Gen.Variant.Strictor.116636_414bcb4e90

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:2932

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2932 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\banben[1].txt (210 bytes)

Registry activity

The process %original file name%.exe:2932 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"FileTracingMask" = "4294901760"

"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\banben[1].txt (210 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1351680	523264	5.54488	0d0d1fbcf691acbec1d9ed0466620ac8
.rdata	1355776	745472	358912	5.54464	26ee3050b9811aa2104be5428d732196
.data	2101248	626688	48640	5.54158	97da4525f53b4621ce6b54f501aa9348
.rsrc	2727936	8192	2048	4.14386	4370bc7efeaa2fb8b772b0351a639653
.aspack	2736128	12288	9728	4.03526	40cf528dbcfeb5785281ffe39d83abe5
.adata	2748416	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://hunshang.oss-cn-hangzhou.aliyuncs.com/banben.txt	120.27.176.7
hxxp://count.2881.com/count/count.asp?id=4483&sx=1&ys=43	112.124.34.135

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /banben.txt HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/banben.txt

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: hunshang.oss-cn-hangzhou.aliyuncs.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: AliyunOSS

Date: Mon, 12 Dec 2016 09:00:05 GMT

Content-Type: text/plain

Content-Length: 210

Connection: keep-alive

x-oss-request-id: 584E6715A51FBE76AADAD0F2

Accept-Ranges: bytes

ETag: "CF892DC6B7A8A9792BD266138E4E93F5"

Last-Modified: Sun, 11 Dec 2016 07:36:27 GMT

x-oss-object-type: Normal

x-oss-hash-crc64ecma: 8552051326528913180

Content-MD5: z4ktxreoqXkr0mYTjk6T9Q==

x-oss-server-time: 3

V4#[6.6]#4V..jiu[6.5]jiu..MD5[2FF98309FA4C557C604E8374DADDBBD1]MD5..xia[hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/造梦è%A5¿æ¸¸4魂殇修改器6.6.exe]xiaHTTP/1.1 200 OK..Server: AliyunOSS..Date: Mon, 12 Dec 2016 09:00:05 GMT..Content-Type: text/plain..Content-Length: 210..Connection: keep-alive..x-oss-request-id: 584E6715A51FBE76AADAD0F2..Accept-Ranges: bytes..ETag: "CF892DC6B7A8A9792BD266138E4E93F5"..Last-Modified: Sun, 11 Dec 2016 07:36:27 GMT..x-oss-object-type: Normal..x-oss-hash-crc64ecma: 8552051326528913180..Content-MD5: z4ktxreoqXkr0mYTjk6T9Q==..x-oss-server-time: 3..V4#[6.6]#4V..jiu[6.5]jiu..MD5[2FF98309FA4C557C604E8374DADDBBD1]MD5..xia[hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/造æ%A2¦è¥¿æ¸¸4魂殇修改器6.6.exe]xia..

GET /count/count.asp?id=4483&sx=1&ys=43 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: count.2881.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Dec 2016 09:02:50 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 629

Content-Type: text/html

Expires: Mon, 12 Dec 2016 09:02:50 GMT

Set-Cookie: ASPSESSIONIDAASRCBAR=GPNGGAOCLMMPCNPHNNJAJLEP; path=/

Cache-control: private

document.write('<a href=hXXp://count.knowsky.com target=_blank title=..........223
..........1324300
..............><img border=0 src=hXXp://count.knowsky.com/img/43/1.gif><img border=0 src=hXXp://count.knowsky.com/img/43/3.gif><img border=0 src=http://count.knowsky.com/img/43/2.gif><img border=0 src=hXXp://count.knowsky.com/img/43/4.gif><img border=0 src=hXXp://count.knowsky.com/img/43/3.gif><img border=0 src=hXXp://count.knowsky.com/img/43/0.gif><img border=0 src=hXXp://count.knowsky.com/img/43/0.gif></a><iframe frameBorder=no scrolling=no name=abc width=0 height=0 src=hXXp://count.knowsky.com/js.asp></iframe>')HTTP/1.1 200 OK..Date: Mon, 12 Dec 2016 09:02:50 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 629..Content-Type: text/html..Expires: Mon, 12 Dec 2016 09:02:50 GMT..Set-Cookie: ASPSESSIONIDAASRCBAR=GPNGGAOCLMMPCNPHNNJAJLEP; path=/..Cache-control: private..document.write('<a href=hXXp://count.knowsky.com target=_blank title=..........223
..........1324300
..............><img border=0 src=hXXp://count.knowsky.com/img/43/1.gif><img border=0 src=http://count.knowsky.com/img/43/3.gif><img border=0 src=http..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2932:

.text

.text

.rdata

.rdata

.data

.data

.rsrc

.rsrc

.aspack

.aspack

.adata

.adata

t$(SSh

t$(SSh

|$D.tm

|$D.tm

~%UVW

~%UVW

u$SShe

u$SShe

Bv=kAv.SCv

Bv=kAv.SCv

Engine.dll

Engine.dll

kernel32.dll

kernel32.dll

user32.dll

user32.dll

User32.dll

User32.dll

wininet.dll

wininet.dll

advapi32.dll

advapi32.dll

ole32.dll

ole32.dll

?f_in_box.dll

?f_in_box.dll

EnumChildWindows

EnumChildWindows

GetProcessHeap

GetProcessHeap

MapVirtualKeyA

MapVirtualKeyA

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

{B6F7542F-B8FE-46a8-9605-98856A687097}

{B6F7542F-B8FE-46a8-9605-98856A687097}

WebBrowser

WebBrowser

VVV.4399hs.com

VVV.4399hs.com

0@\Engine.dll

0@\Engine.dll

%6u][n

%6u][n

^.VwP

^.VwP

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

dbghelp.dll

dbghelp.dll

MSVCP90.dll

MSVCP90.dll

MSVCR90.dll

MSVCR90.dll

USER32.dll

USER32.dll

aa_engine.dll

aa_engine.dll

hXXp://jq.qq.com/?_wv=1027&k=295C0rd

hXXp://jq.qq.com/?_wv=1027&k=295C0rd

.Zs4A

.Zs4A

%D't9

%D't9

Un.CG

Un.CG

%5smK"F

%5smK"F

.SE&Pqg

.SE&Pqg

30.cFKy

30.cFKy

%S4WD

%S4WD

hg%fpM

hg%fpM

S.Ac9SR

S.Ac9SR

0.I%3s

0.I%3s

,wAe.kI

,wAe.kI

aiUy'4xu

aiUy'4xu

%c*@j

%c*@j

.eH'y

.eH'y

{&%U)

{&%U)

lj%4U

lj%4U

xe%CNs

xe%CNs

9F.cLe

9F.cLe

hJK.ZH

hJK.ZH

O.qt0

O.qt0

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

SkinH_EL.dll

SkinH_EL.dll

900000001

900000001

100000001

100000001

100000002

100000002

102000001

102000001

103000001

103000001

104000001

104000001

102000002

102000002

103000002

103000002

104000002

104000002

105000001

105000001

105000002

105000002

106000001

106000001

106100002

106100002

106200003

106200003

106300004

106300004

107100002

107100002

107200003

107200003

108100001

108100001

109000001

109000001

110000001

110000001

110000002

110000002

110000003

110000003

110000004

110000004

110000005

110000005

110000006

110000006

110000007

110000007

110000008

110000008

110000009

110000009

110000010

110000010

110100001

110100001

110100002

110100002

119310001

119310001

119320001

119320001

119330001

119330001

119340001

119340001

119350001

119350001

119310002

119310002

119320002

119320002

119330002

119330002

119340002

119340002

119350002

119350002

119300003

119300003

119310004

119310004

119320004

119320004

119330004

119330004

119340004

119340004

119350004

119350004

119310005

119310005

119320005

119320005

119330005

119330005

119340005

119340005

119350005

119350005

119201001

119201001

119201002

119201002

119201003

119201003

119201004

119201004

119201005

119201005

119202001

119202001

119202002

119202002

119202003

119202003

119202004

119202004

119202005

119202005

120100001

120100001

120200001

120200001

120100002

120100002

120200002

120200002

121000001

121000001

122000001

122000001

125100001

125100001

125200001

125200001

130200001

130200001

135000001

135000001

135100001

135100001

136100001

136100001

136200001

136200001

136200002

136200002

136200003

136200003

137000001

137000001

137100001

137100001

138000001

138000001

138100002

138100002

138200003

138200003

139300001

139300001

140200001

140200001

140200002

140200002

140200003

140200003

140200004

140200004

140200005

140200005

140200006

140200006

140200007

140200007

140200008

140200008

140200009

140200009

140200010

140200010

141300001

141300001

142000001

142000001

142100001

142100001

143000001

143000001

143000002

143000002

143000003

143000003

143000004

143000004

143000005

143000005

143000006

143000006

143000007

143000007

143100001

143100001

144300001

144300001

144300002

144300002

144100001

144100001

144200001

144200001

145300001

145300001

146300001

146300001

149000001

149000001

149100001

149100001

150100001

150100001

150200001

150200001

150200002

150200002

156100001

156100001

156200001

156200001

157100001

157100001

158100001

158100001

159000001

159000001

159100001

159100001

160100001

160100001

160200001

160200001

160200002

160200002

160200003

160200003

161100001

161100001

161200001

161200001

161200002

161200002

161200003

161200003

197000001

197000001

197000002

197000002

197000003

197000003

197100001

197100001

198000001

198000001

198100001

198100001

199000001

199000001

199000002

199000002

199000003

199000003

199000004

199000004

199000005

199000005

199000006

199000006

199000007

199000007

199000008

199000008

199000009

199000009

199100001

199100001

197300001

197300001

hXXps://habo.qq.com/file/showdetail?pk=ADcGb11rB2MIOVs0

hXXps://habo.qq.com/file/showdetail?pk=ADcGb11rB2MIOVs0

lf_in_box.dll

lf_in_box.dll

n@.JNo

n@.JNo

z"fsft.AB

z"fsft.AB

H.PL_"

H.PL_"

f4%5X6

f4%5X6

llback#CreateURLMonikl

llback#CreateURLMonikl

.dll/H

.dll/H

-4a8e-A9C1-

-4a8e-A9C1-

HTTP/1.1 2

HTTP/1.1 2

i:\build_a

i:\build_a

|.pdb?

|.pdb?

Sof.jSy{3E

Sof.jSy{3E

OLEAUT32.dll

OLEAUT32.dll

RegCloseKey

RegCloseKey

f_in_box.dll

f_in_box.dll

FPC_GetImportTableEntry

FPC_GetImportTableEntry

FPC_SetPreProcessURLHandler

FPC_SetPreProcessURLHandler

@hXXp://jq.qq.com/?_wv=1027&k=2BNI7Xr

@hXXp://jq.qq.com/?_wv=1027&k=2BNI7Xr

hXXp://r.virscan.org/report/096fca648efa6b60f86c2837277542c3

hXXp://r.virscan.org/report/096fca648efa6b60f86c2837277542c3

.rb)6t$`6

.rb)6t$`6

wI.VAj

wI.VAj

.CR7C- G

.CR7C- G

!"#$%&'()* ,-./

!"#$%&'()* ,-./

|.DLL@&

|.DLL@&

C:\Ks\BLACK\8

C:\Ks\BLACK\8

.pdbk

.pdbk

E_Loader.dll

E_Loader.dll

hXXp://jq.qq.com/?_wv=1027&k=2B47i4L

hXXp://jq.qq.com/?_wv=1027&k=2B47i4L

hXXp://jq.qq.com/?_wv=1027&k=27p1qHf

hXXp://jq.qq.com/?_wv=1027&k=27p1qHf

hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/ditu.txt

hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/ditu.txt

419000001

419000001

419000002

419000002

429000001

429000001

429000002

429000002

429000003

429000003

429000004

429000004

439000001

439000001

439000002

439000002

439000003

439000003

439000004

439000004

439000005

439000005

439000006

439000006

439000007

439000007

439000008

439000008

449000008

449000008

449000009

449000009

449000010

449000010

449000011

449000011

200001001

200001001

210001001

210001001

210001002

210001002

220001001

220001001

220001002

220001002

201001001

201001001

211001001

211001001

211001002

211001002

221001001

221001001

221001002

221001002

200002001

200002001

210002001

210002001

210002002

210002002

220002001

220002001

220002002

220002002

201002001

201002001

211002001

211002001

211002002

211002002

221002001

221002001

221002002

221002002

200003001

200003001

210003001

210003001

210003002

210003002

220003001

220003001

220003002

220003002

201003001

201003001

211003001

211003001

211003002

211003002

221003001

221003001

221003002

221003002

200004001

200004001

210004001

210004001

210004002

210004002

220004001

220004001

220004002

220004002

201004001

201004001

211004001

211004001

211004002

211004002

221004001

221004001

221004002

221004002

200005001

200005001

210005001

210005001

210005002

210005002

220005001

220005001

220005002

220005002

201005001

201005001

211005001

211005001

211005002

211005002

221005001

221005001

221005002

221005002

205000001

205000001

205000002

205000002

215000001

215000001

215000002

215000002

225000003

225000003

225000004

225000004

235000005

235000005

235000006

235000006

235000007

235000007

235000008

235000008

245000004

245000004

245000005

245000005

245000001

245000001

245000002

245000002

245000003

245000003

255000007

255000007

255000008

255000008

255000009

255000009

255000010

255000010

255000011

255000011

255000012

255000012

255000013

255000013

255000014

255000014

255000015

255000015

230001001

230001001

230002001

230002001

230003001

230003001

230004001

230004001

230005001

230005001

231001001

231001001

231002001

231002001

231003001

231003001

231004001

231004001

231005001

231005001

231001002

231001002

231002002

231002002

231003002

231003002

231004002

231004002

231005002

231005002

230001002

230001002

230002002

230002002

230003002

230003002

230004002

230004002

230005002

230005002

231001003

231001003

231002003

231002003

231003003

231003003

231004003

231004003

231005003

231005003

230001003

230001003

230002003

230002003

230003003

230003003

230004003

230004003

230005003

230005003

231001004

231001004

231002004

231002004

231003004

231003004

231004004

231004004

231005004

231005004

230001004

230001004

230002004

230002004

230003004

230003004

230004004

230004004

230005004

230005004

241001001

241001001

241002001

241002001

241003001

241003001

241004001

241004001

241005001

241005001

240001001

240001001

240002001

240002001

240003001

240003001

240004001

240004001

240005001

240005001

240004101

240004101

240003101

240003101

240002101

240002101

241001002

241001002

241002002

241002002

241003002

241003002

241004002

241004002

241005002

241005002

240001002

240001002

240002002

240002002

240003002

240003002

240004002

240004002

240005002

240005002

240004102

240004102

240003102

240003102

240002102

240002102

241001003

241001003

241002003

241002003

241003003

241003003

241004003

241004003

241005003

241005003

240001003

240001003

240002003

240002003

240003003

240003003

240004003

240004003

240005003

240005003

240004103

240004103

240003103

240003103

240002103

240002103

211111001

211111001

212111001

212111001

213111001

213111001

214111001

214111001

223111001

223111001

222111001

222111001

221111001

221111001

224111001

224111001

233111001

233111001

232111001

232111001

231111001

231111001

234111001

234111001

211121001

211121001

212121001

212121001

213121001

213121001

214121001

214121001

" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U64G527.gif" />

" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U64G527.gif" />

" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U9193211.gif" />

" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U9193211.gif" />

hXXp://VVV.4399.com/flash/151038.htm

hXXp://VVV.4399.com/flash/151038.htm

hXXp://dh-cfg.liuxue789.cn/dh.jb

hXXp://dh-cfg.liuxue789.cn/dh.jb

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

[

[

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

hXXp://news.4399.com/gonglue/zmxy4/zhuangbei/

hXXp://news.4399.com/gonglue/zmxy4/zhuangbei/

hXXp://news.4399.com/gonglue/zmxy4/shizhuang/

hXXp://news.4399.com/gonglue/zmxy4/shizhuang/

VBScript.RegExp

VBScript.RegExp

Flash.ocx

Flash.ocx

Shockwave Flash.FlashWindow

Shockwave Flash.FlashWindow

javascript:window.external.AddFavorite

javascript:window.external.AddFavorite

javascript:window.external.addFavorite

javascript:window.external.addFavorite

VVV.4399hs.com]

VVV.4399hs.com]

.comment {color:green}

.comment {color:green}

VVV.4399hs.com/tj.html

VVV.4399hs.com/tj.html

hXXps://graph.qq.com/oauth/show?which=Login&display=pc&response_type=code&client_id=100266617&redirect_uri=hXXp://extlogin.4399.com/qzone/callback.do&state=postLoginHandler=default&redirectUrl=&appId=dev4399&gameId=&cid=&aid=&ref=&autoLogin=false

hXXps://graph.qq.com/oauth/show?which=Login&display=pc&response_type=code&client_id=100266617&redirect_uri=hXXp://extlogin.4399.com/qzone/callback.do&state=postLoginHandler=default&redirectUrl=&appId=dev4399&gameId=&cid=&aid=&ref=&autoLogin=false

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

!"013@ #

!"013@ #

v.IF_W

v.IF_W

%d&&'

%d&&'

123456789

123456789

00003333

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.2.18

1.2.18

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

vs.3.sw

vs.3.sw

vs.2.sw

vs.2.sw

ps.3.sw

ps.3.sw

ps.2.sw

ps.2.sw

Corrupt JPEG data: found marker 0xx instead of RST%d

Corrupt JPEG data: found marker 0xx instead of RST%d

Warning: unknown JFIF revision number %d.d

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Inconsistent progression sequence for component %d coefficient %d

Inconsistent progression sequence for component %d coefficient %d

Unknown Adobe color transform code %d

Unknown Adobe color transform code %d

Obtained XMS handle %u

Obtained XMS handle %u

Freed XMS handle %u

Freed XMS handle %u

Unrecognized component IDs %d %d %d, assuming YCbCr

Unrecognized component IDs %d %d %d, assuming YCbCr

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

Opened temporary file %s

Opened temporary file %s

Closed temporary file %s

Closed temporary file %s

Ss=%d, Se=%d, Ah=%d, Al=%d

Ss=%d, Se=%d, Ah=%d, Al=%d

Component %d: dc=%d ac=%d

Component %d: dc=%d ac=%d

Start Of Scan: %d components

Start Of Scan: %d components

Component %d: %dhx%dv q=%d

Component %d: %dhx%dv q=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Smoothing not supported with nonstandard sampling ratios

Smoothing not supported with nonstandard sampling ratios

RST%d

RST%d

At marker 0xx, recovery action %d

At marker 0xx, recovery action %d

Selected %d colors for quantization

Selected %d colors for quantization

Quantizing to %d colors

Quantizing to %d colors

Quantizing to %d = %d*%d*%d colors

Quantizing to %d = %d*%d*%d colors

%4u %4u %4u %4u %4u %4u %4u %4u

%4u %4u %4u %4u %4u %4u %4u %4u

Unexpected marker 0xx

Unexpected marker 0xx

Miscellaneous marker 0xx, length %u

Miscellaneous marker 0xx, length %u

with %d x %d thumbnail image

with %d x %d thumbnail image

JFIF extension marker: type 0xx, length %u

JFIF extension marker: type 0xx, length %u

Warning: thumbnail image size does not match data length %u

Warning: thumbnail image size does not match data length %u

JFIF APP0 marker: version %d.d, density %dx%d %d

JFIF APP0 marker: version %d.d, density %dx%d %d

= = = = = = = =

= = = = = = = =

Obtained EMS handle %u

Obtained EMS handle %u

Freed EMS handle %u

Freed EMS handle %u

Define Restart Interval %u

Define Restart Interval %u

Define Quantization Table %d precision %d

Define Quantization Table %d precision %d

Define Huffman Table 0xx

Define Huffman Table 0xx

Define Arithmetic Table 0xx: 0xx

Define Arithmetic Table 0xx: 0xx

Unknown APP14 marker (not Adobe), length %u

Unknown APP14 marker (not Adobe), length %u

Unknown APP0 marker (not JFIF), length %u

Unknown APP0 marker (not JFIF), length %u

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unsupported marker type 0xx

Unsupported marker type 0xx

Failed to create temporary file %s

Failed to create temporary file %s

Unsupported JPEG process: SOF type 0xx

Unsupported JPEG process: SOF type 0xx

Cannot quantize to more than %d colors

Cannot quantize to more than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize more than %d color components

Cannot quantize more than %d color components

Insufficient memory (case %d)

Insufficient memory (case %d)

Not a JPEG file: starts with 0xx 0xx

Not a JPEG file: starts with 0xx 0xx

Quantization table 0xx was not defined

Quantization table 0xx was not defined

Huffman table 0xx was not defined

Huffman table 0xx was not defined

Backing store not supported

Backing store not supported

Cannot transcode due to multiple use of quantization table %d

Cannot transcode due to multiple use of quantization table %d

Maximum supported image dimension is %u pixels

Maximum supported image dimension is %u pixels

Empty JPEG image (DNL not supported)

Empty JPEG image (DNL not supported)

Bogus DQT index %d

Bogus DQT index %d

Bogus DHT index %d

Bogus DHT index %d

Bogus DAC value 0x%x

Bogus DAC value 0x%x

Bogus DAC index %d

Bogus DAC index %d

Unsupported color conversion request

Unsupported color conversion request

Too many color components: %d, max %d

Too many color components: %d, max %d

Buffer passed to JPEG library is too small

Buffer passed to JPEG library is too small

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Improper call to JPEG library in state %d

Improper call to JPEG library in state %d

Invalid scan script at entry %d

Invalid scan script at entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Unsupported JPEG data precision %d

Unsupported JPEG data precision %d

Invalid memory pool code %d

Invalid memory pool code %d

Wrong JPEG library version: library is %d, caller expects %d

Wrong JPEG library version: library is %d, caller expects %d

IDCT output block size %d not supported

IDCT output block size %d not supported

Invalid component ID %d in SOS

Invalid component ID %d in SOS

Bogus message code %d

Bogus message code %d

0123456789ABCDEF1.0.5

0123456789ABCDEF1.0.5

inflate 1.1.4 Copyright 1995-2002 Mark Adler

inflate 1.1.4 Copyright 1995-2002 Mark Adler

F%D,3

F%D,3

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

RASAPI32.dll

RASAPI32.dll

AVIFIL32.dll

AVIFIL32.dll

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

CreateDialogIndirectParamA

CreateDialogIndirectParamA

GetViewportOrgEx

GetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

WINSPOOL.DRV

WINSPOOL.DRV

comdlg32.dll

comdlg32.dll

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

RegCreateKeyExA

RegCreateKeyExA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

oledlg.dll

oledlg.dll

WSOCK32.dll

WSOCK32.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

1.6.9

1.6.9

unsupported zlib version

unsupported zlib version

png_read_image: unsupported transformation

png_read_image: unsupported transformation

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

libpng error: %s

libpng error: %s

libpng warning: %s

libpng warning: %s

1.1.3

1.1.3

bad keyword

bad keyword

libpng does not support gamma background rgb_to_gray

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

Palette is NULL in indexed image

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

index.dat

index.dat

desktop.ini

desktop.ini

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

its:%s::%s

its:%s::%s

Y%d

Y%d

X%d

X%d

Height%d

Height%d

Width%d

Width%d

RECT(%d, %d)-(%d, %d)

RECT(%d, %d)-(%d, %d)

Styles0xX

Styles0xX

Control ID%d

Control ID%d

Handle0xX

Handle0xX

%s

%s

burlywood

burlywood

\winhlp32.exe

\winhlp32.exe

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

(*.avi)|*.avi

(*.avi)|*.avi

WPFT532.CNV

WPFT532.CNV

WPFT632.CNV

WPFT632.CNV

EXCEL32.CNV

EXCEL32.CNV

write32.wpc

write32.wpc

Windows Write

Windows Write

mswrd632.wpc

mswrd632.wpc

Word for Windows 6.0

Word for Windows 6.0

wword5.cnv

wword5.cnv

Word for Windows 5.0

Word for Windows 5.0

mswrd832.cnv

mswrd832.cnv

mswrd632.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

Word 6.0/95 for Windows & Macintosh

html32.cnv

html32.cnv

operator

operator

keywords

keywords

\d3d9.dll

\d3d9.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

IndexedColor

IndexedColor

nFaceIndexes

nFaceIndexes

faceIndexes

faceIndexes

FloatKeys

FloatKeys

TimedFloatKeys

TimedFloatKeys

tfkeys

tfkeys

AnimationKey

AnimationKey

keyType

keyType

nKeys

nKeys

keys

keys

nUrls

nUrls

urls

urls

?.vW@

?.vW@

right-curly-bracket

right-curly-bracket

left-curly-bracket

left-curly-bracket

0123456789

0123456789

c:\%original file name%.exe

c:\%original file name%.exe

The procedure entry point %s could not be located in the dynamic link library %s

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

winmm.dll

winmm.dll

ws2_32.dll

ws2_32.dll

rasapi32.dll

rasapi32.dll

msvfw32.dll

msvfw32.dll

avifil32.dll

avifil32.dll

gdi32.dll

gdi32.dll

msimg32.dll

msimg32.dll

winspool.drv

winspool.drv

shell32.dll

shell32.dll

oleaut32.dll

oleaut32.dll

comctl32.dll

comctl32.dll

1, 0, 6, 6

1, 0, 6, 6

- Skin.dll

- Skin.dll

4, 4, 0, 0

4, 4, 0, 0

! !(!!"#")""

! !(!!"#")""

>?:)<:>?:)

>?:)<:>?:)

>?:)?:?:

>?:)?:?:

123456789:;

123456789:;

0123456

0123456

!! ##%%&&$$'' (**),,,//

!! ##%%&&$$'' (**),,,//

(){()))?,

(){()))?,

?;

?;

(/) )-),

(/) )-),

]:;?,

]:;?,

(*.*)

(*.*)

%original file name%.exe_2932_rwx_007B0000_00018000:

`.rsrc

`.rsrc

RCv=kAv.SCvs

RCv=kAv.SCvs

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

operator

operator

C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb

C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb

E_Loader.dll

E_Loader.dll

c:\%original file name%.exe

c:\%original file name%.exe

GetCPInfo

GetCPInfo

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

KERNEL32.DLL

KERNEL32.DLL

kernel32.dll

kernel32.dll

mscoree.dll

mscoree.dll

%original file name%.exe_2932_rwx_10028000_00015000:

msctls_hotkey32

msctls_hotkey32

TVCLHotKey

TVCLHotKey

THotKey

THotKey

\skinh.she

\skinh.she

}uo,x6l5k%x-l h

}uo,x6l5k%x-l h

9p%s m)t4`#b

9p%s m)t4`#b

e"m?c&y1`Ð

e"m?c&y1`Ð

SetViewportOrgEx

SetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

EnumThreadWindows

EnumThreadWindows

EnumChildWindows

EnumChildWindows

`c%US.4/

`c%US.4/

!#$

!#$

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.UPX0

@.UPX0

`.UPX1

`.UPX1

`.reloc

`.reloc

hJK.ZH

hJK.ZH

O.qt0

O.qt0