Susp_Dropper (Kaspersky), Gen:Variant.Strictor.116636 (B) (Emsisoft), Gen:Variant.Strictor.116636 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 414bcb4e90e6f1734e97b3f309d369b1
SHA1: 93468ba6e8b8a9c46d5a8e81e32c39e93aba947a
SHA256: a1a6b08cd71b114c7e4bc2dc43451870d1134f2d61b51766d8c0dfd91fb27ef0
SSDeep: 12288:8h2A8dF8bifYCnA3qnzYQOXWnzFyq3QSjiWhgvhYNburHN1fsENb5et3R0XFL9CW:1RdF8bL6zfdxz3QKdgeUHDeNcx
Size: 976650 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-13 08:49:23
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2932
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\banben[1].txt (210 bytes)
Registry activity
The process %original file name%.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\414bcb4e90e6f1734e97b3f309d369b1_RASMANCS]
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\banben[1].txt (210 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1351680 | 523264 | 5.54488 | 0d0d1fbcf691acbec1d9ed0466620ac8 |
.rdata | 1355776 | 745472 | 358912 | 5.54464 | 26ee3050b9811aa2104be5428d732196 |
.data | 2101248 | 626688 | 48640 | 5.54158 | 97da4525f53b4621ce6b54f501aa9348 |
.rsrc | 2727936 | 8192 | 2048 | 4.14386 | 4370bc7efeaa2fb8b772b0351a639653 |
.aspack | 2736128 | 12288 | 9728 | 4.03526 | 40cf528dbcfeb5785281ffe39d83abe5 |
.adata | 2748416 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://hunshang.oss-cn-hangzhou.aliyuncs.com/banben.txt | 120.27.176.7 |
hxxp://count.2881.com/count/count.asp?id=4483&sx=1&ys=43 | 112.124.34.135 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /banben.txt HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/banben.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hunshang.oss-cn-hangzhou.aliyuncs.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: AliyunOSS
Date: Mon, 12 Dec 2016 09:00:05 GMT
Content-Type: text/plain
Content-Length: 210
Connection: keep-alive
x-oss-request-id: 584E6715A51FBE76AADAD0F2
Accept-Ranges: bytes
ETag: "CF892DC6B7A8A9792BD266138E4E93F5"
Last-Modified: Sun, 11 Dec 2016 07:36:27 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 8552051326528913180
Content-MD5: z4ktxreoqXkr0mYTjk6T9Q==
x-oss-server-time: 3
V4#[6.6]#4V..jiu[6.5]jiu..MD5[2FF98309FA4C557C604E8374DADDBBD1]MD5..xia[hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/造梦è%A5¿æ¸¸4é‚殇修æâ€Â¹Ã¥â„¢Â¨6.6.exe]xia
GET /count/count.asp?id=4483&sx=1&ys=43 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: count.2881.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Dec 2016 09:02:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 629
Content-Type: text/html
Expires: Mon, 12 Dec 2016 09:02:50 GMT
Set-Cookie: ASPSESSIONIDAASRCBAR=GPNGGAOCLMMPCNPHNNJAJLEP; path=/
Cache-control: private
document.write('<a href=hXXp://count.knowsky.com target=_blank title=..........223
..........1324300
..............><img border=0 src=hXXp://count.knowsky.com/img/43/1.gif><img border=0 src=hXXp://count.knowsky.com/img/43/3.gif><img border=0 src=http://count.knowsky.com/img/43/2.gif><img border=0 src=hXXp://count.knowsky.com/img/43/4.gif><img border=0 src=hXXp://count.knowsky.com/img/43/3.gif><img border=0 src=hXXp://count.knowsky.com/img/43/0.gif><img border=0 src=hXXp://count.knowsky.com/img/43/0.gif></a><iframe frameBorder=no scrolling=no name=abc width=0 height=0 src=hXXp://count.knowsky.com/js.asp></iframe>')
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2932:
.text
.rdata
.data
.rsrc
.aspack
.adata
t$(SSh
|$D.tm
~%UVW
u$SShe
Bv=kAv.SCv
Engine.dll
kernel32.dll
user32.dll
User32.dll
wininet.dll
advapi32.dll
ole32.dll
?f_in_box.dll
EnumChildWindows
GetProcessHeap
MapVirtualKeyA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
VVV.4399hs.com
0@\Engine.dll
%6u][n
^.VwP
KERNEL32.DLL
ADVAPI32.dll
dbghelp.dll
MSVCP90.dll
MSVCR90.dll
USER32.dll
aa_engine.dll
hXXp://jq.qq.com/?_wv=1027&k=295C0rd
.Zs4A
%D't9
Un.CG
%5smK"F
.SE&Pqg
30.cFKy
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
SkinH_EL.dll
900000001
100000001
100000002
102000001
103000001
104000001
102000002
103000002
104000002
105000001
105000002
106000001
106100002
106200003
106300004
107100002
107200003
108100001
109000001
110000001
110000002
110000003
110000004
110000005
110000006
110000007
110000008
110000009
110000010
110100001
110100002
119310001
119320001
119330001
119340001
119350001
119310002
119320002
119330002
119340002
119350002
119300003
119310004
119320004
119330004
119340004
119350004
119310005
119320005
119330005
119340005
119350005
119201001
119201002
119201003
119201004
119201005
119202001
119202002
119202003
119202004
119202005
120100001
120200001
120100002
120200002
121000001
122000001
125100001
125200001
130200001
135000001
135100001
136100001
136200001
136200002
136200003
137000001
137100001
138000001
138100002
138200003
139300001
140200001
140200002
140200003
140200004
140200005
140200006
140200007
140200008
140200009
140200010
141300001
142000001
142100001
143000001
143000002
143000003
143000004
143000005
143000006
143000007
143100001
144300001
144300002
144100001
144200001
145300001
146300001
149000001
149100001
150100001
150200001
150200002
156100001
156200001
157100001
158100001
159000001
159100001
160100001
160200001
160200002
160200003
161100001
161200001
161200002
161200003
197000001
197000002
197000003
197100001
198000001
198100001
199000001
199000002
199000003
199000004
199000005
199000006
199000007
199000008
199000009
199100001
197300001
hXXps://habo.qq.com/file/showdetail?pk=ADcGb11rB2MIOVs0
lf_in_box.dll
n@.JNo
z"fsft.AB
H.PL_"
f4%5X6
llback#CreateURLMonikl
.dll/H
-4a8e-A9C1-
HTTP/1.1 2
i:\build_a
|.pdb?
Sof.jSy{3E
OLEAUT32.dll
RegCloseKey
f_in_box.dll
FPC_GetImportTableEntry
FPC_SetPreProcessURLHandler
@hXXp://jq.qq.com/?_wv=1027&k=2BNI7Xr
hXXp://r.virscan.org/report/096fca648efa6b60f86c2837277542c3
.rb)6t$`6
wI.VAj
.CR7C- G
!"#$%&'()* ,-./
|.DLL@&
C:\Ks\BLACK\8
.pdbk
E_Loader.dll
hXXp://jq.qq.com/?_wv=1027&k=2B47i4L
hXXp://jq.qq.com/?_wv=1027&k=27p1qHf
hXXp://hunshang.oss-cn-hangzhou.aliyuncs.com/ditu.txt
419000001
419000002
429000001
429000002
429000003
429000004
439000001
439000002
439000003
439000004
439000005
439000006
439000007
439000008
449000008
449000009
449000010
449000011
200001001
210001001
210001002
220001001
220001002
201001001
211001001
211001002
221001001
221001002
200002001
210002001
210002002
220002001
220002002
201002001
211002001
211002002
221002001
221002002
200003001
210003001
210003002
220003001
220003002
201003001
211003001
211003002
221003001
221003002
200004001
210004001
210004002
220004001
220004002
201004001
211004001
211004002
221004001
221004002
200005001
210005001
210005002
220005001
220005002
201005001
211005001
211005002
221005001
221005002
205000001
205000002
215000001
215000002
225000003
225000004
235000005
235000006
235000007
235000008
245000004
245000005
245000001
245000002
245000003
255000007
255000008
255000009
255000010
255000011
255000012
255000013
255000014
255000015
230001001
230002001
230003001
230004001
230005001
231001001
231002001
231003001
231004001
231005001
231001002
231002002
231003002
231004002
231005002
230001002
230002002
230003002
230004002
230005002
231001003
231002003
231003003
231004003
231005003
230001003
230002003
230003003
230004003
230005003
231001004
231002004
231003004
231004004
231005004
230001004
230002004
230003004
230004004
230005004
241001001
241002001
241003001
241004001
241005001
240001001
240002001
240003001
240004001
240005001
240004101
240003101
240002101
241001002
241002002
241003002
241004002
241005002
240001002
240002002
240003002
240004002
240005002
240004102
240003102
240002102
241001003
241002003
241003003
241004003
241005003
240001003
240002003
240003003
240004003
240005003
240004103
240003103
240002103
211111001
212111001
213111001
214111001
223111001
222111001
221111001
224111001
233111001
232111001
231111001
234111001
211121001
212121001
213121001
214121001
" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U64G527.gif" />
" width="252" height="45" src="hXXp://newsimg.5054399.com/uploads/userup/1503/241U9193211.gif" />
hXXp://VVV.4399.com/flash/151038.htm
hXXp://dh-cfg.liuxue789.cn/dh.jb
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
[
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
hXXp://news.4399.com/gonglue/zmxy4/zhuangbei/
hXXp://news.4399.com/gonglue/zmxy4/shizhuang/
VBScript.RegExp
Flash.ocx
Shockwave Flash.FlashWindow
javascript:window.external.AddFavorite
javascript:window.external.addFavorite
VVV.4399hs.com]
.comment {color:green}
VVV.4399hs.com/tj.html
hXXps://graph.qq.com/oauth/show?which=Login&display=pc&response_type=code&client_id=100266617&redirect_uri=hXXp://extlogin.4399.com/qzone/callback.do&state=postLoginHandler=default&redirectUrl=&appId=dev4399&gameId=&cid=&aid=&ref=&autoLogin=false
(7),01444
'9=82<.342>
!"013@ #
v.IF_W
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
vs.3.sw
vs.2.sw
ps.3.sw
ps.2.sw
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
0123456789ABCDEF1.0.5
inflate 1.1.4 Copyright 1995-2002 Mark Adler
F%D,3
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
AVIFIL32.dll
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegOpenKeyExA
RegOpenKeyA
RegCreateKeyExA
ShellExecuteA
SHELL32.dll
oledlg.dll
WSOCK32.dll
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
index.dat
desktop.ini
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.htm;*.html)|*.htm;*.html
its:%s::%s
Y%d
X%d
Height%d
Width%d
RECT(%d, %d)-(%d, %d)
Styles0xX
Control ID%d
Handle0xX
%s |
burlywood
\winhlp32.exe
;3 #>6.&
'2, / 0&7!4-)1#
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
\d3d9.dll
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
IndexedColor
nFaceIndexes
faceIndexes
FloatKeys
TimedFloatKeys
tfkeys
AnimationKey
keyType
nKeys
keys
nUrls
urls
?.vW@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
winmm.dll
ws2_32.dll
rasapi32.dll
msvfw32.dll
avifil32.dll
gdi32.dll
msimg32.dll
winspool.drv
shell32.dll
oleaut32.dll
comctl32.dll
1, 0, 6, 6
- Skin.dll
4, 4, 0, 0
! !(!!"#")""
>?:)<:>?:)
>?:)?:?:
123456789:;
0123456
!! ##%%&&$$'' (**),,,//
(){()))?,
?;
(/) )-),
]:;?,
(*.*)
%original file name%.exe_2932_rwx_007B0000_00018000:
`.rsrc
RCv=kAv.SCvs
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb
E_Loader.dll
c:\%original file name%.exe
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
KERNEL32.DLL
kernel32.dll
mscoree.dll
%original file name%.exe_2932_rwx_10028000_00015000:
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0