HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.2621 (B) (Emsisoft), Gen:Variant.Barys.2621 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 50c967eef42832cb79c8740229bf6cab
SHA1: 4ddccd3c4734d67e0d56b94a913ea7999d433126
SHA256: e42c4e438e216699e7fbcf9717dfaeb90dfdde44059305b646484e9f302270eb
SSDeep: 196608:ixXCTGsYohPWR8/UOaMlxgDNOOgjIDlJ34F5IN:2XCijhRnIM4Pe8
Size: 7151616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-01 15:53:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:864
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip2city[1].htm (383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm3path.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm2path.tmp (3 bytes)
%System%\DFkss.ini (34 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D4 29 3A 11 1D F4 29 7A D4 37 75 07 B7 31 36"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip2city[1].htm (383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B5.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B6.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm3path.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hm2path.tmp (3 bytes)
%System%\DFkss.ini (34 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1666458 | 1667072 | 4.44563 | 05071716dc0b091118ba136d3772354c |
.rdata | 1671168 | 3662836 | 3665920 | 5.43853 | 71bac63b9cf15af6115cdd0183b0067f |
.data | 5337088 | 388721 | 110592 | 3.95719 | 90e53f1c8e2510c39f4642611594587a |
.rsrc | 5726208 | 26656 | 28672 | 2.88027 | 36f408cf13171154193caead28df0408 |
.vmp0 | 5754880 | 1559577 | 1560576 | 5.39927 | 5b26e85753f89140ea4544e42f962b9f |
.vmp1 | 7315456 | 111304 | 114688 | 5.44117 | 1066013788bb0b7605865eed40da62b7 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://yd.ecoma.glb0.lxdns.com/ip2city.asp | |
hxxp://www.ip138.com/ip2city.asp | 218.92.221.155 |
city.ip138.com | 123.134.186.209 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ip2city.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.ip138.com/ip2city.asp
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.ip138.com
Cache-Control: no-cache
HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Fri, 24 Oct 2014 03:44:42 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp
Strings from Dumps
%original file name%.exe_864:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.vmp0
@.vmp0
`.vmp1
`.vmp1
e~L$J%U
e~L$J%U
%FGdi0
%FGdi0
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
kf-N}
kf-N}
kernel32.dll
kernel32.dll
Kernel32.dll
Kernel32.dll
ntdll.dll
ntdll.dll
user32.dll
user32.dll
ole32.dll
ole32.dll
WinINet.dll
WinINet.dll
shlwapi.dll
shlwapi.dll
advapi32.dll
advapi32.dll
Wininet.dll
Wininet.dll
Shlwapi.dll
Shlwapi.dll
gdiplus.dll
gdiplus.dll
SHLWAPI.DLL
SHLWAPI.DLL
GdiPlus.dll
GdiPlus.dll
VERSION.DLL
VERSION.DLL
Imagehlp.dll
Imagehlp.dll
Crypt32.dll
Crypt32.dll
gdi32.dll
gdi32.dll
msimg32.dll
msimg32.dll
winmm.dll
winmm.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
SetWindowsHookExA
SetWindowsHookExA
RegOpenKeyA
RegOpenKeyA
RegEnumKeyA
RegEnumKeyA
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ImageGetCertificateHeader
ImageGetCertificateHeader
ImageGetCertificateData
ImageGetCertificateData
EnumWindows
EnumWindows
RtlGetProcessHeaps
RtlGetProcessHeaps
GetAsyncKeyState
GetAsyncKeyState
GetProcessHeap
GetProcessHeap
GetKeyState
GetKeyState
{18C0788E-59AE-4112-B452-6BF0C1B727FB}
{18C0788E-59AE-4112-B452-6BF0C1B727FB}
\.pL.
\.pL.
Windows
Windows
0,8999($
0,8999($
.SCK_LINES/9
.SCK_LINES/9
.jJ^\
.jJ^\
.ERZDLL$
.ERZDLL$
%fLH^A
%fLH^A
n.ef"
n.ef"
g%s_%d
g%s_%d
=.Xh"
=.Xh"
.Hjsp"
.Hjsp"
ANSI_CHARSE.Dc
ANSI_CHARSE.Dc
O7E(AL("%s
O7E(AL("%s
KeywnF
KeywnF
.cu%t
.cu%t
\-ú
\-ú
.NDFR8P
.NDFR8P
Ix.Lv?h]#
Ix.Lv?h]#
keysK
keysK
A.DHq*-
A.DHq*-
8X%Fx
8X%Fx
L.@%u
L.@%u
.QunW
.QunW
.da]o
.da]o
.PP`
.PP`
.pas8
.pas8
6.Pob
6.Pob
oOV?.DD@
oOV?.DD@
.ChS-v
.ChS-v
#yfP.re
#yfP.re
KERNEL32.DLL
KERNEL32.DLL
comctl32.dll
comctl32.dll
oleaut32.dll
oleaut32.dll
version.dll
version.dll
wsock32.dll
wsock32.dll
rsadll.dll
rsadll.dll
0.0.0.0
0.0.0.0
hXXp://VVV.ip138.com/ip2city.asp
hXXp://VVV.ip138.com/ip2city.asp
http=
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://
Windows XP
Windows XP
Windows 7
Windows 7
f.QB.
f.QB.
.Uf[g
.Uf[g
%C'=9
%C'=9
,2.pw*
,2.pw*
z>Windows 2000
z>Windows 2000
@Windows Server 2003
@Windows Server 2003
@Windows Vista
@Windows Vista
@Windows 8
@Windows 8
@kAsLU2IKWfCQ6LOIjvUObm6VY59ELn5ooBAMpNmVcw5 x3F4COx20neF9Yp8u89o6srSIBE0eKQXoplXv3n8c2G6HjMQsJEkQNkmHdtvSTtgnHnvZocNvpSejN2meb G5jS7i2vi0JPdhvZfl9N049XhUrlbm4uVV2iK2 04Pxhi1jxUsFjLW9oXEQD2sfNHtxehfBMNZ4OwSlfgp3dthyEEINGshN3UU6ZYWSCWtT1WZhfct1rK a224MhQVm6mnarE9lGvM1Y1ODcDI/ofhJXJ5xlsKxoZZNVB6ocDwvDRGgYm76dkaE0zbvaNZAcC/Shz2AmI4MW8MKJX6v9bc6qPZ 5Llb/AGh6MT7KuUXpDYWTzJV3v4gyHM6nnky//pZuFopPN0jmPP0wrTSLsEtbdc1efEr91ozAFOdxh J0F1MQ0LDcHotL8RE1czAoKscqWRFnVDALbckxUI9e3z7cmg/1IOAbA7RzWgV0yvmm65hbyAH15NPc6G4 Z8Jr9My7vzKou HvhGGS/sTpMgZiBxwDRBFGifKKpFBYg/6ymJyW3GhyCfcey3iDY/P7XIpe08Fws1lQfQymAsTX2je4Qnsda8xcfqeeilCfXl/ONpDQXZFKGHqmi9qABouXYmbfo/uKrf5SS8iEMiVpb2eL52WfUDaF4LlhmjYjujspRmm1IQ/PABZjyQodQGU4y/ROnqt1eGIEh83yjQKs3vTLdkk3Seq9Wdtr K yla3hUaVcCHbxJynxb uKaXZoJ8qfyaFcd6vCgF9km67QZcsu 3GToObHT4SeDyTP4d1HX8t0DcxABllCx8c9nr5TlENy ToAdWX4g4ffFh5UlsdGm4qXFFqDhe8N3clfdOiUe5xAlokoOyQbHiJlORLStEmIAWLjr71RVv/rm2MosmIC/FyqbTBu9StKpn22UBMvfPesQ9QzIOvrwayXRfoNO 9kvqgQa9OPnEaSXr9XrHjvj5RiFYDU7qV8qZ/xqZ4IyMS7Q6HkY6wQruwPWJ9ao5zm37JeWjCMCGQ72w9mc5zDAPD7UqbV5etGgVxR suON0zQIqPCyWsyHZC5y5PuJu0hvk5XNIA2vHuRycbcvgLKoxMePGKAHmYs08aIFZeK4R51osF7BWf0DOam9sxkJvWNR/b6iPhsfwukYTL9FEE6GGP5kdZsz82PHxPZ/4RKaW48inMRAHbzjHAYplWfoU BeGBjY9yXoOMTxpH8HlLgVLcBW944G9/GDnScIDkLJyEurJ9JhA7eMsiwrs0LMVYKRTAkTbQ ZE9BV0aImcuAwJ ZJjcbu/RBRw/sTWMqlOzFgYaJv4hHecWLj SF3zDTXx7Fc/8ore3U ZqdID S2Vg4vgwtOOpiM5WHR5Hxs8t6b4qoiKDBKocQqEvsodlX6NM6K3OH/0JJpcColC2QUwBpGdLuLx77xlCLolzm3YZazqoFYbT/UHnvZqKcukriCNkYZTpE2QCPKM2cL4YvV8GeWO 1Ve25x6EGhfuz8F32FjzfB7cqQ kIPEeJY6h6BJv0OyF0 lkyawC1DG6O8x44LZzEHzj 5NvCwRkA778EOzKquA61OCkykbKVtXlhrV4mcDKSUjXxdoz4mF2KN W0NVvOfzCqLjaVNgkg7oHaZDopUqgg5EZd/TELkrJ7K4Lj9s6C8bANebRG2GPDSFbdsBNh4do8uS RJbQ==
@kAsLU2IKWfCQ6LOIjvUObm6VY59ELn5ooBAMpNmVcw5 x3F4COx20neF9Yp8u89o6srSIBE0eKQXoplXv3n8c2G6HjMQsJEkQNkmHdtvSTtgnHnvZocNvpSejN2meb G5jS7i2vi0JPdhvZfl9N049XhUrlbm4uVV2iK2 04Pxhi1jxUsFjLW9oXEQD2sfNHtxehfBMNZ4OwSlfgp3dthyEEINGshN3UU6ZYWSCWtT1WZhfct1rK a224MhQVm6mnarE9lGvM1Y1ODcDI/ofhJXJ5xlsKxoZZNVB6ocDwvDRGgYm76dkaE0zbvaNZAcC/Shz2AmI4MW8MKJX6v9bc6qPZ 5Llb/AGh6MT7KuUXpDYWTzJV3v4gyHM6nnky//pZuFopPN0jmPP0wrTSLsEtbdc1efEr91ozAFOdxh J0F1MQ0LDcHotL8RE1czAoKscqWRFnVDALbckxUI9e3z7cmg/1IOAbA7RzWgV0yvmm65hbyAH15NPc6G4 Z8Jr9My7vzKou HvhGGS/sTpMgZiBxwDRBFGifKKpFBYg/6ymJyW3GhyCfcey3iDY/P7XIpe08Fws1lQfQymAsTX2je4Qnsda8xcfqeeilCfXl/ONpDQXZFKGHqmi9qABouXYmbfo/uKrf5SS8iEMiVpb2eL52WfUDaF4LlhmjYjujspRmm1IQ/PABZjyQodQGU4y/ROnqt1eGIEh83yjQKs3vTLdkk3Seq9Wdtr K yla3hUaVcCHbxJynxb uKaXZoJ8qfyaFcd6vCgF9km67QZcsu 3GToObHT4SeDyTP4d1HX8t0DcxABllCx8c9nr5TlENy ToAdWX4g4ffFh5UlsdGm4qXFFqDhe8N3clfdOiUe5xAlokoOyQbHiJlORLStEmIAWLjr71RVv/rm2MosmIC/FyqbTBu9StKpn22UBMvfPesQ9QzIOvrwayXRfoNO 9kvqgQa9OPnEaSXr9XrHjvj5RiFYDU7qV8qZ/xqZ4IyMS7Q6HkY6wQruwPWJ9ao5zm37JeWjCMCGQ72w9mc5zDAPD7UqbV5etGgVxR suON0zQIqPCyWsyHZC5y5PuJu0hvk5XNIA2vHuRycbcvgLKoxMePGKAHmYs08aIFZeK4R51osF7BWf0DOam9sxkJvWNR/b6iPhsfwukYTL9FEE6GGP5kdZsz82PHxPZ/4RKaW48inMRAHbzjHAYplWfoU BeGBjY9yXoOMTxpH8HlLgVLcBW944G9/GDnScIDkLJyEurJ9JhA7eMsiwrs0LMVYKRTAkTbQ ZE9BV0aImcuAwJ ZJjcbu/RBRw/sTWMqlOzFgYaJv4hHecWLj SF3zDTXx7Fc/8ore3U ZqdID S2Vg4vgwtOOpiM5WHR5Hxs8t6b4qoiKDBKocQqEvsodlX6NM6K3OH/0JJpcColC2QUwBpGdLuLx77xlCLolzm3YZazqoFYbT/UHnvZqKcukriCNkYZTpE2QCPKM2cL4YvV8GeWO 1Ve25x6EGhfuz8F32FjzfB7cqQ kIPEeJY6h6BJv0OyF0 lkyawC1DG6O8x44LZzEHzj 5NvCwRkA778EOzKquA61OCkykbKVtXlhrV4mcDKSUjXxdoz4mF2KN W0NVvOfzCqLjaVNgkg7oHaZDopUqgg5EZd/TELkrJ7K4Lj9s6C8bANebRG2GPDSFbdsBNh4do8uS RJbQ==
\DFkss.ini
\DFkss.ini
password
password
\hm2path.tmp
\hm2path.tmp
\hm3path.tmp
\hm3path.tmp
ad.ini
ad.ini
hXXp://198.40.60.248:9999/getword.php?wgname=dfyo
hXXp://198.40.60.248:9999/getword.php?wgname=dfyo
1970-1-1 00:00:01
1970-1-1 00:00:01
!!!))),,,
!!!))),,,
\update.exe
\update.exe
MSXML2.XMLHTTP.6.0
MSXML2.XMLHTTP.6.0
MSXML2.XMLHTTP.5.0
MSXML2.XMLHTTP.5.0
MSXML2.XMLHTTP.4.0
MSXML2.XMLHTTP.4.0
MSXML2.XMLHTTP.3.0
MSXML2.XMLHTTP.3.0
MSXML2.XMLHTTP
MSXML2.XMLHTTP
Microsoft.XMLHTTP.1.0
Microsoft.XMLHTTP.1.0
Can't create XMLHTTP connection object
Can't create XMLHTTP connection object
Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
application/x-www-form-urlencoded
application/x-www-form-urlencoded
errmsg_s
errmsg_s
x.yvr
x.yvr
x.yvkd
x.yvkd
Uo.eo
Uo.eo
YJ%DtvQ
YJ%DtvQ
%S!K]n.
%S!K]n.
VVV.daofengwg.com
VVV.daofengwg.com
:VVV.daofengwg.com
:VVV.daofengwg.com
:|:czkey:|:
:|:czkey:|:
anonymous@123.com
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
\ly.dat
\ly.dat
\SKY.dat
\SKY.dat
ws2_32.dll
ws2_32.dll
!Game.ini
!Game.ini
ServerPort=30471
ServerPort=30471
LoginNo=15683
LoginNo=15683
ServerAddr=127.0.0.1
ServerAddr=127.0.0.1
ShowInitialMsg=1
ShowInitialMsg=1
GameLogin.exe
GameLogin.exe
.Silvana
.Silvana
%5x(Vk&
%5x(Vk&
9vp%c
9vp%c
?P"7~%Fr9
?P"7~%Fr9
2ma%D$
2ma%D$
0:#O.dS
0:#O.dS
%UatH-.
%UatH-.
l.YDq
l.YDq
7s[!m]D
7s[!m]D
qp.hE
qp.hE
}.WoN
}.WoN
X.Nb\
X.Nb\
LN&5.Uw
LN&5.Uw
/.DD5
/.DD5
p6G.uC
p6G.uC
PT}%U^/
PT}%U^/
v%xO@{J
v%xO@{J
_$$.Vs
_$$.Vs
G%X'
G%X'
.%7X\
.%7X\
.xN^yUD
.xN^yUD
V.vK[V
V.vK[V
Tz.WhsR
Tz.WhsR
t53%.mz
t53%.mz
H%x:m
H%x:m
_/.eI7
_/.eI7
.bm7/
.bm7/
Q%cgG
Q%cgG
6.TW'i
6.TW'i
s.yq`R;
s.yq`R;
.Ch-6
.Ch-6
JtcPh
JtcPh
IFoT.nsu
IFoT.nsu
,.lulnS
,.lulnS
of%XRpV
of%XRpV
.7q.ew
.7q.ew
5.hJE
5.hJE
#.Ej`
#.Ej`
=ô%
=ô%
?.Oaa
?.Oaa
t_e.hO
t_e.hO
.xn`sv
.xn`sv
.BS`N
.BS`N
m.Gn9
m.Gn9
Üyk
Üyk
5GOP.sE
5GOP.sE
oT`%Dg2uE
oT`%Dg2uE
%xe.N
%xe.N
!%FO`
!%FO`
YM.uyKF
YM.uyKF
jN %d
jN %d
.yMpC
.yMpC
iYI>.fe9
iYI>.fe9
%1sR;
%1sR;
`5.CxiN
`5.CxiN
cm%D,
cm%D,
u:A,%Uz*
u:A,%Uz*
/z CMd
/z CMd
z Cmd
z Cmd
]z÷
]z÷
ES.ks
ES.ks
%U5j)V
%U5j)V
Haf%d
Haf%d
.dO$W
.dO$W
B.gL,
B.gL,
8[.FJAE
8[.FJAE
wfTPq
wfTPq
m&%sI%
m&%sI%
\.bRM
\.bRM
x%sGA^
x%sGA^
mNf%Di
mNf%Di
E.Du:
E.Du:
t.MQ`@
t.MQ`@
%Uh(.VqJ
%Uh(.VqJ
.AIXx
.AIXx
y.CRQ
y.CRQ
osSHT
osSHT
`H1%d
`H1%d
K.YYF
K.YYF
2.HH=
2.HH=
V!.fE
V!.fE
;D%uWe
;D%uWe
.ZeWFF
.ZeWFF
8`X.wK
8`X.wK
0-lY}
0-lY}
5 #.GQ
5 #.GQ
].YHu
].YHu
f.Xc)Q
f.Xc)Q
|[.JM
|[.JM
[.DYH
[.DYH
.NBZ^
.NBZ^
.cj;C
.cj;C
Msg3a3
Msg3a3
Vi.iF
Vi.iF
B.TWx
B.TWx
%X<:>
%X<:>
%3xu>
%3xu>
8H%dnZ
8H%dnZ
qIh.pnU
qIh.pnU
.wm8[X
.wm8[X
t.NE>
t.NE>
nR.Ur
nR.Ur
6mSGQ}
6mSGQ}
V.UeUc]
V.UeUc]
.nK@L
.nK@L
-%uE4
-%uE4
d%X| i
d%X| i
e.cu3I
e.cu3I
p[.tZ
p[.tZ
.da?5)
.da?5)
.aKh;
.aKh;
s%fT/
s%fT/
l`.nn[6
l`.nn[6
%d:N9
%d:N9
`.DdY
`.DdY
^DL.lT
^DL.lT
'.OEA
'.OEA
[$-F.tf
[$-F.tf
ÀA#!
ÀA#!
bK.xT
bK.xT
z8.tH
z8.tH
V.Fv
V.Fv
{)%S E
{)%S E
.Ob-S
.Ob-S
T.TgE
T.TgE
/L%U!Q
/L%U!Q
MSG'#
MSG'#
of.%u76
of.%u76
6x[Ã
6x[Ã
%XdZx
%XdZx
R3.us#
R3.us#
.sZN=
.sZN=
%X?4z
%X?4z
R4<.kj>
R4<.kj>
$gD0j%X
$gD0j%X
#xL
#xL
.%F=q
.%F=q
.ThEcZv
.ThEcZv
.Eh"F]
.Eh"F]
8.db3
8.db3
Msgbv
Msgbv
g.ONcu
g.ONcu
.xpva
.xpva
%Fg^
%Fg^
zv0>.ni
zv0>.ni
E.Ux*
E.Ux*
wx.mE
wx.mE
.JIp@
.JIp@
>=9%C
>=9%C
'adn.Cb
'adn.Cb
i%dh.
i%dh.
O%uoM
O%uoM
%.F
%.F
.cas>=
.cas>=
.kknY
.kknY
?.MNE;
?.MNE;
mDxr%D
mDxr%D
S|3h.JL
S|3h.JL
H4.fv
H4.fv
iJ.qY
iJ.qY
`%se[
`%se[
.dtaJ.%
.dtaJ.%
%f}~)
%f}~)
.JGEM
.JGEM
(,.wU
(,.wU
{l.Dh
{l.Dh
_S%%x
_S%%x
&Ë!w
&Ë!w
JJ.GI
JJ.GI
^%x;%El
^%x;%El
.Nu.>yt
.Nu.>yt
.zCxB
.zCxB
l:%fY
l:%fY
6%s)#
6%s)#
tCp:\
tCp:\
%2SeY5e
%2SeY5e
&%DM7
&%DM7
1t.lE
1t.lE
V.Fv(%
V.Fv(%
.Qnka
.Qnka
T.CbN_
T.CbN_
(.kL
(.kL
g.td4R;
g.td4R;
j,b.NT
j,b.NT
%fI}r
%fI}r
.nC>V_
.nC>V_
pny .FB
pny .FB
,D.WL
,D.WL
QF%Fs
QF%Fs
>.qzN
>.qzN
.WBjf
.WBjf
^Nt.xo
^Nt.xo
.Pff9mq
.Pff9mq
j7%xz]
j7%xz]
.qG'o
.qG'o
C[ß
C[ß
:J_%c
:J_%c
J:_A^0c.HY
J:_A^0c.HY
F_.ID
F_.ID
Ni%sT#F
Ni%sT#F
T.jO1M
T.jO1M
0#s\}%D
0#s\}%D
KS!F%f
KS!F%f
b%s;>
b%s;>
V%dW)K
V%dW)K
I.hiq
I.hiq
%xL]S
%xL]S
'v.dH
'v.dH
{8.ae
{8.ae
.hh=J
.hh=J
shell32.dll
shell32.dll
Game.mdata
Game.mdata
getpassward
getpassward
CheckSky.dll
CheckSky.dll
`.gl1
`.gl1
`.tls
`.tls
.reloc
.reloc
data\objects.wzl
data\objects.wzl
dll at:%s
dll at:%s
1.2.5
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
internal state. The program cannot safely continue execution and must
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
continue execution and must now be terminated.
mscoree.dll
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
Please contact the application's support team for more information.
GetProcessWindowStation
GetProcessWindowStation
f:\ChuanQi\GLCore\GLCore\Release\CQ.pdb
f:\ChuanQi\GLCore\GLCore\Release\CQ.pdb
USER32.dll
USER32.dll
%FQ %_Q
%FQ %_Q
GLCore.dll
GLCore.dll
SHLWAPI.dll
SHLWAPI.dll
%F:G9{>
%F:G9{>
KERNEL32.dll
KERNEL32.dll
l%xx(~
l%xx(~
>[A|%c
>[A|%c
!-o%d{X
!-o%d{X
,000
,000
0 0$000
0 0$000
6$787&888
6$787&888
01r1
01r1
(3,30343@3
(3,30343@3
Thawte Certification1
Thawte Certification1
hXXp://ocsp.thawte.com0
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
.Class 3 Public Primary Certification Authority0
hXXp://crl.verisign.com/pca3.crl0
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0
hXXp://ocsp.verisign.com0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
#hXXp://crl.verisign.com/pca3-g5.crl04
@.reloc
@.reloc
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
WS2_32.dll
WS2_32.dll
GetCPInfo
GetCPInfo
jx.dll
jx.dll
\!Game.ini
\!Game.ini
WS2_32.DLL
WS2_32.DLL
mswsock.dll
mswsock.dll
program internal error number is %d.
program internal error number is %d.
:"%s"
:"%s"
:"%s".
:"%s".
zcÃ
zcÃ
3*4044484
3*4044484
3"3&3*3.32363:3>3
3"3&3*3.32363:3>3
001A2B3C4D5Ec:\kss.ini
001A2B3C4D5Ec:\kss.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
ServiceName\\.\
ServiceName\\.\
Zy_Msg_WM_UPDATERECT
Zy_Msg_WM_UPDATERECT
^@ZySoft.ZyUI.WindowClass.Window
^@ZySoft.ZyUI.WindowClass.Window
ZySoft.ZyUI.WindowClass.ComboBox
ZySoft.ZyUI.WindowClass.ComboBox
ZySoft.ZyUI.WindowClass.menu
ZySoft.ZyUI.WindowClass.menu
ZySoft.ZyUI.WindowClass.menu1
ZySoft.ZyUI.WindowClass.menu1
x@{}M%sk
x@{}M%sk
*%D N
*%D N
^.AVK0
^.AVK0
)%xg'Xoo
)%xg'Xoo
Gl.zi
Gl.zi
aóL=@
aóL=@
.aT[w
.aT[w
(^%x$
(^%x$
m.SkE
m.SkE
.IDAT
.IDAT
"""\\\222
"""\\\222
hXXp://VVV.sf778.com/down
hXXp://VVV.sf778.com/down
/up.rar?a=
/up.rar?a=
VVV.jxdlq.com
VVV.jxdlq.com
LyDlq.Com
LyDlq.Com
Www.WeDlq.Net
Www.WeDlq.Net
VVV.wsdlq.com
VVV.wsdlq.com
wshom.ocx
wshom.ocx
\LEG.dat
\LEG.dat
\gm2.dat
\gm2.dat
\Game2.dat
\Game2.dat
\mir2.dat
\mir2.dat
\yx.dat
\yx.dat
*.yxlg
*.yxlg
\3K.dat
\3K.dat
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
iphlpapi.dll
iphlpapi.dll
MPR.dll
MPR.dll
VERSION.dll
VERSION.dll
%SaBHz`
%SaBHz`
%x.tmp
%x.tmp
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
%s,%d
%s,%d
%s.lnk
%s.lnk
1.1.3
1.1.3
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
[%s:%d]
[%s:%d]
Range: bytes=%s-
Range: bytes=%s-
[%s:%d]
[%s:%d]
PASS %s
PASS %s
PASS ******
PASS ******
USER %s
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
SIZE %s
PORT
PORT
User-Agent: %s
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Referer: %s
Host: %s
Host: %s
GET %s HTTP/1.1
GET %s HTTP/1.1
Cookie: %s
Cookie: %s
%d, %s
%d, %s
\\192.168.0.129\TCP\1037
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
%s %s %s
Session: %s
Session: %s
Cseq: %u
Cseq: %u
%*s %s
%*s %s
%*s %u
%*s %u
CSeq: %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i
rtsp://%s:%i/%s
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
Range: npt=%s-
%s/streamid=1
%s/streamid=1
%s/streamid=0
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
If-Match: %s
RealChallenge2: %s, sd=%s
RealChallenge2: %s, sd=%s
Title: %s
Title: %s
Copyright: %s
Copyright: %s
Author: %s
Author: %s
real: Content-length for description too big (> %uMB)!
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Bandwidth: %u
Challenge1: %s
Challenge1: %s
hash output: %x %x %x %x
hash output: %x %x %x %x
hash input: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
stream=%u;rule=%u,
Illegal character '%c' in input.
Illegal character '%c' in input.
(%S)%M%D %y-%m-%d
(%S)%M%D %y-%m-%d
After RemoveDC(), pen counter: %d, bursh counter: %d, font counter: %d
After RemoveDC(), pen counter: %d, bursh counter: %d, font counter: %d
!!! Create pen ERROR! ErrNo.[%d]
!!! Create pen ERROR! ErrNo.[%d]
Create pen No.%d
Create pen No.%d
!!! Create brush ERROR! ErrNo.[%d]
!!! Create brush ERROR! ErrNo.[%d]
Create brush No.%d
Create brush No.%d
!!! Create font ERROR! ErrNo.[%d]
!!! Create font ERROR! ErrNo.[%d]
Create font No.%d
Create font No.%d
- Delete pen No.%d
- Delete pen No.%d
- Delete brush No.%d
- Delete brush No.%d
- Delete font No.%d
- Delete font No.%d
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
0123456789
0123456789
HTTP/1.1 200 OK
HTTP/1.1 200 OK
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
ip138.com
ip138.com
38.com/ip2city.asp
38.com/ip2city.asp
70-1-1 00:00:01
70-1-1 00:00:01
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
2[=:(=6)*
2[=:(=6)*
X.ja(A
X.ja(A
.Dp/g
.Dp/g
|.oF
|.oF
n5F%F
n5F%F
7-.kf
7-.kf
4ut%XYR`
4ut%XYR`
.oNW4
.oNW4
{nI5F%6sc@)Fd
{nI5F%6sc@)Fd
8>%S$]D23
8>%S$]D23
h.QnI
h.QnI
l^%F%&
l^%F%&
^-S29f}m
^-S29f}m
.ST1J
.ST1J
3%Fnn
3%Fnn
.gFo|m7h
.gFo|m7h
3L.yN
3L.yN
Zõ~C
Zõ~C
\l.oax
\l.oax
Z.UWf
Z.UWf
.klNaa
.klNaa
_0M.zD"
_0M.zD"
A.Evh
A.Evh
.cM`=
.cM`=
.Uv)1
.Uv)1
td.MfHq
td.MfHq
u6O.WS
u6O.WS
.OX]v
.OX]v
\-vSl}
\-vSl}
crt2R
crt2R
}%.f
}%.f
a=%C\;
a=%C\;
[[%6s
[[%6s
s:%cT78
s:%cT78
%fX^;w
%fX^;w
3=V%F
3=V%F
a
a
.LeDE
.LeDE
%. O.bl$
%. O.bl$
%uv$T
%uv$T
>0õ
>0õ
.oF:^_q
.oF:^_q
`Q.Ef=
`Q.Ef=
%c}G*V
%c}G*V
.KTFi{
.KTFi{
9b[%6s
9b[%6s
#M\%F
#M\%F
%SY19Zc
%SY19Zc
ZKw>g.Og
ZKw>g.Og
.StuH
.StuH
g.IW_w
g.IW_w
lnFtpU
lnFtpU
D.tuT
D.tuT
.NOF&}
.NOF&}
9.wF_
9.wF_
%FGpi3d
%FGpi3d
.ss=c
.ss=c
.ssPg
.ssPg
.OANX=
.OANX=
&O A.Wx
&O A.Wx
.YR0e=
.YR0e=
.wdU2P
.wdU2P
n5F%6s
n5F%6s
%f]V)Rz*Kl
%f]V)Rz*Kl
(!.VM
(!.VM
D$,%ug
D$,%ug
.?dd.oxB
.?dd.oxB
^%urA
^%urA
.HQ A
.HQ A
Túqs{
Túqs{
%V%Fsd.G\
%V%Fsd.G\
SQl1b0
SQl1b0
&%Cx.M
&%Cx.M
.SS0q
.SS0q
ysQL]
ysQL]
N%V-s}N/
N%V-s}N/
C%5sx.W9
C%5sx.W9
>%S$M4
>%S$M4
-.cZ)pA
-.cZ)pA
hU.Uvf
hU.Uvf
2%f{e*
2%f{e*
üuqo
üuqo
y8.oLe
y8.oLe
5N%UG
5N%UG
92^%F
92^%F
GP-D}D]
GP-D}D]
o[>>%S
o[>>%S
%FklI
%FklI
.UV5>
.UV5>
.wGsHD
.wGsHD
-z9}^
-z9}^
' =.Zx
' =.Zx
YlovøX
YlovøX
N%F%F{
N%F%F{
:.IIt
:.IIt
hIZ4.vWH
hIZ4.vWH
h-F%f{{
h-F%f{{
%C|ne
%C|ne
Fsd.Te
Fsd.Te
%U,}\
%U,}\
?P%ftN
?P%ftN
$`.gI
$`.gI
Y.ohE
Y.ohE
|h=>0%C
|h=>0%C
>e.un5E6
>e.un5E6
6MN-.ss=.6b)
6MN-.ss=.6b)
>,@#T%f]n
>,@#T%f]n
4@Y.oL}
4@Y.oL}
S2o6_.Wp
S2o6_.Wp
jLRt%u
jLRt%u
O%U?"Cp
O%U?"Cp
&gNHl%Fs0I;/
&gNHl%Fs0I;/
l"6
l"6
×Gl8
×Gl8
|E^%U
|E^%U
^þ~
^þ~
w7=.gI#
w7=.gI#
_hI%S
_hI%S
YrAR^_0A.OPa
YrAR^_0A.OPa
<.hd_4>
<.hd_4>
`Q.EV
`Q.EV
%F[\9
%F[\9
w:\*S
w:\*S
a:\,S
a:\,S
ÂI(U
ÂI(U
2nGh;%FW
2nGh;%FW
s0Q^s;KERNEL32.dll
comdlg32.dll
WINMM.dll
SHELL32.dll
WININET.dll
GDI32.dll
COMCTL32.dll
OLEAUT32.dll
$aSADVAPI32.dll
HWINSPOOL.DRV
WLDAP32.dll
ShellExecuteA
QN@WS2_32.dll
lRASAPI32.dll
TFRMCHRPASSWORD
TFRMGETPASSWORD
1.0.0.0
(hXXp://VVV.eyuyan.com)
(*.*)
%original file name%.exe_864_rwx_00AFA000_00001000:
ÂI(U
%original file name%.exe_864_rwx_00B0F000_00001000:
ShellExecuteA
QN@WS2_32.dll
%original file name%.exe_864_rwx_01090000_00072000:
`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
USER32.DLL
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPressl
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
TMainMenuDp
TKeyEvent
TKeyPressEvent
HelpKeyword,
crSQLWait
%s (%s)
imm32.dll
readnowid.mtx
D:\ksreg_delphi\V9\_rsa_delphi_dll\UnitSock.pas
KWindows
UrlMon
GetCPInfo
RegOpenKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.edata
P.reloc
P.rsrc
KERNEL32.DLL
advapi32.dll
gdi32.dll
user32.dll
version.dll
wsock32.dll
rsadll.dll
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation