Gen.Variant.Mikey.38538_0169e46229 – Adaware

Gen:Variant.Mikey.38538 (B) (Emsisoft), Gen:Variant.Mikey.38538 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 0169e462298b10fd20b22d6d60660c01

SHA1: 7f39009b852fc9c42516f0ddff12ae0ab2d1becc

SHA256: 521043c2701636c535468c8eaae1597c71bafb122b8d843262a72672844b5726

SSDeep: 98304:Vddegn/bR6nVZHQVrsEcTiiAvLa0oYkufXQIP0WyH9XDV:Ug6ZHQVrsEyi80 gAIMWuDV

Size: 6214144 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-05-31 09:57:48

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sc.exe:2312
sc.exe:2216
Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156
stats_uploader.exe:2212
stats_uploader.exe:3848
UCBrowser.exe:2756
ADSkip.v1.0.523.2104_Silent.exe:1748
%original file name%.exe:224
UCService.exe:3608
UCService.exe:2804
UCService.exe:3820
netsh.exe:2488
netsh.exe:2588
netsh.exe:320
netsh.exe:476
netsh.exe:2660
netsh.exe:2508
ADSkip.exe:756
ADSkipSvc.exe:2396
ADSkipSvc.exe:1152
setup.exe:2840
MiniTPFw.exe:1012

The Trojan injects its code into the following process(es):

MiniThunderPlatform.exe:1036
UCBrowser.exe:2680

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\setup.exe (17426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_10848\wow_installer.prefs (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (1709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\CHROME.PACKED.7Z (359691 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (0 bytes)

The process UCBrowser.exe:2756 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\Default\Preferences (2 bytes)
%Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\1.tmp (837 bytes)

The Trojan deletes the following file(s):

%Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)

The process ADSkip.v1.0.523.2104_Silent.exe:1748 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (1856 bytes)
%Program Files%\ADSKIP\askRules.dll (3361 bytes)
%Program Files%\ADSKIP\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\400.dat (24 bytes)
%Program Files%\ADSKIP\dbghelp.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (32824 bytes)
%Program Files%\ADSKIP\driver\Win32\Win7\blNetFilter.sys (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (5520 bytes)
%Program Files%\ADSKIP\askComm.dll (8657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\Uninstall AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (8560 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8\blNetFilter.sys (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (38103 bytes)
%Program Files%\ADSKIP\askProtect64.sys (1281 bytes)
%System%\drivers\askProtect.sys (1281 bytes)
%Program Files%\ADSKIP\CheckSum.dat (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (2 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5981 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (12088 bytes)
%Program Files%\ADSKIP\driver\x64\Win8\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\askProtect.sys (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res (4 bytes)
%Program Files%\ADSKIP\BugReport.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (34773 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5980 (1281 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5983 (1425 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5982 (673 bytes)
%Program Files%\ADSKIP\res\000.dat (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1 (4 bytes)
%Program Files%\ADSKIP\res\0002.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\2001 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (64 bytes)
%Program Files%\ADSKIP\zlib1.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (15536 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (32128 bytes)
%Program Files%\ADSKIP\ADSkip.exe (19686 bytes)
%Program Files%\ADSKIP\res\09999_EN.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (86996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (3616 bytes)
%Documents and Settings%\%current user%\Desktop\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\res\300.dat (1281 bytes)
%Program Files%\ADSKIP\CrashHandler.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (8560 bytes)
%Program Files%\ADSKIP\DuiLib.dll (5441 bytes)
%Program Files%\ADSKIP\res\1012.dat (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip (4 bytes)
%Program Files%\ADSKIP\ADSkipSvc.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (4 bytes)
%Program Files%\ADSKIP\uninst.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (1552 bytes)
%Program Files%\ADSKIP\driver\Win32\WinXP\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (69133 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5992 (673 bytes)
%Program Files%\ADSKIP\uninstall.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5991 (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (19096 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5994 (673 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5995 (673 bytes)
%Program Files%\ADSKIP\askMain.dll (1425 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys (45 bytes)
%Program Files%\ADSKIP\res\09999.dat (4 bytes)
%System%\drivers\tcpip.sys (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\askWfd.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\driver\x64\Win8.1\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\res\se1.dat (673 bytes)
%Program Files%\ADSKIP\driver\x64\Win7\blNetFilter.sys (52 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (4185 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (4 bytes)
%System%\drivers\tcpip.sys_backup (2319 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (23424 bytes)
%Program Files%\ADSKIP\res\101.dat (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\askUpdate.dll (7345 bytes)
%Program Files%\ADSKIP\askMisc.dll (4545 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (0 bytes)

The process %original file name%.exe:224 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\monitorlist.data (178 bytes)
C:\download\MiniThunderPlatform.exe (746 bytes)
C:\download\msvcr71.dll (1629 bytes)
C:\download\download_engine.dll (24427 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downlist.data (686 bytes)
C:\download\minizip.dll (784 bytes)
C:\download\ThunderFW.exe (1333 bytes)
C:\download\zlib1.dll (745 bytes)
C:\download\msvcp71.dll (1784 bytes)
C:\download\id.dat (40 bytes)
C:\xldl.dll (1922 bytes)
C:\download\MiniTPFw.exe (745 bytes)
C:\download\atl71.dll (118 bytes)
C:\download\dl_peer_id.dll (314 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (0 bytes)
%Documents and Settings%\%current user%\Desktop\AdSkip.lnk (0 bytes)

The process MiniThunderPlatform.exe:1036 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (14273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (16328 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\asyn_frame.dat (2749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td (111530 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\stat.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\200U (447 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\error.dat (284 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\DownloadLib\pub_store.dat (405 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\download.cfg (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td (18018 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (0 bytes)

The process UCService.exe:3608 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Application\ucsvc.log (1461 bytes)

The process UCService.exe:2804 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Application\ucsvc.log (970 bytes)

The process ADSkip.exe:756 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (511 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\cafl.dat (37 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\ErrorLog.txt (448 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (19592 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (16288 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (20624 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (14184 bytes)
%Program Files%\ADSKIP\res\yxx.dat (22192 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (13584 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
%Program Files%\ADSKIP\res\txx.dat (8560 bytes)
%Program Files%\ADSKIP\res\txx.dat.zip (628 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (2067 bytes)
%Program Files%\ADSKIP\res\yxx.dat.zip (2812 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (1334 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\config.dat (2359 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (3086 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (1491 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (0 bytes)
%Program Files%\ADSKIP\res\txx.dat.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (0 bytes)
%Program Files%\ADSKIP\res\yxx.dat.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (0 bytes)

The process setup.exe:2840 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome.dll (286042 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\start.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\config.dat (6408 bytes)
%Program Files%\UCBrowser\Application\Uninstall.exe (18934 bytes)
%Program Files%\UCBrowser\Application\Share\target_locale (5 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\delegate_execute.exe (3751 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\google.com.png (521 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\chrome.7z (1199069 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\chs.locale (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard.sys (72 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\custom.dat (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libEGL.dll (88 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\marketing\1001.ico (192 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\baidu.com.png (426 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\etao.com.png (335 bytes)
%Program Files%\UCBrowser\Application\UCBrowser.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\master_preferences (235 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\settings.xml (103 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\InstalledConfig.xml (680 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\courgette.dll (281 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard-x64.sys (81 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Application\update_task.exe (2321 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\7z.dll (6361 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\config.dat (6408 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\qq.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etaohaitao.com.png (438 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\taobao.com.png (290 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10.pak (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\alipay.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\natives_blob.bin (1711 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\stats_uploader.exe (279 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_100_percent.pak (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libexif.dll (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (1252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\zh-CN\external_extensions.json (939 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\youku.com.png (653 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\update_task.exe (1696 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\taobao.png (389 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\config.dat (166 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\youku.com.png (764 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Backup\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Application\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\d3dcompiler_47.dll (22433 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\noads.png (4 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Application\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\facebook.ico (131 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\theme_tool.exe (1851 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCProxySDK.dll (9606 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\sogou.com.png (1 bytes)
%Program Files%\UCBrowser\Application\wow_helper.exe (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\baidu.com.png (682 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\config.dat (152 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.hk.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\molt_tool.exe (1814 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\curl-ca-bundle.crt (260 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Uninstall.exe (17629 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\baidu.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (479 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\browsing_data_remover.exe (236 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\amazon.png (507 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\sogou.com.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_100_percent.pak (1697 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\manifest.json (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\weibo.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libucguard.dll (179 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\tmall.com.png (196 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\zh-CN.pak (255 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\tmall.com.png (200 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etao.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\id-ID\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\wow_helper.exe (80 bytes)
%Program Files%\UCBrowser\Application\Share\config.dat (7345 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\updater.dll (15021 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libGLESv2.dll (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\resources.pak (172310 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\pp_helper.png (1 bytes)
%Program Files%\UCBrowser\Application\UCService.exe (6841 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\snapshot_blob.bin (1802 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\icudtl.dat (34008 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\taobao.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCService.exe (6334 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\uc123.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\UpdateOption.xml (189 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\taobao.com.png (304 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\config_updater.dll (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\external_extensions.json (494 bytes)
%Documents and Settings%\All Users\Desktop\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_watcher.dll (1680 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\tmall_points.ico (144 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\config.dat (164 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_elf.dll (201 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Application\molt_tool.exe (3361 bytes)
%System%\drivers\ucguard.sys (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCAgent.exe (12289 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\5.6.13381.9.manifest (248 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_200_percent.pak (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\en-US.pak (258 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\pepflashplayer.dll (124061 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\pt-BR\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\renren.png (4 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\en-IN\external_extensions.json (622 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_child.dll (321430 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_200_percent.pak (1723 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2840_15169 (0 bytes)

Registry activity

The process sc.exe:2312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 7D F9 D6 8F B8 4A 91 1E E0 F6 F1 CE 1A 87 1B"

The process sc.exe:2216 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 5F F1 EC 4E EC F3 2D 37 2A 85 22 17 A1 DC 95"

The process Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB E1 5E 83 76 11 C5 91 0E 0B 2A 02 83 7D B3 BA"

[HKCU\Software\UCBrowserPID]
"MachineIDEx" = "c0ed19538daa6d6db815ffd0b1233981v000000253f20c75"
"MachineID" = "d2713585a62dd2677f88d0fff85b3fe7"

[HKLM\SOFTWARE\UCBrowserPID]
"MachineIDEx" = "c0ed19538daa6d6db815ffd0b1233981v000000253f20c75"
"MachineID" = "d2713585a62dd2677f88d0fff85b3fe7"
"FirstBID" = "800"

[HKCU\Software\UCBrowserPID]
"FirstBID" = "800"

The process stats_uploader.exe:2212 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 9B 95 66 77 BE AB 5A 6D 2C 07 13 29 70 80 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process stats_uploader.exe:3848 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F B9 DB 43 A2 CE 3C 41 2A 4D D6 65 77 22 62 06"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process UCBrowser.exe:2756 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"irc" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.XHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.CRX\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.CRX\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,4"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationDescription" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¦Ã‹Å“Ã‚Â¯ÃƒÂ¤Ã‚Â¸Ã¢â€šÂ¬ÃƒÂ¦Ã‚Â¬Ã‚Â¾ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ£Ã¢â€šÂ¬Ã‚ÂÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ©Ã¢â€šÂ¬Ã…Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ©Ã¢â‚¬Â¡Ã¢â‚¬Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨TridentÃƒÂ¥Ã¢â‚¬â„¢Ã…â€™WebKitÃƒÂ¥Ã‚ÂÃ…â€™ÃƒÂ¦Ã‚Â¸Ã‚Â²ÃƒÂ¦Ã…Â¸Ã¢â‚¬Å“ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¤Ã‚Â»Ã…Â½ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ£Ã¢â€šÂ¬Ã‚ÂÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¨ÃƒÂ¥Ã‚Â¤Ã…Â¡ÃƒÂ¤Ã‚Â¸Ã‚ÂªÃƒÂ¦Ã¢â‚¬â€œÃ‚Â¹ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ¨Ã‚Â¿Ã¢â‚¬ÂºÃƒÂ¨Ã‚Â¡Ã…â€™ÃƒÂ¤Ã‚Â¼Ã‹Å“ÃƒÂ¥Ã…â€™Ã¢â‚¬â€œÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¤Ã‚Â¸Ã‚ÂºÃƒÂ¥Ã‚Â¹Ã‚Â¿ÃƒÂ¥Ã‚Â¤Ã‚Â§ÃƒÂ¤Ã‚ÂºÃ¢â‚¬â„¢ÃƒÂ¨Ã‚ÂÃ¢â‚¬ÂÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‹â€ Ã‚Â·ÃƒÂ¦Ã‚ÂÃ‚ÂÃƒÂ¤Ã‚Â¾Ã¢â‚¬ÂºÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¥Ã‚Â¥Ã‚Â½ÃƒÂ§Ã…Â¡Ã¢â‚¬Å¾ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‹â€ Ã‚Â·ÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¤Ã‚Â½Ã¢â‚¬Å“ÃƒÂ©Ã‚ÂªÃ…â€™ÃƒÂ£Ã¢â€šÂ¬Ã¢â‚¬Å¡"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml]
"Progid" = "UCHTML.AssocFile.XHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"webcal" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\UCHTML.AssocFile.MHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.WEBP\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".shtm" = "UCHTML.AssocFile.SHTM"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCR\UCHTML.AssocFile.SHTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\.webp]
"(Default)" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtm]
"Progid" = "UCHTML.AssocFile.SHTM"

[HKCU\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\.shtm\OpenWithProgids]
"UCHTML.AssocFile.SHTM" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webp]
"Progid" = "UCHTML.AssocFile.WEBP"

[HKCR\UCHTML.AssocFile.XHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCR\UCHTML.AssocFile.HTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\UCBrowser\Running]
"browser-2756" = "1"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCR\.xhtml\OpenWithProgids]
"UCHTML.AssocFile.XHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".crx" = "UCHTML.AssocFile.CRX"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --hide-icons"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKCR\UCHTML.AssocFile.WEBP\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.MHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\UCHTML.AssocFile.WEBP\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationName" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Classes\.html]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"nntp" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"

[HKCU\Software\Classes\UCHTML.AssocFile.XHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"https" = "UCHTML"

[HKCR\UCHTML.AssocFile.SHTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm]
"Progid" = "UCHTML.AssocFile.HTM"

[HKLM\SOFTWARE\UCBrowser]
"usagestats" = "0"

[HKCU\Software\Classes\.crx]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtm]
"Progid" = "UCHTML.AssocFile.SHTM"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"mailto" = "UCHTML"

[HKCR\.htm\OpenWithProgids]
"UCHTML.AssocFile.HTM" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht]
"Progid" = "UCHTML.AssocFile.XHT"

[HKLM\SOFTWARE\UCBrowser\FirstNotDefault]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\UCBrowser\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "1"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\RegisteredApplications]
"UCBrowser" = "Software\Clients\StartMenuInternet\UCBrowser\Capabilities"

[HKCU\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKCR\UCHTML\CLSID]
"(Default)" = ""

[HKCR\UCHTML.AssocFile.XHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm]
"Progid" = "UCHTML.AssocFile.HTM"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".webp" = "UCHTML.AssocFile.WEBP"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\.xht]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webp]
"Progid" = "UCHTML.AssocFile.WEBP"

[HKCU\Software\Classes\UCHTML.AssocFile.XHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crx]
"Progid" = "UCHTML.AssocFile.CRX"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".htm" = "UCHTML.AssocFile.HTM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml]
"Progid" = "UCHTML.AssocFile.XHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 6D FC 86 05 0E 1A B3 02 CE CE 3F 37 61 76 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht]
"Progid" = "UCHTML.AssocFile.MHT"

[HKCU\Software\Classes\UCHTML.AssocFile.HTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crx]
"Progid" = "UCHTML.AssocFile.CRX"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\UCHTML]
"(Default)" = "UC HTML Document"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".html" = "UCHTML.AssocFile.HTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html]
"Progid" = "UCHTML.AssocFile.HTML"

[HKCR\UCHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,1"

[HKCR\.shtml\OpenWithProgids]
"UCHTML.AssocFile.SHTML" = ""

[HKCR\UCHTML.AssocFile.HTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKCU\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".mht" = "UCHTML.AssocFile.MHT"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml]
"Progid" = "UCHTML.AssocFile.SHTML"

[HKCR\UCHTML.AssocFile.MHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"tel" = "UCHTML"
"news" = "UCHTML"

[HKCR\UCHTML.AssocFile.HTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKCU\Software\Classes\.shtml]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe]
"Path" = "%Program Files%\UCBrowser\Application"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\.mht\OpenWithProgids]
"UCHTML.AssocFile.MHT" = ""

[HKCU\Software\Classes\UCHTML]
"(Default)" = "UC HTML Document"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"urn" = "UCHTML"
"ftp" = "UCHTML"

[HKCU\Software\Classes\.htm]
"(Default)" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.HTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".shtml" = "UCHTML.AssocFile.SHTML"
".xht" = "UCHTML.AssocFile.XHT"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"mms" = "UCHTML"

[HKCR\.crx\OpenWithProgids]
"UCHTML.AssocFile.CRX" = ""

[HKCU\Software\Classes\.mht]
"(Default)" = "UCHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html]
"Progid" = "UCHTML.AssocFile.HTML"

[HKCR\.webp\OpenWithProgids]
"UCHTML.AssocFile.WEBP" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKCU\Software\Classes\UCHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

[HKCU\Software\Classes\.shtm]
"(Default)" = "UCHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht]
"Progid" = "UCHTML.AssocFile.MHT"

[HKCR\.html\OpenWithProgids]
"UCHTML.AssocFile.HTML" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\UCHTML.AssocFile.XHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".xhtml" = "UCHTML.AssocFile.XHTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"smsto" = "UCHTML"
"sms" = "UCHTML"
"http" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml]
"Progid" = "UCHTML.AssocFile.SHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht]
"Progid" = "UCHTML.AssocFile.XHT"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser]
"(Default)" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "UCBrowser"

[HKCR\UCHTML.AssocFile.SHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.SHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --make-default-browser"

[HKCU\Software\Classes\UCHTML\CLSID]
"(Default)" = ""

[HKCU\Software\Classes\UCHTML.AssocFile.CRX\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,4"

[HKCR\UCHTML.AssocFile.HTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "UCBrowser"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\.xht\OpenWithProgids]
"UCHTML.AssocFile.XHT" = ""

[HKCU\Software\Classes\UCHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\UCBrowser\Running]
"browser-2756"

The process ADSkip.v1.0.523.2104_Silent.exe:1748 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"URLInfoAbout" = "http://www.adskiper.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayVersion" = "1.0.523.2104"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\ADSKIP]
"join_feeling_plan" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\ADSKIP]
"InstallTime" = "2016-06-23 02:25"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\ADSKIP]
"ADSkip.exe" = "ADSkip 32 Bit Application"
"ADSkipSvc.exe" = "ADSkip 32 Bit Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\ADSKIP]
"InsErr1" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayIcon" = "%Program Files%\ADSKIP\ADSkip.exe"

[HKCU\Software\ADSKIP]
"InstallType" = "2"
"Version" = "1.0.523.2104"
"CurVer" = "1.0.523.2104"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\ADSKIP]
"usercode" = "v1.0.523.2104_Silent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"UninstallString" = "%Program Files%\ADSKIP\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayName" = "AdSkip"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 18 44 A1 31 97 63 6D 0D 42 AA 3F 96 7D C4 1A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\ADSKIP]
"InstallCode" = "1c976270104fe22d89b26b49818e10afbd277962612989d8b6a27421f094eff95dc51307ae0431860284b4d16b5fe000c2d33123da83ee5f613984d140444c2f9d609bebdeb55606293878b3273b8a1cc7b1a3fdd1f3f"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"Publisher" = "Biling Network Technology Co. Ltd."

[HKCU\Software\ADSKIP]
"CheckCode" = "ae0438a1c098bca7797b0762100c291d1ea8e8491c8296261c512df04b4d16b5f8fb9a307d27"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:224 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 F3 27 8C 8B F6 C8 08 0E DD C4 C3 B5 C8 36 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Download]
"MiniTPFw.exe" = "MiniTPFw Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ADSkip.v1.0.523.2104_Silent.exe" = "ADSkip 32 Bit Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Browser_V5.6.13381.9_r_4681_(Build1606081220).exe" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe -start" = "c:\%original file name%.exe -start"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process MiniThunderPlatform.exe:1036 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 90 44 F8 7D 46 7E 8B AD 9E 2E C8 28 1F F5 57"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process UCService.exe:3608 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 D4 CD 57 3E 3A D7 AE FD 5A 46 54 F7 65 FE FC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The process UCService.exe:2804 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A CB DA 8D 57 AB 27 AE E8 86 C0 55 3F 32 0A AB"

The process UCService.exe:3820 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C3 A8 B0 62 18 6D 3F C7 F6 6B E9 3D 78 C6 38"

The process netsh.exe:2488 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A DA 44 2C AA 91 90 96 D8 33 13 D0 EE C9 03 66"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe"

The process netsh.exe:2588 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 8B FC 95 54 80 7E 9F 7E B8 10 C9 75 82 B7 53"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe" = "%Program Files%\UCBrowser\Application\UCBrowser.exe:*:Enabled:UCÃƒÆ’Ã‚Â¦Ãƒâ€šÃ‚ÂµÃƒâ€šÃ‚ÂÃƒÆ’Ã‚Â¨Ãƒâ€šÃ‚Â§Ãƒâ€¹Ã¢â‚¬Â ÃƒÆ’Ã‚Â¥ÃƒÂ¢Ã¢â‚¬Å¾Ã‚Â¢Ãƒâ€šÃ‚Â¨"

The process netsh.exe:320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 21 FE 47 5E 3D D0 44 C9 E4 9F F3 31 FA 32 DA"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\ADSKIP]
"ADSkip.exe" = "%Program Files%\ADSKIP\ADSkip.exe:*:Enabled:ADSKIP"

The process netsh.exe:476 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1D 20 F9 07 32 E6 72 4E 71 C7 F0 28 07 67 A0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\ADSKIP]
"ADSkipSvc.exe" = "%Program Files%\ADSKIP\ADSkipSvc.exe:*:Enabled:ADSkipSvc"

The process netsh.exe:2660 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 B8 B6 DA 7E E6 08 BB 9B B2 8C C1 29 A0 7C EF"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process netsh.exe:2508 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 40 CD 91 62 C4 F1 56 5A 88 1E 16 80 9A 53 74"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process ADSkip.exe:756 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\ADSKIP]
"join_feeling_plan" = ""
"AutoFlag" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\ADSKIP]
"InstallCode" = ""

[HKLM]
"Start" = "0"

[HKCU\Software\ADSKIP]
"AutoStart" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\ADSKIP]
"InstallType" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 DE F3 DB 46 71 46 E4 3B DA 1D 5A 0D 9C 07 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\ADSkipSvc]
"Start" = "2"

The process ADSkipSvc.exe:2396 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 07 C1 90 9C D1 C1 A6 0C C8 7D 23 E8 03 23 8C"

The process ADSkipSvc.exe:1152 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 24 3B ED 0B 9B 46 3D 91 0C 32 3A 3D E6 87 25"

The process setup.exe:2840 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances\ucguard]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"DebugLevel" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"VersionMajor" = "13381"

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances]
"DefaultInstance" = "ucguard"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\UCBrowser\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe --on-os-upgrade --system-level --verbose-logging"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"IsInstalled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"DisplayName" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\UCBrowser]
"PreDefaultBrowser" = "htmlfile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"NoModify" = "1"
"DisplayIcon" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\UCBrowser]
"InstallerError" = "0"
"InstallTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\UCBrowser]
"UninstallArguments" = " --uninstall --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"StubPath" = "%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"DisplayVersion" = "5.6.13381.9"

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances\ucguard]
"Altitude" = "888999"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"Version" = "5.6.13381.9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\UCBrowser]
"oopcrashes" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\UCBrowser]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"DependOnService" = "FltMgr"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"(Default)" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"ImagePath" = "system32\DRIVERS\ucguard.sys"

[HKLM\SOFTWARE\UCBrowser\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Group" = "PNP_TDI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"InstallDate" = "20160623"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\UCBrowser]
"InstallerExtraCode1" = "9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 15 80 1F F8 8D 7D 6E B6 DE 98 60 46 3C B0 A5"

[HKLM\SOFTWARE\UCBrowser]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"VersionMinor" = "9"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Type" = "1"

[HKLM\SOFTWARE\UCBrowser]
"pv" = "5.6.13381.9"
"Name" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Tag" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"Publisher" = "ÃƒÂ¥Ã‚Â¹Ã‚Â¿ÃƒÂ¥Ã‚Â·Ã…Â¾ÃƒÂ¥Ã‚Â¸Ã¢â‚¬Å¡ÃƒÂ¥Ã…Â Ã‚Â¨ÃƒÂ¦Ã¢â€žÂ¢Ã‚Â¯ÃƒÂ¨Ã‚Â®Ã‚Â¡ÃƒÂ§Ã‚Â®Ã¢â‚¬â€ÃƒÂ¦Ã…â€œÃ‚ÂºÃƒÂ§Ã‚Â§Ã¢â‚¬ËœÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\UCBrowser]
"UninstallString" = "%Program Files%\UCBrowser\Application\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"Version" = "43,0,0,0"

[HKLM\SOFTWARE\UCBrowser]
"ap" = "-stage:refreshing_policy"

[HKCU\Software\UCBrowser]
"Path" = "%Program Files%\UCBrowser\Application"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"UninstallString" = "%Program Files%\UCBrowser\Application\Uninstall.exe --uninstall --system-level"
"InstallLocation" = "%Program Files%\UCBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"Localized Name" = "UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

[HKLM\SOFTWARE\UCBrowser]
"installId" = "{C41E48D1-AA46-4E7B-BEE7-150B6602EEA0}"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe" = "%Program Files%\UCBrowser\Application\UCBrowser.exe:*:Enabled:UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Start" = "1"

The process MiniTPFw.exe:1012 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B E3 25 90 FF 02 C0 4B 09 11 3D 5A CB F3 99 0F"

Dropped PE files

MD5	File path
c4ba8b63923d681bd00deb8fbcd12cca	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe
9137ad342e6d77194f8a57d4f9e92bac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe
a829f040da54dd809731d403ae83caf2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CR_E4C92.tmp\setup.exe
174d697c06d02aab649bc0f09e70651b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe
9c95fe1fb78cd9a16e5bed8d9dfde238	c:\Program Files\ADSKIP\ADSkip.exe
1b97af3d24e4bd18952ad3f792402ef6	c:\Program Files\ADSKIP\ADSkipSvc.exe
cbc246367ae5153df82e65f2c01ab1bc	c:\Program Files\ADSKIP\BugReport.exe
75cffcfe3fe8b863e008ff5ba5193c97	c:\Program Files\ADSKIP\CrashHandler.dll
9484d30589ba06ccb68271679b6612cb	c:\Program Files\ADSKIP\DuiLib.dll
d2e3fbc25b8541ade1c345d8c9372511	c:\Program Files\ADSKIP\askComm.dll
d1be61ba142f179753fba092c90b327b	c:\Program Files\ADSKIP\askMain.dll
50f55372196752dedf9de9660ea1e4e1	c:\Program Files\ADSKIP\askMisc.dll
34a7f56776f4966fcc48b74b46e47bd3	c:\Program Files\ADSKIP\askProtect.sys
e264539144ca3e6f830dd2a97cc04151	c:\Program Files\ADSKIP\askProtect64.sys
c6470bdb1b9b048159b948cf196dfb20	c:\Program Files\ADSKIP\askRules.dll
0c56193f66766e37984a0d8524a4e05e	c:\Program Files\ADSKIP\askUpdate.dll
559f14ca8660450893eee0a213273f71	c:\Program Files\ADSKIP\askWfd.dll
d073f34aa9677ae56ef037f902232085	c:\Program Files\ADSKIP\dbghelp.dll
5a5855ac4c0d0bbb01ba561803e33262	c:\Program Files\ADSKIP\driver\Win32\Win7\blNetFilter.sys
55447eef016c5e3186f5996b916c6a45	c:\Program Files\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys
36f02429c553f3bd5179fe62d3e245bc	c:\Program Files\ADSKIP\driver\Win32\Win8\blNetFilter.sys
cfc7dc4719cdb3555721db6b34b74ce0	c:\Program Files\ADSKIP\driver\Win32\WinXP\blNetFilter.sys
3406d4f76488bb60f942b17bd6147679	c:\Program Files\ADSKIP\driver\x64\Win7\blNetFilter.sys
3e18aa340143b421b356d8240aa7d51c	c:\Program Files\ADSKIP\driver\x64\Win8.1\blNetFilter.sys
14ef139317c2e3e28c68513f578ce707	c:\Program Files\ADSKIP\driver\x64\Win8\blNetFilter.sys
99e3130350cebb997ab37013e4993554	c:\Program Files\ADSKIP\uninst.exe
8ac275b39f47cd375de5c582af7bc5df	c:\Program Files\ADSKIP\zlib1.dll
34a7f56776f4966fcc48b74b46e47bd3	c:\WINDOWS\system32\drivers\askProtect.sys
cfc7dc4719cdb3555721db6b34b74ce0	c:\WINDOWS\system32\drivers\blNetFilter.sys
14ac2d781326318239b4953b0bbb456c	c:\WINDOWS\system32\drivers\tcpip.sys_backup
58bb62e88687791ad2ea5d8d6e3fe18b	c:\download\MiniTPFw.exe
e2e9483568dc53f68be0b80c34fe27fb	c:\download\MiniThunderPlatform.exe
f0372ff8a6148498b19e04203dbb9e69	c:\download\ThunderFW.exe
79cb6457c81ada9eb7f2087ce799aaa7	c:\download\atl71.dll
dba9a19752b52943a0850a7e19ac600a	c:\download\dl_peer_id.dll
1a87ff238df9ea26e76b56f34e18402c	c:\download\download_engine.dll
7fd4f79aca0b09fd3a60841a47ca96e7	c:\download\minizip.dll
a94dc60a90efd7a35c36d971e3ee7470	c:\download\msvcp71.dll
ca2f560921b7b8be1cf555a5a18d54c3	c:\download\msvcr71.dll
89f6488524eaa3e5a66c5f34f3b92405	c:\download\zlib1.dll
208662418974bca6faab5c0ca6f7debf	c:\xldl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\blNetFilter.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls creation and closing of threads by installing the thread notifier.

Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

The Trojan installs the following kernel-mode hooks:

ZwTerminateProcess
ZwCreateKey
ZwDeleteKey
ZwDeleteValueKey
ZwLoadKey
ZwLoadKey2
ZwOpenKey
ZwQueryValueKey
ZwRenameKey
ZwReplaceKey
ZwRestoreKey
ZwSetSecurityObject
ZwSetValueKey

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
sc.exe:2312
sc.exe:2216
Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156
stats_uploader.exe:2212
stats_uploader.exe:3848
UCBrowser.exe:2756
ADSkip.v1.0.523.2104_Silent.exe:1748
%original file name%.exe:224
UCService.exe:3608
UCService.exe:2804
UCService.exe:3820
netsh.exe:2488
netsh.exe:2588
netsh.exe:320
netsh.exe:476
netsh.exe:2660
netsh.exe:2508
ADSkip.exe:756
ADSkipSvc.exe:2396
ADSkipSvc.exe:1152
setup.exe:2840
MiniTPFw.exe:1012
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\setup.exe (17426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_10848\wow_installer.prefs (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (1709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\CHROME.PACKED.7Z (359691 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\Default\Preferences (2 bytes)
%Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\1.tmp (837 bytes)
%System%\drivers\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (1856 bytes)
%Program Files%\ADSKIP\askRules.dll (3361 bytes)
%Program Files%\ADSKIP\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\400.dat (24 bytes)
%Program Files%\ADSKIP\dbghelp.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (32824 bytes)
%Program Files%\ADSKIP\driver\Win32\Win7\blNetFilter.sys (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (5520 bytes)
%Program Files%\ADSKIP\askComm.dll (8657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\Uninstall AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (8560 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8\blNetFilter.sys (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (38103 bytes)
%Program Files%\ADSKIP\askProtect64.sys (1281 bytes)
%System%\drivers\askProtect.sys (1281 bytes)
%Program Files%\ADSKIP\CheckSum.dat (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (2 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5981 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (12088 bytes)
%Program Files%\ADSKIP\driver\x64\Win8\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\askProtect.sys (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (7 bytes)
%Program Files%\ADSKIP\BugReport.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (34773 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5980 (1281 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5983 (1425 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5982 (673 bytes)
%Program Files%\ADSKIP\res\000.dat (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (16424 bytes)
%Program Files%\ADSKIP\res\0002.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\2001 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (64 bytes)
%Program Files%\ADSKIP\zlib1.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (15536 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (32128 bytes)
%Program Files%\ADSKIP\ADSkip.exe (19686 bytes)
%Program Files%\ADSKIP\res\09999_EN.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (86996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (3616 bytes)
%Documents and Settings%\%current user%\Desktop\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\res\300.dat (1281 bytes)
%Program Files%\ADSKIP\CrashHandler.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (8560 bytes)
%Program Files%\ADSKIP\DuiLib.dll (5441 bytes)
%Program Files%\ADSKIP\res\1012.dat (3073 bytes)
%Program Files%\ADSKIP\ADSkipSvc.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (4 bytes)
%Program Files%\ADSKIP\uninst.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (1552 bytes)
%Program Files%\ADSKIP\driver\Win32\WinXP\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (69133 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5992 (673 bytes)
%Program Files%\ADSKIP\uninstall.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5991 (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (19096 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5994 (673 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5995 (673 bytes)
%Program Files%\ADSKIP\askMain.dll (1425 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys (45 bytes)
%Program Files%\ADSKIP\res\09999.dat (4 bytes)
%System%\drivers\tcpip.sys (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\askWfd.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\driver\x64\Win8.1\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\res\se1.dat (673 bytes)
%Program Files%\ADSKIP\driver\x64\Win7\blNetFilter.sys (52 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (4185 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (4 bytes)
%System%\drivers\tcpip.sys_backup (2319 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (23424 bytes)
%Program Files%\ADSKIP\res\101.dat (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\askUpdate.dll (7345 bytes)
%Program Files%\ADSKIP\askMisc.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\monitorlist.data (178 bytes)
C:\download\MiniThunderPlatform.exe (746 bytes)
C:\download\msvcr71.dll (1629 bytes)
C:\download\download_engine.dll (24427 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downlist.data (686 bytes)
C:\download\minizip.dll (784 bytes)
C:\download\ThunderFW.exe (1333 bytes)
C:\download\zlib1.dll (745 bytes)
C:\download\msvcp71.dll (1784 bytes)
C:\download\id.dat (40 bytes)
C:\xldl.dll (1922 bytes)
C:\download\MiniTPFw.exe (745 bytes)
C:\download\atl71.dll (118 bytes)
C:\download\dl_peer_id.dll (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (14273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (16328 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\asyn_frame.dat (2749 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\stat.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\200U (447 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\error.dat (284 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\DownloadLib\pub_store.dat (405 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\download.cfg (1007 bytes)
%Program Files%\UCBrowser\Application\ucsvc.log (1461 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (511 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\cafl.dat (37 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\ErrorLog.txt (448 bytes)
%Program Files%\ADSKIP\res\yxx.dat (22192 bytes)
%Program Files%\ADSKIP\res\txx.dat (8560 bytes)
%Program Files%\ADSKIP\res\txx.dat.zip (628 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (2067 bytes)
%Program Files%\ADSKIP\res\yxx.dat.zip (2812 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (1334 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\config.dat (2359 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (3086 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (1491 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome.dll (286042 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\start.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\config.dat (6408 bytes)
%Program Files%\UCBrowser\Application\Uninstall.exe (18934 bytes)
%Program Files%\UCBrowser\Application\Share\target_locale (5 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\delegate_execute.exe (3751 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\google.com.png (521 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\chrome.7z (1199069 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\chs.locale (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard.sys (72 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\custom.dat (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libEGL.dll (88 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\marketing\1001.ico (192 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\baidu.com.png (426 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\etao.com.png (335 bytes)
%Program Files%\UCBrowser\Application\UCBrowser.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\master_preferences (235 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\settings.xml (103 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\InstalledConfig.xml (680 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\courgette.dll (281 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard-x64.sys (81 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Application\update_task.exe (2321 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\7z.dll (6361 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\config.dat (6408 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\qq.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etaohaitao.com.png (438 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\taobao.com.png (290 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10.pak (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\alipay.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\natives_blob.bin (1711 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\stats_uploader.exe (279 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_100_percent.pak (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libexif.dll (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (1252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\zh-CN\external_extensions.json (939 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\youku.com.png (653 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\update_task.exe (1696 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\taobao.png (389 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\config.dat (166 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\youku.com.png (764 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Backup\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Application\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\d3dcompiler_47.dll (22433 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\noads.png (4 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Application\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\facebook.ico (131 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\theme_tool.exe (1851 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCProxySDK.dll (9606 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\sogou.com.png (1 bytes)
%Program Files%\UCBrowser\Application\wow_helper.exe (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\baidu.com.png (682 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\config.dat (152 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.hk.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\molt_tool.exe (1814 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\curl-ca-bundle.crt (260 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Uninstall.exe (17629 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\baidu.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (479 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\browsing_data_remover.exe (236 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\amazon.png (507 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\sogou.com.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_100_percent.pak (1697 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\manifest.json (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\weibo.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libucguard.dll (179 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\tmall.com.png (196 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\zh-CN.pak (255 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\tmall.com.png (200 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etao.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\id-ID\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\wow_helper.exe (80 bytes)
%Program Files%\UCBrowser\Application\Share\config.dat (7345 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\updater.dll (15021 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libGLESv2.dll (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\resources.pak (172310 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\pp_helper.png (1 bytes)
%Program Files%\UCBrowser\Application\UCService.exe (6841 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\snapshot_blob.bin (1802 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\icudtl.dat (34008 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\taobao.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCService.exe (6334 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\uc123.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\UpdateOption.xml (189 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\taobao.com.png (304 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\config_updater.dll (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\external_extensions.json (494 bytes)
%Documents and Settings%\All Users\Desktop\UCÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_watcher.dll (1680 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\tmall_points.ico (144 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\config.dat (164 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_elf.dll (201 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Application\molt_tool.exe (3361 bytes)
%System%\drivers\ucguard.sys (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCAgent.exe (12289 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\5.6.13381.9.manifest (248 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_200_percent.pak (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\en-US.pak (258 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\pepflashplayer.dll (124061 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\pt-BR\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\renren.png (4 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\en-IN\external_extensions.json (622 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_child.dll (321430 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_200_percent.pak (1723 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe -start" = "c:\%original file name%.exe -start"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ???
Product Name: ????
Product Version: 2.0.2.1618
Legal Copyright: Copyright (C) 2007-2013 xiami.com All Rights Reserved.
Legal Trademarks:
Original Filename: ????
Internal Name: ????
File Version: 2.0.2.1618
File Description: ????
Comments:
Language: English (United States)

Company Name: ???Product Name: ????Product Version: 2.0.2.1618Legal Copyright: Copyright (C) 2007-2013 xiami.com All Rights Reserved.Legal Trademarks: Original Filename: ????Internal Name: ????File Version: 2.0.2.1618File Description: ????Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	224771	225280	4.5508	172187516d330187b4de5842d93592d1
.rdata	229376	76456	76800	3.73485	c99e2c0977676d6753c8bd045e645299
.data	307200	8356	5120	2.49539	8053a525ee758dbe4ac3e142255d2a47
.gfids	319488	604	1024	1.79363	4c83d9a68fbc2a648f05822166b0a8f2
.tls	323584	9	512	0.014135	1f354d76203061bfdd5a53dae48d5435
.rsrc	327680	5894144	5891584	4.52167	5e4c45cdfa44f136de57cd1649b3bbfd
.reloc	6221824	12548	12800	4.55408	9ebf1a2b18f86b5b6a810b5fa6a36f9f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_224:

.text

`.rdata

@.data

.gfids

@.tls

.rsrc

@.reloc

j.Yf;

_tcPVj@

.PjRW

address family not supported

broken pipe

function not supported

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

XL_GetFileSizeWithUrl

XL_ParseThunderPrivateUrl

XL_CreateTaskByURL

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; KB974487)

hXXp://VVV.baidu.com

Server-Key

[SDK] result = %s

[SDK] Serverkey = %s

[SDK] Key = %s

[SDK] OneDeCrypt= %s

[SDK] TwoDeCrypt= %s

hXXp://VVV.api4.pw/api/downlist

downlist.data

[URL]

[SDK] url = %s ,process = %s

hXXp://VVV.api4.pw/api/monitorlist

monitorlist.data

[SDK] type = %d , value = %s

hXXp://VVV.api4.pw/api/send

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

\\.\PhysicalDrive0

Windows 10

Windows Server Technical Preview

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Windows XP

Windows Server 2003

Web Server Edition

Error %u in WinHttpQueryDataAvailable.

Error %u in WinHttpReadData.

RegDeleteKeyExW

InvokeMainViaCRT

ExitMainViaCRT

Microsoft.CRTProvider

C:\Users\Hooyi\Desktop\

M\CPAV3-1\Release\CpaMain.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$zETW0

.rdata$zETW1

.rdata$zETW2

.rdata$zETW9

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.gfids$x

.gfids$y

.tls$

.tls$ZZZ

.rsrc$01

.rsrc$02

KERNEL32.dll

USER32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

SHLWAPI.dll

GetCPInfo

GetProcessHeap

RegOpenKeyExW

RegEnumKeyExW

RegDeleteKeyW

RegCloseKey

RegNotifyChangeKeyValue

ADVAPI32.dll

WinHttpQueryDataAvailable

WinHttpCrackUrl

WinHttpConnect

WinHttpSetTimeouts

WinHttpSendRequest

WinHttpCloseHandle

WinHttpOpenRequest

WinHttpReadData

WinHttpQueryHeaders

WinHttpAddRequestHeaders

WinHttpOpen

WinHttpCheckPlatform

WinHttpReceiveResponse

WINHTTP.dll

PSAPI.DLL

.?AU_Crt_new_delete@std@@

.PA_W

.?AVCWinHttp@@

c:\%original file name%.exe

:|u%SS3

956|&56|

.tgPV

FTPjK

FtPj;

C.PjRVj

;|u.VV3

msvcr71.pdb

kernel32.dll

6|__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

MSVCR71.dll

_CRT_RTC_INIT

__crtCompareStringA

__crtCompareStringW

__crtGetLocaleInfoW

__crtGetStringTypeW

__crtLCMapStringA

__crtLCMapStringW

__p__acmdln

__p__wcmdln

_acmdln

_amsg_exit

_execl

_execle

_execlp

_execlpe

_execv

_execve

_execvp

_execvpe

_pipe

_wcmdln

_wexecl

_wexecle

_wexeclp

_wexeclpe

_wexecv

_wexecve

_wexecvp

_wexecvpe

6|mscoree.dll

setnewh.cpp

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

portuguese-brazilian

}7|.com

cmd.exe

command.com

GetConsoleOutputCP

PeekNamedPipe

CreatePipe

Assertion failed: %s, file %s, line %d

?)9|?)9|

zcÃ

3 3$3(3,3034383

5 5$5(5,5

=$=1=]={=

: :*:2:=:

6%7s7

?!?0?@?|?

6 6$6(6,6064686

4(6,686@6

0 0$0(0,0

Can not run Unicode version of ATL71.DLL on Windows 95, Windows98 or Windows Me.

ole32.dll

OLEAUT32.dll

GDI32.dll

atl71.pdb

RegCreateKeyExW

RegQueryInfoKeyW

MsgWaitForMultipleObjects

CreateDialogIndirectParamW

CreateDialogIndirectParamA

ATL71.DLL

advapi32.dll

gdi32.dll

oleaut32.dll

CloseWindowStation

EnumDesktopWindows

OpenWindowStationA

SetProcessWindowStation

SetViewportExtEx

SetViewportOrgEx

CryptDestroyKey

CryptExportKey

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyW

RegDeleteKeyA

RegEnumKeyA

RegEnumKeyW

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyW

ReportEventW

stdole2.tlbWWW

hpcmdtReservedWWW

.ShowUIWW

RbstrGuidCmdGroup

nCmdIDWW

uGetOptionKeyPath

dzpbstrKey

5TranslateUrl

bstrURLInWWW

pbstrURLOutW

pbMsgReflect

pbstrOptionKeyPathWW,

Set the option key pathWWW

Get the option key pathWWW

Created by MIDL version 6.00.0362 at Tue Jul 11 18:07:22 2006

SSSSh

c:\windows\temp

7y"HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

Ey".tlb

\\.\Scsi0:

\\.\IDE21201.VXD

101111111111

222222222222

111111111111

000000000000

filter%u

XXXXXX

\pub_store.dat

.\UnknownBase.cpp

e:\xl7\Product Release\dl_peer_id.pdb

iphlpapi.dll

RegQueryInfoKeyA

RegEnumKeyExA

MSVCP71.dll

dl_peer_id.DLL

Dl_peer_id.XlPeerId.1 = s 'XlPeerId Class'

CLSID = s '{5D72951E-2B86-41B9-835F-464346928269}'

Dl_peer_id.XlPeerId = s 'XlPeerId Class'

CurVer = s 'Dl_peer_id.XlPeerId.1'

ForceRemove {5D72951E-2B86-41B9-835F-464346928269} = s 'XlPeerId Class'

ProgID = s 'Dl_peer_id.XlPeerId.1'

VersionIndependentProgID = s 'Dl_peer_id.XlPeerId'

'TypeLib' = s '{3E618540-AFE5-4DFC-B440-1A760323133B}'

Dl_peer_id.DownloadLibPlugin.1 = s 'DownloadLibPlugin Class'

CLSID = s '{D76D152E-836B-489B-A333-930A7F22A1D4}'

Dl_peer_id.DownloadLibPlugin = s 'DownloadLibPlugin Class'

CurVer = s 'Dl_peer_id.DownloadLibPlugin.1'

ForceRemove {D76D152E-836B-489B-A333-930A7F22A1D4} = s 'DownloadLibPlugin Class'

ProgID = s 'Dl_peer_id.DownloadLibPlugin.1'

VersionIndependentProgID = s 'Dl_peer_id.DownloadLibPlugin'

> >,>0>@>

hXXp://ocsp.verisign.com0

"hXXp://crl.verisign.com/tss-ca.crl0

Thawte Certification1

0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

{.Rich

t.SVW

j.Pj.Qj.R

j.Qj.Rj.P

.thMUQ

SQSSSSSSh

8^%u;

8X%u*

t%SSj

!"#$%&'()*" ,-./01

T$8RSSh

SSSSSh

szKey

SSSh5

3|$

3|$@3|$,

3|$,3|$$

3|$03|$(

3|$43|$(

3|$83|$,

3|$$3|$(

user_udp_listen_port

user_tcp_listen_port

dl_udp_listen_port

dl_tcp_listen_port

dl_udp_default_port

dl_tcp_default_port

0123456789

https=

http=

[%I64u,%I64u]%s

LANG%x

[%s] overflowed.

[%s] includes non-numberic character.

[%s] is an empty std::string.

download_interface.dll

Version_%d_%d_%d_%d\

GetCurrentExeFullPath

Bad IUnknown:0xX

%s[%d.%d.%d.%d]:0xX[%X]

download.cfg

.\DownloadLib.cpp

xl_stat.dll

down_dispatcher.dll

ptl.dll

p2p.dll

backend_agent.dll

p2p_local_res.dll

p2p_upload.dll

p2sp.dll

fs.dll

dl_peer_id.dll

{A091AD25-4931-4569-9EC2-14FF003DE671}

asyn_frame.dll

prop.txt

va.dll

p2p_session_com.dll

al.dll

member_stat.dll

task_report.dll

xl_mole.dll

module_downloader.dll

media_data.dll

addinmanager.dll

p2p_network_com.dll

xlpfmc.dll

emule_id.dll

stream.dll

p2sp_pd.dll

{D76D152E-836B-489B-A333-930A7F22A1D4}

{174583A8-CA6D-4d16-96EC-7B9C03B86956}

{6F4EE6C4-55B7-4ff3-8670-03E0BD595D74}

bt_kernel.dll

{34B2E147-6B19-47ba-99C8-0755C2AFD066}

emule_kernel.dll

{12CF75BA-3FFD-4ea0-AEEA-6C5E113DAA82}

{790987D5-8ACC-4383-9005-E35F0B59F9FD}

{C4CEDAFD-E96F-4221-A8FA-CB1B350C4152}

{EF165A54-C96A-4fcd-9EB8-CC9DCC08FB5C}

{0D61278E-CF63-4B97-94D4-62E8DE662F31}

dphubt.dll

{D38016AB-AC47-483a-BD4B-812CCDCD4236}

{69281D18-CC2D-4d02-825B-B77B176BDBEC}

{DCEE4103-3E9E-4a3e-9BD8-E432B5CA7A25}

{D49969FF-0395-4E56-BA6A-39D2FDE49144}

stat.dat

HKEY_CURRENT_CONFIG

\/:*?"|

ftps://

hXXps://

PTF://

hXXp://

index.html

.rmvb

.mpga

.mpeg

.\AsynFrame.cpp

.\asyn_io_manager.cpp

operation_type_none == _connecting_queue[event_handle]._opt_type

0 == _connecting_queue[event_handle]._ip_addresses.size()

_connecting_queue.count(event_handle)

.\connect_manager.cpp

_connecting_queue[event_handle]._ip_addresses.size()

_socket2event_map.count(socket_handle)

_socket2event_map.count(info._operation_ptr->operate_handle())

operation_ptr->operate_handle()

operation_ptr->is_pending()

operation_ptr

_connecting_queue[event_handle]._opt_type == operation_type_connect

.\asyn_io_operation.cpp

operation_ptr->is_pending() == false

.\asyn_file_device.cpp

result == _io_operation

.\socks_proxy_verifier.cpp

Referer: hXXp://VVV.xunlei.com/

Host: VVV.xunlei.com

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1

hXXp://VVV.xunlei.com/

127.0.0.1

0.0.0.0

SCHANNEL.DLL

_operation_ptr == NULL

.\AsynSSLSocket.cpp

bytes_transfered == _data_operate_bytes

_operation_ptr != NULL

.\AsynSpeedLimitSocket.cpp

buffer_pos expected_bytes buffer_len()

.\asyn_socket_device_imp.cpp

operation_ptr != NULL

.\file_asyn_io_helper.cpp

enable_fcrt

.\asyn_io_handler.cpp

operation_ptr->handdler_ptr() == this

.\timer_manager.cpp

.\wait_objects_thread.cpp

.\asyn_socks_socket_device.cpp

.\socks_asyn_server_socket.cpp

.\asyn_udp_device.cpp

.\asyn_icmp_device.cpp

.\socks_wrapper.cpp

sock5: unsupport authenticate method:

sock5: no acceptable method to login proxy server

unsupported socks ver no:

sock5 not support passord of length exceed 255

sock5 not support user name of length exceed 255

no set user name,can't login socks5 proxy server

socks5 server user name and password authenticate not passed

exceed 255, sock5 not support this

not support ipv6 address

sock5 server : address type not supported

sock5 server : command not supported

asyn_frame.dat

.sandai.net

error.dat

.\dl_plugin_fs.cpp

(id is_free == false)

.\file_io_unit.cpp

map_it != _data_map.end()

map_it != _reading_ranges_array.end()

.\cache_strategy.cpp

.\rest_range_read_manager.cpp

it_done != _file_rest_queue_done.end()

.\io_manager.cpp

p2s_idx_hub_port

hub5idx.shub.hz.sandai.net

p2s_res_hub_port

hub5sr.shub.hz.sandai.net

p2s_hub_port

port

imhub5t.hz.sandai.net

.td.cfg

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

cmd_report_abnormal_response

d:\minidownloadlib\branches\branch_wbf\p2sp\sim_class\../com_class/CCommand.h

g;CP2spSubTask_url

d:\minidownloadlib\branches\branch_wbf\p2sp\sim_class\download_plugin.h

.unknow

0 != _need_calc_blocknos.size()

.\xunlei_bcid_calculator.cpp

.\bcids_info.cpp

cfgfile error version: %d

("execute_cmd

\MiniDownloadLib\branches\branch_wbf\p2sp\protocol\cmd_tcp_handler.cpp

invalid_cmd

tcp_connect_error

report_time

TCPH_Failed

TCPH_NetError

TCPH_BothRes

TCPH_OnlySeedRes

TCPH_OnlyNonSeedRes

TCPH_NoRes

cmd_query_hub

cmd_query_res_info_hub

cmd_query_server_res

\MiniDownloadLib\branches\branch_wbf\p2sp\protocol\command.cpp

cmd_report_fetch_hint_error

cmd_report_fetch_hint_error_response

!_gcid.empty() && _sub_task_file_size != 0

.\p2sp_sub_task_imp.cpp

.\resource_info_ex.cpp

HTTP/1.1

httpresponse_header don't have field: Content-Length

httpresponse_header don't have field: Content-Range

httpresponse header don't have field: Content-Range

httpresponse_header don't have field: Content-Disposition

Httponly

HttpOnly

httponly

IDataPipe

dupsock_chunked_http_data_pipe

dupsock_data_pipe

_data_operation == NULL

.\ftp_data_pipe.cpp

operation_ptr == _data_operation

data_len

PASS ******

does not surpport this type of ftp proxy

_asyn_io_operation == NULL

_data_operation != NULL

_assigned_range.pos()

_encode_filename_count<_all_encoded_filename.size>

_all_encoded_filename.size()>0

ftp_min_expected_sum_length

ftp_data_pipe

PROT failed, server may not support ssl

PBSZ failed, server may not support ssl

_encode_filename_count

port command exec failure

PORT

OP_SOCK_BIND == operation_ptr->operation_type()

OP_SOCK_CONNECT == operation_ptr->operation_type()

_ssl_explicit && operation_ptr == _asyn_io_operation

operation_ptr == _asyn_io_operation

_is_ssl && operation_ptr == _data_operation

http request return error, can't get entity_length

operation_ptr->operation_type() == OP_SOCK_CONNECT

operation_ptr == _ayso_io_operation

.\http_data_pipe.cpp

not send request,can't get redirect_url

yahoo.com

_cur_process_path_pos

(unsigned)_small_file_pos

Shlwapi.dll

http_min_expected_sum_length

cur_proxy.proxy_type == HTTP_PROXY

http_data_pipe

.xunlei.com

6to23.com

_process_full_paths.push_back has logical error

encode_mode _http_full_paths.size()

.\http_url_range_pipe.cpp

_server_resource_ptr->range_type() == VSU_RANGE_URL

.\p2s_task_event_handler.cpp

1 == resources.size()

.\server_res_store.cpp

cmd_query_hub_response

cmd_query_res_info_response

cmd_query_server_res_response

.\p2s_res_searcher.cpp

d..\p2s_sub_task.cpp

max_url_length

cmd_report_change_ex

cmd_insert_server

.movie

video/vnd.mpegurl

.wmls

text/vnd.wap.wmlscript

text/vnd.wap.wml

.html

image/x-portable-pixmap

image/x-portable-graymap

image/x-portable-bitmap

image/x-portable-anymap

.wbmp

image/vnd.wap.wbmp

image/vnd.djvu

.tiff

.arpm

audio/x-mpegurl

.midi

.xhtml

.ustar

.texi

.sv4crc

.sv4cpio

.shar

.latex

.gtar

.cpio

.bcpio

.wmlsc

application/vnd.wap.wmlscriptc

.wmlc

application/vnd.wap.wmlc

.wbxml

application/vnd.wap.wbxml

application/vnd.ms-powerpoint

application/vnd.ms-excel

application/vnd.mif

_dispatch_info.offset

.\p2sp_data_pipe.cpp

.\limit_asyn_socket_device.cpp

_client_cur_len _dispatch_info.offset == _dispatch_info.expected_pos

1 == range_q.size()

.\ftp_data_reader.cpp

.\server_data_pipe.cpp

read notify failure, and not support range, exit

support keep alive and socket is not pending , reopen

pipe reading, pos != cur pos, cur pos:

support keep alive but pipe is not connected

pipe reading, pos == cur pos, do read direct

change ranges while state is opening, support keep alive ! pos != old_range_pos reconnect

pipe opening, pos != old pos , old pos:

pipe opening, pos == old pos

change zero range while state is opening. close this pipe.

change zero range while state is connecting. close this pipe.

pipe idle, pos != cur pos, not support range reconnect

pipe idle, pos != cur pos, connect again, cur pos:

pipe idle, pos != cur pos, not support keep alive, so reconnect

pipe idle, pos == cur pos, support keep alive, so do sub open

change_ranges at state: idle but not support range , do read direct

change zero range while state is idle. close this pipe.

change ranges while retry waiting! and is zero range. so close pipe.

, but not support range, range pos:

occur exception: redirect but schema not support, no retry

occur exception: redirect but self redirect url, no retry

occur exception: redirect but no redirect url, no retry

occur exception: redirect but wrong redirect port, no retry

io_complete, handle_open_notify return not support range, is html:

cmd_report_notstable_response

cmd_report_notstable

_cfgdata_info._bcid_calculator.get_bcids().block_size() != 0

\MiniDownloadLib\branches\branch_wbf\p2sp\datamanagement_imp\data_file_handler.cpp

0 !=_data_receiver_list.size()

.td.decprs

.\data_file_manager.cpp

_asyn_file_op_ptr == operation_ptr

cmd_report_new_task

cmd_report_new_task_response

cmd_report_task_life_cycle

cmd_report_task_life_cycle_resp

cmd_report_change_ex_response

cmd_insert_server_response

.\simple_data_receiver.cpp

cmd_report_dwstat

cmd_report_dwstat_resp

cmd_report_download_failure

cmd_vote_urlinfo

cmd_report_abnormal

cmd_report_correction_resp

cmd_report_correction

1.2.3

%c%c%c%c%c%c

%c%c%c%c%c%c%c%c%c

%c%c%c%c%c%c%c

%c%c%c%c%c

%c%c%c%c

%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

%c%c%c

.\data_receiver.cpp

cmd_report_download_failure_response

cmd_vote_urlinfo_resp

pipe_base_socre

simu_max_alternate_pipes

simu_pipes_per_task

simu_max_simultaneity_pipes

simu_min_simultaneity_pipes

random_unchoke_pipe_num

optimistic_unchoke_pipe_num

pure_upload_pipe_max

cid_store_server_port

hubciddata.hz.sandai.net

\cid_store.dat

hubstat_port

hubstat.hz.sandai.net

imhubstat.hz.sandai.net

pmap_port

pmap.hz.sandai.net

udp_recv_speed_max

udp_send_speed_max

diff_nat_tcp_recv_speed_max

diff_nat_tcp_send_speed_max

same_nat_tcp_recv_speed_max

same_nat_tcp_send_speed_max

udp_recv_bytes

udp_send_bytes

udp_recv_times

udp_send_times

diff_nat_tcp_recv_bytes

diff_nat_tcp_send_bytes

diff_nat_tcp_recv_times

diff_nat_tcp_send_times

same_nat_tcp_recv_bytes

same_nat_tcp_send_bytes

same_nat_tcp_recv_times

same_nat_tcp_send_times

cmd_retry_interval

cmd_enroll

passive_report_period

cmd_enroll_resp

config_port

hub5c.hz.sandai.net

cmd_reportcrack_resp

cmd_report_change_dir_for_ids_resp

cmd_report_del_uncomp_task_response

cmd_query_resstat_resp

new asyn_io_operation failed.

POST / HTTP/1.1

/ HTTP/1.1

POST hXXp://

udp_retry_times

command [%s] encode length [%lu] is greater than udp packet max length [%lu].

udp_recv_timeout_interval

wrap_with_http

cmd_query_base_conf

cmd_query_base_conf_resp

%d.%d.%d.%d

cmd_report_change_dir_for_ids

cmd_report_del_uncomp_task

cmd_query_resstat

cmd_reportcrack

cmd_getconfig

cmd_getconfig_resp

default_udp_port

dl_port

default_tcp_port

broker_tcp_conn_succ

broker_tcp_connection

direct_tcp_conn_succ

direct_tcp_connection

PS_PORT_ALLOC

AS_PORT_ALLOC

CONE_PORT_ALLOC

UNKNOWN_PORT_ALLOC

DELTA_PORT_OTHER

DELTA_PORT_0

DELTA_PORT_4

DELTA_PORT_3

DELTA_PORT_2

DELTA_PORT_1

UNKNOWN_DELTA_PORT

255.255.255.0

bind port failed.

http_wrapper_enable

p2p_cmd_reportp2pstatresp

report_time_obj

cmd_reportp2pobjstatresp

d:\minidownloadlib\branches\branch_wbf\ptl\back_agent\../com_class/CCommand.h

ReportP2PTraverseStatEvents

NAT_SERVER_PORT_LIST

8000,4000,3076,4004,5004

nat_check_port

BROKERCMD

path_stat_server_port

relay.phub.hz.sandai.net

P2P_UPDATE_EX_PORT_FACTOR

P2P_UPDATE_EX_PORT_INTERVAL

P2P_BIND_PORT_MAX_RETRY

hub5pnc.hz.sandai.net

TRACKER_PORT

hub5pn.hz.sandai.net

ping_server_port

hub5u.hz.sandai.net

P2P_NAT_CHECK_UDP_MAX_RETRY

P2P_NAT_CHECK_UDP_TIMEOUT

P2P_DEFAULT_LISTEN_DUMMY_PORT

relay.hz.sandai.net

_dest_dummy_port:

_source_dummy_port:

p2p_cmd_old::decode should decode

but decode cmd =[

UNKNOWNCMD

p2p_cmd_tcp::decode bodylen[

p2p_cmd_tcp::decode buff_size

HTTP/1.1 200 OK

asyn_http_socket

asyn_http_socket_device

p2p_cmd_statistic

cmd_reportp2pobjstat

enable_tcp_mode

No second port.

No source port.

No mapped port.

external_port

upnp.exe

describe_url

send udp data error

UDP send_to() is commanded to stop!

%u.%u.%u.%u

_local_port

_delta_port

_latest_ex_port

_local_dummy_port

_remote_port

port :

p2p_cmd_udp::decode buff_size

_guess_ex_port

_remote_dummy_port

_dest_dummy_port

_source_dummy_port

obj_dummy_port :

src_dummy_port :

_my_dummy_port

port:

no next_report_day

AddPortMapping

Thunder5

POST %s HTTP/1.1

HOST: %s:%u

Content-Length: %d

SOAPACTION: "%s#%s"

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

%s %s>

GET %s HTTP/1.1

Host: %s:%d

controlURL

URLBase

cmd_report_upnp

cmd_report_upnp_response

239.255.255.250

M-SEARCH * HTTP/1.1

HOST:239.255.255.250:1900

unknown escape character: '&%s'

{D69684C8-7381-478C-A595-9FFBD8EA3506}

coisp_cdn.dat

coisp_ipsec.dat

recv_all_cmd_bytes

recv_all_cmd_count

send_all_cmd_bytes

send_all_cmd_count

pus_report_interval

p2p_hub_port

imhub5pr.hz.sandai.net

tracker_port

hub5p.hz.sandai.net

hub5pr.hz.sandai.net

score_port

score.phub.hz.sandai.net

zero_cdn_port

thunder7.zhub.sandai.net

_read_buffer2ref_count.count(data_input_ptr)

.\p2pres_repository.cpp

pipe_min_retry_time

check_pipe_alive_limit

check_pipe_alive_interval

udp_valid

tcp_valid

peer://%s@%s:%hu/%s

d:\minidownloadlib\branches\branch_wbf\p2p\dl_plugin\back_agent\../com_class/CCommand.h

cmd_retry_isrconline_interval

cmd_relogin_interval

_command_queue.size()

.\hub_protocol\p2phub_tcp_handler.cpp

force_report_p2p_res

cmd_p2perrorstatresp

cmd_report_invalid_peer

.\p2p_pipe_base.cpp

(tcp)

(udp)

remove choke pipe:

pipe deleted.

insert choke pipe:

pipe already closed and deleted!

]. pipe didn't send or recv for [

INVALID_CMD

send UNKNOWNCMD failed. error_code=[

recv UNKNOWNCMD failed. error_code=[

new asyn_io_operation == NULL!!

an operation need illegal [

encode cmd exception =

impossible _pipe_type =

0000000000000000

cmd_old_head->encode caused exception:

read_buffer notify error. post an operation simulant send GETRESP(failed).

recv opt_unknown_recv_cmd_old_header failed! error_code=[

opt_unknown_recv_cmd_old failed! error_code=[

old p2p command decode get unknown cmd_name =

PIPE

add_accepted_p2p_pipe failed!

accepted with TCP connection.

illegal pipe_open_type =

broker_open: impossible PIPE_TYPE =

incorrect pipe_open_type =

Unknown operation types =

range_to_save.pos()[

cmd_requestresp data_len

Unknown operation=

recv cmd tcp header failed! error_code=[

decode cmd tcp header exception =

cmd name is unknown. header data: protocol version[

] cmd_name[

Unknown _pipe_type =

p2p_data_pipe

cmd_report_upload_statistic_resp

cmd_report_upload_statistic

.\peer_res_store.cpp

.\download_task\resource_info_ex.cpp

.\command.cpp

cmd_is_src_online

cmd_insert_rc

cmd_delete_rc

cmd_delete_rc_resp

cmd_report_rclist

cmd_p2perrorstat

.\cmd_tcp_handler.cpp

cmd_query_self_p2p_score

cmd_query_self_p2p_score_resp

.\cmd_udp_handler.cpp

p2p_cmd_old::encode Empty command name to encode!

p2p_cmd_old::decode cmd name should =[

]. but decode cmd =[

p2p_cmd_old::decode buff_size [

cmd_query_p2phub

cmd_query_p2phub_resp

cmd_query_tracker

.\hub_protocol\cmd_query_tracker.cpp

cmd_query_tracker_resp

tracker_cmd_delete

tracker_cmd_delete_resp

cmd_is_src_online_resp

cmd_insert_rc_resp

cmd_report_rclist_resp

user_global_tcp_connection_limit

.\DispatcherMain.cpp

.\dispatcher.cpp

%d.txt

hyper_speed_mode_pipe_limit

task_url

max_non_p2sp_pipes_count

max_recv_data_internal_http

max_recv_data_internal_ftp

max_pipe_on_same_host

max_pipe_count

calc_speed_pipe_score_fator

open a pipe

find a pipe by substring in res_id

show pipe information

list all pipes

net_stat_recovery_mode_reserve_pipe_num

max_reserved_pipe_count_base

not_support_range_pipe_reopen_interval

max_normal_pipe_reopen_interval

normal_pipe_reopen_interval

new_pipe_count_base_dec_delta_slow

new_pipe_count_base_dec_delta_fast

new_pipe_count_base_inc_delta_slow

new_pipe_count_base_inc_delta_fast

default_open_pipe_count_on_task_start

?to_open_count >= pipes_created_once

.\normal_connect_dispatch.cpp

succ open pipe :

usage: open pipe_ptr

succ close pipe :

usage: close pipe_ptr

pipe_history_max_speed:

pipe_recent_max_speed:

pipe_speed:

pipe:

not found pipe:

usage: info pipe_ptr

pipe:

lixian.vip.xunlei.com

is_in(pipe_wrapper_ptr)

.\resource_wrapper.cpp

pipe_list

idle_cause >= PIPE_IDLE_INIT && idle_cause

.\data_pipe_wrapper.cpp

d:\minidownloadlib\branches\branch_wbf\down_dispatcher\dispatcher\data_pipe_wrapper.h

data_pipe_wrapper

max_dispatch_p2p_pipe_count

max_dispatch_server_pipe_count

max_overlap_p2p_pipes

max_overlap_server_pipes

.\normal_dispatcher_imp_new.cpp

next_it != _cur_map.end()

next_it != _cur_map.begin()

end_of_range != _cur_map.end()

end_of_range != _cur_map.begin()

i->first == r_r.pos()

_cur_map.size() >= 2

.\normal_dispatcher_imp_opt.cpp

_cur_map.size() > 0

_cur_map.size() > 1

pipe_ptr->get_connect_time() != UINT_MAX

enable_pipeline

max_pipeline_count

block_range.length() > cut_len

.\small_file_dispatcher_v2.cpp

.\dispatch_range_queue.cpp

range_pos->r.is_contain(assign_range) || assign_range.is_full_range()

can_download_ranges().ranges().size() == 1

ranges.size()==1

can_download_ranges().ranges().size() != 0

current_queue.all_range_length() == current_all_length

.\peer_data_pipe.cpp

.\density_calculator.cpp

m_queue->m_allocate_begin_pos != m_queue->m_ranges_info.begin()

.\sequential_range_iterator.cpp

.\allocate_iterator.cpp

hubstat.sandai.net

last_passive_report

P:passive_report_delay

Tlast_report_time

report_period

cmd_report_statistic

cmd_report_statistic_resp

d:\minidownloadlib\branches\branch_wbf\xl_stat\back_agent\shub_command.cpp

Kernel32.dll

Run-Time Check Failure #%d - %s

MSPDB71.DLL

IMAGEHLP.DLL

KERNEL32.DLL

ADVAPI32.DLL

dl_crt

not_support_p2p_acc

support_p2p_acc

not_support_mhxy_v1

support_mhxy_v1

not_forced_tcp_mode

forced_tcp_mode

RSA part of OpenSSL 0.9.8b 04 May 2006

passed a null parameter

DSO support routines

x509 certificate routines

Big Number part of OpenSSL 0.9.8b 04 May 2006

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

lhash part of OpenSSL 0.9.8b 04 May 2006

Stack part of OpenSSL 0.9.8b 04 May 2006

RAND part of OpenSSL 0.9.8b 04 May 2006

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

ASN.1 part of OpenSSL 0.9.8b 04 May 2006

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

USER32.DLL

NETAPI32.DLL

SHA1 part of OpenSSL 0.9.8b 04 May 2006

SHA-256 part of OpenSSL 0.9.8b 04 May 2006

DlSHA-512 part of OpenSSL 0.9.8b 04 May 2006

port error

d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb

WS2_32.dll

WININET.dll

USERENV.dll

VERSION.dll

CreateIoCompletionPort

GetWindowsDirectoryA

zlib1.dll

MSWSOCK.dll

NETAPI32.dll

ReportEventA

download_engine.dll

get_default_listen_port

get_http_request_header

get_http_request_method

get_listen_port

get_task_url

get_url_str

is_support_dispatch_strategy

is_support_schema

parse_url

report_crack

report_crack_cancel

report_file_to_phub

set_http_request_header

set_http_request_method

set_listen_port

set_report_strategy

set_stat_ref_url

url_info_to_str

.?AUIAsynIoOperationEvents@@

.?AV?$singleton_ex@Vmsg_pool@@@@

.?AVmsg_pool@@

.?AVCAsynIoOperationLayer@@

.?AUIAsynTcpListener@@

.?AUIAsynTcpListener2@@

.?AVCAsynTcpListener@@

.?AV?$CComObject@VCAsynTcpListener@@@ATL@@

.?AVCAsynSock5TcpListener@@

.?AV?$CComObject@VCAsynSock5TcpListener@@@ATL@@

.?AUIAsynUdpSocket2@@

.?AUIAsynUdpSocket@@

.?AVCAsynUdpSocket@@

.?AV?$CComObject@VCAsynUdpSocket@@@ATL@@

.?AUIAsynTcpSocket@@

.?AVCAsynTcpSocket@@

.?AV?$CComObject@VCAsynTcpSocket@@@ATL@@

.?AVCAsynSock5UdpSocket@@

.?AV?$CComObject@VCAsynSock5UdpSocket@@@ATL@@

.?AUIAsynIoOperationObject@@

.?AUIAsynIoOperation@@

.?AUIAsynFileScatterOperation@@

.?AVCAsynIoOperation@@

.?AV?$CComObject@VCAsynIoOperation@@@ATL@@

.?AUIAsynProxyTcpSocket@@

.?AVCAsynSock5TcpSocket@@

.?AV?$CComObject@VCAsynSock5TcpSocket@@@ATL@@

.?AVasyn_io_operation@@

.?AVCAsynIoOperationObjects@@

.?AVftp_proxy_verifier@@

.?AVhttp_proxy_verifier@@

.?AVwait_objects_thread_operation_list@@

.?AVasyn_udp_device@@

.?AVcmd_tcp_handler@ns_p2sp@@

.?AVhub_cmd_tcp_handler@ns_p2sp@@

.?AVstatistic_report_handler@ns_p2sp@@

.?AUIHttpResource@@

.?AUIHttpResource2@@

.?AUIHttpResource3@@

.?AUIHttpResource4@@

.?AVp2sp_data_pipe@ns_p2sp@@

.?AUIServerDataPipe@@

.?AUIDataPipe@@

.?AVcmd_query@ns_p2sp@@

.?AVcmd_query_res_info@ns_p2sp@@

.?AVcmd_query_server_res@ns_p2sp@@

.?AVcmd_report_fetch_hint_error@ns_p2sp@@

.?AVcmd_report_fetch_hint_error_response@ns_p2sp@@

.?AVhttpresponse_header@@

.?AVserver_pipe_manager@ns_p2sp@@

.?AV?$CEventsRaiser@UIDataPipeEvents@@$0PPPPPPPP@@@

.?AVpipe_events_raiser@ns_p2sp@@

.?AV?$CServerDataPipeRoot@UIServerDataPipe@@@@

.?AVdupsock_chunked_http_data_pipe@ns_p2sp@@

.?AVdupsock_data_pipe@ns_p2sp@@

.?AVserver_data_pipe@ns_p2sp@@

.?AVftp_data_pipe@ns_p2sp@@

.?AUIHttpDataPipe@@

.?AUIHttpDataPipe2@@

.?AV?$CServerDataPipeRoot@UIHttpDataPipe2@@@@

.?AVhttp_data_pipe@ns_p2sp@@

.?AVhttp_url_range_pipe@ns_p2sp@@

.?AVasyn_io_operation@ns_p2sp@@

.?AVp2p_cmd_exception@ns_p2sp@@

.?AVp2p_cmd_exception_insufficient_write@ns_p2sp@@

.?AVp2p_cmd_exception_insufficient_read@ns_p2sp@@

.?AVcmd_query_response@ns_p2sp@@

.?AVcmd_query_res_info_response@ns_p2sp@@

.?AVcmd_query_server_res_response@ns_p2sp@@

.?AVcmd_report_change_ex@ns_p2sp@@

.?AVcmd_insert_server@ns_p2sp@@

.?AVCAsynIoOperationEvents@ns_p2sp@@

.?AV?$CComObject@VCAsynIoOperationEvents@ns_p2sp@@@ATL@@

.?AVftp_data_reader@ns_p2sp@@

.?AVhttpresponse_data@ns_p2sp@@

.?AVcmd_report_notstable_response@ns_p2sp@@

.?AVcmd_report_notstable@ns_p2sp@@

.?AVhttp_response@ns_p2sp@@

.?AVhttpresponse_stream_data@ns_p2sp@@

.?AVhttpresponse_chunked_data@ns_p2sp@@

.?AVfile_create_operation@@

.?AVcmd_report_new_task@ns_p2sp@@

.?AVcmd_report_new_task_response@ns_p2sp@@

.?AVcmd_report_task_life_cycle@ns_p2sp@@

.?AVcmd_report_task_life_cycle_resp@ns_p2sp@@

.?AVcmd_report_change_ex_response@ns_p2sp@@

.?AVcmd_insert_server_response@ns_p2sp@@

.?AVcmd_report_dwstat@ns_p2sp@@

.?AVcmd_report_dwstat_resp@ns_p2sp@@

.?AVcmd_report_download_failure@ns_p2sp@@

.?AVcmd_vote_urlinfo@ns_p2sp@@

.?AVcmd_report_abnormal_response@ns_p2sp@@

.?AVcmd_report_abnormal@ns_p2sp@@

.?AVcmd_report_correction_resp@ns_p2sp@@

.?AVcmd_report_correction@ns_p2sp@@

.?AVcmd_report_download_failure_response@ns_p2sp@@

.?AVcmd_vote_urlinfo_resp@ns_p2sp@@

.?AVcmd_handler@ns_back_agent@@

.?AVcmd_tcp_handler@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@

.?AVcmd_udp_handler@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@

.?AVcmd_tcp_encrypted_handler@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@

.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@

.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@

.?AVconfig_hub_tcp_handler@ns_back_agent@@

.?AVstatistic_report_handler@ns_back_agent@@

.?AVthunderS_enroll_tcp_handler@ns_back_agent@@

.?AVcmd_enroll_resp@ns_back_agent@@

.?AVpmap_tcp_handler@ns_back_agent@@

.?AVcmd_query_base_conf@ns_back_agent@@

.?AVcmd_query_base_conf_resp@ns_back_agent@@

.?AVcmd_enroll@ns_back_agent@@

.?AVcmd_report_change_dir_for_ids@ns_back_agent@@

.?AVcmd_report_change_dir_for_ids_resp@ns_back_agent@@

.?AVcmd_report_del_uncomp_task@ns_back_agent@@

.?AVcmd_report_del_uncomp_task_response@ns_back_agent@@

.?AVcmd_query_resstat@ns_back_agent@@

.?AVcmd_reportcrack@ns_back_agent@@

.?AVcmd_getconfig@ns_back_agent@@

.?AVcmd_getconfig_resp@ns_back_agent@@

.?AVcmd_query_resstat_resp@ns_back_agent@@

.?AVcmd_reportcrack_resp@ns_back_agent@@

.?AVp2p_intranet_cmd@ns_ptl@@

.?AVp2p_cmd_keepalive@ns_ptl@@

.?AVasyn_io_operation@nssc@@

.?AVbroker_io_operation@ns_ptl@@

.?AVall_udt_accept_operation@ns_ptl@@

.?AVpassive_peek_operation@ns_ptl@@

.?AVpassive_connection_dispatcher@ns_ptl@@

.?AVstatistic_report_handler@ns_ptl@@

.?AVReportP2PTraverseStatEvents@ns_ptl@@

.?AVudp_socket_portal@ns_ptl@@

.?AVudp_data_handler_imp@ns_ptl@@

.?AVp2p_cmd_exception@ns_ptl@@

.?AVudp_make_peer_reachable_event_handler@ns_ptl@@

.?AVudp_make_peer_reachable_strategy@ns_ptl@@

.?AVudp_passive_punch_hole_strategy@ns_ptl@@

.?AVudp_punch_hole_strategy@ns_ptl@@

.?AVudp_direct_connect_strategy@ns_ptl@@

.?AVudp_passive_direct_connect_strategy@ns_ptl@@

.?AVincoming_udp_broker_connection_handler@ns_ptl@@

.?AVudp_broker_cmd_handler@ns_ptl@@

.?AVudp_passive_broker_strategy@ns_ptl@@

.?AVp2p_cmd_p2psyn@ns_ptl@@

.?AVudp_broker_strategy@ns_ptl@@

.?AVudp_relay_strategy@ns_ptl@@

.?AVptl_tcp_socket@ns_ptl@@

.?AVp2p_cmd_p2preset@ns_ptl@@

.?AVp2p_cmd_getpeersn@ns_ptl@@

.?AVcmd_brokerreq@ns_ptl@@

.?AVcmd_brokerreq2@ns_ptl@@

.?AVp2p_cmd_base@ns_ptl@@

.?AVp2p_cmd_tcp@ns_ptl@@

.?AVcmd_transferlayercontrolresp@ns_ptl@@

.?AVp2p_cmd_exception_insufficient_read@ns_ptl@@

.?AVcmd_transferlayercontrol@ns_ptl@@

.?AVasyn_http_socket_device@ns_ptl@@

.?AVp2p_cmd_statistic@ns_ptl@@

.?AVcmd_reportp2pobjstat@ns_ptl@@

.?AVp2p_cmd_binding_response@ns_ptl@@

.?AVp2p_cmd_binding_request@ns_ptl@@

.?AVudp_socket@ns_ptl@@

.?AVudp_socket_imp@ns_ptl@@

.?AVp2p_cmd_nn2snlogout@ns_ptl@@

.?AVp2p_cmd_getmysn@ns_ptl@@

.?AVp2p_cmd_pingsn@ns_ptl@@

.?AVcmd_query_relay_peer_resp@ns_ptl@@

.?AVp2p_cmd_RelayRequestResp@ns_ptl@@

.?AVp2p_cmd_RelayRequest@ns_ptl@@

.?AVcmd_brokercmd2@ns_ptl@@

.?AVp2p_cmd_getmysnres@ns_ptl@@

.?AVcmd_udp_broker_cmd@ns_ptl@@

.?AVp2p_cmd_udp@ns_ptl@@

.?AVp2p_cmd_brokercmd@ns_ptl@@

.?AVp2p_cmd_someonecallu@ns_ptl@@

.?AVp2p_cmd_punchhole@ns_ptl@@

.?AVp2p_cmd_pingsnres@ns_ptl@@

.?AVp2p_cmd_icallsomeoneres@ns_ptl@@

.?AVp2p_cmd_getpeersnres@ns_ptl@@

.?AVp2p_cmd_advanced_ack@ns_ptl@@

.?AVcmd_brokercmd@ns_ptl@@

.?AVp2p_cmd_icallsomeone@ns_ptl@@

.?AVcmd_udp_broker_req@ns_ptl@@

.?AVcmd_query_relay_peer@ns_ptl@@

.?AVp2p_cmd_brokerreq@ns_ptl@@

.?AVp2p_cmd_exception_insufficient_write@ns_ptl@@

.?AVp2p_cmd_reportp2pstatresp@ns_ptl@@

.?AVcmd_reportp2pobjstatresp@ns_ptl@@

.?AVp2p_cmd_logout@ns_ptl@@

.?AVcmd_ping@ns_ptl@@

.?AVasyn_tcp_handler@ns_ptl@@

.?AVcmd_report_upnp@ns_ptl@@

.?AVcmd_report_upnp_response@ns_ptl@@

.?AVasyn_udp_handler@ns_ptl@@

.?AV?$msg_base@Vp2pres_repository@ns_p2p@@@ns_p2p@@

.?AVresource_upload_control_msg@ns_p2p@@

.?AVp2p_data_pipe@ns_p2p@@

.?AVp2p_pipe_base@ns_p2p@@

.?AVbroker_pipe_record@ns_p2p@@

.?AVupload_p2p_pipes@ns_p2p@@

.?AVpending_p2p_pipes@ns_p2p@@

.?AVmsg@p2p_sub_task@ns_p2p@@

.?AVasyn_notify_msg@p2p_sub_task@ns_p2p@@

.?AVmsg@p2phub_tcp_handler@ns_p2p@@

.?AVremove_single_msg@p2phub_tcp_handler@ns_p2p@@

.?AVupdate_single_msg@p2phub_tcp_handler@ns_p2p@@

.?AVp2phub_tcp_handler@ns_p2p@@

.?AVstatistic_report_handler@ns_p2p@@

.?AVp2p_acc_cert_verifier@ns_p2p@@

.?AVcmd_tcp_handler@ns_p2p@@

.?AVquery_p2p_score_tcp_handler@ns_p2p@@

.?AVcmd_udp_handler@ns_p2p@@

.?AVp2phub_udp_handler@ns_p2p@@

.?AVcmd_report_invalid_peer@ns_p2p@@

.?AVp2p_pipe_speed_caculator@ns_p2p@@

.?AVp2p_cmd_base@ns_p2p@@

.?AVp2p_cmd_old@ns_p2p@@

.?AVp2p_cmd_tcp@ns_p2p@@

.?AVp2p_cmd_old_get@ns_p2p@@

.?AVp2p_cmd_request@ns_p2p@@

.?AUIChokePipeUploadScore@@

.?AUIExtraDataPipe@@

.?AUIChokePipe@@

.?AUIP2pDataPipe@@

.?AUIP2pDataPipe2@@

.?AVcmd_report_upload_statistic_resp@ns_p2p@@

.?AVcmd_report_upload_statistic@ns_p2p@@

.?AVcmd_tracker_delete_resp@ns_p2p@@

.?AVtracker_udp_handler@ns_p2p@@

.?AVasyn_tcp_device@ns_p2p@@

.?AVp2p_pipe_manager@ns_p2p@@

.?AVcmd_is_src_online@ns_p2p@@

.?AVcmd_insert_rc@ns_p2p@@

.?AVcmd_delete_rc@ns_p2p@@

.?AVcmd_delete_rc_resp@ns_p2p@@

.?AVcmd_report_rclist@ns_p2p@@

.?AVcmd_p2perrorstat@ns_p2p@@

.?AVcmd_p2perrorstatresp@ns_p2p@@

.?AVcmd_query_self_p2p_score@ns_p2p@@

.?AVcmd_query_self_p2p_score_resp@ns_p2p@@

.?AVp2p_cmd_exception@ns_p2p@@

.?AVp2p_cmd_exception_insufficient_write@ns_p2p@@

.?AVp2p_cmd_exception_insufficient_read@ns_p2p@@

.?AVp2p_cmd_requestresp@ns_p2p@@

.?AVp2p_cmd_old_resp@ns_p2p@@

.?AVp2p_cmd_exception_protocol_ver_too_high@ns_p2p@@

.?AVp2p_cmd_old_connect@ns_p2p@@

.?AVp2p_cmd_old_connectresp@ns_p2p@@

.?AVp2p_cmd_old_getresp@ns_p2p@@

.?AVp2p_cmd_handshake@ns_p2p@@

.?AVp2p_cmd_handshakeresp@ns_p2p@@

.?AVp2p_cmd_interested@ns_p2p@@

.?AVp2p_cmd_notinterested@ns_p2p@@

.?AVp2p_cmd_interestedresp@ns_p2p@@

.?AVp2p_cmd_extradata@ns_p2p@@

.?AVp2p_cmd_extradataresp@ns_p2p@@

.?AVp2p_cmd_cancel@ns_p2p@@

.?AVp2p_cmd_cancelresp@ns_p2p@@

.?AVp2p_cmd_fin@ns_p2p@@

.?AVp2p_cmd_finresp@ns_p2p@@

.?AVp2p_cmd_keepalive1@ns_p2p@@

.?AVp2p_cmd_unknowncmd@ns_p2p@@

.?AVp2p_cmd_choke@ns_p2p@@

.?AVp2p_cmd_unchoke@ns_p2p@@

.?AVcmd_query_p2phub@ns_p2p@@

.?AVcmd_query_p2phub_resp@ns_p2p@@

.?AVcmd_query_tracker@ns_p2p@@

.?AUpeer_res2@cmd_query_tracker_resp@ns_p2p@@

.?AVcmd_query_tracker_resp@ns_p2p@@

.?AVcmd_tracker_delete@ns_p2p@@

.?AVcmd_is_src_online_resp@ns_p2p@@

.?AVcmd_insert_rc_resp@ns_p2p@@

.?AVcmd_report_rclist_resp@ns_p2p@@

.?AUIDataPipeEvents@@

.?AVdata_pipe_wrapper@ns_down_dispatcher@@

.?AVserver_data_pipe@ns_down_dispatcher@@

.?AVpeer_data_pipe@ns_down_dispatcher@@

.?AVcmd_tcp_handler@ns_xl_data@@

.?AVreport_handler@ns_xl_data@@

.?AVcmd_report_statistic_resp@ns_xl_data@@

.?AVcmd_report_statistic@ns_xl_data@@

.?AVCAsynIoOperationEvents@nssc@@

.?AV?$CComObject@VCAsynIoOperationEvents@nssc@@@ATL@@

.?AVasyn_tcp_device_imp@nssc@@

.?AVasyn_udp_device@nssc@@

'0:0`0{0

4I4F4S4`4

8%8S8u8

= =,=2=8=>=

6r7S7o7t7

4T5U5d5

3#393]3}3

9Å¸9i9

4 4$4(4,494

5 5$5(5,505{5

9"9(919?9

6%7,727]7

0%0/090|0

6m6Q6d6v6

9'9-989A9F9S9Y9s9}9

4]5

8Å’8^8n8t879K9

00F0

1%1S1o1

5371979

:.:3:8:&;

4090>0`0

&1?164#8

8Â8W8

2(3-383>3

3!3&333^3

3$3 34494>4

9(;-;2;"?

4 5Y5U5^5c5u5~5

?(?1?:???

6d6C6R6a6p6u6

:$;(;,;0;4;8;

9(9,9094989

5 5$5(5,50545|5

3 3$3(3,3034383

: :$:(:,:0:4:

; ;$;(;,;0;

$0(0,0004080

7(8,8084888

= =$=0=4=8=`=|=

4 4(4,4044484

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

Operate1604

ver = 3.2.1.42

.textbss1U

.idata

httpsProxy

ftpProxy

httpProxy

dwTcpSpeedLimit

ref_url_length

ref_url

url_length

udp_port

tcp_port

strCurrentExeFullPath

strExeFullPath

bug_report_dir

ShExecInfo

cmd_line

hKey

CertInfo

hMsg

XLBugReport_path

hXXp://store.paycenter.uc.cn

mail-attachment.googleusercontent.com

d:\minitp\src\minithunderplatform\src\minithunderplatform\downloadenginemanager.cpp

80000055

d:\minitp\src\minithunderplatform\src\dl_common\common\utility.cpp

_XL_SetAlwaysSendReport@4

_XL_SetReportShowMode@4

_XL_SetBugReportRootDir@4

unknown SDParameterType: %d when SDParameter::encode_data

unknown SDParameterType: %d when SDParameter::decode_data

d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb

RASAPI32.dll

CryptMsgClose

CertCloseStore

CertFreeCertificateContext

CertGetNameStringW

CertFindCertificateInStore

CryptMsgGetParam

CRYPT32.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb

Yv4SSSSh

e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb

minizip.dll

unzOpenCurrentFilePassword

msvcp71.pdb

C?|!%x

\9?|49?|

\|4|

_Wcrtomb

__Wcrtomb_lk

wcrtomb

0 00C0R0b0k0~0

0-1}1@2

2 2(202@2`2

HNetCfg.FwMgr

HNetCfg.FwAuthorizedApplication

HNetCfg.FwOpenPort

d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb

9$9,92979=9

$1014181

> >@>`>

,[!1.2.3

%c%c%c%c%c%c%c%c%c%c

FTpl

u.VV3

codepage:%d

:?\/*|"

?456789:;

!"#$%&'()* ,-./0123

mscoree.dll

d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb

InternetCrackUrlW

HttpQueryInfoW

HttpSendRequestW

HttpOpenRequestW

XLDownloadEngine.dll

2"2.272@2`2

4 4$4(4,4044484

5"6(6,60646>7

7084888

:$:8:<:>

3!5 5 656?6

7-8}8

3 3$3,3@3`3

ext-ms-win-ntuser-windowstation-l1-1-0

\xldl.dll

\download\atl71.dll

\download\dl_peer_id.dll

\download\download_engine.dll

\download\id.dat

\download\MiniThunderPlatform.exe

\download\MiniTPFw.exe

\download\minizip.dll

\download\msvcp71.dll

\download\msvcr71.dll

\download\zlib1.dll

\download\ThunderFW.exe

xldl.dll

[SDK] Load xl down dll pat : %s

\MiniTPFw.exe

MiniTPFw.exe

[SDK] colse xl firewall tips %s %s

@can not load xldl.dll

[SDK] Close_XL_Firewall_Tips result = %s

@[SDK] CMonitorFolder delete file path %s

[SDK] MonitorProcessCallBack hide window ok proccess : %s

[SDK] MonitorReportCallBack callback %d %s

[SDK] Upload Report, PID: %d,Name: %s

[SDK] Stop Upload Report

[DOWN FILE] FileName = %s ,Progress = %.2f%%

[DOWN FILE] Error FileName = %s

[DOWN FILE] success FileName = %s

[RUN FILE] success File = %s

ntdll.dll

Software\Microsoft\Windows\CurrentVersion\Run

[SDK] CMonitorFolder DoFirstRemove %s

[SDK] CMonitorFolder DoFirstRemove Delete File %s

[SDK] CMonitorFolder Thread Run %s

[SDK] CMonitorRegistry Delete Reg %s

[SDK] CMonitorTrayIcon hide tray icon %s ok !

AAdvapi32.dll

7.10.6030.0

MSVCR71.DLL

Visual Studio .NET

!"754$#8

ATL Module for Windows (Unicode)

3, 2, 2, 16

shell32.dll

auto_test.cfg

5,0,2,288

id.dat

dc.ini

MINITP\BugReport\

{C6B7F4D9-8D15-4a48-A722-B54C3D6FCE70}

_67960FC3-A819-4fca-B939-F2B110716584_

{16C9DF46-AAF4-485d-AABE-4FE09E17E524}

%s=%s

%hu%c%hu%c%hu%c%hu

http redirect loop for 5 times

http redirect url is invalid

http header is invalid

xml no key

invalid rsa public key

invalid aes key

\*.dll

XLBugReport.exe

XLBugHandler.dll

%sThumbs.db

Thumbs.db

%s*.*

3.2.1.42

M-%.2d-%.2d%.2d:%.2d:%.2d

\MiniThunderPlatform.exe"

ThunderFW.exe

1, 0, 0, 1

MSVCP71.DLL

2, 0, 0, 4

!"#$%&'()* ,-./012

DLL support by Alessandro Iacopetti & Gilles Vollant

download\MiniThunderPlatform.exe

nkernel32.dll

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

2.0.2.1618

MiniThunderPlatform.exe_1036:

.textbss1U

.text

`.rdata

@.data

.idata

.rsrc

httpsProxy

ftpProxy

httpProxy

dwTcpSpeedLimit

ref_url_length

ref_url

url_length

udp_port

tcp_port

strCurrentExeFullPath

strExeFullPath

bug_report_dir

ShExecInfo

cmd_line

hKey

CertInfo

hMsg

XLBugReport_path

SSSh5

hXXp://store.paycenter.uc.cn

mail-attachment.googleusercontent.com

d:\minitp\src\minithunderplatform\src\minithunderplatform\downloadenginemanager.cpp

80000055

\/:*?"|

d:\minitp\src\minithunderplatform\src\dl_common\common\utility.cpp

_XL_SetAlwaysSendReport@4

_XL_SetReportShowMode@4

_XL_SetBugReportRootDir@4

unknown SDParameterType: %d when SDParameter::encode_data

unknown SDParameterType: %d when SDParameter::decode_data

Kernel32.dll

Run-Time Check Failure #%d - %s

MSPDB71.DLL

PSAPI.DLL

IMAGEHLP.DLL

KERNEL32.DLL

RegCloseKey

RegOpenKeyExA

ADVAPI32.DLL

d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb

||80000360

VERSION.dll

RASAPI32.dll

KERNEL32.dll

USER32.dll

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

MSVCP71.dll

SHLWAPI.dll

MSVCR71.dll

_CRT_RTC_INIT

_wcmdln

_amsg_exit

CryptMsgClose

CertCloseStore

CertFreeCertificateContext

CertGetNameStringW

CertFindCertificateInStore

CryptMsgGetParam

CRYPT32.dll

GetProcessHeap

id.dat

dl_peer_id.dll

dc.ini

download_engine.dll

MINITP\BugReport\

{C6B7F4D9-8D15-4a48-A722-B54C3D6FCE70}

_67960FC3-A819-4fca-B939-F2B110716584_

{16C9DF46-AAF4-485d-AABE-4FE09E17E524}

%s=%s

%hu%c%hu%c%hu%c%hu

http redirect loop for 5 times

http redirect url is invalid

http header is invalid

xml no key

invalid rsa public key

invalid aes key

shell32.dll

\*.dll

XLBugReport.exe

XLBugHandler.dll

%sThumbs.db

Thumbs.db

%s*.*

3.2.1.42

ADSkip.exe_756:

.text

`.rdata

@.data

.rsrc

@.reloc

w%s(

.FAy-

-5-5--678

-[\]^_-7

|$L.uV

.tD8E

%uU9t$Xu?

|$X.uHj

22222222

22222222222222222

|$H%uk

|$H%u'

|$H.uH

%ur9T$

|$H%u

|$L%u

|$T%u-9L$(V

|$D.uZ

~8.uq

~8.uG

<.ta>

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

1.2.8

GetProcessWindowStation

MaxPolicyElementKey

pExecutionResource

%s>

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

BDMNetMon.sys

kisknl.sys

ksapi.sys

kisnetmxp.sys

{C27B22E3-B783-438a-9A89-FB540D1C83FF}

{23D0387D-2353-4DA0-B3F2-BA7F67359928}

{ADCA0512-6548-4D8B-A17C-DC8421EE3109}

{FC25C1A5-ADDF-45E3-A380-C9C1A032AB38}

{DB44A98E-BC3B-4308-810D-9A73D87F7FD1}

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

!!""##$$%%&&''(())** ,,--..//00112233445566778899

CREATE TABLE sqlite_master(

sql text

3.10.0

CREATE TEMP TABLE sqlite_temp_master(

Shell32.dll

%d.%d.%d

6.0.6

Internet Explorer\iexplore.exe

%d.%d.%d.%d

PathFileExists err %d

pid = %d

DeleteFile %ws, err = %d

Could not open file (error %d)

Could not create file mapping object (%d).

Could not map view of file (%d).

SELECT * FROM WINDOWS_FILES WHERE PATH LIKE '%Local State'

Show ads on a webpage

Block an ad by its URL

blink.pzz

cafl.dat

hXXp://bbs.adskiper.com/showthread.php?tid=2

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

RowKey

GetProcessHeap

os_win.c:%d: (%lu) %s(%s) - %s

delayed %dms for lock/sharing conflict at line %d

%s-shm

%s%c%s

recovered %d pages from %s

recovered %d frames from WAL file %s

cannot limit WAL size: %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Offset %d out of range %d..%d

Multiple uses for byte %u of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

unknown database %s

%s(%d)

%s-mjXXXXXX9XXz

MJ delete: %s

MJ collide: %s

-mjX9X

FOREIGN KEY constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

FOREIGN KEY

abort at %d in [%s]: %s

%s constraint failed: %s

%s constraint failed

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open table without rowid: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

%s prohibited in %s

the "." operator

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

hex literal too big: %s

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_parent

%s OR name=%Q

type='trigger' AND (%s)

sqlite_

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_stat1

sqlite_stat3

sqlite_stat4

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

sqlite_%

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

sqlite_detach

sqlite_attach

%s %T cannot reference objects in database %s

%s cannot use variables

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

PRIMARY KEY missing on table %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

cannot create a TEMP index on non-TEMP table "%s"

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

expressions prohibited in PRIMARY KEY and UNIQUE constraints

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

%s.%s

%s.rowid

unable to identify the object to be reindexed

duplicate WITH table name: %s

no such collation sequence: %s

table %s may not be modified

cannot modify %s because it is a view

sqlite_version

sqlite_source_id

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_get

foreign key mismatch - "%w" referencing "%w"

table %S has no column named %s

table %S has %d columns but %d values were supplied

%d values for %d columns

sqlite3_extension_init

unable to open shared library [%s]

sqlite3_

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

defer_foreign_keys

foreign_key_check

foreign_key_list

foreign_keys

*** in database %s ***

NULL value in %s.%s

unsupported encoding: %s

malformed database schema (%s)

%z - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

column%d

%.*z:%u

recursive aggregate queries not supported

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

'%s' is not a function

multiple references to recursive table: %s

circular reference: %s

table %s has %d values for %d columns

multiple recursive references: %s

recursive reference in a subquery: %s

sqlite_sq_%p

too many references to "%s": max 65535

%s.%s.%s

no such table: %s

SCAN TABLE %s%s%s

expected %d columns for '%s' but got %d

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

DELETE FROM %Q.%s WHERE name=%Q AND type='trigger'

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor called recursively: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

ANY(%s)

SUBQUERY %d

TABLE %s

AS %s

PRIMARY KEY

COVERING INDEX %s

INDEX %s

USING INTEGER PRIMARY KEY (rowid%s?)

VIRTUAL TABLE INDEX %d:%s

too many arguments on %s() - max %d

automatic index on %s(%s)

table %s: xBestIndex returned an invalid plan

%s.xBestIndex() malfunction

at most %d tables in a join

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

no such table column: %s.%s

GetLexerCount

GetLexerName

GetLexerFactory

%c%c X X

JOIN

REPORT

Clarion Keywords

fold.at.else

0123456789

01234567

Primary keywords and identifiers

Secondary keywords and identifiers

Documentation comment keywords

Task marker and error marker keywords

styling.within.preprocessor

Set to 0 to disallow the '$' character in identifiers with the cpp lexer.

lexer.cpp.allow.dollars

lexer.cpp.track.preprocessor

lexer.cpp.update.preprocessor

lexer.cpp.verbatim.strings.allow.escapes

lexer.cpp.triplequoted.strings

lexer.cpp.hashquoted.strings

lexer.cpp.backquoted.strings

lexer.cpp.escape.sequence

fold.cpp.syntax.based

This option enables folding multi-line comments and explicit fold points when using the C lexer. Explicit fold points allows adding extra folding by placing a //{ comment at the start and a //} at the end of a section that should fold.

fold.comment

Set this property to 0 to disable folding multi-line comments when fold.comment=1.

fold.cpp.comment.multiline

Set this property to 0 to disable folding explicit fold points when fold.comment=1.

fold.cpp.comment.explicit

fold.cpp.explicit.start

fold.cpp.explicit.end

fold.cpp.explicit.anywhere

This option enables folding preprocessor directives when using the C lexer. Includes C#'s explicit #region and #endregion folding directives.

fold.preprocessor

fold.compact

([{=,:;!%^&*|?~ -

$@\&#{}[]

lexer.css.scss.language

lexer.css.less.language

lexer.css.hss.language

important

Operators

mssql

msgid

msgstr

msgctxt

ps.level

PS Level 1 operators

PS Level 2 operators

PS Level 3 operators

RIP-specific operators

User-defined operators

Keywords

tab.timmy.whinge.level

lexer.python.literals.binary

lexer.python.strings.u

lexer.python.strings.b

lexer.python.strings.over.newline

When enabled, it will not style keywords2 items that are used as a sub-identifier. Example: when set, will not highlight "foo.open" when "open" is a keywords2 item.

lexer.python.keywords2.no.sub.identifiers

This option enables folding multi-line quoted strings when using the Python lexer.

fold.quotes.python

import

cimport

TCL Keywords

TK Keywords

iTCL Keywords

Directive operands

lexer.asm.comment.delimiter

fold.asm.syntax.based

fold.asm.comment.multiline

This option enables folding explicit fold points when using the Asm lexer. Explicit fold points allows adding extra folding by placing a ;{ comment at the start and a ;} at the end of a section that should fold.

fold.asm.comment.explicit

fold.asm.explicit.start

fold.asm.explicit.end

fold.asm.explicit.anywhere

Reserved operators

Set to 0 to disallow the '#' character at the end of identifiers and literals with the haskell lexer (GHC -XMagicHash extension)

lexer.haskell.allow.hash

lexer.haskell.allow.quotes

Set to 1 to allow the '?' character at the start of identifiers with the haskell lexer (GHC & Hugs -XImplicitParams extension)

lexer.haskell.allow.questionmark

Set to 0 to disallow "safe" keyword in imports (GHC -XSafe, -XTrustworthy, -XUnsafe extensions)

lexer.haskell.import.safe

lexer.haskell.cpp

Set to 1 to enable folding of import declarations

fold.haskell.imports

()[]{}:=;-\/&%$! |^?,.*~@

fold.comment.nimrod

fold.quotes.nimrod

area base basefont br col command embed frame hr img input isindex keygen link meta param source track wbr

asp.default.language

fold.html

fold.html.preprocessor

fold.hypertext.comment

fold.hypertext.heredoc

html.tags.case.sensitive

lexer.xml.allow.scripts

lexer.html.mako

lexer.html.django

([{=,:;!%^&*|?~

.xXabcdefABCDEF

JavaScript keywords

VBScript keywords

Python keywords

PHP keywords

SGML and DTD keywords

%D \module

lexer.metapost.comment.process

lexer.metapost.interface.default

Set to 0 to disable folding Pod blocks when using the Perl lexer.

fold.perl.pod

Set to 0 to disable folding packages when using the Perl lexer.

fold.perl.package

fold.perl.comment.explicit

fold.perl.at.else

"$;&`' ,./\%:=~!?@[]

^&\()- =|{}[]:;>,?!.~

\[$@%&* ];

Language Keywords

lexer.caml.magic

!~=@^ -*/()[];,:.#

)]};,'"`#

!$%&* -./:?@^|~

Keywords2

Keywords3

Sequence keywords and identifiers

User defined keywords and identifiers

SQL*Plus

User Keywords 1

User Keywords 2

User Keywords 3

User Keywords 4

This option enables SQL folding on a "ELSE" and "ELSIF" line of an IF statement.

fold.sql.at.else

fold.sql.only.begin

lexer.sql.backticks.identifier

If "lexer.sql.numbersign.comment" property is set to 0 a line beginning with '#' will not be a comment.

lexer.sql.numbersign.comment

Enables backslash as an escape character in SQL.

sql.backslash.escapes

Set to 1 to colourise recognized words with dots (recommended for Oracle PL/SQL objects).

lexer.sql.allow.dotted.word

This option enables folding multi-line comments when using the Verilog lexer.

This option enables folding preprocessor directives when using the Verilog lexer.

fold.verilog.flags

lexer.verilog.track.preprocessor

lexer.verilog.update.preprocessor

Set to 1 to style input, output, and inout ports differently from regular keywords.

lexer.verilog.portstyling

Set to 1 to style identifiers that are all uppercase as documentation keyword.

lexer.verilog.allupperkeywords

lexer.verilog.fold.preprocessor.else

join

join_any

join_none

| || |& & && ; ;; ( ) { }

^&%()- =|{}[]:;>,*/!.~@

Keywords 1

Keywords 2

Keywords 3 (unused)

Keywords 4 (unused)

ReservedKeywords

PragmaKeyswords

DoxygeneKeywords

Major Keywords

Procedure keywords

mysql

Cmdlets

-,.=:\@()

lexer.tex.comment.process

lexer.tex.auto.if

lexer.tex.use.keywords

lexer.tex.interface.default

Unsupported DMIS Minor Words

Unsupported DMIS Major Words

Corresponding keywords for code folding end

Keywords for code folding start

control keywords

keywords

string definition keywords

User defined keywords

Pascal keywords

Predefined keywords

Section keywords and Forth words

nnCrontab keywords

exports

lexer.pascal.smart.highlighting

#$&'()* ,-./:;@[]^{}

operator

,. -*/:;[]()%&

fold.at.Parenthese

fold.at.Begin

Keywords 6

Keywords 5

fold.d.syntax.based

Keywords 7

fold.d.comment.explicit

fold.d.comment.multiline

fold.d.explicit.end

fold.d.explicit.start

fold.d.explicit.anywhere

lexer.d.fold.at.else

nsis.ignorecase

nsis.uservars

PageExEnd

nsis.foldutilcmd

Keyword list 2

Keyword list 1

Keyword list 4

Keyword list 3

Minor keywords (if, then, try, ...)

Major keywords (class, predicates, ...)

Documentation keywords without the '@' (short, detail, ...)

Directive keywords without the '#' (include, requires, ...)

BlitzBasic Keywords

PureBasic PreProcessor Keywords

PureBasic Keywords

FreeBasic PreProcessor Keywords

FreeBasic Keywords

This option enables folding explicit fold points when using the Basic lexer. Explicit fold points allows adding extra folding by placing a ;{ (BB/PB) or '{ (FB) comment at the start and a ;} (BB/PB) or '} (FB) at the end of a section that should be folded.

fold.basic.syntax.based

fold.basic.comment.explicit

fold.basic.explicit.start

fold.basic.explicit.anywhere

fold.basic.explicit.end

B Keywords

A Keywords

Extended Keywords

lexer.flagship.styling.within.preprocessor

.and.

.not.

Keywords Commands

Doxygen keywords

Other keywords

fold.rust.syntax.based

Keywords 4

fold.rust.comment.explicit

fold.rust.comment.multiline

fold.rust.explicit.end

fold.rust.explicit.start

fold.rust.explicit.anywhere

lexer.rust.fold.at.else

function_keywords

.java:

lexer.errorlist.value.separate

lexer.errorlist.escape.sequences

Operation Codes

!?~=@^|& -*/$%()[]{};,:.#

)]};,'"#

Secondary keywords

fold.coffeescript.comment

User keywords

escript.case.sensitive

Functions and special operators

fold.directive

#autoit keywords

#autoit Sent keys

*/- ()={}~[];,.^%:#

lexer.props.allow.initial.spaces

%[^.|&=\/]

23456789*#$

tcmd

fold.comment.yaml

PASSED

TADS3 Keywords

%^&*()- ={}[]:;,/?!.~|\

Keywords and reserved words

Literal operators

[*!~ -*/$=&^|

_~*$?!@/\;,.=:"&`'

E:\4.0

\trunk\ADSafe4.0_new\OutPutFile\Release\ADSafe.pdb

ADSafe.exe

KERNEL32.dll

ExitWindowsEx

GetKeyState

USER32.dll

GDI32.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHDeleteKeyW

SHLWAPI.dll

PSAPI.DLL

gdiplus.dll

?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@MAEJI@Z

?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z

?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B

?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ

?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z

DuiLib.dll

RPCRT4.dll

WTSAPI32.dll

VERSION.dll

FindFirstUrlCacheEntryW

DeleteUrlCacheEntryW

FindNextUrlCacheEntryW

FindCloseUrlCache

WININET.dll

IMM32.dll

GetCPInfo

GetKeyboardLayout

MsgWaitForMultipleObjects

zcÃ

1.0.523.2104

.?AVunsupported_os@Concurrency@@

.?AVinvalid_scheduler_policy_key@Concurrency@@

.?AVinvalid_oversubscribe_operation@Concurrency@@

.?AUITopologyExecutionResource@Concurrency@@

.?AUIExecutionContext@Concurrency@@

.?AVExecutionResource@details@Concurrency@@

.?AUIExecutionResource@Concurrency@@

.?AV?$_Func_impl@U?$_Callable_obj@V@@$0A@@std@@V?$allocator@V?$_Func_class@XW4MsgBoxRet@@@std@@@2@XW4MsgBoxRet@@@std@@

.?AV?$_Func_base@XW4MsgBoxRet@@@std@@

.?AVCMsgBox@@

.?AVCMsgDelayHandle@@

.?AVinvalid_operation@Concurrency@@

.?AURegexError@@

.?AVDocumentIndexer@?A0x6a166ef8@@

.?AVCharacterIndexer@@

.?AVExternalLexerModule@@

.?AVLexerModule@@

.?AVILexerWithSubStyles@@

.?AVLexerCPP@@

.?AUOptionSetCPP@?A0x8efaeb54@@

.?AVILexer@@

.?AVLexerPython@@

.?AVLexerAsm@@

.?AVLexerHaskell@@

.?AVLexerPerl@@

.?AUOptionSetSQL@@

.?AVLexerSQL@@

.?AV?$OptionSet@UOptionsSQL@@@@

.?AVLexerVerilog@@

.?AVLexerRegistry@@

.?AVLexerDMIS@@

.?AVLexerD@@

.?AVLexerVisualProlog@@

.?AVLexerBasic@@

.?AVLexerRust@@

.?AVLexerLaTeX@@

.?AVLexerBase@@

.?AVLexerSimple@@

about.png}RY

about_back.png

add_rules_top.png

bkimage.png

w.xb?

bottom_layout.png

btn_add.png

btn_add_filter.png}T

%5xDf

btn_cancel.png}V{XRw

btn_cancle.png}S[h

btn_close.png}R{

btn_filterlist_add.pngM

btn_filter_cancel.png}Tk8

btn_filter_update.png}R

btn_main.png}R

btn_send.png

btn_submit.png}T{

btn_update_code.png}R

btn_version_click.png

btn_version_normal.png

checkbox.png}R

code_enter.png

customize.png

DlgAbout.xml

DlgAddRules.xml

DlgFilterAdd.xml

DlgMsgBox_Skip.xml

dlgset_btn.png

DlgSkip.xml

DlgUpdate_Skip.xml

email.png

Filterlists.png}R

filter_inner_bck.png

filter_top.png

filter_type.png}V{8

font.xml

green_filter_type.png

headtext_customize.png

h.xO7

headtext_filters.png

headtext_settings.png

hint.png

input.png

layout_bk_left.png

:(%s~

<.udn>

t,R!G.cH

list_arrow.png

list_CustomRule.xml

list_custom_close.png}S[H

list_custom_line.png

list_delete.png}Rw

tI3%U

list_filter.xmlm

list_rulekind.xml

logo.png

main_left_logo.png

main_left_opt_selected.png

main_line.png

menu/bk_top.png

Ã*m52

menu/check.png}VgXSg

menu/help.png}TwXSw

menu/open.png}Vy8

menu/quit.png}Ty8TQ

menu_adskip_tray.xml

Ã‡zc

message_box.png

opt.png

opt_ok.png

progressb.png

progressf.png

refresh.png

scrollbar/scrollbar.xml

scrollbar/scrollbar_bk.png

scrollbar/scrollbar_thumb.png

select_line.png

Settings.png

subject_hot.png

subject_normal.png

Support.png}R

tab_customize.xml

tab_filterlist.xml

tab_settings.xml

tab_support.xml

text_filter_type.png}S}

title_customize.png

a9Ã™

4;9%dm

nI%D

title_filterlist.png

title_settings.png

DHN%U

UN%Ufr

Ss7wEb~_

L%Ud[d

a;9L2

Tm.jR

title_support.png

top.png

top_about.png

%uI4Z

triangle.png}SMh

update_complete.png

update_failed.png

verification_code.png

white_filter_type.png}TwTSw

about.png

btn_add_filter.png

btn_cancel.png

btn_cancle.png

btn_close.png

btn_filterlist_add.png

btn_filter_cancel.png

btn_filter_update.png

btn_main.png

btn_submit.png

btn_update_code.png

checkbox.png

Filterlists.png

filter_type.png

list_custom_close.png

list_delete.png

list_filter.xml

menu/check.png

menu/help.png

menu/open.png

menu/quit.png

Support.png

text_filter_type.png

triangle.png

white_filter_type.png

7%7S7

7#7*71787?7^7

6h6D6U6a6r6~6

=&>0>)?3?

3'41464?4

1(2,20242

5#5*5/5=5^5

:!:&:4:=:

:$:):7:@:

9 9$9(9,9

1 1$1(1,1014181

0 0$0(0,0

949'>2>:>

= =$=(=,=

.04080

0"1/181\1

? ?$?(?,?0?4?8?

1$1(1,10173

1$1=1`1}1

1 1$1(1,101

:$;(;,;0;4;8;

8 8$8(8,80848

7 7$7(7,7074787

4 4$4(4,4

> >$>(>,>0>4>8>

3 3$3(3,3@3`3

> >@>\>`>

3$3,343

combase.dll

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

advapi32.dll

portuguese-brazilian

USER32.DLL

nWebPageADCount

iWebPageADTime

YssShare

HeapSetInformation Fail ERR=(%d)

%u:0xx

g:0xx

Private_%u_

CShareObject init osver=%d %d

%sMAP_%s

CreateFileMapping %s Fail err=%d...

initWin7 %s obj=%s Ok

%sMUTEX_%s

CreateMutex %s Fail...

initWin7 obj=%s ok

Advapi32.dll

kernel32.dll

askProtect64.sys

askProtect.sys

\\.\askProtect

adb.exe

askComm.dll

The Key Components of ADSKIP Updated Successfully. Please Restart your PC.

askUpdate.dll

{904D6AEE-646A-44E6-ABCE-6BAC8CEA45A2}

Global\%s

Key files missing, please reinstall Adskip!

action.txt

00050000

00020127

ADSkipSvc.exe

%s\%s\

0explorer.exe

%s\%s

http\shell\open\command

oWin81_%d

Win2012_%d

Win8_%d

Win10_%d

Win7_%d

Win2008_%d

WinVista_%d

Win2003_%d

WinXP_%d

Win2000_%d

ADSkip.exe

Baidu\BaiduBrowser\user_data\default\chrome_profile\Cache

Google\Chrome\User Data\Default\Cache

Temp\Maxthon3Cache\Temp\Webkit\Cache

Tencent\QQBrowser\ChromeTab\User Data\Default\Cache

SogouExplorer\Webkit\Default\Cache

Opera Software\Opera Stable\Cache

360Chrome\Chrome\User Data\Default\Cache

115Chrome\User Data\Default\Cache

2345explorer.exe

360se.exe

360chrome.exe

ucbrowser.exe

baidubrowser.exe

chrome.exe

firefox.exe

sogouexplorer.exe

qqbrowser.exe

maxthon.exe

liebao.exe

opera.exe

theworld.exe

115chrome.exe

taobrowser.exe

YDlgAbout.xml

AhXXp://VVV.adskiper.com/license.html#license

bbs.adskiper.com

VVV.adskiper.com

@DlgAddRules.xml

\CustomRule.txt

@DlgBackUpWait.xml

2345Explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Application Data\360Chrome\Chrome\User Data\Default\CacheIE

UCBrowser.exe

\Baidu\BaiduBrowser\user_data\default\settings\user_setting.db

\Mozilla\Firefox\Profiles

*.default*

SogouExplorer.exe

\SogouExplorer\commcfg.xml

Opera

TheWorld.exe

115Chrome.exe

yyexplorer.exe

\YYExplorer\User Data\resource.db

Software\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

pd.user_setting_cache_dir

BCMsgBox

DlgMsgBox

Last updated at %s

opt_support

hXXps://

hXXp://

00020129

%s%d%s

hack.ini

%H:%M:%S %m/%d/%Y

szReport_log

max.aquadzign@mail.com

@5FA7598D-51CD-4B56-84CB-7A996C28CE51.png

Xblue\optimize_center.png

blue\optimize_outside.png

msimg32.dll

file='right.png' dest='364,2,376,14'

file='right.png' dest='368,16,381,29'

file='right.png' dest='372,26,387,42'

file='right.png' dest='380,40,397,57'

Cblue/Windmill_leaf.png

CCrashHandler.dll

askMisc.dll

askWfd.dll

askMain.dll

askRules.dll

user32.dll

Shlwapi.dll

Id:%d

shell32.dll

sShell_TrayWnd

VisualStudioEditorOperationsLineCutCopyClipboardTag

rcomctl32.dll

LD2D1.DLL

DWRITE.DLL

Nmshjdic.hanjadic

%Program Files%\ADSKIP\ADSkip.exe

bfile='right.png' dest='364,2,376,14'

bfile='right.png' dest='368,16,381,29'

bfile='right.png' dest='372,26,387,42'

bfile='right.png' dest='380,40,397,57'

ADSkipSvc.exe_2396:

.text

`.rdata

@.data

.rsrc

@.reloc

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

GetProcessWindowStation

operator

E:\4.0

\trunk\ADSafe4.0_new\OutPutFile\Release\ADSafeSvc.pdb

GetProcessHeap

KERNEL32.dll

ReportEventW

ADVAPI32.dll

SHELL32.dll

SHLWAPI.dll

WTSAPI32.dll

USERENV.dll

Secur32.dll

GetCPInfo

zcÃ

9 9$9(9,90949~9

6%6S6f6

3 3-363/4

0 0$0(0,000

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

explorer.exe

nkernel32.dll

%s failed with %d

{DB44A98E-BC3B-4308-810D-9A73D87F7FD1}

Global\ADSafe%s%s

winlogon.exe

%s\%s

"%s" %s

ADSafe.exe

{904D6AEE-646A-44E6-ABCE-6BAC8CEA45A2}

Global\%s

ADSkip.exe

%Program Files%\ADSKIP\ADSkipSvc.exe

1.0.511.2101

UCService.exe_3608:

.text

`.rdata

@.data

.rsrc

@.reloc

9passZ

PSSSSSSh

SSSSh

j.Xf9

8j.Xf;

j.Yf;

_tcPVj@

.PjRW

stats-url

os=%d.%d.%d(sp%d.%d)

5.6.13381.9

module_code=%d.%d&error_code=%d&customized_data=%s

bluesky.1.19.1.1.6

hXXps://mmstat.ucweb.com/bluesky.

>4%8$81#

'';>46#>89

90$81#

{]wwwwwwu2!6;"6#>89umwu6;#2%u{]wwwwwwu#6#umwu

$$84>6#>89$

iu{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

02#!6;u{]wwwwwwu2!6;"6#>89umwu6;#2%u{]wwwwwwu#6#umwu

u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

u{]wwwwwwu64#8%umwuu]wwww*]ww

5%8 $2%umw

4u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwu}

edcb2/';8%2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

;>2568y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

56>3"5%8 $2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

$808"2/';8%2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

dag$2y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

dag4?%8:2y2/2}u{]wwwwwwu64#8%umwuu]wwww*]ww

{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur

ru{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu

#%"946#2u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur

ru{]wwwwwwu64#8%umwuu{]wwwwwwu8'#>89$umw,]wwwwwwwwu'%8:'#

%2:8!2u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_durex_default_browser_pretender.cc

https

explorer.exe

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_force_default_browser_enabler.cc

libucguard.dll

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_huorong_api_wrapper.cc

ucsvc_config.dat

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_persistent_store.cc

Loading config. msg:

guarder_option.policy_version

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_proxy_delegate.cc

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_security_driver_controller.cc

REG_openkey

REG_mkkey

REG_rmkey

REG_mvkey

REG_rstrkey

\\.\Pipe\TerminalServer\SystemExecSrvr\%d

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\public\wow_launch_process_with_token.cc

check-product-exe-interval

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_elevated_process_delegate.cc

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_nt_service.cc

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_nt_service_impl.cc

Current process is windows service.

Cannot create CommandExecutionDelegate.

&cmd=

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_process_restrictions.cc

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_proxy_process_delegate.cc

Global\UCSvc.{1BF734CB-9BDA-4074-A109-3B2A6707B336}

Global\DHCPServer.{1BF734CB-9BDA-4074-A109-3B2A6707B336}

d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_service_process_delegate.cc

Failed to reply message. execution result:

Failed to get the dir of current exe.

0123456789

0123456789:

d:\webapps\b\build\slave\repo\build\src\wow\base\stats\wow_stats_helper.cc

1.19.1.2.1_SysEvent

1.19.1.3.1_SysEvent

1.19.1.3.2_SysEvent

4.1.4.1.6_SysEvent

10.1.1.1.1_SysEvent

d:\webapps\b\build\slave\repo\build\src\wow\base\wow_shared_memory_ipc_channel.cc

.read

.write

d:\webapps\b\build\slave\repo\build\src\wow\base\win\wow_priviledge_utils.cc

d:\webapps\b\build\slave\repo\build\src\wow\base\win\wow_machine_info_utils_win.cc

wow wow_base::MachineInfoUtils::GetCPUBrand

\\.\PhysicalDrive%d

\\.\Scsi%d:

Drive%dModelNumber

Drive%dSerialNumber

DriveÃœontrollerRevisionNumber

DriveÃœontrollerBufferSize

Drive%dType

windowsZones

?#%X.y

GetProcessWindowStation

operator

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

icudtl.dat is not exists!

d:\webapps\b\build\slave\repo\build\src\base\files\memory_mapped_file.cc

icudtl.dat exists, but Initialize failed.

ICU.Initialize

MsgLoop:

d:\webapps\b\build\slave\repo\build\src\base\win\shortcut.cc

PlatformFile.UnknownErrors.Windows

\uX

Line: %i, column: %i, %s

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

Chrome.MessageLoopProblem

KeyDown

Chrome_WidgetWin

Chrome_RenderWidgetHostHWND

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

disabled-by-default-toplevel.flow

(%d = %3.1f%%)

WorkerThread-%d

.syzygy

.thunks

"%d":

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc

renderer.scheduler

disabled-by-default-cc.debug.picture

disabled-by-default-cc.debug

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

%s/%s

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

%d:%s

D:\webapps\b\build\slave\repo\build\src\out\Release\UCService.exe.pdb

UCService.exe

USERENV.dll

WINTRUST.dll

WTSAPI32.dll

InternetOpenUrlW

WININET.dll

VERSION.dll

PSAPI.DLL

WINMM.dll

SHLWAPI.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

ADVAPI32.dll

WaitNamedPipeW

GetWindowsDirectoryW

CreateIoCompletionPort

GetProcessHeap

KERNEL32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

EnumDesktopWindows

OpenWindowStationA

EnumWindowStationsA

CloseWindowStation

MsgWaitForMultipleObjectsEx

CallMsgFilterW

USER32.dll

NETAPI32.dll

GetCPInfo

zcÃ

&ka=&kb=d2713585a62dd2677f88d0fff85b3fe7&kc=c0ed19538daa6d6db815ffd0b1233981v000000253f20c75&firstpid=0501&bid=800&ver=5.6.13381.9

%Program Files%\UCBrowser\Application\UCService.exe

;";';.;~;

2 262@2

2.34383

%0U0r0

333D3J3P3W3f3

0 0$0(0,0004080

3 3$3(3,303

*2.22262

2 2$2(2,2024282034383

7 7$7(7,7

stats_uploader.exe

.ProgId

UCBrowser.exe

.Hash

\https\

\http\

%s%s%s%s

@EXEC_create

bqqurlmgr.exe

qq.exe

services.exe

UC_BROWSER_EXE

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

new_UCService.exe

old_UCService.exe

UCAgent.exe

Aucsvc.log

resources.pak

chrome_100_percent.pak

chrome_200_percent.pak

hXXp://testenv.ucbrowser-dWNicm93c2Vy.local

molt.log

setup.exe

.\\.\X:

000000000003

Fmscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

portuguese-brazilian

kernel32.dll

Ndebug.log

ntdll.dll

icudtl.dat

\StringFileInfo\xx\%ls

shell32.dll

BChrome_MessagePumpWindow_%p

ASOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Advapi32.dll

UCWeb Inc.

1.0.0.0

UCBrowser.exe_328:

.text

`.rdata

@.data

@.rsrc

@.reloc

SHA256 block transform for x86, CRYPTOGAMS by

HtdHtHHHt.HH

j.Yf;

_tcPVj@

.PjRW

d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc

d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded from

Could not find exported function

MetricsReportingEnabled

1.3.21.115

Chrome

0.0.0.0-devel

font_key_name

url-chunk

subresource_url

%s-%x

CHROME_MAIN_TICKS

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc

No valid Chrome version found

chrome-sxs

Cannot initialize AppCommands from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc

Failed to open key "

Skipping over key "

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc

Cannot initialize an AppCommand from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc

kernel32.dll

d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc

CreateNamedPipeW

NtCreateKey

NtOpenKey

NtOpenKeyEx

CHROME_VERSION

CHROME_METRO_CONNECTED

CHROME_CRASHED

CHROME_RESTART

CHROME_BREAKPAD_PIPE_NAME

d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc

stats-url-exit

stats-url-browser-hang

stats-url

\UCBrowser\User Data\chrome_debug.log

origin breakpad::SetCrashKeyValueImpl

NTDLL.DLL

dbghelp.dll

SHELL32.dll

ole32.dll

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

?#%X.y

GetProcessWindowStation

operator

@-@-@-@-

@-@-@-@-@-@-@-@-

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

%s-%Iu

(%d = %3.1f%%)

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

PlatformFile.UnknownErrors.Windows

user32.dll

WorkerThread-%d

.thunks

.syzygy

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

"%d":

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc

renderer.scheduler

disabled-by-default-cc.debug.picture

disabled-by-default-cc.debug

disabled-by-default-toplevel.flow

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

%s/%s

MsgLoop:

\uX

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

%d:%s

Chrome.MessageLoopProblem

KeyDown

Chrome_WidgetWin

Chrome_RenderWidgetHostHWND

full-memory-crash-report

D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb

chrome.exe

ClearBreakpadPipeEnvironmentVariable

ClearCrashKeyValueImpl

SetCrashKeyValueImpl

SignalChromeElf

chrome_elf.dll

VERSION.dll

WINMM.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

MsgWaitForMultipleObjectsEx

CallMsgFilterW

CloseWindowStation

CreateWindowStationW

SetProcessWindowStation

USER32.dll

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

GetProcessHandleCount

KERNEL32.dll

USERENV.dll

GetCPInfo

SetNamedPipeHandleState

TransactNamedPipe

WaitNamedPipeW

zcÃ

UUVQcrtw

r%s @

nq.af

444444444444

474747474747

777777777777

777//6()/777

.mmm,Y

0000000000000000000

z.sa;

.gaB|s

D[%1x

>EÂu

.vXZZ

.lecIS

?(.Ul

.WbqfL

8 8'868=8

1*11181`2

>$?=?]?}?

?%?0?9?@?

>(>2>9>~>

=">(>,>0>4>

5!5%5)5-51555

7,858@8{8

9 9(90989@9

5 5$5(5,5054585

: :$:(:,:0:4:

config_updater.dll

updater.dll

chrome_watcher.dll

chrome.dll

chrome_child.dll

UCBrowser.exe

metro_driver.dll

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Browse the web

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Software\Microsoft\Windows\CurrentVersion\Uninstall\

-chrome

-chromeframe

WebAccessible

E{65122CB0-EA0F-47DF-A953-017170ED12F9}

WebKit

Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

ntdll.dll

pipe\

Ekernel32.dll

kernelbase.dll

\Sessions\%d\AppContainerNamedObjects\%ls

ALPC Port

eKey

Fkernel32.dll

gdi32.dll

xntdll.dll

wow_helper.exe"

Crash Reports

script.log

resources.pak

chrome

pepflashplayer.dll

\\.\pipe\GoogleCrashServices\

\\.\pipe\UCBrowserCrashServices

error %u

%d.%d.%d.%d

unspecified-crash-key

stats_uploader.exe

Gmscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

rpcrt4.dll

%s\%s.dmp

x-x-x-xx-xxxxxx

mshtml.dll

\uninstall.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD

Ndebug.log

BCmdLine

\StringFileInfo\xx\%ls

Chrome_MessageWindow

Ntdll.dll

Advapi32.dll

shell32.dll

DChrome_MessagePumpWindow_%p

Chrome Frame

{49AE23F3-CF25-4041-9387-DC9D1B578555}

{EE1C56C8-D145-437E-A83F-74406D742719}

%Program Files%\UCBrowser\Application\UCBrowser.exe

UCWeb Inc.

5.6.13381.9

chrome_exe

UCBrowser.exe_2132:

.text

`.rdata

@.data

@.rsrc

@.reloc

SHA256 block transform for x86, CRYPTOGAMS by

HtdHtHHHt.HH

j.Yf;

_tcPVj@

.PjRW

d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc

d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded from

Could not find exported function

MetricsReportingEnabled

1.3.21.115

Chrome

0.0.0.0-devel

font_key_name

url-chunk

subresource_url

%s-%x

CHROME_MAIN_TICKS

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc

No valid Chrome version found

chrome-sxs

Cannot initialize AppCommands from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc

Failed to open key "

Skipping over key "

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc

Cannot initialize an AppCommand from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc

kernel32.dll

d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc

CreateNamedPipeW

NtCreateKey

NtOpenKey

NtOpenKeyEx

CHROME_VERSION

CHROME_METRO_CONNECTED

CHROME_CRASHED

CHROME_RESTART

CHROME_BREAKPAD_PIPE_NAME

d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc

stats-url-exit

stats-url-browser-hang

stats-url

\UCBrowser\User Data\chrome_debug.log

origin breakpad::SetCrashKeyValueImpl

NTDLL.DLL

dbghelp.dll

SHELL32.dll

ole32.dll

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

?#%X.y

GetProcessWindowStation

operator

@-@-@-@-

@-@-@-@-@-@-@-@-

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

%s-%Iu

(%d = %3.1f%%)

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

PlatformFile.UnknownErrors.Windows

user32.dll

WorkerThread-%d

.thunks

.syzygy

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

"%d":

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc

renderer.scheduler

disabled-by-default-cc.debug.picture

disabled-by-default-cc.debug

disabled-by-default-toplevel.flow

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

%s/%s

MsgLoop:

\uX

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

%d:%s

Chrome.MessageLoopProblem

KeyDown

Chrome_WidgetWin

Chrome_RenderWidgetHostHWND

full-memory-crash-report

D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb

chrome.exe

ClearBreakpadPipeEnvironmentVariable

ClearCrashKeyValueImpl

SetCrashKeyValueImpl

SignalChromeElf

chrome_elf.dll

VERSION.dll

WINMM.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

MsgWaitForMultipleObjectsEx

CallMsgFilterW

CloseWindowStation

CreateWindowStationW

SetProcessWindowStation

USER32.dll

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

GetProcessHandleCount

KERNEL32.dll

USERENV.dll

GetCPInfo

SetNamedPipeHandleState

TransactNamedPipe

WaitNamedPipeW

zcÃ

UUVQcrtw

r%s @

nq.af

444444444444

474747474747

777777777777

777//6()/777

.mmm,Y

0000000000000000000

z.sa;

.gaB|s

D[%1x

>EÂu

.vXZZ

.lecIS

?(.Ul

.WbqfL

8 8'868=8

1*11181`2

>$?=?]?}?

?%?0?9?@?

>(>2>9>~>

=">(>,>0>4>

5!5%5)5-51555

7,858@8{8

9 9(90989@9

5 5$5(5,5054585

: :$:(:,:0:4:

config_updater.dll

updater.dll

chrome_watcher.dll

chrome.dll

chrome_child.dll

UCBrowser.exe

metro_driver.dll

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Browse the web

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Software\Microsoft\Windows\CurrentVersion\Uninstall\

-chrome

-chromeframe

WebAccessible

E{65122CB0-EA0F-47DF-A953-017170ED12F9}

WebKit

Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

ntdll.dll

pipe\

Ekernel32.dll

kernelbase.dll

\Sessions\%d\AppContainerNamedObjects\%ls

ALPC Port

eKey

Fkernel32.dll

gdi32.dll

xntdll.dll

wow_helper.exe"

Crash Reports

script.log

resources.pak

chrome

pepflashplayer.dll

\\.\pipe\GoogleCrashServices\

\\.\pipe\UCBrowserCrashServices

error %u

%d.%d.%d.%d

unspecified-crash-key

stats_uploader.exe

Gmscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

rpcrt4.dll

%s\%s.dmp

x-x-x-xx-xxxxxx

mshtml.dll

\uninstall.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD

Ndebug.log

BCmdLine

\StringFileInfo\xx\%ls

Chrome_MessageWindow

Ntdll.dll

Advapi32.dll

shell32.dll

DChrome_MessagePumpWindow_%p

Chrome Frame

{49AE23F3-CF25-4041-9387-DC9D1B578555}

{EE1C56C8-D145-437E-A83F-74406D742719}

%Program Files%\UCBrowser\Application\UCBrowser.exe

UCWeb Inc.

5.6.13381.9

chrome_exe

UCBrowser.exe_2680:

.text

`.rdata

@.data

@.rsrc

@.reloc

SHA256 block transform for x86, CRYPTOGAMS by

HtdHtHHHt.HH

j.Yf;

_tcPVj@

.PjRW

d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc

d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded from

Could not find exported function

MetricsReportingEnabled

1.3.21.115

Chrome

0.0.0.0-devel

font_key_name

url-chunk

subresource_url

%s-%x

CHROME_MAIN_TICKS

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc

No valid Chrome version found

chrome-sxs

Cannot initialize AppCommands from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc

Failed to open key "

Skipping over key "

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc

Cannot initialize an AppCommand from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc

kernel32.dll

d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc

CreateNamedPipeW

NtCreateKey

NtOpenKey

NtOpenKeyEx

CHROME_VERSION

CHROME_METRO_CONNECTED

CHROME_CRASHED

CHROME_RESTART

CHROME_BREAKPAD_PIPE_NAME

d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc

stats-url-exit

stats-url-browser-hang

stats-url

\UCBrowser\User Data\chrome_debug.log

origin breakpad::SetCrashKeyValueImpl

NTDLL.DLL

dbghelp.dll

SHELL32.dll

ole32.dll

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

?#%X.y

GetProcessWindowStation

operator

@-@-@-@-

@-@-@-@-@-@-@-@-

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

%s-%Iu

(%d = %3.1f%%)

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

PlatformFile.UnknownErrors.Windows

user32.dll

WorkerThread-%d

.thunks

.syzygy

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

"%d":

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc

renderer.scheduler

disabled-by-default-cc.debug.picture

disabled-by-default-cc.debug

disabled-by-default-toplevel.flow

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

%s/%s

MsgLoop:

\uX

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

%d:%s

Chrome.MessageLoopProblem

KeyDown

Chrome_WidgetWin

Chrome_RenderWidgetHostHWND

full-memory-crash-report

D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb

chrome.exe

ClearBreakpadPipeEnvironmentVariable

ClearCrashKeyValueImpl

SetCrashKeyValueImpl

SignalChromeElf

chrome_elf.dll

VERSION.dll

WINMM.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

MsgWaitForMultipleObjectsEx

CallMsgFilterW

CloseWindowStation

CreateWindowStationW

SetProcessWindowStation

USER32.dll

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

GetProcessHandleCount

KERNEL32.dll

USERENV.dll

GetCPInfo

SetNamedPipeHandleState

TransactNamedPipe

WaitNamedPipeW

zcÃ

UUVQcrtw

r%s @

nq.af

444444444444

474747474747

777777777777

777//6()/777

.mmm,Y

0000000000000000000

z.sa;

.gaB|s

D[%1x

>EÂu

.vXZZ

.lecIS

?(.Ul

.WbqfL

8 8'868=8

1*11181`2

>$?=?]?}?

?%?0?9?@?

>(>2>9>~>

=">(>,>0>4>

5!5%5)5-51555

7,858@8{8

9 9(90989@9

5 5$5(5,5054585

: :$:(:,:0:4:

config_updater.dll

updater.dll

chrome_watcher.dll

chrome.dll

chrome_child.dll

UCBrowser.exe

metro_driver.dll

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Browse the web

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Software\Microsoft\Windows\CurrentVersion\Uninstall\

-chrome

-chromeframe

WebAccessible

E{65122CB0-EA0F-47DF-A953-017170ED12F9}

WebKit

Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

ntdll.dll

pipe\

Ekernel32.dll

kernelbase.dll

\Sessions\%d\AppContainerNamedObjects\%ls

ALPC Port

eKey

Fkernel32.dll

gdi32.dll

xntdll.dll

wow_helper.exe"

Crash Reports

script.log

resources.pak

chrome

pepflashplayer.dll

\\.\pipe\GoogleCrashServices\

\\.\pipe\UCBrowserCrashServices

error %u

%d.%d.%d.%d

unspecified-crash-key

stats_uploader.exe

Gmscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

rpcrt4.dll

%s\%s.dmp

x-x-x-xx-xxxxxx

mshtml.dll

\uninstall.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD

Ndebug.log

BCmdLine

\StringFileInfo\xx\%ls

Chrome_MessageWindow

Ntdll.dll

Advapi32.dll

shell32.dll

DChrome_MessagePumpWindow_%p

Chrome Frame

{49AE23F3-CF25-4041-9387-DC9D1B578555}

{EE1C56C8-D145-437E-A83F-74406D742719}

%Program Files%\UCBrowser\Application\UCBrowser.exe

UCWeb Inc.

5.6.13381.9

chrome_exe

UCBrowser.exe_3468:

.text

`.rdata

@.data

@.rsrc

@.reloc

SHA256 block transform for x86, CRYPTOGAMS by

HtdHtHHHt.HH

j.Yf;

_tcPVj@

.PjRW

d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc

d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded from

Could not find exported function

MetricsReportingEnabled

1.3.21.115

Chrome

0.0.0.0-devel

font_key_name

url-chunk

subresource_url

%s-%x

CHROME_MAIN_TICKS

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc

No valid Chrome version found

chrome-sxs

Cannot initialize AppCommands from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc

Failed to open key "

Skipping over key "

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc

Cannot initialize an AppCommand from an invalid key.

d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc

kernel32.dll

d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc

CreateNamedPipeW

NtCreateKey

NtOpenKey

NtOpenKeyEx

CHROME_VERSION

CHROME_METRO_CONNECTED

CHROME_CRASHED

CHROME_RESTART

CHROME_BREAKPAD_PIPE_NAME

d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc

stats-url-exit

stats-url-browser-hang

stats-url

\UCBrowser\User Data\chrome_debug.log

origin breakpad::SetCrashKeyValueImpl

NTDLL.DLL

dbghelp.dll

SHELL32.dll

ole32.dll

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

?#%X.y

GetProcessWindowStation

operator

@-@-@-@-

@-@-@-@-@-@-@-@-

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc

tracing/thread_%d

[0;3%dm

d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc

%s-%Iu

(%d = %3.1f%%)

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

Histogram: %s recorded %d samples

(flags = 0x%x)

PlatformFile.UnknownErrors.Windows

user32.dll

WorkerThread-%d

.thunks

.syzygy

d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc

"%d":

d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc

renderer.scheduler

disabled-by-default-cc.debug.picture

disabled-by-default-cc.debug

disabled-by-default-toplevel.flow

d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc

%s/%s

MsgLoop:

\uX

d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc

%d:%s

Chrome.MessageLoopProblem

KeyDown

Chrome_WidgetWin

Chrome_RenderWidgetHostHWND

full-memory-crash-report

D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb

chrome.exe

ClearBreakpadPipeEnvironmentVariable

ClearCrashKeyValueImpl

SetCrashKeyValueImpl

SignalChromeElf

chrome_elf.dll

VERSION.dll

WINMM.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

MsgWaitForMultipleObjectsEx

CallMsgFilterW

CloseWindowStation

CreateWindowStationW

SetProcessWindowStation

USER32.dll

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

GetProcessHandleCount

KERNEL32.dll

USERENV.dll

GetCPInfo

SetNamedPipeHandleState

TransactNamedPipe

WaitNamedPipeW

zcÃ

UUVQcrtw

r%s @

nq.af

444444444444

474747474747

777777777777

777//6()/777

.mmm,Y

0000000000000000000

z.sa;

.gaB|s

D[%1x

>EÂu

.vXZZ

.lecIS

?(.Ul

.WbqfL

8 8'868=8

1*11181`2

>$?=?]?}?

?%?0?9?@?

>(>2>9>~>

=">(>,>0>4>

5!5%5)5-51555

7,858@8{8

9 9(90989@9

5 5$5(5,5054585

: :$:(:,:0:4:

config_updater.dll

updater.dll

chrome_watcher.dll

chrome.dll

chrome_child.dll

UCBrowser.exe

metro_driver.dll

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Browse the web

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Software\Microsoft\Windows\CurrentVersion\Uninstall\

-chrome

-chromeframe

WebAccessible

E{65122CB0-EA0F-47DF-A953-017170ED12F9}

WebKit

Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

ntdll.dll

pipe\

Ekernel32.dll

kernelbase.dll

\Sessions\%d\AppContainerNamedObjects\%ls

ALPC Port

eKey

Fkernel32.dll

gdi32.dll

xntdll.dll

wow_helper.exe"

Crash Reports

script.log

resources.pak

chrome

pepflashplayer.dll

\\.\pipe\GoogleCrashServices\

\\.\pipe\UCBrowserCrashServices

error %u

%d.%d.%d.%d

unspecified-crash-key

stats_uploader.exe

Gmscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

rpcrt4.dll

%s\%s.dmp

x-x-x-xx-xxxxxx

mshtml.dll

\uninstall.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD

Ndebug.log

BCmdLine

\StringFileInfo\xx\%ls

Chrome_MessageWindow

Ntdll.dll

Advapi32.dll

shell32.dll

DChrome_MessagePumpWindow_%p

Chrome Frame

{49AE23F3-CF25-4041-9387-DC9D1B578555}

{EE1C56C8-D145-437E-A83F-74406D742719}

%Program Files%\UCBrowser\Application\UCBrowser.exe

UCWeb Inc.

5.6.13381.9

chrome_exe

UCBrowser.exe_2680_rwx_0730A000_000F5000:

jJh%u