Trojan.GenericKD.3222113 (B) (Emsisoft), Trojan.GenericKD.3222113 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b0e76e5fa28e60f5494725558e503e6e
SHA1: 35843cb8a70d28d2b52b02e1c3648eec90fb2a9b
SHA256: 2a011c15433155a87df5df7a2331bc659cbd3c251ed531c31a213cdbc56d005b
SSDeep: 24576:O8mMKiqIH4RqU3S3pWaYm0ms5M6WrU5QAnCKNpmAOYYbwmxQ7E:WicRqU3SZd90bm43CY96TOg
Size: 1736704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-26 08:28:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1552
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!___DDrawCheckExclMode____DDrawExclMode__DDrawWindowListMutexDDrawDriverObjectListMutexRasPbFileShimCacheMutex
File activity
The process %original file name%.exe:1552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process %original file name%.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1322288916"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 50 C3 6D C5 74 EF 08 F7 30 7F 7C 57 01 CC C6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ???????
Product Name: ??YY?????????
Product Version: 4.0.0.0
Legal Copyright: ???????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.0.0.0
File Description: ??QQ:1261278285
Comments: ??QQ:1261278285
Language: English (United States)
Company Name: ???????Product Name: ??YY?????????Product Version: 4.0.0.0Legal Copyright: ???????Legal Trademarks: Original Filename: Internal Name: File Version: 4.0.0.0File Description: ??QQ:1261278285Comments: ??QQ:1261278285Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1206370 | 1208320 | 5.09774 | efb072a618776273fcd58af23797b3b6 |
.rdata | 1212416 | 396518 | 397312 | 4.45323 | c5e0607ecb3791bcc31d60712294ac8a |
.data | 1609728 | 388427 | 94208 | 4.41003 | 469763cfdc25c6703795a4c2c51d5940 |
.rsrc | 1998848 | 29656 | 32768 | 3.56209 | 810facead66414b2db86b0f96e8bdfd2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://124.232.163.136/wanda/api.php | |
hxxp://124.232.163.136/wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /wanda/api.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.5.13
X-Powered-By: ASP.NET
Date: Sun, 05 Jun 2016 20:04:47 GMT
Content-Length: 25
No input file specified......
GET /wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /wanda/api.php
Content-Length: 0
Connection: Close
Content-Type: text/html
POST /wanda/api.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://124.232.163.136/wanda/api.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 124.232.163.136
Cache-Control: no-cache
action=q_s&sid=8
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /wanda/api.php?WebShieldDRSessionVerify=eYMnR7JeA74b317eN6jy
Content-Length: 0
Connection: Close
Content-Type: text/html
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1552:
.text
.text
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
t%SVh
t%SVh
t$(SSh
t$(SSh
|$D.tm
|$D.tm
~%UVW
~%UVW
t.It It
t.It It
u$SShe
u$SShe
ole32.dll
ole32.dll
wininet.dll
wininet.dll
WanDaVC.dll
WanDaVC.dll
kernel32.dll
kernel32.dll
gdiplus.dll
gdiplus.dll
user32.dll
user32.dll
WinINet.dll
WinINet.dll
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
GetVcodeFromURL
GetVcodeFromURL
GdiplusShutdown
GdiplusShutdown
EnumWindows
EnumWindows
GetWindowsDirectoryA
GetWindowsDirectoryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
*.txt
*.txt
(*.*)|*.*
(*.*)|*.*
1261278285
1261278285
z>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
z>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
http=
HTTP/1.1
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://
\TEMP.TMP
\TEMP.TMP
\config.ini
\config.ini
Atexe
Atexe
baIK&.com/login.do
baIK&.com/login.do
hXXps://udb.
hXXps://udb.
&password=
&password=
url=&username=
url=&username=
.com/welcome.do
.com/welcome.do
The URL has moved
The URL has moved
.com/ajax.do
.com/ajax.do
action=checkLoginFreqIp&ajax=true&whichOpra=设置密ä¿Â问题action=password&ajax=true&whichOpra=设置密ä¿Â问题&currpswd=
action=checkLoginFreqIp&ajax=true&whichOpra=设置密ä¿Â问题action=password&ajax=true&whichOpra=设置密ä¿Â问题&currpswd=
.com/security/authorization.do?ajax=true
.com/security/authorization.do?ajax=true
action=password&ajax=true&whichOpra=设置密ä¿Â问题&currpswd=
action=password&ajax=true&whichOpra=设置密ä¿Â问题&currpswd=
.com/security/question.do?action=questionB&ajax=true
.com/security/question.do?action=questionB&ajax=true
.com/logout.do
.com/logout.do
hXXps://
hXXps://
.com/verify/login.do
.com/verify/login.do
hXXps://udb.yy.com/security/authorization.do?ajax=true
hXXps://udb.yy.com/security/authorization.do?ajax=true
action=password&currpswd=
action=password&currpswd=
hXXps://udb.yy.com/account2/resetQuestion4_2_2.do
hXXps://udb.yy.com/account2/resetQuestion4_2_2.do
.com/account2/resetQuestion3_2_1.do
.com/account2/resetQuestion3_2_1.do
.com/account2/resetQuestion3_2_2.do
.com/account2/resetQuestion3_2_2.do
hXXp://udb.
hXXp://udb.
.com/account2/resetQuestion4_2_2.do
.com/account2/resetQuestion4_2_2.do
action=checkLoginFreqIp&ajax=true&whichOpra=ä¿®æâ€Â¹Ã¥Â¯â€ ä¿Â问题
action=checkLoginFreqIp&ajax=true&whichOpra=ä¿®æâ€Â¹Ã¥Â¯â€ ä¿Â问题
action=question&ajax=true&whichOpra=ä¿®æâ€Â¹Ã¥Â¯â€ ä¿Â问题&answer=
action=question&ajax=true&whichOpra=ä¿®æâ€Â¹Ã¥Â¯â€ ä¿Â问题&answer=
action=checkLoginFreqIp&ajax=true&whichOpra=设置密ä¿Â邮箱
action=checkLoginFreqIp&ajax=true&whichOpra=设置密ä¿Â邮箱
action=question&ajax=true&whichOpra=设置密ä¿Â邮箱&answer=
action=question&ajax=true&whichOpra=设置密ä¿Â邮箱&answer=
action=password&ajax=true&whichOpra=设置密ä¿Â邮箱&currpswd=
action=password&ajax=true&whichOpra=设置密ä¿Â邮箱&currpswd=
.com/security/email.do?action=emailB&email=
.com/security/email.do?action=emailB&email=
.com/security/email.do
.com/security/email.do
hXXps://udb.yy.com/account/email4_0_2.do?ajax=true&resetId=
hXXps://udb.yy.com/account/email4_0_2.do?ajax=true&resetId=
.com/account/email2.do
.com/account/email2.do
.com/account2/email3_1_1.do
.com/account2/email3_1_1.do
.com/account/email3_1_3.do?ajax=true
.com/account/email3_1_3.do?ajax=true
yy.com
yy.com
.com/password.do
.com/password.do
.com/password.do?ajax=true
.com/password.do?ajax=true
&password=&newpassword=
&password=&newpassword=
hXXps://udb.yy.com/account2/emailFast1_1.do?ajax=true
hXXps://udb.yy.com/account2/emailFast1_1.do?ajax=true
duowan.com
duowan.com
.com/account/forgetPassword2.do
.com/account/forgetPassword2.do
.com/ajax.do?action=checkSecurityCode&ajax=true&securityCode1=
.com/ajax.do?action=checkSecurityCode&ajax=true&securityCode1=
.com/account/forgetPassword2_checkUser4ToModifyPwdWithAuthToken.do?Ajax=true
.com/account/forgetPassword2_checkUser4ToModifyPwdWithAuthToken.do?Ajax=true
.com/account/forgetPassword2_toModifyPwdWithAuthToken.do
.com/account/forgetPassword2_toModifyPwdWithAuthToken.do
.com/security/authorization.do?ajax=true&auth_no_login_user=
.com/security/authorization.do?ajax=true&auth_no_login_user=
.com/account/forgetPassword2_modifyPwdWithAuthToken.do
.com/account/forgetPassword2_modifyPwdWithAuthToken.do
&newpassword=
&newpassword=
Account.passwordQuestion2.init('success')
Account.passwordQuestion2.init('success')
hXXps://udb.yy.com/login.jsp
hXXps://udb.yy.com/login.jsp
&url=http://VVV.yy.com
&url=http://VVV.yy.com
&passwd=
&passwd=
hXXps://udb.yy.com/security/index.do
hXXps://udb.yy.com/security/index.do
hXXps://udb.yy.com/verify/register.do?1315474843062
hXXps://udb.yy.com/verify/register.do?1315474843062
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
**.dU
**.dU
hXXp://shop62281233.taobao.com/
hXXp://shop62281233.taobao.com/
hXXp://124.232.163.136/wanda/api.php
hXXp://124.232.163.136/wanda/api.php
%S4WD
%S4WD
hg%fpM
hg%fpM
S.Ac9SR
S.Ac9SR
0.I%3s
0.I%3s
,wAe.kI
,wAe.kI
aiUy'4xu
aiUy'4xu
%c*@j
%c*@j
.eH'y
.eH'y
{&%U)
{&%U)
lj%4U
lj%4U
xe%CNs
xe%CNs
9F.cLe
9F.cLe
hJK.ZH
hJK.ZH
O.qt0
O.qt0
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
MSVCRT.dll
MSVCRT.dll
MSVFW32.dll
MSVFW32.dll
USER32.dll
USER32.dll
SkinH_EL.dll
SkinH_EL.dll
VVV.3600gz.cn
VVV.3600gz.cn
hXXp://124.232.163.136/wanda/exe/
hXXp://124.232.163.136/wanda/exe/
action=login&u=
action=login&u=
hXXp://VVV.ip138.com/ip2city.asp
hXXp://VVV.ip138.com/ip2city.asp
hXXp://checkip.dyndns.org/
hXXp://checkip.dyndns.org/
hXXp://whois.ipcn.org/
hXXp://whois.ipcn.org/
hXXp://ip.chinaz.com/
hXXp://ip.chinaz.com/
0.0.0.0
0.0.0.0
LoginID
LoginID
LoginPW
LoginPW
hXXp://wpa.qq.com/msgrd?V=1&Uin=
hXXp://wpa.qq.com/msgrd?V=1&Uin=
@qq.com
@qq.com
lrf6868@126.com
lrf6868@126.com
smtp.126.com
smtp.126.com
.exe.tmp
.exe.tmp
Del Temp.zip
Del Temp.zip
\Temp.zip
\Temp.zip
5update.bat
5update.bat
(@\info.ini
(@\info.ini
anonymous@123.com
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
{EE09B103-97E0-11CF-978F-00A02463E06F}
{EE09B103-97E0-11CF-978F-00A02463E06F}
Keys
Keys
@VBScript.RegExp
@VBScript.RegExp
hXXp://bc.3600gz.cno
hXXp://bc.3600gz.cno
Adobe Photoshop CS2 Windows
Adobe Photoshop CS2 Windows
2010:10:21 00:30:36
2010:10:21 00:30:36
~?k}%C
~?k}%C
urlTEXT
urlTEXT
MsgeTEXT
MsgeTEXT
"!& 7/&)4)!"0A149;>>>%.DIC;
"!& 7/&)4)!"0A149;>>>%.DIC;
2010:11:24 10:10:55
2010:11:24 10:10:55
9Z).aY
9Z).aY
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
RASAPI32.dll
RASAPI32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
GetKeyState
GetKeyState
GetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\Scsi0:
\\.\PhysicalDrive0
\\.\PhysicalDrive0
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
glViewport
glViewport
glTexEnvfv
glTexEnvfv
glTexEnvf
glTexEnvf
\glu32.dll
\glu32.dll
\Opengl32.dll
\Opengl32.dll
glPassThrough
glPassThrough
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
HELO %s
HELO %s
SMTP
SMTP
AUTH LOGIN
AUTH LOGIN
LOGIN
LOGIN
AUTH=LOGIN
AUTH=LOGIN
EHLO %s
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:
MAIL FROM:
RCPT TO:
RCPT TO:
x86 Family %s Model %s Stepping %s
x86 Family %s Model %s Stepping %s
X-X-X-X
X-X-X-X
\\.\Smartvsd
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
\\.\Scsi%d:
\\.\Scsi%d:
[%s:%d]
[%s:%d]
Range: bytes=%s-
Range: bytes=%s-
[%s:%d]
[%s:%d]
PASS %s
PASS %s
PASS ******
PASS ******
USER %s
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
SIZE %s
PORT
PORT
User-Agent: %s
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Referer: %s
Host: %s
Host: %s
GET %s HTTP/1.1
GET %s HTTP/1.1
HTTP/1.0
HTTP/1.0
Cookie: %s
Cookie: %s
%d, %s
%d, %s
\\192.168.0.129\TCP\1037
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
%s %s %s
Session: %s
Session: %s
Cseq: %u
Cseq: %u
%*s %s
%*s %s
%*s %u
%*s %u
CSeq: %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i
rtsp://%s:%i/%s
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
Range: npt=%s-
%s/streamid=1
%s/streamid=1
%s/streamid=0
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
If-Match: %s
RealChallenge2: %s, sd=%s
RealChallenge2: %s, sd=%s
Title: %s
Title: %s
Copyright: %s
Copyright: %s
Author: %s
Author: %s
real: Content-length for description too big (> %uMB)!
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Bandwidth: %u
Challenge1: %s
Challenge1: %s
hash output: %x %x %x %x
hash output: %x %x %x %x
hash input: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
stream=%u;rule=%u,
Illegal character '%c' in input.
Illegal character '%c' in input.
1.1.3
1.1.3
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
.232.163.136
.232.163.136
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
0246813579
0246813579
1, 0, 6, 6
1, 0, 6, 6
- Skin.dll
- Skin.dll
(*.*)
(*.*)
4.0.0.0
4.0.0.0
%original file name%.exe_1552_rwx_00401000_00127000:
t%SVh
t%SVh
t$(SSh
t$(SSh
|$D.tm
|$D.tm
~%UVW
~%UVW
t.It It
t.It It
u$SShe
u$SShe
%original file name%.exe_1552_rwx_10028000_00015000:
msctls_hotkey32
msctls_hotkey32
TVCLHotKey
TVCLHotKey
THotKey
THotKey
\skinh.she
\skinh.she
}uo,x6l5k%x-l h
}uo,x6l5k%x-l h
9p%s m)t4`#b
9p%s m)t4`#b
e"m?c&y1`Ã
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
EnumThreadWindows
EnumThreadWindows
EnumChildWindows
EnumChildWindows
`c%US.4/
`c%US.4/
!#$
!#$
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.UPX0
@.UPX0
`.UPX1
`.UPX1
`.reloc
`.reloc
hJK.ZH
hJK.ZH
O.qt0
O.qt0