Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3cbfcf601db1fdfb495978d8b65a01bb
SHA1: 894987966f277feb3ee4ec221d1a1b7f668208e7
SHA256: 1dffdb8dfe4a72e5cb63d4388468e13a9b03b7a47dd9c678419cb314f1f74106
SSDeep: 196608:rtCvtHT5OrJ21nFH5azqhP92O8CtM1bZjDb:utHt2J2Npkz 9zm19j/
Size: 6418432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-12 05:41:13
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
regsvr32.exe:2460
regsvr32.exe:2640
regsvr32.exe:2456
regsvr32.exe:1256
regsvr32.exe:560
regsvr32.exe:3156
regsvr32.exe:3136
regsvr32.exe:3336
regsvr32.exe:3168
regsvr32.exe:2364
regsvr32.exe:3176
%original file name%.exe:2636
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:2460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:3176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process %original file name%.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (8230 bytes)
Registry activity
The process regsvr32.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\Data\"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"
The process regsvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
Dropped PE files
MD5 | File path |
---|---|
c578b6820bda5689940560147c6e5ffc | c:\Data\dm.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:2460
regsvr32.exe:2640
regsvr32.exe:2456
regsvr32.exe:1256
regsvr32.exe:560
regsvr32.exe:3156
regsvr32.exe:3136
regsvr32.exe:3336
regsvr32.exe:3168
regsvr32.exe:2364
regsvr32.exe:3176
%original file name%.exe:2636
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Data\dm.dll (823 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1089674 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1097728 | 5081452 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 6180864 | 464330 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 6647808 | 2222432 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 8871936 | 6402944 | 6406144 | 5.54379 | 1488ed11268773b3c49d5f26b4f6f20b |
.rsrc | 15278080 | 5744 | 8192 | 2.96136 | 8f4caf869bb8932369e369f030084df2 |
Network Activity
URLs
URL | IP |
---|---|
comroute.baibaoyun.com | 120.27.136.132 |
Strings from Dumps
%original file name%.exe_2636:
.?AVSimpleKeyingInterface@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
comroute.baibaoyun.com
comroute.baibaoyun.com
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PB_W
.PB_W
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
45
45
00x0
00x0
9&939&:6:
9&939&:6:
2%2*2/242>2
2%2*2/242>2
5_5K5X5a5
5_5K5X5a5
8Â8K8X8a8
8Â8K8X8a8
6$6)6.646;6
6$6)6.646;6
6o7U7y7
6o7U7y7
0!1)11282
0!1)11282
6$71757?7
6$71757?7
6$6(6.6:6
6$6(6.6:6
= =$=(=,=
= =$=(=,=
5$5*505?5
5$5*505?5
6!6(6-6;6
6!6(6-6;6
2 2$2(2,20242
2 2$2(2,20242
1.0.0.0
1.0.0.0
CCmdTarget
CCmdTarget
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
COMCTL32.DLL
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
user32.dll
user32.dll
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
SetWindowsHookExA
SetWindowsHookExA
GetKeyState
GetKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
!Win32 .DLL.
!Win32 .DLL.
.MPRESS1
.MPRESS1
.MPRESS2>
.MPRESS2>
>%Crc{
>%Crc{
f7.ST
f7.ST
Ah&`%xw
Ah&`%xw
-Qwg}W
-Qwg}W
.Rg^5
.Rg^5
ra(%X
ra(%X
-RL}tAWq
-RL}tAWq
3r.DU
3r.DU
!A
!A
#.jK$
#.jK$
.If//
.If//
i5v.dU`
i5v.dU`
wfd%C
wfd%C
.seH9
.seH9
H7\Ûy
H7\Ûy
%dWA4
%dWA4
.WmO.
.WmO.
Q.HX)
Q.HX)
ÜU2
ÜU2
.ubwO%
.ubwO%
?.MK9
?.MK9
d.DHb
d.DHb
.jtv,
.jtv,
Jnx&%D
Jnx&%D
%d{u2
%d{u2
msgcallback_autologinW
msgcallback_autologinW
msgcallback_autologin
msgcallback_autologin
shell32.dll
shell32.dll
program internal error number is %d.
program internal error number is %d.
:"%s"
:"%s"
:"%s".
:"%s".
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.exe "
.exe "
hXXp://VVV.game2.cn/member/
hXXp://VVV.game2.cn/member/
&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=http&o=sso&m=checkNeedCaptcha&account=
&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=http&o=sso&m=checkNeedCaptcha&account=
hXXp://login.360.cn/?callback=jQuery1121004880054023122077_
hXXp://login.360.cn/?callback=jQuery1121004880054023122077_
hXXp://passport.51wan.com/login_index_needToValidate_0.html?jsoncallback=jQuery182016474190838213354_
hXXp://passport.51wan.com/login_index_needToValidate_0.html?jsoncallback=jQuery182016474190838213354_
hXXp://member.8090yxs.com/login.php?action=checkuser&username=
hXXp://member.8090yxs.com/login.php?action=checkuser&username=
hXXp://member.8090yxs.com/game/game.php?game=dtx&full=play_gamecode&client=pc&server=s
hXXp://member.8090yxs.com/game/game.php?game=dtx&full=play_gamecode&client=pc&server=s
return Math.floor((1 Math.random()) * 65536).toString(16).substring(1)
return Math.floor((1 Math.random()) * 65536).toString(16).substring(1)
&captcha=&autoLogin=1&client_id=1100&xd=http://wan.sogou.com/static/jump.html&token=
&captcha=&autoLogin=1&client_id=1100&xd=http://wan.sogou.com/static/jump.html&token=
hXXps://account.sogou.com/web/login
hXXps://account.sogou.com/web/login
hXXp://wan.sogou.com/play.do?gid=653&sid=
hXXp://wan.sogou.com/play.do?gid=653&sid=
hXXp://wan.sogou.com/clientplay.do?sid=
hXXp://wan.sogou.com/clientplay.do?sid=
hXXp://VVV.dahei.com/websiteAjax/op/login/
hXXp://VVV.dahei.com/websiteAjax/op/login/
hXXp://VVV.dahei.com/joinGame/code/dtx
hXXp://VVV.dahei.com/joinGame/code/dtx
hXXp://VVV.ao7.ufojoy.com/game/dtx.phtml
hXXp://VVV.ao7.ufojoy.com/game/dtx.phtml
form_submit_key_time
form_submit_key_time
form_submit_key_v1
form_submit_key_v1
form_submit_key_v2
form_submit_key_v2
&url=/game/dtx.phtml
&url=/game/dtx.phtml
&form_submit_key_v2=
&form_submit_key_v2=
&form_submit_key_v1=
&form_submit_key_v1=
&act=submit&form_submit_key_time=
&act=submit&form_submit_key_time=
hXXp://VVV.ao7.ufojoy.com/user/login.phtml
hXXp://VVV.ao7.ufojoy.com/user/login.phtml
VVV.ao7.ufojoy.com
VVV.ao7.ufojoy.com
hXXp://VVV.ao7.ufojoy.com/game/dtx/servers.phtml
hXXp://VVV.ao7.ufojoy.com/game/dtx/servers.phtml
.phtml
.phtml
hXXp://VVV.ao7.ufojoy.com/server/login/
hXXp://VVV.ao7.ufojoy.com/server/login/
http://res.dtx.game2.com.cn/index/indexufojoy.html?
http://res.dtx.game2.com.cn/index/indexufojoy.html?
repass
repass
UserChangePass
UserChangePass
dm.dmsoft
dm.dmsoft
SetKeypadDelay
SetKeypadDelay
SetShowErrorMsg
SetShowErrorMsg
SetWindowState
SetWindowState
,(!73!73!73!73!73!73!73!73!73 @;
,(!73!73!73!73!73!73!73!73!73 @;
.comment {color:green}
.comment {color:green}
.jS.T
.jS.T
SiX^@=65.eB
SiX^@=65.eB
;.APi
;.APi
A%x*>l
A%x*>l
@%S&)
@%S&)
;%DuH
;%DuH
LSc
LSc
A$(d%cn
A$(d%cn
8.jPs
8.jPs
.jJX[
.jJX[
*e.NaJ
*e.NaJ
pY-|þ
pY-|þ
.YrVUp\
.YrVUp\
diTXtXML:com.adobe.xmp
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
~.agAV
~.agAV
.nn-!*
.nn-!*
.tkyt
.tkyt
G:\^(
G:\^(
.RhcD
.RhcD
o.vH|
o.vH|
?h(%do
?h(%do
=7%f__
=7%f__
SOCrt
SOCrt
htu%d
htu%d
=VR^.uzL
=VR^.uzL
%fPa4
%fPa4
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
!.RNi
!.RNi
%x_Xj
%x_Xj
GO#.Dx
GO#.Dx
Z>%0S_
Z>%0S_
Mm.gS
Mm.gS
(j.AKt
(j.AKt
`8.zNx:
`8.zNx:
%cK8R
%cK8R
@9u[%ul
@9u[%ul
.hr''y
.hr''y
_h@A%s
_h@A%s
.yqh(t
.yqh(t
E%X[-
E%X[-
\`!%C[8
\`!%C[8
!%D&&
!%D&&
TW%U8
TW%U8
.mN`SH
.mN`SH
.VX1P5
.VX1P5
i4
i4
X(U%Ui
X(U%Ui
.xQCO
.xQCO
usSh:Zq
usSh:Zq
D-o.OF
D-o.OF
eN%6u
eN%6u
.LI[P
.LI[P
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
F%*.*f
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WSOCK32.dll
WSOCK32.dll
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
msscript.ocx
msscript.ocx
Y%dY%dX%dX%dHeight%dHeight%dWidth%dWidth%dRECT(%d, %d)-(%d, %d)RECT(%d, %d)-(%d, %d)Styles0xXStyles0xXControl ID%dControl ID%dHandle0xXHandle0xX%s |
%s |
burlywood
burlywood
\winhlp32.exe
\winhlp32.exe
VVV.dywt.com.cn
VVV.dywt.com.cn
index.dat
index.dat
desktop.ini
desktop.ini
\StringFileInfo\%s\Comments
\StringFileInfo\%s\Comments
\StringFileInfo\%s\ProductVersion
\StringFileInfo\%s\ProductVersion
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\OriginalFilename
\StringFileInfo\%s\OriginalFilename
\StringFileInfo\%s\LegalTrademarks
\StringFileInfo\%s\LegalTrademarks
\StringFileInfo\%s\LegalCopyright
\StringFileInfo\%s\LegalCopyright
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\CompanyName
\StringFileInfo\%s\CompanyName
\StringFileInfo\%s\FileVersion
\StringFileInfo\%s\FileVersion
000%x
000%x
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
c:\%original file name%.exe
c:\%original file name%.exe
uwp-B}
uwp-B}
].mB3
].mB3
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
USER32.DLL
USER32.DLL
sice.sys
sice.sys
siwvid.sys
siwvid.sys
ntice.sys
ntice.sys
iceext.sys
iceext.sys
syser.sys
syser.sys
sbiedll.dll
sbiedll.dll
%d-%d-%d
%d-%d-%d
winhttp.dll
winhttp.dll
activation.php?code=
activation.php?code=
deactivation.php?hash=
deactivation.php?hash=
l\.RU
l\.RU
zWEb
zWEb
.Mm87
.Mm87
[M%X]s
[M%X]s
WW.re
WW.re
.AV
.AV
hYc.OD'
hYc.OD'
f5y%f
f5y%f
2~-x}
2~-x}
Uf>)5
Uf>)5
e"h%D
e"h%D
Wgx!w.ha
Wgx!w.ha
k9iTCp
k9iTCp
-S6EW}
-S6EW}
%f-i)
%f-i)
iA.Zk
iA.Zk
,qrO.qXv
,qrO.qXv
.McNr\M>
.McNr\M>
f%D g
f%D g
.vVof
.vVof
ve.AO
ve.AO
.GA=X
.GA=X
&.SaY5'S
&.SaY5'S
5.eTr
5.eTr
h5X-Mw}
h5X-Mw}
]b.GTb
]b.GTb
o.tCAg;i
o.tCAg;i
za%uNJ
za%uNJ
%up}ih
%up}ih
"s%DXbl
"s%DXbl
^,G%C
^,G%C
f„6f
f„6f
E_.QeP
E_.QeP
..ry@
..ry@
L[.ZBL
L[.ZBL
y~7H%s-(Wg$#
y~7H%s-(Wg$#
~!'He^IC%X
~!'He^IC%X
-.Rc&W@
-.Rc&W@
ack%f
ack%f
.zGRd
.zGRd
kr^-A}
kr^-A}
ul.Xps
ul.Xps
Nc.GfE
Nc.GfE
R.oU6m
R.oU6m
D0Sql.y
D0Sql.y
*hLScRt
*hLScRt
%F}^2
%F}^2
Ef5y%f
Ef5y%f
sQL&;
sQL&;
.aOp2
.aOp2
n.pEz6O
n.pEz6O
Q .%U5
Q .%U5
>.AG1,
>.AG1,
5,U%s
5,U%s
s.EwJ
s.EwJ
nA%S
nA%S
\%.qt:
\%.qt:
q?.ecR-
q?.ecR-
[u.VC
[u.VC
.cRJ&*
.cRJ&*
se8 %.nC
se8 %.nC
.bm_w
.bm_w
b.gp^(
b.gp^(
].jz0\C
].jz0\C
1.QJ@
1.QJ@
.aN\8
.aN\8
68b%x
68b%x
.GODZ
.GODZ
%F
%F
9L1Chr%F
9L1Chr%F
Zc.tr"*i;V.
Zc.tr"*i;V.
t.FP*k
t.FP*k
aL%FW
aL%FW
l\.je
l\.je
[%Fy,
[%Fy,
%dv?*Y
%dv?*Y
P.Sc^
P.Sc^
>$.jj
>$.jj
M6.FU2
M6.FU2
j1.UN_
j1.UN_
.QD(M
.QD(M
A_.Oixx
A_.Oixx
*.spu
*.spu
.VUh_mX
.VUh_mX
/q.mf
/q.mf
M%XB\
M%XB\
.bSAxJK
.bSAxJK
P`.zd
P`.zd
.DiHz
.DiHz
..8\V.hD
..8\V.hD
gj.Ga
gj.Ga
2.Aou2,
2.Aou2,
.xDuC
.xDuC
.LmT(
.LmT(
i/o%.d
i/o%.d
sb#sy%F)
sb#sy%F)
CmF.wW"
CmF.wW"
]%UbO
]%UbO
wl%CG
wl%CG
Uf5y%f
Uf5y%f
Gdg%s
Gdg%s
T.rwa
T.rwa
i.uLi
i.uLi
r.xir
r.xir
r%xir
r%xir
r%xirZa&
r%xirZa&
r.zir
r.zir
r%xir,j{_
r%xir,j{_
r.zirL
r.zirL
.ziQX
.ziQX
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
FVERSION.dll
FVERSION.dll
kSHELL32.dll
kSHELL32.dll
5%dmT{n
5%dmT{n
WTSAPI32.dll
WTSAPI32.dll
E%1x_u
E%1x_u
YxF.ap
YxF.ap
,
,
G%xhc
G%xhc
%xS$k
%xS$k
t%U|8J5
t%U|8J5
f%U@Cn
f%U@Cn
[Db%S"
[Db%S"
K1.AD}
K1.AD}
.PZ}WDa
.PZ}WDa
.LOJOS
.LOJOS
p v%ul
p v%ul
=%5xK
=%5xK
/Þ]
/Þ]
.kDB'wt
.kDB'wt
.MYbe
.MYbe
.FQFr
.FQFr
$D&M%u| tU
$D&M%u| tU
.VF?2P
.VF?2P
.VW$VJ
.VW$VJ
O.GW;
O.GW;
.SK~t$
.SK~t$
h>JA.Rs
h>JA.Rs
S0Û
S0Û
YF.Sl
YF.Sl
B5.Hh!
B5.Hh!
d).pK
d).pK
P.thu
P.thu
E.JKD
E.JKD
.FYqaT
.FYqaT
.YG^;q
.YG^;q
Â-5
Â-5
;#-%UB`?
;#-%UB`?
.mN!t
.mN!t
'4.MU'g
'4.MU'g
Ix%SpQ
Ix%SpQ
%Cj[q
%Cj[q
WaUDp
WaUDp
{.cGY
{.cGY
.LB$`
.LB$`
%f js
%f js
Gbj#3%s
Gbj#3%s
P .CO
P .CO
@T(A.Zx
@T(A.Zx
EY*_I.ak
EY*_I.ak
.Se;]
.Se;]
8].JQ
8].JQ
T.leU
T.leU
#L.Gi1
#L.Gi1
D.RT|,bA
D.RT|,bA
`{%s0
`{%s0
C.Cf"
C.Cf"
%UZlA
%UZlA
$17!.Ih
$17!.Ih
.zam 1
.zam 1
g{.Qk
g{.Qk
.Zmp7U
.Zmp7U
^.Da=
^.Da=
.Ad!o!9
.Ad!o!9
.qN6`
.qN6`
7[.Wct
7[.Wct
.Uk].
.Uk].
"AB%U
"AB%U
;p%dw
;p%dw
/?a.nK
/?a.nK
s Msz.NS
s Msz.NS
p%Xg;4Q
p%Xg;4Q
D6M%d_$
D6M%d_$
-rZ}b
-rZ}b
i.iE*|nA
i.iE*|nA
2<.ug>
2<.ug>
'.ixp2
'.ixp2
dfLSQl
dfLSQl
mz2%D
mz2%D
FSQl
FSQl
wu.rO
wu.rO
?V.dDL
?V.dDL
.tpcH
.tpcH
.O%u3j)]
.O%u3j)]
Z k&.iRQFi
Z k&.iRQFi
nx.dt
nx.dt
G%dva
G%dva
t.LkGD
t.LkGD
cH%fi
cH%fi
W-gLM}
W-gLM}
!1%D(
!1%D(
.%d@4
.%d@4
|%XRD
|%XRD
G.Gp:
G.Gp:
(%Fl]
(%Fl]
yh.dn
yh.dn
kS.ey
kS.ey
s.bPb
s.bPb
=%F|P
=%F|P
.kDlq/
.kDlq/
FVWh%U
FVWh%U
xs`%Uu
xs`%Uu
]D?%s
]D?%s
ii1C2.ol
ii1C2.ol
SMsG
SMsG
oRR
oRR
g:.GoTn
g:.GoTn
X%d%9
X%d%9
.jBCw
.jBCw
1^keY?
1^keY?
Q.wFx
Q.wFx
.af%$
.af%$
9RB.zT
9RB.zT
aD.pS
aD.pS
.aezn
.aezn
.aXd,
.aXd,
{7.ZUf=si
{7.ZUf=si
d.Yt0q
d.Yt0q
Ike%u
Ike%u
.Pa:O
.Pa:O
To%X`O
To%X`O
'.oEM
'.oEM
F.eGyce
F.eGyce
0.So@
0.So@
T[.lB
T[.lB
.yLaN
.yLaN
.ONX"
.ONX"
.hf"nT
.hf"nT
a0.Hr
a0.Hr
P,.zzo
P,.zzo
1?.cw
1?.cw
9jGe.RO
9jGe.RO
Q-`#\.fr
Q-`#\.fr
%1u=/
%1u=/
J.Ec)
J.Ec)
k&.xr
k&.xr
%crM8
%crM8
vV.OR
vV.OR
pI.TF
pI.TF
-%UTa
-%UTa
.zUNC
.zUNC
v\$Ì-
v\$Ì-
qNCRTw2
qNCRTw2
1%du]d
1%du]d
;o=EX%c&
;o=EX%c&
L.zHh-2
L.zHh-2
n~.TC
n~.TC
%sZ_%x
%sZ_%x
.TGrfW_p
.TGrfW_p
1%f'(
1%f'(
4>%s6
4>%s6
\.VFCS2Hu
\.VFCS2Hu
^.aAM?
^.aAM?
)-plH}
)-plH}
NxCD.jR>9x
NxCD.jR>9x
o%d@uv
o%d@uv
2.FT!
2.FT!
A.Yu$^
A.Yu$^
%u8cy
%u8cy
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
*c_x?.Cq
*c_x?.Cq
MSVFW32.dll
MSVFW32.dll
.Rzw^
.Rzw^
h%doo
h%doo
h%ftG
h%ftG
.HuXNdE
.HuXNdE
)0.YTvX
)0.YTvX
Q-A}3
Q-A}3
*bC%u
*bC%u
%C T|
%C T|
.rW[k
.rW[k
Wy
Wy
3v%Cq
3v%Cq
!b>%4u
!b>%4u
;.RUom
;.RUom
.AslXM
.AslXM
b.Utn!
b.Utn!
yC=%x
yC=%x
F|.Vg
F|.Vg
n?þ
n?þ
,^.uwB
,^.uwB
[.cZ!
[.cZ!
BZ%1x
BZ%1x
X.efad
X.efad
tA%Fo
tA%Fo
,.nP[r
,.nP[r
%cyH~
%cyH~
!%U[K
!%U[K
Vucrt
Vucrt
.dT3K
.dT3K
/.jnuvZ=0
/.jnuvZ=0
Å“?e
Å“?e
m}.lf
m}.lf
-.PC]
-.PC]
K.FvmCb
K.FvmCb
%X1
%X1
0*r%2S
0*r%2S
.XJF[
.XJF[
'.wh(h
'.wh(h
Sl.aE|
Sl.aE|
.iZ>3
.iZ>3
.Hhvoo
.Hhvoo
#[&.lKAO
#[&.lKAO
X%COT
X%COT
1.VQD
1.VQD
.vuN'
.vuN'
cg.QT
cg.QT
M$PN.Mv
M$PN.Mv
%C\4j
%C\4j
.iTimhE
.iTimhE
x].WO
x].WO
%cxMj
%cxMj
M!.Wm
M!.Wm
vO1q.mNd\{]
vO1q.mNd\{]
8=a%C
8=a%C
Z6%Ur
Z6%Ur
,.fRDFX6
,.fRDFX6
f".eo
f".eo
.GA!a
.GA!a
WhE7.XYb_
WhE7.XYb_
O_73#%F
O_73#%F
-I}Xf
-K}y`
-K}y`
?%S[q%
?%S[q%
d %dl
d %dl
ik.pv
ik.pv
.$8&%u
.$8&%u
.tJQ\
.tJQ\
?*n.IO
?*n.IO
EWeB
EWeB
.ja&.
.ja&.
X.kA)
X.kA)
e|7%X
e|7%X
?N:
?N:
bC"%CO
bC"%CO
L.mrM
L.mrM
70r%f
70r%f
%S`@"
%S`@"
Þ>]
Þ>]
.Yq%&0
.Yq%&0
B(%x,A{
B(%x,A{
Xk[%U
Xk[%U
;.Ok=
;.Ok=
%DNFZ
%DNFZ
%uMwz
%uMwz
Q.Xl=
Q.Xl=
EKey
EKey
6C.Xe9
6C.Xe9
ftPs
ftPs
%Cq8?!Y
%Cq8?!Y
j':.uDl
j':.uDl
k'nP%c
k'nP%c
%soyR
%soyR
h%Fy{
h%Fy{
r.CDo
r.CDo
.fl.n
.fl.n
Ye%xp
Ye%xp
-Og}w
-Og}w
Ps{%u
Ps{%u
X.iQCy
X.iQCy
3.BZnm
3.BZnm
2s@F.Wv}4
2s@F.Wv}4
.aKmDW
.aKmDW
NTs.BU
NTs.BU
N,r{n.TBT
N,r{n.TBT
.KA~3
.KA~3
nm_
nm_
j.eO}
j.eO}
zCMd
zCMd
?.ZnZ
?.ZnZ
i.NG*
i.NG*
.GiS;
.GiS;
[0%U)DE
[0%U)DE
%sqHT
%sqHT
-pW}i
-pW}i
&g.JN
&g.JN
WGP.anJCb
WGP.anJCb
.lc ^
.lc ^
yuc4ck%s
yuc4ck%s
#;.Lm
#;.Lm
%X!ud
%X!ud
@.ewJ
@.ewJ
}.BHEeY?
}.BHEeY?
K*.zj
K*.zj
%xH`Bf
%xH`Bf
O.ysD
O.ysD
%xw}\`\W
%xw}\`\W
P%x]O
P%x]O
2B`%u*
2B`%u*
.wZw=On5
.wZw=On5
dÔSZ
dÔSZ
%f-'q
%f-'q
^eW[.cIv
^eW[.cIv
.NU=Q
.NU=Q
-XSE=.TG
-XSE=.TG
|%d:D
|%d:D
gt.LYi
gt.LYi
hfXb
hfXb
!.Thw8v
!.Thw8v
I#.Uq
I#.Uq
%X4#|
%X4#|
.fP>5
.fP>5
:.Rea
:.Rea
2.zO)
2.zO)
%UlPQs
%UlPQs
F%FkO)
F%FkO)
B.sYR
B.sYR
.Le7Rb
.Le7Rb
P?%FM
P?%FM
S&.jf
S&.jf
NJlZ6aU#%d
NJlZ6aU#%d
osurlX
osurlX
D%K.rP
D%K.rP
5.bio
5.bio
,\%C|
,\%C|
.TT-as
.TT-as
^hu.Ff
^hu.Ff
o3A.LJ
o3A.LJ
;J~ _rf%U
;J~ _rf%U
.Y.tD
.Y.tD
F0.lQ`
F0.lQ`
&.AiI
&.AiI
.Fy?L
.Fy?L
.yPI/k
.yPI/k
e.SH[
e.SH[
a.LjaDY
a.LjaDY
;{fTp7
;{fTp7
.grQG
.grQG
{.ui,
{.ui,
ti.He{
ti.He{
5.yEeVP
5.yEeVP
}%f)8bn@
}%f)8bn@
{c.sX
{c.sX
Om.Oi^`o
Om.Oi^`o
%8S5ui
%8S5ui
bc%S#e;
bc%S#e;
.Xymy
.Xymy
M%CkM%
M%CkM%
N{.ag.
N{.ag.
J)<.cz>
J)<.cz>
%Xh&Fb
%Xh&Fb
.hRe,
.hRe,
s-3}-H]
s-3}-H]
Ä%U
Ä%U
.qe}ta
.qe}ta
V.XvH
V.XvH
Q8m%f
Q8m%f
s!.zP
s!.zP
nl%4Sz
nl%4Sz
.Qz3.
.Qz3.
5d.LS^
5d.LS^
.FVXQ
.FVXQ
o7x%C
o7x%C
.lWR!
.lWR!
(j3f.mR
(j3f.mR
D_%DH
D_%DH
y.mA6
y.mA6
.vU,:
.vU,:
?.nH'
?.nH'
zm.Tq
zm.Tq
&.eB
&.eB
whC.Gq]R
whC.Gq]R
a".DVs
a".DVs
.ouY*
.ouY*
)"%S'zI~
)"%S'zI~
yg%%Ds
yg%%Ds
K$8`%D\
K$8`%D\
N.jZ%
N.jZ%
?.Ud=
?.Ud=
15%soY
15%soY
].dLV
].dLV
W0I%s
W0I%s
J.lDS
J.lDS
Sf|U
Sf|U
Z%Uw};ez
Z%Uw};ez
%fLp
%fLp
.Wh&9
.Wh&9
%cUhj
%cUhj
m.pLO
m.pLO
3(Gk|m8e.sL
3(Gk|m8e.sL
.mX$f
.mX$f
k=i%D
k=i%D
a'R%d
a'R%d
6SM.Fcr
6SM.Fcr
).MZG
).MZG
.tBFZ8$O
.tBFZ8$O
Xc.fK
Xc.fK
0\.jf
0\.jf
1P.jg
1P.jg
Z2.FT
Z2.FT
AkR%s
AkR%s
%F(Bo
%F(Bo
&.Jwm
&.Jwm
*Q%SOs
*Q%SOs
.LJjq'
.LJjq'
3.hn0r
3.hn0r
Jw.eg
Jw.eg
.VdNZ
.VdNZ
.Nyc}
.Nyc}
Web}tA?
Web}tA?
.Oz"GT
.Oz"GT
.xWXX
.xWXX
x%X-z
x%X-z
i$.Do
i$.Do
mmj.QX
mmj.QX
#.VX>#`Z
#.VX>#`Z
.qD^#
.qD^#
mi.AC
mi.AC
B;=[.nBH
B;=[.nBH
0dA%uVC
0dA%uVC
q.lxO
q.lxO
E.ir?
E.ir?
%C@'/
%C@'/
%sII0
%sII0
!}&ó
!}&ó
:4.mW
:4.mW
.lXdo
.lXdo
SR.AM
SR.AM
D.Wln
D.Wln
Ti-kzU}Wa-
Ti-kzU}Wa-
.DWyxE
.DWyxE
%U60`
%U60`
%Dj-ih
%Dj-ih
%Cx(l
%Cx(l
Uf.de
Uf.de
dI.oW
dI.oW
Ze@Id%F
Ze@Id%F
uudO}%c
uudO}%c
%X,!/
%X,!/
.%Xxe
.%Xxe
.sO27
.sO27
%%CMdh0
%%CMdh0
^%S'nUI_
^%S'nUI_
7[.Bd
7[.Bd
f]&.II
f]&.II
r.Ah4
r.Ah4
.YCtZ
.YCtZ
%fKNw
%fKNw
NhuW0.FHr
NhuW0.FHr
' H%x9lY
' H%x9lY
^.YW2
^.YW2
.udxBd
.udxBd
*UDp0
*UDp0
0
0
iÄWK0
iÄWK0
hF.IN
hF.IN
Vg.tl
Vg.tl
&Li.qi
&Li.qi
e.ZyZ
e.ZyZ
n%UXv
n%UXv
:U%cG
:U%cG
%Xi~pT
%Xi~pT
Sdu%U7
Sdu%U7
[=T&5%U
[=T&5%U
n?-7}
n?-7}
gX%CQzE
gX%CQzE
.Ua}4/
.Ua}4/
-.yqE
-.yqE
].Hdg
].Hdg
a-H%u;
a-H%u;
%xZ|B
%xZ|B
.Lxx~z
.Lxx~z
Dmw.RsM
Dmw.RsM
6%|0&} %
6%|0&} %
-Kuc%dt
-Kuc%dt
x9.Wv
x9.Wv
/3%Do3
/3%Do3
&.mb\Q
&.mb\Q
SH.ou
SH.ou
gB.NX
gB.NX
6~.Jmy>
6~.Jmy>
!ÖS
!ÖS
p.BgB
p.BgB
\=%5S
\=%5S
m#q'.dd
m#q'.dd
.UxRXu
.UxRXu
T?%ut
T?%ut
kB6g.zB#
kB6g.zB#
s.vd!0
s.vd!0
eb!:.Uja
eb!:.Uja
@o.EWm
@o.EWm
{_.pb
{_.pb
WeBBu
WeBBu
1-s} a
1-s} a
VuZm%s
VuZm%s
.SSqm @
.SSqm @
.vleE
.vleE
%f=0DKT%}x
%f=0DKT%}x
.jl`#B
.jl`#B
b$.NY
b$.NY
.zOvTP
.zOvTP
l,r%s
l,r%s
{|Q
{|Q
wfI.WI
wfI.WI
:-9.RL
:-9.RL
.vBx{
.vBx{
l%CS$
l%CS$
%3u$n
%3u$n
!.qf]
!.qf]
q6l@%X5CT
q6l@%X5CT
?Y`%UUF
?Y`%UUF
".je
".je
|p%.c
|p%.c
zo0%Fo
zo0%Fo
.hztTOgS1
.hztTOgS1
emSg
emSg
z.GP/7
z.GP/7
W.bXF
W.bXF
(5.QP
(5.QP
8i%3U
8i%3U
%Xm9*
%Xm9*
ruRL
ruRL
8%SZv
8%SZv
RQr17.ox
RQr17.ox
.wo| !
.wo| !
8s%C
8s%C
.pK=@&=
.pK=@&=
`.cLG
`.cLG
r.Iuy
r.Iuy
Ue-o}L
Ue-o}L
L%X_n
L%X_n
0.xD`Q
0.xD`Q
6^3r%c
6^3r%c
I.ysd
I.ysd
RASAPI32.dll
RASAPI32.dll
xH`
xH`
7.bD $l
7.bD $l
.LwvE=
.LwvE=
%c(OF
%c(OF
AVIFIL32.dll
AVIFIL32.dll
{Z.Aq
{Z.Aq
6.gq2
6.gq2
.BAqs
.BAqs
3, 1233, 0, 0
3, 1233, 0, 0
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
%s_tmp
%s_tmp
errcode : %d,
errcode : %d,
1.0.0.2
1.0.0.2
Error at hooking API "%S"
Error at hooking API "%S"
Dumping first %d bytes:
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Cannot %s server %s
Error: 0x%X
Error: 0x%X
The procedure entry point %s could not be located in the module %s
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Cannot load file %s
Error: %d
Error: %d