32.dll
%c,UJ
SHELL32.dll
IPHLPAPI.DLL
COMDLG32.dll
USER32.dll
%.Dyy
>#>0>=>~>
: ;%;3;8;\;
?!?%?)?-?1?
5#5'5 5/53575
3 3$3(3,3034383
9 9$9(9,9094989
5 5$5(5,505
667[7~7 86
282`3@4}4
ZCB_API.dll
Y3%f{!.
Ke%Sc
hXa.ZktG
6C.Ceu}
J1.Rv
V.av^
SvCL.HC
*VsqL
d%sKC
%%CI7
'~V%y.gUeA
3F|
EJc%Xa
N%xu'
&*"8{@>[
'?.Wo
].Mjq
@1.cK
yr-W`AnV.XC
^r.wp
8%x]5
.koDI
gf%UT
%Gr%D
lCÂ1
=5}%s
p7.FX
-.ZkE6 
 C.gm
,.DFno
yP/.Wl
lr.SB
%U
b).nh
bwMSG
.oVMO
G.zzg
%S Kh
n.RPX
]g#M.yV
E
.IaUC
.yx4m
o.lS=F)h
>X.NM9
pn.FP
H3.Ye
>.ynD
&.nTT
VG#3.wiE
P8j%C
Zd.Jn
.Te>9
.kWkd`
.Cc|O
.xmOZ
h.YW&
F.pag
lD&.MY
]Hpu%U
Gq.zE
-q}?!
.KUh|
@q%c*
v$2.ZM
..SK1
Y}.Mc
%0s./
2.fx4
sms0%c
0.Td'
 .nK2
.HJ\;
a%D-l
.eos08
H.Mf^
1.uprVa
|Cq
%uIA0
Q!.Re%
.pY
h:\Fq
.OW`p
`*.Dh
e.mh"
~I.bf
Öo5L
.De;>
 {X%F&$Z.b
8
H.ZB~
@>P iXB%sJ
2%Cu"~
RUrlt c=
@|G.ZT
w;%x5
.q.rgXj
`(W.WV
vmX.Iz 
7H.OD
=K.yy
oledlg.dll
KERNEL32.dll
HttpOpenRequestA
OLEACC.dll
WININET.dll
VERSION.dll
VJ.wA E
ShellExecuteW
SHLWAPI.dll
OLEAUT32.dll
e*%C$
2S".av
WINSPOOL.DRV
.QCRz
wH%C^,
,.iIm
uRLW84
05.Do
#-Z}V
mv.MK]M
iA.cD
%7u3mj
W%x=uLsaIc
\.pAO
4Ll%S
iS.Ac
[F.qg
.oodJ'
.KrTI
%s=!
d.Hz)
.mp{v
.jc&k
?.ee?!
ADVAPI32.dll
*a.DM
j%FK.dn
REGCOM.Register.Api.1 = s 'ZCBApiPlug Class'
CLSID = s '{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}'
REGCOM.Register.Api = s 'ZCBApiPlug Class'
CurVer = s 'REGCOM.Register.Api.1'
ForceRemove {9CF66319-AA2F-424A-BEEA-9E42E36BEA1A} = s 'ZCBApiPlug Class'
ProgID = s 'REGCOM.Register.Api.1'
VersionIndependentProgID = s 'REGCOM.Register.Api'
TypeLib = s '{D7111ECF-2415-46C6-AAD4-EE6802448456}'
stdole2.tlbWWW
API_LoginWWW
,7API_FindPasswordd
API_LoginOutd
API_QQLoginW
Created by MIDL version 7.00.0555 at Fri Mar 13 14:58:24 2015
Adobe Photoshop CS4 Windows
2012:08:09 14:06:56
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> 
  •  
  •  
  •  
  •  
  • %dYJH'
    le~.leU
    S%SKz
    >{%UQ
    ,%f.F
    F.ijA
    }%UT0B
    M%D(a
    %.bx&
    {O1%D
    zuI{ %U
    lO.mUY
    d%u
    %4SIo
    w=%do
    s~Iw%f
    tj.zQ
    i?.sG4]Z
    u.rz;
    U&S%xg
    !ECE_[ò
    $"D)DeXE
    TN.WR
    5f.jy
    =n.Te
    %SY>Vo
    &<.nzq>
    z:\DRM7
    -x}W^
    \}.Ord
    z.Nh=i
    x-x}WG
    .WxK'
    .IDATx
    %cri\
    :O .Zl
    hXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=69bde5a33a292df593c3ae118c0a2d5d/4bed2e738bd4b31c7a52b43787d6277f9f2ff8d4.jpg
    hXXp://b.hiphotos.baidu.com/album/s=740;q=90/sign=be24b17e7d1ed21b7dc92ce19d55acf9/eaf81a4c510fd9f9ee9a75e5252dd42a2934a4a8.jpg
    hXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=f34523c6dab44aed5d4ebce08327f63c/8435e5dde71190ef039bb253ce1b9d16fcfa60dd.jpg
    hXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=5fa5abb56b63f624185d3b07b77f9ac5/71cf3bc79f3df8dc7cbaaf1dcd11728b461028b2.jpg
    hXXp://e.hiphotos.baidu.com/album/s=740;q=90/sign=94c20c64bc3eb13540c7b5bf9625d9ee/f3d3572c11dfa9ec9edb769b62d0f703908fc140.jpg
    hXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=dc4d926a277f9e2f74351f0c2f0b9819/fcfaaf51f3deb48ff1928152f01f3a292cf57846.jpg
    hXXp://e.hiphotos.baidu.com/album/s=740;q=90/sign=c80984f9d688d43ff4a993f64d25a326/f7246b600c338744dff20cf0510fd9f9d72aa002.jpg
    hXXp://h.hiphotos.baidu.com/album/s=740;q=90/sign=d2fbf6429925bc312f5d039c6ee4fc8c/b21c8701a18b87d6d8718893070828381f30fd0f.jpg
    9g.gq;
    P.pS'
    '#g Wv.NxyJ/T
    U9^)%d
    \Config.ini
    @qq.com
    explorer.exe
    DFO.exe
    API_LoginOut
    \Qsdfdg.ime
    \Qsdfdg.dll
    NeopleLauncher.exe
    `.vmp2
    ..jf.
    IMM32.dll
    h.ekc
    -&M.mh
    GetCPInfo
    ImeProcessKey
    imehost.dll
    VP%f#lE
    EnumThreadWindows
    OffsetViewportOrgEx
    SetViewportOrgEx
    CreateDialogIndirectParamA
    233.dll
    WINMM.dll
    ShellExecuteA
    iCrT
    t!u!"
    MSIMG32.dll
    comdlg32.dll
    RegCreateKeyExA
    UnhookWindowsHookEx
    GetViewportExtEx
    lfY%D
    .Qlf%
    )2%2,222
    %soGdj
    4%F$I
    202?262>
    RegOpenKeyExA
    SetWindowsHookExA
    COMCTL32.dll
    GetProcessHeap
    WS2_32.dll
    ."8fTP
    :%cs/
    4{/B
    NË[
    @5ML.wCr5
    L}.PA
    9.kF;
    O43o.hA
    /%x 4
    p%[%u
    &:.Cf
    pf%sRs{b
    <.bx>
    '%ud@$
    lV.Tu
    $;CZx#.LU
    Z`'.yl
    .ru?~
    \J.RC
    ]'.kr
    C.Rk!
    ]5 >82
    z%cnu&
    T@.Qc-
    j{gr%S
    .CNC_
     %xEh
    l#g!Ü
    %cOl^
    -8}#y
    GetViewportOrgEx
    *a%f&
    Cs
    -,.eHI`y
    .4A.zf}TG
    h?%f#q
    .fx}81&YH
    .Zg5bJ
    Y.Zl%$CP
    {Zx%d
    %MUF%x3
    |5$%s
    XN
    %x.(17
    be}%D
    /4%c@El"
    D3J9%xi
    Ô3A
    >3#{$'5,
    Ej}%C
    2$-K}
    -=,%c
    u%f?/&
    %U3;.
    Y %D,
    L%DwYO!
    .CDI}K
    .VDS 
    .TD3>&1
    .gsd\D
    0|.Ni
    tUbg%D
    RN}X%D
    P.Dn'
    .qDL4ifvU
    .ObNHD
    a.xi
    .Iw^.]D
    FZ#2.Vd
    vu.VD
    /u.UG
    (0{$@-.>
    .?.RT
    =*%u|uYuWu
    ():3[>[$
    .NT7-
     %suQT7
    >"3975]4
    .sR)L
    %CH.>~
    x~.DWh
    2ÛQk
    C %U4
    $`c%XQ
    T=
    .Qyu;D
    vM$%F
    .%DkVz"
    nZ^%D
    %uoa:
    $c%5Uv,
    .DBiw
    ?.sjH
    r.CDc
    :/%u7(
    UDP L
    %FqDg`
    >udPlQ
    .cDEj
    Mw.Dm
    D.Jmo
    m4E.Jc
    (;%u|*
    eD;3 A91)D?7/'=5-%D
    DOWQYC =%D
    m_1#&.Cu%
    "=t%D}3d
    EnumChildWindows
    ScaleViewportExtEx
    SetViewportExtEx
    WinExec
    GetWindowsDirectoryA
    Qsdfdg.dll
    2@{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
    09/27/12
    Windows
    imm32.dll
    Keyboard Layout
    Keyboard Layout\Preload
    .comment {color:green}
    %d&&'
    123456789
    00003333
    deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
    inflate 1.1.3 Copyright 1995-1998 Mark Adler
    F%D,3
    %*.*f
    CNotSupportedException
    commctrl_DragListMsg
    Afx:%x:%x:%x:%x:%x
    Afx:%x:%x
    COMCTL32.DLL
    CCmdTarget
    MSWHEEL_ROLLMSG
    __MSVCRT_HEAP_SELECT
    Broken pipe
    Inappropriate I/O control operation
    Operation not permitted
    Tiphlpapi.dll
    MPR.dll
    i1p.vq
    WSOCK32.dll
    .PAVCException@@
    Shell32.dll
    Mpr.dll
    Advapi32.dll
    (&07-034/)7 '
    ?? / %d]
    %d / %d]
    .PAVCFileException@@
    : %d]
    (*.*)|*.*||
    (*.WAV;*.MID)|*.WAV;*.MID|WAV
    (*.WAV)|*.WAV|MIDI
    (*.MID)|*.MID|
    (*.txt)|*.txt|
    (*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
    (*.JPG)|*.JPG|PNG
    (*.PNG)|*.PNG|BMP
    (*.BMP)|*.BMP|GIF
    (*.GIF)|*.GIF|
    (*.ICO)|*.ICO|
    (*.CUR)|*.CUR|
    %s:%d
    windows
    .PAVCNotSupportedException@@
    out.prn
    (*.prn)|*.prn|
    %d.%d
    %d/%d
    1.6.9
    unsupported zlib version
    png_read_image: unsupported transformation
    %d / %d
    Bogus message code %d
    libpng error: %s
    libpng warning: %s
    1.1.3
    bad keyword
    libpng does not support gamma background rgb_to_gray
    Palette is NULL in indexed image
    (%d-%d):
    %ld%c
    USER32.DLL
    hXXp://VVV.baidu.com
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    HTTP/1.0
    %s 
    Reply-To: %s
    From: %s
    To: %s
    Subject: %s
    Date: %s
    Cc: %s
    %a, %d %b %Y %H:%M:%S
    SMTP
    Y%d
    X%d
    Height%d
    Width%d
    RECT(%d, %d)-(%d, %d)
    Styles0xX
    Control ID%d
    Handle0xX
    %s
    burlywood
    \winhlp32.exe
    (*.htm;*.html)|*.htm;*.html
    %d%d%d
    rundll32.exe shell32.dll,
    .PAVCObject@@
    .PAVCSimpleException@@
    .PAVCMemoryException@@
    .?AVCNotSupportedException@@
    .PAVCResourceException@@
    .PAVCUserException@@
    .?AVCCmdTarget@@
    .?AVCCmdUI@@
    .?AVCTestCmdUI@@
    .PAVCArchiveException@@
    zcÁ
    c:\%original file name%.exe
    #include "l.chs\afxres.rc" // Standard components
    N.Jxd
    *.JxbF
    InternetCrackUrlA
    u$B79%C
    =.nCPgb
    a.GTYOE
    I%sbBW
    msGT
    pT.LZ
    .DT-u
    {QqÑT
    YV-B}T
    ^x.WXZ
    .7.:.%.0.
    m.HS@E^
    '.EXB
    L\~.XT$
    T.bthC
    T$\%X
    'G_
    C.hNSM
    MSX
    7)'
    K.qR\
    $.TL(
    .QkgM
    Fp.Tq
    %SrCT
    .TUn:
    }X.TWt
    :'_.cT
    ^sn2.aD
    %U1l >T
    $r.lO
    S7%fTX
    v.uGT
    4Tg-L}c
    Â[ T
    FTpGs?(
    .iTsOE
    4h1%U
    .AT1o
    ;%F?h
    .Tp8r
    RTeq _%U~>Y
    (w]%.FNT4
    eJ.TI@
    %xT4)
    /.Te1L
    /V.QG
    s.SsIW_u
    c;T%X
    W:\6sun2
    Gl%DxB
    XTWÅ“
    m@.zd
    r@D-n}
    cRT`@
    .Qz5DS
    V.RE/
    .kTSn
    {&.FT
    `~/T}þ
    T.hyszl
    Nl_%uTW~1
    .Tu[8
    %xT4Rv
    ^7.VT
    i*T%S.6
    j)u.Tnb6
    .jT[hwIka
    $D%UV
    wC~.TL=
    .EWQ9y
    YcRT
    Q.wQ
    -V}$Tn4
    .TD@io0
    sN.oT0
    xZ.SW
    .STUG
    @esh.Tz
    3T.XB
    .Ts\~k
    TY%xmJ=
    .Te
    .TLg:
    evK%ST*
    _%Fj}
    wd.gT'
    z,j.vQ
    f%STH
    x.Sp-
    .srT:
    %FTP?j
    (g.No
    2q.TD
    .RC80
    v,%DTb
    X?.Lom
    '.gXc3
    k.yGT
    m.TuYU
    %0XT-$
    tCP/v~!
    .20%U=
    H%C=Z
    WT.SA 
    B.cTj
    %6UB(
    PT.FU
    f^".TE
    Z=.ry
    $%XO]{
    .ac/A
    J.OmxT@
    A.RYv
    .ZjTe
    GFTP
    bD3.VT
    g.ZTx
    PN%UC
    %D},d
    dZ.NT
    .TL4&O
    OQ%u0
    .TdnB
    @$VT%X
    %Ud_qmya
    T~.Lx
    .ET.bZ
    |.TA*
    X2.PAL
    .WRhI
    >Cú
    .RwqnHJ
    (n.NT5-
    #%XfU1
    (z%xN
    .Thp*I>
    k.Thc
    .vVTc
    6J.pQ
    \Tv.tr
    |j.UWLC
    [.TOHG 7
    %C
    .GKT~
    )~.csvT/Q
    @.pV)!T
    @#r3TÞ
    N.DTUK
     t_%D
    .vW]SB
    .PT`%
    .TOLn{
    ].qTX&6
    .pU}5
    7.3T%F
    .BbT(
    ^.mXul
    FY/.Cd^"
    $.ej{
    %uTIs
    O.cj}
    TZ&M%s
    4yP.WkB;
    b].XT
    Y%XW'
    O.PkU
    A.bS\yT
    7.dctY
    TSqL
    [.BTA
    k.vb{
    ~T;A%dl
    Q.mx>(
    T.AvQ
    r.xT"(
    s4.oT
    D4.WT
    %FhfrT
    8.yT[
    ]p.fU5
    .Ts&9
    T.hL4^
    N$.zX
    PTe.rw
    =%DTY
    5/U.Ke
    7.kYv
    .Tj'>
    .TrC:
    v.RTn
    s:bx.jT;A
    .wrD^
    .uT9Q
    od.TR
    Yk.yc
    7.TY9
    TL.bV
    q.Wn\
    #oC.TwU
    ^.RVT
    O-5W}
    %sW{ZT
    .qaE%T
    ,sTw%xB
    S.LT,
    .yY]k
    .TSt_
    s.TAk
    0pT%s
    4.rYd
    ;*T %d
    T.YkI,pV
    _W.ZX
    *az.aM
    cv2.NG
    c.Tk*`
    >W.wT
    .XrT%
    ACrT
    ?^`exE3
    Ou %chyT
    |X.gn
    .VIlT}
    T!.Bj
    '.UPS;
    7w.pC
    .wT)D
    f.Rvb
    "p.PT>
    ;T%xC`}
    BTKx.LZ
    Wh.tG
    V.wxY&
    jÂW
    so.iYt
    pzUT.ko
    [w%x"
    .lu:T!Q
    .vFbtU
    .zUg'
    cu.hT
    wEÃ…
    !JV.Tlo
    t=U%S
    .wt(hO
    .JTqR>E
    p'~%.vq
    JqU.qI
    @.wYQ
    Ys
    TP%8U
    Crtk
    A-d}T
    ^%xmz
    üQ 4
    (%uTo
    >TXZi.OR
    [-v}4
    Ufc.XT
    sT b%U>
    .Iq$7
    T%f b
    k%sTw
    rTs
    cRTd
    ,F&.TU
    HQ;%XT%
    qv.MTq.
    %Sr7y
    TH.bI
    WW_dY0*tE.Tu
    %c Vc(
    $0<.hu>
    xQ.IV
    m.se:t]
    U.UYS3
    H.raY
    4.qVb/
    m.qx-
    .naj,
    .eb4sV
    jU.Sn
    .TSi3
    E%C=T
    WQ%C/.
    yYk.KE
    Y!hn%.Sp
    .iT::
    IbinTCp
    .TS{P*
    a|%d_S
    *-CT}a
    Yg.OqA
    HFtP4
    J[v-Ta}
    ST.pZ
    D~^%S
    q%CU0
    S`mQ05%xh
    d.dOo
    O{T%F
    0/X6.LT
    NO7.LT
    k-T}B
    OkQT.qK
    Si%xW
    I.qx_
    %f}TR
    .orz_
    i>T%u
    a_.gZ$
    f.UeU
    P.eTu
    I[.kTZ
    .qk_P'
    E.StF
    AFeXE
    WB%sT
    6~C.Lx
    B.nT1
    *?.uT3
    4(.sT
    *.ZT;~1I
    !.UA'
    %UI f
    )7.qt!
    '".XI1
     h%U1
    t.oTQ
    0T.Oe
    .swDM
    m].Gk
    =.UU#l
    We$%f
    n_.BU}5
    v.RT3
    0`.NP
    Oq:SQl
    fp.vI
    4/$.jX
    j.EtNT0(
    %F[]3
    t.ATa(;g
    {O%STC
    SC
    %0S[{
    ZTA.UF
    .OT'n
    }.BeT
    .xQ,4N
    .qT:9{
    =X;%f
    i".WT
    b}'"u.QT
    Klk.TY5EV
    F.WZ=
    0aN-6}7
    l.AT[
    jWy%U
    m|T.GM
    T.Wþ
    .ld:jT
    .jThJ9
    M0.tT
    n.kTNjh
    5.vRz
    %4upU
    H8N1.TQ
    (PV.WsE
    nZ.Td~
    4`.TA:
    %uT5(
    JzT2%s
    vT.gl
    WMWn3-h}~
    %dvWirQ
    V.kUW
    %DQNS
    #-i.dQtCf
    %UH[xs
    1.pP]g
    %jQ.MaS
    5ý\M
    t.ZT}EK5
    %0XTJA{5>[
    .vTeJw
    ).YH&s
    ,0.tQb
    f.XT;
    J2.yTHg"
    Tku".XI
    6.TeN
    S.xoX@Twm
    ".YTa
    qzc.oW=
    .bsTmWlO5%JxT
    IT.Xu$3
    ,.Trq
    4.jTa
    %sY8TQ
    \.YIo
    3HWc.uy
    -AT}x
    D.cU1
    A.ULVWD
    tT.kb
    bUDP
    UdpZ
    ^.uTy
    To.ME
    2G-e}
    g.pT2
    jIqXw%sT
    .pnFT6&
    5.QTh
    42]%CT
    %CZ(e
    Te_%S
    f.YTR5
    ?.kH]
    FTpKu
    rM/%C
    |.Tw
    .YTAP
    )j.MT/
    Ijr.NhT
    T.zuP{o
    .TMg@
    c&.Xny
    $WD.iT
    WfTPE
    .GUW\
     .Ty-FMd
    Gw.jrT;
    c.WEW
    *K.iT
    ~`;%U
    b%XqoA
    W-.dP
    2%U}z
    j.ETyq
    I1/).BT
    ;U.qy\
    .iWhy!
    (4'U%u
    W"^j>.PT2ot9wN
    v.gPT
    -v}vY
    k.UE{P
    P.YUT`q;
    1U.mja?
    05i.GT
    ..TF$
    IsQL
    .xezG
    lCRT
    p5%xT(
    .vS ]6
    T.Yk\
    l.eBqQ;
    %Xhql
    `Tv-S%Xp
    mx.iT
    @wo
    .Uk{;
    %XyX{
    AT-n}
    Xr.UT
    T.Zlh
    V.Ty!
    .qTxgi 
    ;%UWg
    .VW3/jf%
    p.txe3WT
    .pTDA
    Q$[%U
    j.Qa7z
    V.WoZ
    06l$FTpH
    MSgTD
    HT.IB
    JWxs%F
    wWmSg_k
    Sw.eT,|x
    Q!%xT5
    `5.wXOY
    ~^.Yj
    S%sfq
    %dXrm
    8u.vT'q
    p!
    h.Tdu{
    fw/.TQ
    @%xT3j
    RT.Fzv
    .PVAN
    e.hLT
    .mzTc
    /.TUB
    ^p%U~
    QMK.WZ
    |gN.mTMe
    a%x~?;T 
    Ts%fT
    L.Wr!~
    q.dOhTB
    %sRb4
    zU.KL%P
    rcH%X
    .pHT9
    .OxbF
    $IxF$.iT
    8PjK.zp
    .TZt!H"
    z.TxV
    .XrU%
    b$.iU
    'FTpU
    #T%Fs
    8JeRT%X
    t> r%xK
    /.TVS
    T-m}].S
    .Tvo;
    h%XT!
    mC%XS
    9%Xg:3
    .Ts[;
    ^Po.eT
    Ti%Sd
    wT\.LW
    5H%x|
    bv8.Tv
    q-H}{
    .jsoe
    &p%sT`!}
    .rkfV
    .CbHL0
    .TxHL0u
    .UU4*X
    SQluN
    -'8(@{?$
    uNRuN$uN.uN
    O _(b%x&
    %Ud6C
    u.Ijt
    5B.onP
    l.lwz]1o
    -q(.Bp
    HttpQueryInfoA
    InternetCanonicalizeUrlA
    %djNrPn
    RASAPI32.dll
    InternetOpenUrlA
    yb@-z}
    .dQ8$
    c.lX}
    w.CZS2Z
    .dm~3|
    tcpt)
    4%D"
    _.PNi
    Pi.Xc
    '0Vh2}.zl\
    M.xwl
    F|.yz
    .vnP@01x
    s.lgnxZ
    (l.aS6
    H.SvvF`b7a
    ;LÃ’
    .MxPUf
    4.VnU
    .etn`
    5#z.Mm.}O
    rD.XK
    5.uO\
    Hi~~a%DW
    8h*.vp6
    UDpz
    t.Ex73
    .uWX]
    0URL 
    b.dg[ I
    .tW(jz
    .IL |
    %fZ(\
    .OpyP
    %dR U
    OOo.tz
    u.lA3"
    UL.Hq
    6G.GK
    Px
    .cW X
    07NZ#.yW
    Vf.MZ
    07[^\%U-{L
    %Dtb(
    %Xod 
    O.tpy
    .PW^U1I
    .fx&eFiw
    H.ivnD
    .Wh5^
    :a9d.lZ?(M
    L{.Hhahb
    (b!O.eY`
    AUk.zoE
    =Z&,gV%X
    .Pnxl
    .rh[^
    .LD;3D
    Ab!%u
    bd.jb
    _-d%X
    ^Z.yb
    4Y<.fr>
    <.mez>
    .EF%h
    %XNTy
    HttpSendRequestA
    1.0.1.1007
    1, 0, 0, 1
    imedllhost09.ime
    1.0.0.0
    (*.*)
    %original file name%.exe_2956_rwx_0091A000_00002000:
    GetViewportExtEx
    WININET.dll
    UnregisterHotKey
    RegCloseKey
    KERNEL32.dll
    GetWindowsDirectoryA
    InternetCrackUrlA
    RegOpenKeyExA
    Bv.SCv=kAv
    u$B79%C
    %original file name%.exe_2956_rwx_00CC1000_00001000:
    SetViewportOrgEx
    HttpQueryInfoA
    CreateDialogIndirectParamA
    SetWindowsHookExA
    %original file name%.exe_2956_rwx_6B583000_00162000:
    b$m%F
    .Rj$&
    |%s}\6b'
    .bgFM
    Z.Tkh
    <.dxm>
    :=%s-
    Va.GK
    dDa.Du
    KeyC
    %.DM%R`}
    4A.DLe
    [;%7X
    &s;Eh%S9W
    '-.DT
    _0Z6a.CXP,U
    U%.C8
    |%cm8
    JWeB{
    "%C,Z
    G-c}(
    &gkR.OC
    I#i.En
    %f|rIAU
    {/LMZ
    WeBx7p
    GJ2k%sa
    $mÃ
    j{eD.jU
    .DTkJ
    %Flu-J 4a
    .EVM~
    tL.Ofd
    :g.cOK[
    LOÀ
    Xy.DD
    9%XPk
    %X2Zo
    .Gx Wy
    mm%C )
    k8%cmLb6
    uZ.JZ
    .aYf,
    .CT_2k
    -l
    }KV%xH
    -`a.RC
    HTg.mI
    -w}N.XS
    t%.Cd
    an.Ch
    ,`.WH
    Gt-c}(
    ,I.zf
    .eb_D
    5Nj.fR
    F"w.nW
    .RsP:^
    %Fg>n*
    !.Lyi
    .Ccp3
    cu.wE
    v.wPN[
    %F:o6
    a.wmr
    .wH"b
    !.Lum
    'u%.DiIR
    lm%CI
    2g|%c
    %S5l
    5.RcS_I
    m.wEQi
    RkeD.bW
    cm8Í.
    .DXF{
    .ji0`wV
    .ZU?E@
    J?Eô
    .Dpe
    .DLs&
    ;b.Ed
    y.Dp8
    !.zPi1z
    .qIvt
    Q.DlSr
    t-c}\
    .WA%m%1m
    .ISk_f
    r.CzA
    gr.fe=O
    0h.Uc\-Y
    %Fk@-
    l.Yx2
    %c|5K
    .fT44
    @$.wFX
    ~.Tkh
    wlG-c}\
    ~3or=Bp.Cc
    ;i.KM
    .ST. 
    u.wEb[
    hExe {
    YZ;b.di
    9.DTo
    q.Dl$
    "W1d=S.az)
    A%d.S
    .sK&Od:s
    rXe%F
    #%D|=
    D.ryX
    U .fZ
    CmDe
    %original file name%.exe_2956_rwx_6B6EF000_00001000:
    %.Dyy
    %original file name%.exe_2956_rwx_6B846000_00001000:
    VJ.wA E
    ShellExecuteW