Trojan.Win32.FlyStudio_3647b6730f

by malwarelabrobot on August 19th, 2017 in Malware Descriptions.

HEUR:Packed.Win32.Vemply.gen (Kaspersky), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 3647b6730f26c670f725df320dd5d93d
SHA1: e10ea8df96ec5006da19de59e257edb2180d9185
SHA256: 8ff3f0fa380a8132a0f12f0ce6325d6f75066b8d2b98d7dd90a900b0436e2e49
SSDeep: 196608:KSCipl99Llz/p9VIsPV4cvs4WySbJgCCr/I8qdxebjicEoxh3p84hs:LCW99xz/as7vxSaCqILoiUxh5xW
Size: 10592256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-24 17:17:39
Analyzed on: Windows 7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3604

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\img\9b14.bmp (516 bytes)
C:\img\9b9.bmp (516 bytes)
C:\img\7jt1.bmp (372 bytes)
C:\img\dyt2j.bmp (516 bytes)
C:\img\哥布林.bmp (612 bytes)
C:\img\bb7.bmp (1 bytes)
C:\img\bb8.bmp (1 bytes)
C:\img\ys.dll (1856 bytes)
C:\img\sy9.bmp (180 bytes)
C:\img\9b20.bmp (436 bytes)
C:\img\sy10.bmp (184 bytes)
C:\img\0.8.1.2.bmp (852 bytes)
C:\img\fx.ini (4 bytes)
C:\img\sy15.bmp (180 bytes)
C:\img\初始化.bmp (1 bytes)
C:\img\dyt16.bmp (144 bytes)
C:\img\dyt2j1.bmp (444 bytes)
C:\img\gpdl1.bmp (996 bytes)
C:\img\dyt2j15.bmp (552 bytes)
C:\img\9b7.bmp (524 bytes)
C:\img\法师.bmp (532 bytes)
C:\img\天使.bmp (564 bytes)
C:\img\dyt2j19.bmp (564 bytes)
C:\img\dyt3j11.bmp (420 bytes)
C:\img\gpdl.bmp (864 bytes)
C:\img\9b17.bmp (436 bytes)
C:\img\dyt2j4.bmp (516 bytes)
C:\img\0.8.7.bmp (532 bytes)
C:\img\dyt3j21.bmp (252 bytes)
C:\img\sb7.bmp (340 bytes)
C:\img\巨人.bmp (804 bytes)
C:\img\9b18.bmp (480 bytes)
C:\img\sb4.bmp (340 bytes)
C:\img\13jjt5.bmp (228 bytes)
C:\img\女王.bmp (700 bytes)
C:\img\6jt1.bmp (324 bytes)
C:\img\收兵4.bmp (432 bytes)
C:\img\12jjt4.bmp (252 bytes)
C:\img\9b26.bmp (364 bytes)
C:\img\dyt.bmp (148 bytes)
C:\img\7jt4.bmp (372 bytes)
C:\img\回营1.bmp (628 bytes)
C:\img\9b13.bmp (436 bytes)
C:\img\sy7.bmp (204 bytes)
C:\img\dyt10.bmp (132 bytes)
C:\img\bb9.bmp (1 bytes)
C:\img\13jjt7.bmp (300 bytes)
C:\img\sy3.bmp (204 bytes)
C:\img\9b5.bmp (516 bytes)
C:\img\bb4.bmp (1 bytes)
C:\img\炸弹.bmp (924 bytes)
C:\img\dyt15.bmp (144 bytes)
C:\img\dyt3j17.bmp (252 bytes)
C:\img\dyt11.bmp (144 bytes)
C:\img\12jjt.bmp (244 bytes)
C:\img\dyt2j17.bmp (588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\img.zip (2 bytes)
C:\img\sbd2.bmp (396 bytes)
C:\img\9b10.bmp (436 bytes)
C:\img\0.9.261.bmp (540 bytes)
C:\img\dyt3j18.bmp (276 bytes)
C:\img\蛮王.bmp (1 bytes)
C:\img\dyt13.bmp (164 bytes)
C:\img\hwgg.bmp (700 bytes)
C:\img\dyt2j13.bmp (624 bytes)
C:\img\7jt11.bmp (348 bytes)
C:\img\9b19.bmp (468 bytes)
C:\img\6jt.bmp (300 bytes)
C:\img\半2.bmp (144 bytes)
C:\img\9b21.bmp (404 bytes)
C:\img\9b28.bmp (420 bytes)
C:\img\dyt2j2.bmp (516 bytes)
C:\img\9b32.bmp (436 bytes)
C:\img\收兵5.bmp (324 bytes)
C:\img\8jt3.bmp (324 bytes)
C:\img\9b31.bmp (524 bytes)
C:\img\6jt10.bmp (420 bytes)
C:\img\6jt9.bmp (344 bytes)
C:\img\jk.txt (104 bytes)
C:\img\7jt8.bmp (324 bytes)
C:\img\kldl.bmp (480 bytes)
C:\img\女王技能.bmp (616 bytes)
C:\img\9b6.bmp (564 bytes)
C:\img\sy6.bmp (184 bytes)
C:\img\dyt3j4.bmp (448 bytes)
C:\img\dyt2j7.bmp (552 bytes)
C:\img\农民.bmp (660 bytes)
C:\img\jydl.bmp (588 bytes)
C:\img\dyt3j3.bmp (588 bytes)
C:\img\9b3.bmp (564 bytes)
C:\img\7jt13.bmp (344 bytes)
C:\img\dyt2j11.bmp (564 bytes)
C:\img\bddl.bmp (760 bytes)
C:\img\sb6.bmp (308 bytes)
C:\img\dyt3j8.bmp (552 bytes)
C:\img\dyt3j24.bmp (276 bytes)
C:\img\gpdl2.bmp (404 bytes)
C:\img\6jt3.bmp (396 bytes)
C:\img\sy13.bmp (164 bytes)
C:\img\dyt6.bmp (132 bytes)
C:\img\dyt2j8.bmp (516 bytes)
C:\img\皮卡超人.bmp (564 bytes)
C:\img\dyt3j9.bmp (468 bytes)
C:\img\6jt2.bmp (304 bytes)
C:\img\关闭右上角.bmp (968 bytes)
C:\img\收兵.bmp (516 bytes)
C:\img\bb6.bmp (1 bytes)
C:\img\dyt2j18.bmp (516 bytes)
C:\img\9b8.bmp (684 bytes)
C:\img\回营.bmp (372 bytes)
C:\img\dyt19.bmp (144 bytes)
C:\img\8jt6.bmp (372 bytes)
C:\img\sb3.bmp (372 bytes)
C:\img\8jt4.bmp (372 bytes)
C:\img\anzhidl.bmp (968 bytes)
C:\img\lianxiangdl.bmp (468 bytes)
C:\img\9b30.bmp (420 bytes)
C:\img\dyt3j22.bmp (300 bytes)
C:\img\bb.bmp (1 bytes)
C:\img\闪电法术.bmp (876 bytes)
C:\img\幽灵.bmp (660 bytes)
C:\img\7jt7.bmp (304 bytes)
C:\img\推荐配置\8本传统打鱼模式.ini (3 bytes)
C:\img\dyt2j6.bmp (588 bytes)
C:\img\sb10.bmp (372 bytes)
C:\img\推荐配置\（推荐）8、9、10、11主流低杯刷外置本模式！.ini (4 bytes)
C:\img\dyt3j5.bmp (480 bytes)
C:\img\dyt4.bmp (148 bytes)
C:\img\8jt1.bmp (324 bytes)
C:\img\dyt2j20.bmp (588 bytes)
C:\img\dyt2j10.bmp (516 bytes)
C:\img\bb3.bmp (1 bytes)
C:\img\初始化4.bmp (480 bytes)
C:\img\6jt8.bmp (324 bytes)
C:\img\sy.bmp (228 bytes)
C:\img\搜索.bmp (1 bytes)
C:\img\法师1.bmp (404 bytes)
C:\img\sjqd.bmp (480 bytes)
C:\img\8jt7.bmp (372 bytes)
C:\img\dyt21.bmp (144 bytes)
C:\img\支持库.ini (70 bytes)
C:\img\野猪.bmp (708 bytes)
C:\img\sy1.bmp (180 bytes)
C:\img\12jjt2.bmp (196 bytes)
C:\img\7jt5.bmp (324 bytes)
C:\img\dyt3j16.bmp (372 bytes)
C:\img\弓箭手.bmp (588 bytes)
C:\img\dyt3j15.bmp (252 bytes)
C:\img\sb12.bmp (340 bytes)
C:\img\初始化2.bmp (1 bytes)
C:\img\7jt10.bmp (324 bytes)
C:\img\9b16.bmp (500 bytes)
C:\img\sb11.bmp (340 bytes)
C:\img\0.9.8.bmp (628 bytes)
C:\img\dyt3j19.bmp (392 bytes)
C:\img\dyt12.bmp (144 bytes)
C:\img\dyt2j9.bmp (732 bytes)
C:\img\sb1.bmp (372 bytes)
C:\img\推荐配置\6本推荐配置.ini (2 bytes)
C:\img\8jt5.bmp (324 bytes)
C:\img\13jjt4.bmp (196 bytes)
C:\img\bb10.bmp (1 bytes)
C:\img\sc.txt (1 bytes)
C:\img\推荐配置\9本传统打鱼模式.ini (3 bytes)
C:\img\dyt3j1.bmp (500 bytes)
C:\img\9b34.bmp (364 bytes)
C:\img\9b33.bmp (372 bytes)
C:\img\dm.dll (34186 bytes)
C:\img\9b11.bmp (436 bytes)
C:\img\dyt8.bmp (144 bytes)
C:\img\6jt6.bmp (348 bytes)
C:\img\9b15.bmp (468 bytes)
C:\img\bb5.bmp (1 bytes)
C:\img\6jt11.bmp (420 bytes)
C:\img\9b2.bmp (516 bytes)
C:\img\13jjt6.bmp (224 bytes)
C:\img\搜索1.bmp (480 bytes)
C:\img\dyt2j14.bmp (500 bytes)
C:\img\sy4.bmp (180 bytes)
C:\img\9b1.bmp (552 bytes)
C:\img\dyt9.bmp (164 bytes)
C:\img\收兵3.bmp (364 bytes)
C:\img\9b23.bmp (516 bytes)
C:\img\7jt2.bmp (348 bytes)
C:\img\训练1.bmp (404 bytes)
C:\img\sy14.bmp (164 bytes)
C:\img\推荐配置\10传统打鱼模式.ini (3 bytes)
C:\img\7jt6.bmp (444 bytes)
C:\img\dyt2j12.bmp (552 bytes)
C:\img\9b25.bmp (336 bytes)
C:\img\初始化3.bmp (984 bytes)
C:\img\气球.bmp (448 bytes)
C:\img\9b27.bmp (420 bytes)
C:\img\野蛮人.bmp (656 bytes)
C:\img\bb2.bmp (1 bytes)
C:\img\sy11.bmp (204 bytes)
C:\img\9b.bmp (468 bytes)
C:\img\7jt3.bmp (372 bytes)
C:\img\dyt2j16.bmp (552 bytes)
C:\img\dyt17.bmp (148 bytes)
C:\img\7jt14.bmp (372 bytes)
C:\img\bddlgg.bmp (1 bytes)
C:\img\13jjt2.bmp (224 bytes)
C:\img\9b22.bmp (420 bytes)
C:\img\0.8.1.bmp (644 bytes)
C:\img\360dl.bmp (784 bytes)
C:\img\sy5.bmp (180 bytes)
C:\img\bb1.bmp (1 bytes)
C:\img\dyt3j7.bmp (364 bytes)
C:\img\13jjt.bmp (244 bytes)
C:\img\6jt5.bmp (372 bytes)
C:\img\13jjt1.bmp (204 bytes)
C:\img\dyt1.bmp (144 bytes)
C:\img\9b4.bmp (612 bytes)
C:\img\DmReg.dll (1552 bytes)
C:\img\0.8.1.3.bmp (732 bytes)
C:\img\初始化1.bmp (1 bytes)
C:\img\敌军突袭.bmp (476 bytes)
C:\img\anzhidl1.bmp (588 bytes)
C:\img\8jt2.bmp (372 bytes)
C:\img\dyt2j21.bmp (552 bytes)
C:\img\6jt4.bmp (324 bytes)
C:\img\7jt12.bmp (324 bytes)
C:\img\dyt20.bmp (144 bytes)
C:\img\dyt3j2.bmp (364 bytes)
C:\img\dyt3j14.bmp (364 bytes)
C:\img\dyt3j6.bmp (604 bytes)
C:\img\dyt3j10.bmp (480 bytes)
C:\img\7jt.bmp (324 bytes)
C:\img\9b29.bmp (372 bytes)
C:\img\dyt18.bmp (132 bytes)
C:\img\sbd3.bmp (304 bytes)
C:\img\dyt3j13.bmp (500 bytes)
C:\img\dyt2j22.bmp (552 bytes)
C:\img\sbd.bmp (444 bytes)
C:\img\dyt3j23.bmp (280 bytes)
C:\img\6jt7.bmp (348 bytes)
C:\img\dyt3.bmp (164 bytes)
C:\img\dyt3j.bmp (308 bytes)
C:\img\搜索护盾.bmp (1 bytes)
C:\img\sb5.bmp (340 bytes)
C:\img\7jt9.bmp (448 bytes)
C:\img\sb.bmp (372 bytes)
C:\img\bb11.bmp (1 bytes)
C:\img\9b12.bmp (436 bytes)
C:\img\训练.bmp (304 bytes)
C:\img\yszso.dll (27704 bytes)
C:\img\sy8.bmp (164 bytes)
C:\img\oppodl.bmp (804 bytes)
C:\img\dyt14.bmp (144 bytes)
C:\img\13jjt3.bmp (212 bytes)
C:\img\训练2.bmp (336 bytes)
C:\img\sbd1.bmp (504 bytes)
C:\img\蛮王技能.bmp (484 bytes)
C:\img\8jt.bmp (324 bytes)
C:\img\半3.bmp (180 bytes)
C:\img\飞龙.bmp (768 bytes)
C:\img\sy2.bmp (204 bytes)
C:\img\0.9.26.bmp (636 bytes)
C:\img\sy.txt (444 bytes)
C:\img\dyt7.bmp (132 bytes)
C:\img\半1.bmp (156 bytes)
C:\img\sy16.bmp (184 bytes)
C:\img\0.8.9.bmp (468 bytes)
C:\img\tb.bmp (1 bytes)
C:\img\sy12.bmp (180 bytes)
C:\img\推荐配置\7本推荐配置.ini (2 bytes)
C:\img\dyt2.bmp (132 bytes)
C:\img\sb9.bmp (372 bytes)
C:\img\收兵1.bmp (564 bytes)
C:\img\12jjt1.bmp (228 bytes)
C:\img\dyt3j20.bmp (276 bytes)
C:\img\sb8.bmp (372 bytes)
C:\img\dyt2j3.bmp (480 bytes)
C:\img\dyt3j12.bmp (744 bytes)
C:\img\9b24.bmp (420 bytes)
C:\img\捐兵.bmp (372 bytes)
C:\img\收兵2.bmp (560 bytes)
C:\img\dyt5.bmp (148 bytes)
C:\img\kpzs.bmp (468 bytes)
C:\img\dyt2j5.bmp (552 bytes)
C:\img\12jjt3.bmp (224 bytes)

Registry activity

The process %original file name%.exe:3604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

Dropped PE files

MD5                               File path
a3e89f9c6cd3b4a938a98a336de30e8c  c:\img\DmReg.dll
5f62cac44830ed5ae052c112c09b9eda  c:\img\dm.dll
e025cd92bb47f50703b5a602d97c36cb  c:\img\ys.dll
c578b6820bda5689940560147c6e5ffc  c:\img\yszso.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: coc??
Product Name: coc??
Product Version: 1.2.0.0
Legal Copyright: coc?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.2.0.0
File Description: coc??
Comments: coc??
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1530590       0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  1536000          3948670       0         0        d41d8cd98f00b204e9800998ecf8427e
.data   5488640          495307        0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp0   5984256          6139577       0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp1   12124160         10568745      10571776  5.44985  e18c80cbd3f64d644b716ce57f5ba451
.rsrc   22695936         15486         16384     3.88395  a48bd70c7da8be90f51c1e24f6267a36

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://shaohea.com/web/user.asp 60.205.35.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /web/user.asp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Length: 117
Host: shaohea.com

code=2D50D4F11C6A583711674347A01F5BBB2576AF605D1EEF64E482B7F8254C922BC4383046A3764BC772DE0D07D168BDFCC80282B434767468
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 184
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDCQSBACCQ=DLIBBJEDOBIEAECDMOACPMPE; path=/
Date: Fri, 18 Aug 2017 12:21:35 GMT
7B0F8AA50739077A14939848B03752572F92A69D429EE89FE266B57B3094DAD91A7C33
48EFFEA425A92DCDB644CC0CB69B43CDFA61B5BAC369ABF8E6DE657AF8C7AD7BCCDF25
820570A70C45FD7DB2A7CC9B1CC63FBA476FF4DB90F9HTTP/1.1 200 OK..Cache-Con
trol: private..Content-Length: 184..Content-Type: text/html..Server: M
icrosoft-IIS/7.5..Set-Cookie: ASPSESSIONIDCQSBACCQ=DLIBBJEDOBIEAECDMOA
CPMPE; path=/..Date: Fri, 18 Aug 2017 12:21:35 GMT..7B0F8AA50739077A14
939848B03752572F92A69D429EE89FE266B57B3094DAD91A7C3348EFFEA425A92DCDB6
44CC0CB69B43CDFA61B5BAC369ABF8E6DE657AF8C7AD7BCCDF25820570A70C45FD7DB2
A7CC9B1CC63FBA476FF4DB90F9..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3604:

.text
`.rdata
@.data
.vmp0
.vmp1
.rsrc
t%SVh
t$(SSh
|$D.tm
FTPU
~%UVW
u$SShe
kernel32.dll
user32.dll
NTDLL.dll
ntdll.dll
Winhttp.dll
ole32.dll
ys.dll
wininet.dll
Kernel32.dll
dmreg.dll
psapi.dll
shlwapi.dll
advapi32.dll
shdocvw.dll
Shell32.dll
User32.dll
winmm.dll
Winmm.dll
shell32.dll
imm32.dll
Powrprof.dll
rasapi32.dll
ws2_32.dll
IPHLPAPI.DLL
ADVAPI32.DLL
MsgWaitForMultipleObjects
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
EnumWindows
ShellExecuteA
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
SHFileOperationA
GetWindowsDirectoryA
ExitWindowsEx
GetKeyboardLayout
GetKeyboardLayoutList
ActivateKeyboardLayout
GetProcessHeap
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
{B6F7542F-B8FE-46a8-9605-98856A687097}
0101010101
30426153
http=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Adodb.Stream
WinHttp
WindowsForms10
HD-Frontend.exe
HD-Quit.exe
HD-StartLauncher.exe
HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks
HD-Adb.exe -s emulator-5554
HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks\Guests\Android\FrameBuffer\0
HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks\Guests\Android\Config
NK-Frontend.exe
NK-Quit.exe
NK-StartLauncher.exe
HKEY_LOCAL_MACHINE\SOFTWARE\NlueStacks
NK-Adb.exe -s localhost:5552
HKEY_LOCAL_MACHINE\SOFTWARE\NlueStacks\Guests\Android\FrameBuffer\0
KP-Frontend.exe
HKEY_LOCAL_MACHINE\SOFTWARE\ClueStacks
HKEY_LOCAL_MACHINE\SOFTWARE\ClueStacks\Guests\Android\FrameBuffer\0
@1970-01-01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
windows
dx.graphic.opengl
2.bmp
906835-101010
0.8.1.2.bmp|0.8.1.bmp|0.8.1.3.bmp|0.8.7.bmp|0.8.9.bmp|kpzs.bmp|0.9.8.bmp|0.9.26.bmp|0.9.261.bmp
.bmp|
1.bmp
2.bmp|
3.bmp|
4.bmp
\pz.ini
\data\setsoft.ini
\img\yszso.dll
\img\ys.dll
\img\DmReg.dll
\img\dm.dll
Dm.dll
Dmreg.dll
yszso.dll
Support library mismatch
@Windows 10
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 2000
Windows XP
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Windows 98
Web Server Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
hXXp://VVV.taobao.com/
0-0-0 0:0:0
hXXp://VVV.baidu.com/
hXXp://VVV.qq.com/
WinHttp.WinHttpRequest.5.1
%d-%d-%d %d:%d:%d
2016-1-1 18:05:58
2Windows Defender
@.reloc
MFC42u.DLL
MSVCRT.dll
KERNEL32.dll
VERSION.dll
MSVCP60.dll
USER32.dll
ZwQueryKey
ZwQueryValueKey
ZwOpenKeyEx
ZwOpenKey
\\.\%c%c%d
78M8X8
3970566
sy.txt
sc.txt
hXXp://VVV.yszso.com/gg.txt
\img\fx.ini
sjqd.bmp
282828-050505
282828-101010
gpdl.bmp|gpdl1.bmp|gpdl2.bmp|jydl.bmp|kldl.bmp|oppodl.bmp|360dl.bmp|bddl.bmp|anzhidl.bmp|anzhidl1.bmp|lianxiangdl.bmp
bddlgg.bmp
hwgg.bmp
392841-101010
1.bmp|
4.bmp|
5.bmp
tb.bmp
9b.bmp|9b1.bmp|9b2.bmp|9b3.bmp|9b4.bmp|9b5.bmp|9b6.bmp|9b7.bmp|9b8.bmp|9b9.bmp|9b10.bmp|9b11.bmp|9b12.bmp|9b13.bmp|9b14.bmp|9b15.bmp|9b16.bmp|9b17.bmp|9b18.bmp|9b19.bmp|9b20.bmp|9b21.bmp|9b22.bmp|9b23.bmp|9b24.bmp|9b25.bmp|9b26.bmp|9b27.bmp|9b28.bmp|9b29.bmp|9b30.bmp|9b31.bmp|9b32.bmp|9b33.bmp|9b34.bmp|bb.bmp|bb1.bmp|bb2.bmp|bb3.bmp|bb4.bmp|bb5.bmp|bb6.bmp|bb7.bmp|bb8.bmp|bb9.bmp|bb10.bmp|bb11.bmp|sb.bmp|sb1.bmp|sb3.bmp|sb4.bmp|sb5.bmp|sb6.bmp|sb7.bmp|sb8.bmp|sb9.bmp|sb10.bmp|sb11.bmp|sb12.bmp|sbd.bmp|sbd1.bmp|sbd2.bmp|sbd3.bmp
908397-101010
286191-101010
dyt.bmp|dyt1.bmp|dyt2.bmp|dyt2j.bmp|dyt2j1.bmp|dyt2j2.bmp|dyt2j3.bmp|dyt2j4.bmp|dyt2j5.bmp|dyt2j6.bmp|dyt2j7.bmp|dyt2j8.bmp|dyt2j9.bmp|dyt2j10.bmp|dyt2j11.bmp|dyt2j12.bmp|dyt2j13.bmp|dyt2j14.bmp|dyt2j15.bmp|dyt2j16.bmp|dyt2j17.bmp|dyt2j18.bmp|dyt2j19.bmp|dyt2j20.bmp|dyt2j21.bmp|dyt2j22.bmp|dyt3.bmp|dyt3j.bmp|dyt3j1.bmp|dyt3j2.bmp|dyt3j3.bmp|dyt3j4.bmp|dyt3j5.bmp|dyt3j6.bmp|dyt3j7.bmp|dyt3j8.bmp|dyt3j9.bmp|dyt3j10.bmp|dyt3j11.bmp|dyt3j12.bmp|dyt3j13.bmp|dyt3j14.bmp|dyt3j15.bmp|dyt3j16.bmp|dyt3j17.bmp|dyt3j18.bmp|dyt3j19.bmp|dyt3j20.bmp|dyt3j21.bmp|dyt3j22.bmp|dyt3j23.bmp|dyt3j24.bmp|dyt4.bmp|dyt5.bmp|dyt6.bmp|dyt7.bmp|dyt8.bmp|dyt9.bmp|dyt10.bmp|dyt11.bmp|dyt12.bmp|dyt13.bmp|dyt14.bmp|dyt15.bmp|dyt16.bmp|dyt17.bmp|dyt18.bmp|dyt19.bmp|dyt20.bmp|dyt21.bmp
6jt.bmp|6jt1.bmp|6jt2.bmp|6jt3.bmp|6jt4.bmp|6jt5.bmp|6jt6.bmp|6jt7.bmp|6jt8.bmp|6jt9.bmp|6jt10.bmp|6jt11.bmp
7jt.bmp|7jt1.bmp|7jt2.bmp|7jt3.bmp|7jt4.bmp|7jt5.bmp|7jt6.bmp|7jt7.bmp|7jt8.bmp|7jt9.bmp|7jt10.bmp|7jt11.bmp|7jt12.bmp|7jt13.bmp|7jt14.bmp|8jt.bmp|8jt1.bmp|8jt2.bmp|8jt3.bmp|8jt4.bmp|8jt5.bmp|8jt6.bmp|8jt7.bmp
12jjt.bmp|12jjt1.bmp|12jjt2.bmp|12jjt3.bmp|12jjt4.bmp
13jjt.bmp|13jjt1.bmp|13jjt2.bmp|13jjt3.bmp|13jjt4.bmp|13jjt5.bmp|13jjt6.bmp|13jjt7.bmp
sy.bmp|sy1.bmp|sy2.bmp|sy3.bmp|sy4.bmp|sy5.bmp|sy6.bmp|sy7.bmp|sy8.bmp|sy9.bmp|sy10.bmp|sy11.bmp|sy12.bmp|sy13.bmp|sy14.bmp|sy15.bmp|sy16.bmp
config.ini
\img.zip
img/0.8.1.2.bmp
img/0.8.1.3.bmp
img/0.8.1.bmp
img/0.8.7.bmp
img/0.8.9.bmp
img/0.9.26.bmp
img/0.9.261.bmp
img/0.9.8.bmp
1%XaF
img/12jjt.bmp
img/12jjt1.bmp
img/12jjt2.bmp
img/12jjt3.bmp
img/12jjt4.bmp
img/13jjt.bmp
img/13jjt1.bmp
img/13jjt2.bmp
img/13jjt3.bmp
img/13jjt4.bmp
img/13jjt5.bmp
img/13jjt6.bmp
img/13jjt7.bmp
img/360dl.bmp
img/6jt.bmp
img/6jt1.bmp
img/6jt10.bmp
img/6jt11.bmp
img/6jt2.bmp
%uj\W\
img/6jt3.bmp
img/6jt4.bmp
img/6jt5.bmp
img/6jt6.bmp
img/6jt7.bmp
img/6jt8.bmp
img/6jt9.bmp
img/7jt.bmp
img/7jt1.bmp
img/7jt10.bmp
img/7jt11.bmp
img/7jt12.bmp
img/7jt13.bmp
img/7jt14.bmp
img/7jt2.bmp
img/7jt3.bmp
img/7jt4.bmp
img/7jt5.bmp
img/7jt6.bmp
img/7jt7.bmp
img/7jt8.bmp
img/7jt9.bmp
img/8jt.bmp
img/8jt1.bmp
img/8jt2.bmp
img/8jt3.bmp
#U\%D
img/8jt4.bmp
img/8jt5.bmp
img/8jt6.bmp
img/8jt7.bmp
img/9b.bmp
img/9b1.bmp
img/9b10.bmp
img/9b11.bmp
img/9b12.bmp
img/9b13.bmp
img/9b14.bmp
img/9b15.bmp
img/9b16.bmp
img/9b17.bmp
img/9b18.bmp
img/9b19.bmp
img/9b2.bmp
img/9b20.bmp
img/9b21.bmp
img/9b22.bmp
img/9b23.bmp
img/9b24.bmp
img/9b25.bmp
img/9b26.bmp
img/9b27.bmp
img/9b28.bmp
img/9b29.bmp
img/9b3.bmp
img/9b30.bmp
img/9b31.bmp
img/9b32.bmp
img/9b33.bmp
img/9b34.bmp
img/9b4.bmp
img/9b5.bmp
img/9b6.bmp
img/9b7.bmp
img/9b8.bmp
img/9b9.bmp
img/anzhidl.bmp
img/anzhidl1.bmp
img/bb.bmp
img/bb1.bmp
img/bb10.bmp
img/bb11.bmp
img/bb2.bmp
img/bb3.bmp
img/bb4.bmp
img/bb5.bmp
img/bb6.bmp
img/bb7.bmp
img/bb8.bmp
img/bb9.bmp
img/bddl.bmp
img/bddlgg.bmp
img/dm.dll
a%cm}
K&%d(p
o'.ue
*%FI)
:Æ/
%DVt[
:.dy8
%d#]]
".nW6?
ys,%D
ql.qC
``NA%U
.Yq*p{;S
^*;%Dk\
[:.hP
.pemm
Jt-p}
.UtWB
ui*%S
.%SS&
.At9qYi;
?wq.RZ
ykT.Dh,
.CJR#.k
T$[%d
X!%UL-^
.WhcO}
2%C~Fw
FC %f
?c.Ou
*%Cj[
;A).bf
Fx].OI
.El#z
]:~%SG
.Hb CO
l1C-
U.yCR
j$
yc.Sc
4~.Mh
%Us@iD*l
nsQl
v.Hyv
M.xg~
.tm^A
`.IBx
T%uas
3.nH@
TL.ug
de%Si3
! U%f
3.uPw 
E.HU{
).dK^
!>.SU
S.rO>
}Q[M%c
.nP>)
gn.Cj
ÎSX3
C.eJb
C|wrf-6D}
.gX"H
e%s[3&^ j
%UM,B
}.xsr
u%u *
yf.bZ
so .Lf
.$.eR
Z.sGM
4.iW4
.do_I
>-.bY>
ja.Sh
~"=%c~FIFeF}
UUr%C
fj%SS
 %XN.
T@%CJ
$.Fre}[_)
C%TÀf
u-7E}
Xk.ET
pfcF%c
X:.Mc
tF.eo
img/DmReg.dll
img/dyt.bmp
img/dyt1.bmp
img/dyt10.bmp
img/dyt11.bmp
img/dyt12.bmp
img/dyt13.bmp
img/dyt14.bmp
img/dyt15.bmp
img/dyt16.bmp
img/dyt17.bmp
img/dyt18.bmp
img/dyt19.bmp
img/dyt2.bmp
img/dyt20.bmp
img/dyt21.bmp
img/dyt2j.bmp
img/dyt2j1.bmp
img/dyt2j10.bmp
img/dyt2j11.bmp
img/dyt2j12.bmp
img/dyt2j13.bmp
img/dyt2j14.bmp
img/dyt2j15.bmp
img/dyt2j16.bmp
img/dyt2j17.bmp
img/dyt2j18.bmp
img/dyt2j19.bmp
img/dyt2j2.bmp
aaBh%c
img/dyt2j20.bmp
img/dyt2j21.bmp
img/dyt2j22.bmp
img/dyt2j3.bmp
img/dyt2j4.bmp
img/dyt2j5.bmp
img/dyt2j6.bmp
img/dyt2j7.bmp
img/dyt2j8.bmp
img/dyt2j9.bmp
img/dyt3.bmp
img/dyt3j.bmp
img/dyt3j1.bmp
img/dyt3j10.bmp
img/dyt3j11.bmp
img/dyt3j12.bmp
img/dyt3j13.bmp
img/dyt3j14.bmp
img/dyt3j15.bmp
img/dyt3j16.bmp
img/dyt3j17.bmp
img/dyt3j18.bmp
img/dyt3j19.bmp
img/dyt3j2.bmp
img/dyt3j20.bmp
img/dyt3j21.bmp
img/dyt3j22.bmp
img/dyt3j23.bmp
img/dyt3j24.bmp
img/dyt3j3.bmp
img/dyt3j4.bmp
img/dyt3j5.bmp
img/dyt3j6.bmp
img/dyt3j7.bmp
img/dyt3j8.bmp
img/dyt3j9.bmp
img/dyt4.bmp
img/dyt5.bmp
img/dyt6.bmp
img/dyt7.bmp
img/dyt8.bmp
img/dyt9.bmp
img/fx.ini
img/gpdl.bmp
img/gpdl1.bmp
img/gpdl2.bmp
img/hwgg.bmp
img/jk.txt
img/jydl.bmp
img/kldl.bmp
img/kpzs.bmp
img/lianxiangdl.bmp
%C`LZR
img/oppodl.bmp
img/sb.bmp
img/sb1.bmp
img/sb10.bmp
img/sb11.bmp
img/sb12.bmp
img/sb3.bmp
img/sb4.bmp
img/sb5.bmp
img/sb6.bmp
img/sb7.bmp
img/sb8.bmp
img/sb9.bmp
img/sbd.bmp
img/sbd1.bmp
img/sbd2.bmp
img/sbd3.bmp
img/sc.txt
img/sjqd.bmp
img/sy.bmp
img/sy.txt
img/sy1.bmp
img/sy10.bmp
img/sy11.bmp
img/sy12.bmp
img/sy13.bmp
img/sy14.bmp
img/sy15.bmp
img/sy16.bmp
img/sy2.bmp
img/sy3.bmp
img/sy4.bmp
img/sy5.bmp
img/sy6.bmp
img/sy7.bmp
img/sy8.bmp
img/sy9.bmp
img/tb.bmp
img/ys.dll
.KOZH
img/yszso.dll
.SWyIYz4
ù<%
i.vhc
U:\kg
%dn?)0
(w\.PGUa
.CE:9
w=5%u
:l.YU
ux.ax6m)w
Rai%CrZ
U.uyV
&.Fh6iK@
.Lk;z
msGa
7%0xlm
}~.iH
.Xz~$<
.tK|W)
.QL_N)=
0.QL_]
%]%SB
2K.zw
O.eo}v
~W.tM
%FvSBx
x#X~%C
Ha.lqn
&S.FJ_k@
4 G%d
o<3%x
.tOr]
8ÿC
q.xnb
n3.Em
1%c&[
6`.OV
;b%s D@
{l.iO
D4.xh
X.xYp
fK.vH
%uhP0
.mi`Ie
7].io
-7}RX 9Qq
dl.oh
F.uw"Mmh
WÆ9
%f-f 
gAc.uC
S<.Mx
T~%fhxI
T.Gjh
4W.zpy
Qg.Zg
GFEf.OI
r%S*2
g%U1?
>.Hd~
3.bmp
A.xnSa
1003DF103B82-9791-4290-9AAB
urlmon.dll
Shlwapi.dll
unrar.dll
URLDownloadToFileA
RARSetPassword
hXXp://VVV.yszso.com/6.html
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVFW32.dll
SkinH_EL.dll
.VXTN)
\.ct}
chttp
VVV.yszso.com
\unrar.dll
9.vrSW
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb
SetThreadExecutionState
GetCPInfo
ADVAPI32.dll
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
0)00070>0
0 00X0
1%2X2g2p2
2 2$2(2,282<2
= =(=0=<=`=
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
win.rar GmbH1
win.rar GmbH0
%u>|Y
hXXps://secure.comodo.net/CPS0C
2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
hXXp://ocsp.comodoca.com0
"COMODO RSA Certification Authority0
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
({d.hu
&linkpassword=
shorturl=
yunpan.cn/lk/
yunpan.cn/share/verifyPassword
yunpan.cn/share/downloadfile/
"downloadurl":"
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
hXXps://
hXXp://
hXXp://api.linkr.net/pan?url=
VBScript.RegExp
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
>1.2.18
A inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
AVIFIL32.dll
WinExec
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINMM.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
OLEAUT32.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Mpr.dll
Advapi32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
1.2.18
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
NULL row buffer for row %ld, pass %d
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning no. %s: %s
keywords
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
#include "l.chs\afxres.rc" // Standard components
#"hJÞ
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD\COC
'  7;-9=-9= 9<(48
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
scripting.FileSystemObject
00:00:00
PJa-Acmd.exe /c del "
cmd.exe /c copy /y
cmd.exe /c move /y
@ping 127.0.0.1 -n 3 >nul
@ping 127.0.0.1 -n 1 >nul
del 123.bat
\123.bat
a.txt
a.txt"
\TEMP.TMP
dm.dmsoft
xml.parste
SetShowErrorMsg
KeyPress
KeyDown
KeyUp
KeyDownChar
KeyUpChar
KeyPressChar
KeyPressStr
SetKeypadDelay
WaitKey
EnumWindowSuper
FindWindowSuper
GetWindowState
SetWindowSize
SetWindowState
EnumIniKey
EnumIniKeyPwd
EnableKeypadMsg
EnableMouseMsg
EnableKeypadPatch
EnableKeypadSync
EnableRealKeypad
@@\config.ini
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SMARTVSD
\\.\PhysicalDrive0
c:\windows\system32\drivers\etc\hosts
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters
VVV.baidu.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
rundll32.exe shell32.dll,Control_RunDLL
Shell.Application
0A\\.\PhysicalDrive
access.cpl
sysdm.cpl
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinter
appwiz.cpl
rundll32.exe diskcopy.dll,DiskCopyRunDll
timedate.cpl
desk.cpl
joy.cpl
mlcfg32.cpl
wgpocpl.cpl
main.cpl
rundll32.exe shell32.dll,Control_RunDLL modem.cpl,,add
mmsys.cpl
rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
rundll32.exe shell32.dll,Control_RunDLL password.cpl
inetcpl.cpl
RunDLL32.exe Shell32.dll,Control_RunDLL StiCpl.cpl
ODBCCP32.CPL
RunDLL32.exe Shell32.dll,Control_RunDLL Telephon.cpl
PowerCfg.cpl
RunDLL32.exe Shell32.dll,Control_RunDLL BdeAdmin.CPL
rundll32.exe shell32.dll,Control_RunDLL
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
wshom.ocx
HTTP\shell\
HTTP\shell\e\command\
https\shell\
https\shell\e\command\
cmd /c netsh interface ip set address
SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\000
x86 Family %d Model %d Stepping %d
Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
Getcpuid
.A\Microsoft\Network\Connections\pbk\rasphone.pbk
hXXp://VVV.ip138.com
Adobe Photoshop CS6 (Windows)
2015:10:03 12:15:46
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.evYk
n%ckwV
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="7779AD3F53E3FF6440D95AEF8F315CC0" xmpMM:InstanceID="xmp.iid:CF36D36B8569E511B5BDDAEBA6AB6A00" xmpMM:OriginalDocumentID="7779AD3F53E3FF6440D95AEF8F315CC0" dc:format="image/jpeg" photoshop:LegacyIPTCDigest="99AB4E8B26354C325BEEBE5330A83A52" photoshop:ColorMode="3" xmp:CreateDate="2015-09-20T23:22:19 08:00" xmp:ModifyDate="2015-10-03T12:15:46 08:00" xmp:MetadataDate="2015-10-03T12:15:46 08:00" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:F6B3407CAE5FE5118E83E9D46D556A47" stEvt:when="2015-09-20T23:44:31 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:CF36D36B8569E511B5BDDAEBA6AB6A00" stEvt:when="2015-10-03T12:15:46 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> <photoshop:DocumentAncestors> <rdf:Bag> <rdf:li>7779AD3F53E3FF6440D95AEF8F315CC0</rdf:li> <rdf:li>AC9A314A193F61A5F5B17B0D06C3687F</rdf:li> </rdf:Bag> </photoshop:DocumentAncestors> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
.Dal.88
<%SHF\
?.IcF
.tO.(6
yl.kC%
^.Wmd
jk0msg
~ssh.
.Rdu,
WW%fKj
900-1000
2000-2199
2200-2399
2400-2599
2600-2799
2800-2999
3000-3199
*.ini
|*.ini
1000000
vs.3.sw
vs.2.sw
ps.3.sw
ps.2.sw
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
0123456789ABCDEF1.0.5
inflate 1.1.4 Copyright 1995-2002 Mark Adler
F%*.*f
SHLWAPI.dll
MPR.dll
y6.pca
WSOCK32.dll
HX%s#
\\.\Scsi0:
icmp.dll
:%d) |
%I64d%s
:0{}%s
:%d)%s
X-X-X-X-X-X
msctls_hotkey32
;3 #>6.&
'2, / 0&7!4-)1#
glViewport
glTexEnvfv
glTexEnvf
\glu32.dll
\Opengl32.dll
glPassThrough
\d3d9.dll
IndexedColor
nFaceIndexes
faceIndexes
FloatKeys
TimedFloatKeys
tfkeys
AnimationKey
keyType
nKeys
keys
nUrls
urls
?.vW@
right-curly-bracket
left-curly-bracket
!snb.sn
c:\%original file name%.exe
hb.Kxf
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
\|p%C 1m
-0}?Q
Z.UGc
|;bx.YW
.%xD~
;7.rL
NEU%X
j.CV|
q- %F
'at@,.kv
'%CKV
Q.fnk
.qpq<
JxZM%C
 l%1X9%4`
}.CxWP6b(
;.Nb:B
C^D%d
ai%F^
#.GgA
.hfzH
EN'.dX
X}=%0X
bq.UKg
p.IDx
%.dV\
SFg7.Ku
9DM^%C=
2H .AcG
E:\*m
Ft.cE
[_JS).mv
w:\sS
g.Izk
,.ge`?uU
tFhny.gm
%Xa$;
ÐoF
.VGRIy6B
Eg.Bw
,:E%F#?
!)h.Ix
.flu"A
.aaR{
4VJ@@'tCp
CC/%X7
.ijH"
d.qUG
w%d!4
.xzoyD
f.HQ0
x/.kv4EW
}c0.YC~<
'V%X 
#X%0X
X%Uz~tx
-!.dVt
.bSy;
[%4sy
.TA*5
K%d;|
R`-R}E
D$$%ud
?UF%SO
'Œ}
.ME,3
uCRt
~.pb)
'w H.YCLZ
d.yl?)
$.Ocg
%.mv{C
.xG*q
D$(h%X}d
2|.tV|V
lP.eu
<.bd&D
vg.cR
2Q8b.tw4
Ûm{
.Zzk-8
e#%xB
1<Y%S
.NMaQ
.KJ;a
&^]8%xU
@I%u)p
=%0X#Z
QE%do
v%ujX
%F|nL
'%Sa4
-%s;b
25.cS
i)h .YW
E.mfu
{E.qi
A.Oxy|d
%uH$z
Y%d_<{Xj
*td?x%X
;.PT"
Z.MxI
1%Fs?<
p;.Ah
n,1%s
.ZQu5
Vp;.yy
-e}\/UC
.tMPI
0%F%l^
D$(.JI
.hqf\
m'.ed
R-Ä
S.PT8
B.Kv<
w.SfC
vq.%C
Q&e.%d
E%Uiqo
}}Y%F
L8%sT
PW.LW
%C&'x
A!8%DWM
c%d%L
K0M.OS8
c.hro
vTCP
AyS %D
k%S6 %
%4XP@
.ZKq3
F.sM_
Jc.xkM
3%d;D
%Cu_j
Fl.TA*5
s.cmP
r%CWn
0<V%d'
.fiI0
a&%us
.EPb`
bT;.IM
3V%FR
.ps]P
Ç"\
E .iM
bx.YW
.sHGs
.zDK%
G.tV|n
-5K%d
S|ØQ(
d%uFN!
pR%d/
6nL %s
.ZnTWme
b.XejE/z
|C.iIW
K<X%C
(.Cz{
2.mD@
rdv×w
QT#3.ES
.CD7{
M.edV
_.ZfP
V%X|mN
~e.tN
.q.Il
,.qX:
=%FlJ`
.MU"=R
=M 0
v-qt}k
8S.Gf
F.leUU$
:.JA1@
/.OA416
n.mDA
l.DYPt
.NE|T
=6".mV
!m
[r
#.JW\2(*m
.Tq,m
%uU9z#
K$.ut
#u3w.jBf&
_(.rN
.iZbS(
3T%U (
xI%UC
:%dor~
y1-NB}M{)
#1.yJ
r%CY@
"h.cVV
F<.cd
.ay"'t
!c%x_
P%U&TxsT
z#PEF%u
.fi^;
:.IM?
`.w.kzl
/p.ZUU
.pU/%
MDcF.hfz@
.ener
h>%SitR
%dv0O
Cl.Dt
H=%Fl
F%Fq#Dja
%xt~?
-5J}{by
k%dWM
2.gQZ2
G[%fx;
'f-B}
"-5ew}D
$.Jg-
q.Mzs
n4.YP
.DK ZP
TcPL
Y"-%c
%SP&Q,
K%c_9
.cNdI
hÁ!
.kV8Z>}
L;I
.iAU}
<oRI%u0
*z.KV
s|%8u
$.MBQ
#.ccZ
}.xm=
R.bmw
c-bH46}
t(rV%u
.hfzPY
v%fKt
9m.oc
r.JA)i
.Ew`z
.pIq|
JM6
nRXiw\V%Xo
.AAfJx
1%FjZo
fG^øf;"
h?%u(
w<R
I.BJ~
).XcJv
>.gmM
8iO.UG
k.gmM
.EJs|
'x:%d
.xj8|5
je.Cb
.tDY>
J.dGAu4
Ô']
>wu.RNat
JE%ss
Ud.edv
.ZoB.
<SC.IP
) _.hu
9i.air
.PsQij
sF.hf
8Û"
L.CKV
%X#Z|
^.dqj8
s5
((%U{f
%f$p<
YurL
C.eMB
u6V%X
syf.mG
M'CvO8|.%d?
\12%f
4.QHgY
s.SËX
<6%X]
eüVBQ
.izzZ
SCRT
%4sS@
O[.iQ
dNÕ
%ch%r7;
P;.qQr
.sK3g)
a4Q.Ly
ecN(%s-@
.hCaI
FK%Cl
.yjuG
5z#%fqa
.Dhs[ocoo
:$>%D
nuser32.dll
u}m.nu
(.QFd
DLah.em
.vB7V
iphlpapi.dll
Tqole32.dll
@.whz
%fs{F
zz_%s
.Cd7J
3_.Dw
86OBg%c
%.Xfm
.ta{~
 1C.fu
.U%S'
#{.zw?
s.Cw6
|r.dM7f
%%FNc
"(.KN
f.gf\
T%X7T"
%xDAB
NBl%D
iJ.wT
NC.fo`
.Vr^MRT}
5`.OK
Ea%fT@
.KDbL.T
%dt66
.yOZy
".Qb_e
bnjo.gYwQDY
.OX2g9M&^
.aygM
r%4xd|
.wp5y#
!d.Yst
W.BT#<
&s.cIqTU
.SanI
eaw|P.hQ4oO
un.KnD
A.QT\
y.xk&
.vaN(r
=.ao>
v/.cA
5M.lR
cexE
h.ug/
*&l.KYj
GHv8.CSEs^}
Kf.To?R&
%uuiQ
&5.qn
c.Uz[
Pt%dN
mn.Ks
4y.qR
..sjs
Ap.oR
%cpLr,
.mzgW
cRT0U
c<.pC
.Uv pDy
L!3zE.VT
i.jD.k
z.SK&r~
H{%%F
c/.rsP
$y&.xv6
.fO).
.vg$n5Y
4QR%f
.ub6s
4UDp*a1
TK%5u
F&.hR
M.MxK\
%u;f.
×Pw
8.DM F:
37.nv
4"m.TMBa
_.ZtmN
UEVE.Ph
'~'}'|'{
w5vpu-t%s
.JqgI
.Yo8A
 .QgU3\
x.QX-
%u/F2
!.qf@
W& %U
8H.vP
bLv.ci
Y.xvW^
Ng.ab
Vc(><%d
)V.sY
[/.pH
.EBR(z
^z%C#
%%u7$
?Bb%S
.qwZu
uDp0x
ex.kG-
4%syB
nce-%U
2R.SV
5%fl!
E|} Z5 %u
~.at55;
z.uf7
k.obs
4.lUV
M(.Ar
/I'V5E`a.Vm|
X.kbp_
Q<%fro
%U?lE"
|R%C&
"yO%U
L\.Xf
.VtB%'~S
.ZlhK'
%XjK 
`j)%C
%cg|.
.iMpBx
.IE0!y
6.FD=
-o
]{_%U
/Uz%X
hc#%s
;=y%Um
9.vZ(
e8/%U
Å3{e
.ck*/i
*%X]=
Vx
{V.AC
>.owZ
Ae-1%u
D.OcFy_
o@{%uh
w6.hy
%dPCD
ql.tk
uGU.oWt
xez%U<X
7N.yeT
%C^.{
GA%x,D
5z%8U
r9.Po%"
X.sqCu
%xT1y
kn/%U}T
D.QE$
.HUVp
Z$`w.GO
ybx.Gf
.Cbmq
~!,V%C
Y_5.zws3f
.vU`;E
"F.Kxem
cJDe.AV
Cl]
`-qy}
R.OuJ`?
.wU=&
=.cjl
~C%dw
-nE}'X
.Uk/w
\%x34t
:7.BF
'-uj}
~_.fP
.iS{U
P.OFA
Z%3S=
%Dyem
].fN#?
MVÛ
?[
>1.UBE
"%d)\
rj.SVK
Vq,.wk*R
B5.rHp
LV.UvT
@zls
.eV<P
%FUH@?
%xUVS
.PVOS
{ BX.um
5^%XS
S.aF,
6q.uQ
0k.dN
!um%UfN
-Mqq}
Q,zx%d
!N.WM
%d 3D
4%X2'5
.OXg9
.yVm3e
..NO("
!9.So:
94.wuPP\9
QD.vgs
MqOv.gF
nj.Kn
,.Tht
,=k%u
.gVRFy
j*5t%D
u.ws}
.hM_b
v/.DAf
\O.BZ
o3u~.sO
]..So
.vxW{
.kHmq
*.mts
76(%f
FWl.Fphg
.cmpe
*.vXa
T.pA2
p.td.l
.fheNd
.bA-t
\<.vf
qw%d=
C.vNPT
.rvXU
.uhyV
.hRWTb
U.GRM
.sE1.}
c.Hs6M
f%c<"pl~
J.td,
.Qu0P
.LQ, }
.su8~aUG
l}P%Ss
x0.iy
.YV@EF
in%Uo
tY.cb
Ge.TR
(.boNhD
~(%4U.
'.Tf&r
a.xAR
M.WL:
5/h.of
: XN%U
(85%-=1!
)93# ;/?
4,$<2*":
3 #;1)!9
(&$" ><:
1/- )'%#
ymsGv
k.oPl
Nj.tJ,
.em b
#lÀ
5%U"m
-J%C^|P
%D^{-
.vF"f8
iA)f%u
' .ir
udpm
UF.gc{
%sEkfFx
n*M=.LIN
.MKZz
.>2"*:4$
,<0 (85%
-=1!)93#
,$<2*":0
 #;1)!9/
&$" ><:8
/- )'%#!
4.qxx
.Fkj)\
.eNnpL
.SoUMP
.oN.o
.oG.o
.oY.o
KW.fklu
74.XuT/o
.Ym6e
.Vw*@
.vtT%
Xc.eZ
:m.IT
/5.YX-
.qlGj
qs%f'
b.%c/
%C'zV,
.Nd(3V
^%7u-
h.Um>s
?Mr%D
{k-r}g
%f)&Z
%f&3<
.dxPf=
}\Qm%F
.nVe"
.FB-9
%s'Wi
%uO=i3Q
gkN29T3%D#
NY.iK
aE?.ct
fTp<e
.Mh3g
6\V.qc
1D&i.roQ
`%8sp
W1%ct
%.u2a
3$5.Re
Pkw;3%X
.sE-{<
-1Id}
KÂRc
J`v.oY
V.KJt
%SGcf
=.qKI
&.qZi
-B2%U
.iMbs
O.bJs
ryF6%D
;RnvA.Iu
,.Sg2
òjU
A}.Iv
iY.fe
%2xaT
.Uf(|
^L.fkz
.Vq|`
.ONz}{U
('.Vdm
5V.qvu
li.aD5
õQ|2
f%xEZ
.hsIu%
LNd.WV
F|%u;
.Pecvh`
<%sV~L
%dj[a
q.IZ,
6bx%Xi
(%sON
@5}Î
C!a.Gs
 l.dD
%srBC
9I_%SX
D.QT\V
gq%sM
"UDpv
pPw%u
.xfJ^
5-%sv
KeYl
M.FWzt
.L$j;%d
.GxPf
7m%d'
-2S{%F
j.vk(@m
z%s8|
.ng#dt
$}.VV
La*ssH%E
<x%.sWw{
\.Qw{a
.AV]@
Xt.aB#4N
_(;q%C
KYz.Gi'{
u)%dp
}%fV`
w"URl
.zv}Q
&.Yn3(
\.GzZ
v.kpi
%U,|0dc
(.bNT%
 e.bh3
@‚f
Br.Mz
\1.nd
%sG\3o
50%f[
0g.Vi
%X)tXYB
V`%f'/db
@n%uI8
/e.jF
$oH%U
H%s}@
XL%D(
.oUNt
%xZg_
cx%f`W
xO-%c
2S.Jd
%%cPY
v_vu>gÚ
1.sqef
.Vw [f/
.HV ;|
]RE.aUo*j
t.Qg-
5%c>1
mDb}V%f
`H{.DG
mU%Dh
J.ShY
|.CUk
%Xt~S
~V.Qg&
E8%s&
-l7}7
dT.HOi0
K<.nDp
,9334`^)
"Tw;%s.
z.Rh-
j.sW#
e.Ns7
v5
%5US]
.Il*gSDq
`a5jQ%C
{%Sjq`
fh.xGy3
z%s!G|
%u7te
h.WwV
9.Ng=
oQ.th
m%xpNo
-Vb}Q
ld.VA
x l%u
qg%CV`
I>%dr
%u[5k
ph.vY
Y.MVs
RX.ut
.PrJ&V}t
z0l.ax
\%Uc9
)%cVx
:[5%U
.xs=w<
}ü?
.ny,k
%F~4v
4:GO.xT
r.CUo
53x%Sl
TQ.lO
z.Rh*
.tg*}
.VIXa
lW%XzR
Î;I
.nh)Eq
O.sDo$
V.Yh&f|
T%CnO^
Ftprn
.FWuw
.exL#
ur.Mm c
jz.Vc
.Cv7I
5.DZH
C.mZ>
h.UI<
S.Vsx
N%c W
(q.Lt#
6i.hJ
%u@E5
c'e%C
r3c4%s
-Y7S}&
X.yOG
f.ts\5
.Xn(@
\%F|.
r-A45H}L
Um%fq$`p
Cl.qj
O1.ig
%fV3"
%6uO@
r.sVB
Å5?
={Ov.fY2
w</%U
B.osh
Sn6p%f
.zAa6
@H!%f
w&.Vu[
%XRb/
&l$t%d
-D}a'o&
.mL- 
t.FXV`
e%sIkf
bJ%uv
v9.CW
`.Qtn
7.SYV
.oz-t
l-$
.cy`5-
%uI=A
jK.Vz
Af%Uz
j%cR!
-%XfS
l.|F%f
H.rDE
W@'%CU
s&b.hV
2a.sZ=
4_wr%d
UÒZ[
oJ`.VI
F{|@.sV
kV%U{
I%7sN
v-%F~
cM-9%x
HC3.DL
%Dz:.
.Ajm&
N%SYHf:
%d^AHB-
Zl.hE
&wr%c
5oz%C
R[.qe
]s.lG
B{.sV
.ea|k
N.mc^
.ec=%f
f.edb
~NRh%X
`i.Nn/Y\
.dspj
\uDPM
/ .qo
s\.Wc
_G%UR
z.qS7
v.gTx
 a.iM
m%xs&
ah.Vcd
6|.Yh%w
h;.Ye
 .fs{
IJk%F
%Dy\w
FP.UN
6v.qP
8%UrN
d"&V%Dh 4
V%X7w
?dg%UE
%dR:#
@^.ar
%5u.^
,~F%d
-Ibp}
.Uh<?
BO.Hd9
%U !0
dGF%s
&b.fh-
.xD)e
_wG[
O.dD~H
#.VqJ[*
g%0XV
xq.WV/
SV&%4s
.rk|Zp
7v.wm1
'zR%S|
VXú
4x7r%fM
=^n.vl
W.OzQ
.Vg|V
.fxier
KeY\5
x.fQ!
-V}/f
|%u7r
vd%.x
A?.Zs
V%f ZL
`3y%Uj
oV%c=^~1
.PsVb
tb.xP8
"urL1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}
{26037A0E-7CBD-4FFF-9C63-56F2D0770214}
1, 0, 6, 6
- Skin.dll
Maximum allowed array size (%u) is exceeded
rtmp%d
Crypt32.dll
WaitForMultipleObjects error %d, GetLastError %d
mscoree.dll
5.30.2
Unrar.dll
(*.*)
1.0.0.0
! !(!!"#")""
>?:)<:>?:)<
>?:)<)>?:<<;>?:
123456789:;
0123456
!! ##%%&&$$''  (**),,,//
(){()))?,
?;<=;,;<]
(/) )-),
]:;<)>?,
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
1.2.0.0

%original file name%.exe_3604_rwx_009B5000_005DB000:

hb.Kxf
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
c:\%original file name%.exe
\|p%C 1m
-0}?Q
Z.UGc
|;bx.YW
.%xD~
;7.rL
NEU%X
j.CV|
q- %F
'at@,.kv
'%CKV
Q.fnk
.qpq<
JxZM%C
 l%1X9%4`
}.CxWP6b(
;.Nb:B
C^D%d
ai%F^
#.GgA
.hfzH
EN'.dX
X}=%0X
bq.UKg
p.IDx
%.dV\
SFg7.Ku
9DM^%C=
2H .AcG
E:\*m
Ft.cE
[_JS).mv
w:\sS
g.Izk
,.ge`?uU
tFhny.gm
%Xa$;
ÐoF
.VGRIy6B
Eg.Bw
,:E%F#?
!)h.Ix
.flu"A
.aaR{
4VJ@@'tCp
CC/%X7
.ijH"
d.qUG
w%d!4
.xzoyD
f.HQ0
x/.kv4EW
}c0.YC~<
'V%X 
#X%0X
X%Uz~tx
-!.dVt
.bSy;
[%4sy
.TA*5
K%d;|
R`-R}E
D$$%ud
?UF%SO
'Œ}
.ME,3
uCRt
~.pb)
'w H.YCLZ
d.yl?)
$.Ocg
%.mv{C
.xG*q
D$(h%X}d
2|.tV|V
lP.eu
<.bd&D
vg.cR
2Q8b.tw4
Ûm{
.Zzk-8
e#%xB
1<Y%S
.NMaQ
.KJ;a
&^]8%xU
@I%u)p
=%0X#Z
QE%do
v%ujX
%F|nL
'%Sa4
-%s;b
25.cS
i)h .YW
E.mfu
{E.qi
A.Oxy|d
%uH$z
Y%d_<{Xj
*td?x%X
;.PT"
Z.MxI
1%Fs?<
p;.Ah
n,1%s
.ZQu5
Vp;.yy
-e}\/UC
.tMPI
0%F%l^
D$(.JI
.hqf\
m'.ed
R-Ä
S.PT8
B.Kv<
w.SfC
vq.%C
Q&e.%d
E%Uiqo
}}Y%F
L8%sT
PW.LW
%C&'x
A!8%DWM
c%d%L
K0M.OS8
c.hro
vTCP
AyS %D
k%S6 %
%4XP@
.ZKq3
F.sM_
Jc.xkM
3%d;D
%Cu_j
Fl.TA*5
s.cmP
r%CWn
0<V%d'
.fiI0
a&%us
.EPb`
bT;.IM
3V%FR
.ps]P
Ç"\
E .iM
bx.YW
.sHGs
.zDK%
G.tV|n
-5K%d
S|ØQ(
d%uFN!
pR%d/
6nL %s
.ZnTWme
b.XejE/z
|C.iIW
K<X%C
(.Cz{
2.mD@
rdv×w
QT#3.ES
.CD7{
M.edV
_.ZfP
V%X|mN
~e.tN
.q.Il
,.qX:
=%FlJ`
.MU"=R
=M 0
v-qt}k
8S.Gf
F.leUU$
:.JA1@
/.OA416
n.mDA
l.DYPt
.NE|T
=6".mV
!m
[r
#.JW\2(*m
.Tq,m
%uU9z#
K$.ut
#u3w.jBf&
_(.rN
.iZbS(
3T%U (
xI%UC
:%dor~
y1-NB}M{)
#1.yJ
r%CY@
"h.cVV
F<.cd
.ay"'t
!c%x_
P%U&TxsT
z#PEF%u
.fi^;
:.IM?
`.w.kzl
/p.ZUU
.pU/%
MDcF.hfz@
.ener
h>%SitR
%dv0O
Cl.Dt
H=%Fl
F%Fq#Dja
%xt~?
-5J}{by
k%dWM
2.gQZ2
G[%fx;
'f-B}
"-5ew}D
$.Jg-
q.Mzs
n4.YP
.DK ZP
TcPL
Y"-%c
%SP&Q,
K%c_9
.cNdI
hÁ!
.kV8Z>}
L;I
.iAU}
<oRI%u0
*z.KV
s|%8u
$.MBQ
#.ccZ
}.xm=
R.bmw
c-bH46}
t(rV%u
.hfzPY
v%fKt
9m.oc
r.JA)i
.Ew`z
.pIq|
JM6
nRXiw\V%Xo
.AAfJx
1%FjZo
fG^øf;"
h?%u(
w<R
I.BJ~
).XcJv
>.gmM
8iO.UG
k.gmM
.EJs|
'x:%d
.xj8|5
je.Cb
.tDY>
J.dGAu4
Ô']
>wu.RNat
JE%ss
Ud.edv
.ZoB.
<SC.IP
) _.hu
9i.air
.PsQij
sF.hf
8Û"
L.CKV
%X#Z|
^.dqj8
s5
((%U{f
%f$p<
YurL
C.eMB
u6V%X
syf.mG
M'CvO8|.%d?
\12%f
4.QHgY
s.SËX
<6%X]
eüVBQ
.izzZ
SCRT
%4sS@
O[.iQ
dNÕ
%ch%r7;
P;.qQr
.sK3g)
a4Q.Ly
ecN(%s-@
.hCaI
FK%Cl
.yjuG
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

%original file name%.exe_3604_rwx_01C59000_00001000:

\Windows\system32\cmd.exe
nClass{3FD224BA-8556-47fb-B260-3E451BAE2793}


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The sandbox recorded no child processes; the only process to end is the sample itself, %original file name%.exe (PID 3604 in this analysis), into which the Trojan injects its code.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\img\9b14.bmp (516 bytes)
    C:\img\9b9.bmp (516 bytes)
    C:\img\7jt1.bmp (372 bytes)
    C:\img\dyt2j.bmp (516 bytes)
    C:\img\哥布林.bmp (612 bytes) [goblin]
    C:\img\bb7.bmp (1 bytes)
    C:\img\bb8.bmp (1 bytes)
    C:\img\ys.dll (1856 bytes)
    C:\img\sy9.bmp (180 bytes)
    C:\img\9b20.bmp (436 bytes)
    C:\img\sy10.bmp (184 bytes)
    C:\img\0.8.1.2.bmp (852 bytes)
    C:\img\fx.ini (4 bytes)
    C:\img\sy15.bmp (180 bytes)
    C:\img\初始化.bmp (1 bytes) [initialise]
    C:\img\dyt16.bmp (144 bytes)
    C:\img\dyt2j1.bmp (444 bytes)
    C:\img\gpdl1.bmp (996 bytes)
    C:\img\dyt2j15.bmp (552 bytes)
    C:\img\9b7.bmp (524 bytes)
    C:\img\法师.bmp (532 bytes) [wizard]
    C:\img\天使.bmp (564 bytes) [angel]
    C:\img\dyt2j19.bmp (564 bytes)
    C:\img\dyt3j11.bmp (420 bytes)
    C:\img\gpdl.bmp (864 bytes)
    C:\img\9b17.bmp (436 bytes)
    C:\img\dyt2j4.bmp (516 bytes)
    C:\img\0.8.7.bmp (532 bytes)
    C:\img\dyt3j21.bmp (252 bytes)
    C:\img\sb7.bmp (340 bytes)
    C:\img\巨人.bmp (804 bytes) [giant]
    C:\img\9b18.bmp (480 bytes)
    C:\img\sb4.bmp (340 bytes)
    C:\img\13jjt5.bmp (228 bytes)
    C:\img\女王.bmp (700 bytes) [queen]
    C:\img\6jt1.bmp (324 bytes)
    C:\img\收兵4.bmp (432 bytes) [collect troops 4]
    C:\img\12jjt4.bmp (252 bytes)
    C:\img\9b26.bmp (364 bytes)
    C:\img\dyt.bmp (148 bytes)
    C:\img\7jt4.bmp (372 bytes)
    C:\img\回营1.bmp (628 bytes) [return to camp 1]
    C:\img\9b13.bmp (436 bytes)
    C:\img\sy7.bmp (204 bytes)
    C:\img\dyt10.bmp (132 bytes)
    C:\img\bb9.bmp (1 bytes)
    C:\img\13jjt7.bmp (300 bytes)
    C:\img\sy3.bmp (204 bytes)
    C:\img\9b5.bmp (516 bytes)
    C:\img\bb4.bmp (1 bytes)
    C:\img\炸弹.bmp (924 bytes) [bomb]
    C:\img\dyt15.bmp (144 bytes)
    C:\img\dyt3j17.bmp (252 bytes)
    C:\img\dyt11.bmp (144 bytes)
    C:\img\12jjt.bmp (244 bytes)
    C:\img\dyt2j17.bmp (588 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\img.zip (2 bytes)
    C:\img\sbd2.bmp (396 bytes)
    C:\img\9b10.bmp (436 bytes)
    C:\img\0.9.261.bmp (540 bytes)
    C:\img\dyt3j18.bmp (276 bytes)
    C:\img\蛮王.bmp (1 bytes) [barbarian king]
    C:\img\dyt13.bmp (164 bytes)
    C:\img\hwgg.bmp (700 bytes)
    C:\img\dyt2j13.bmp (624 bytes)
    C:\img\7jt11.bmp (348 bytes)
    C:\img\9b19.bmp (468 bytes)
    C:\img\6jt.bmp (300 bytes)
    C:\img\半2.bmp (144 bytes) [half 2]
    C:\img\9b21.bmp (404 bytes)
    C:\img\9b28.bmp (420 bytes)
    C:\img\dyt2j2.bmp (516 bytes)
    C:\img\9b32.bmp (436 bytes)
    C:\img\收兵5.bmp (324 bytes) [collect troops 5]
    C:\img\8jt3.bmp (324 bytes)
    C:\img\9b31.bmp (524 bytes)
    C:\img\6jt10.bmp (420 bytes)
    C:\img\6jt9.bmp (344 bytes)
    C:\img\jk.txt (104 bytes)
    C:\img\7jt8.bmp (324 bytes)
    C:\img\kldl.bmp (480 bytes)
    C:\img\女王技能.bmp (616 bytes) [queen ability]
    C:\img\9b6.bmp (564 bytes)
    C:\img\sy6.bmp (184 bytes)
    C:\img\dyt3j4.bmp (448 bytes)
    C:\img\dyt2j7.bmp (552 bytes)
    C:\img\农民.bmp (660 bytes) [villager]
    C:\img\jydl.bmp (588 bytes)
    C:\img\dyt3j3.bmp (588 bytes)
    C:\img\9b3.bmp (564 bytes)
    C:\img\7jt13.bmp (344 bytes)
    C:\img\dyt2j11.bmp (564 bytes)
    C:\img\bddl.bmp (760 bytes)
    C:\img\sb6.bmp (308 bytes)
    C:\img\dyt3j8.bmp (552 bytes)
    C:\img\dyt3j24.bmp (276 bytes)
    C:\img\gpdl2.bmp (404 bytes)
    C:\img\6jt3.bmp (396 bytes)
    C:\img\sy13.bmp (164 bytes)
    C:\img\dyt6.bmp (132 bytes)
    C:\img\dyt2j8.bmp (516 bytes)
    C:\img\皮卡超人.bmp (564 bytes) [P.E.K.K.A]
    C:\img\dyt3j9.bmp (468 bytes)
    C:\img\6jt2.bmp (304 bytes)
    C:\img\关闭右上角.bmp (968 bytes) [close button, top-right corner]
    C:\img\收兵.bmp (516 bytes) [collect troops]
    C:\img\bb6.bmp (1 bytes)
    C:\img\dyt2j18.bmp (516 bytes)
    C:\img\9b8.bmp (684 bytes)
    C:\img\回营.bmp (372 bytes) [return to camp]
    C:\img\dyt19.bmp (144 bytes)
    C:\img\8jt6.bmp (372 bytes)
    C:\img\sb3.bmp (372 bytes)
    C:\img\8jt4.bmp (372 bytes)
    C:\img\anzhidl.bmp (968 bytes)
    C:\img\lianxiangdl.bmp (468 bytes)
    C:\img\9b30.bmp (420 bytes)
    C:\img\dyt3j22.bmp (300 bytes)
    C:\img\bb.bmp (1 bytes)
    C:\img\闪电法术.bmp (876 bytes) [lightning spell]
    C:\img\幽灵.bmp (660 bytes) [ghost]
    C:\img\7jt7.bmp (304 bytes)
    C:\img\推荐配置\8本传统打鱼模式.ini (3 bytes) [recommended configs\TH8 traditional farming ("fishing") mode]
    C:\img\dyt2j6.bmp (588 bytes)
    C:\img\sb10.bmp (372 bytes)
    C:\img\推荐配置\（推荐）8、9、10、11主流低杯刷外置本模式！.ini (4 bytes) [recommended configs\(recommended) TH8/9/10/11 mainstream low-trophy outer-base farming mode!]
    C:\img\dyt3j5.bmp (480 bytes)
    C:\img\dyt4.bmp (148 bytes)
    C:\img\8jt1.bmp (324 bytes)
    C:\img\dyt2j20.bmp (588 bytes)
    C:\img\dyt2j10.bmp (516 bytes)
    C:\img\bb3.bmp (1 bytes)
    C:\img\初始化4.bmp (480 bytes) [initialise 4]
    C:\img\6jt8.bmp (324 bytes)
    C:\img\sy.bmp (228 bytes)
    C:\img\搜索.bmp (1 bytes) [search]
    C:\img\法师1.bmp (404 bytes) [wizard 1]
    C:\img\sjqd.bmp (480 bytes)
    C:\img\8jt7.bmp (372 bytes)
    C:\img\dyt21.bmp (144 bytes)
    C:\img\支持库.ini (70 bytes) [support library]
    C:\img\野猪.bmp (708 bytes) [boar]
    C:\img\sy1.bmp (180 bytes)
    C:\img\12jjt2.bmp (196 bytes)
    C:\img\7jt5.bmp (324 bytes)
    C:\img\dyt3j16.bmp (372 bytes)
    C:\img\弓箭手.bmp (588 bytes) [archer]
    C:\img\dyt3j15.bmp (252 bytes)
    C:\img\sb12.bmp (340 bytes)
    C:\img\初始化2.bmp (1 bytes) [initialise 2]
    C:\img\7jt10.bmp (324 bytes)
    C:\img\9b16.bmp (500 bytes)
    C:\img\sb11.bmp (340 bytes)
    C:\img\0.9.8.bmp (628 bytes)
    C:\img\dyt3j19.bmp (392 bytes)
    C:\img\dyt12.bmp (144 bytes)
    C:\img\dyt2j9.bmp (732 bytes)
    C:\img\sb1.bmp (372 bytes)
    C:\img\推荐配置\6本推荐配置.ini (2 bytes) [recommended configs\TH6 recommended config]
    C:\img\8jt5.bmp (324 bytes)
    C:\img\13jjt4.bmp (196 bytes)
    C:\img\bb10.bmp (1 bytes)
    C:\img\sc.txt (1 bytes)
    C:\img\推荐配置\9本传统打鱼模式.ini (3 bytes) [recommended configs\TH9 traditional farming ("fishing") mode]
    C:\img\dyt3j1.bmp (500 bytes)
    C:\img\9b34.bmp (364 bytes)
    C:\img\9b33.bmp (372 bytes)
    C:\img\dm.dll (34186 bytes)
    C:\img\9b11.bmp (436 bytes)
    C:\img\dyt8.bmp (144 bytes)
    C:\img\6jt6.bmp (348 bytes)
    C:\img\9b15.bmp (468 bytes)
    C:\img\bb5.bmp (1 bytes)
    C:\img\6jt11.bmp (420 bytes)
    C:\img\9b2.bmp (516 bytes)
    C:\img\13jjt6.bmp (224 bytes)
    C:\img\搜索1.bmp (480 bytes) [search 1]
    C:\img\dyt2j14.bmp (500 bytes)
    C:\img\sy4.bmp (180 bytes)
    C:\img\9b1.bmp (552 bytes)
    C:\img\dyt9.bmp (164 bytes)
    C:\img\收兵3.bmp (364 bytes) [collect troops 3]
    C:\img\9b23.bmp (516 bytes)
    C:\img\7jt2.bmp (348 bytes)
    C:\img\训练1.bmp (404 bytes) [train 1]
    C:\img\sy14.bmp (164 bytes)
    C:\img\推荐配置\10传统打鱼模式.ini (3 bytes) [recommended configs\TH10 traditional farming ("fishing") mode]
    C:\img\7jt6.bmp (444 bytes)
    C:\img\dyt2j12.bmp (552 bytes)
    C:\img\9b25.bmp (336 bytes)
    C:\img\初始化3.bmp (984 bytes) [initialise 3]
    C:\img\气球.bmp (448 bytes) [balloon]
    C:\img\9b27.bmp (420 bytes)
    C:\img\野蛮人.bmp (656 bytes) [barbarian]
    C:\img\bb2.bmp (1 bytes)
    C:\img\sy11.bmp (204 bytes)
    C:\img\9b.bmp (468 bytes)
    C:\img\7jt3.bmp (372 bytes)
    C:\img\dyt2j16.bmp (552 bytes)
    C:\img\dyt17.bmp (148 bytes)
    C:\img\7jt14.bmp (372 bytes)
    C:\img\bddlgg.bmp (1 bytes)
    C:\img\13jjt2.bmp (224 bytes)
    C:\img\9b22.bmp (420 bytes)
    C:\img\0.8.1.bmp (644 bytes)
    C:\img\360dl.bmp (784 bytes)
    C:\img\sy5.bmp (180 bytes)
    C:\img\bb1.bmp (1 bytes)
    C:\img\dyt3j7.bmp (364 bytes)
    C:\img\13jjt.bmp (244 bytes)
    C:\img\6jt5.bmp (372 bytes)
    C:\img\13jjt1.bmp (204 bytes)
    C:\img\dyt1.bmp (144 bytes)
    C:\img\9b4.bmp (612 bytes)
    C:\img\DmReg.dll (1552 bytes)
    C:\img\0.8.1.3.bmp (732 bytes)
    C:\img\初始化1.bmp (1 bytes) [initialise 1]
    C:\img\敌军突袭.bmp (476 bytes) [enemy raid]
    C:\img\anzhidl1.bmp (588 bytes)
    C:\img\8jt2.bmp (372 bytes)
    C:\img\dyt2j21.bmp (552 bytes)
    C:\img\6jt4.bmp (324 bytes)
    C:\img\7jt12.bmp (324 bytes)
    C:\img\dyt20.bmp (144 bytes)
    C:\img\dyt3j2.bmp (364 bytes)
    C:\img\dyt3j14.bmp (364 bytes)
    C:\img\dyt3j6.bmp (604 bytes)
    C:\img\dyt3j10.bmp (480 bytes)
    C:\img\7jt.bmp (324 bytes)
    C:\img\9b29.bmp (372 bytes)
    C:\img\dyt18.bmp (132 bytes)
    C:\img\sbd3.bmp (304 bytes)
    C:\img\dyt3j13.bmp (500 bytes)
    C:\img\dyt2j22.bmp (552 bytes)
    C:\img\sbd.bmp (444 bytes)
    C:\img\dyt3j23.bmp (280 bytes)
    C:\img\6jt7.bmp (348 bytes)
    C:\img\dyt3.bmp (164 bytes)
    C:\img\dyt3j.bmp (308 bytes)
    C:\img\搜索护盾.bmp (1 bytes) [search for shield]
    C:\img\sb5.bmp (340 bytes)
    C:\img\7jt9.bmp (448 bytes)
    C:\img\sb.bmp (372 bytes)
    C:\img\bb11.bmp (1 bytes)
    C:\img\9b12.bmp (436 bytes)
    C:\img\训练.bmp (304 bytes) [train]
    C:\img\yszso.dll (27704 bytes)
    C:\img\sy8.bmp (164 bytes)
    C:\img\oppodl.bmp (804 bytes)
    C:\img\dyt14.bmp (144 bytes)
    C:\img\13jjt3.bmp (212 bytes)
    C:\img\训练2.bmp (336 bytes) [train 2]
    C:\img\sbd1.bmp (504 bytes)
    C:\img\蛮王技能.bmp (484 bytes) [barbarian king ability]
    C:\img\8jt.bmp (324 bytes)
    C:\img\半3.bmp (180 bytes) [half 3]
    C:\img\飞龙.bmp (768 bytes) [dragon]
    C:\img\sy2.bmp (204 bytes)
    C:\img\0.9.26.bmp (636 bytes)
    C:\img\sy.txt (444 bytes)
    C:\img\dyt7.bmp (132 bytes)
    C:\img\半1.bmp (156 bytes) [half 1]
    C:\img\sy16.bmp (184 bytes)
    C:\img\0.8.9.bmp (468 bytes)
    C:\img\tb.bmp (1 bytes)
    C:\img\sy12.bmp (180 bytes)
    C:\img\推荐配置\7本推荐配置.ini (2 bytes) [recommended configs\TH7 recommended config]
    C:\img\dyt2.bmp (132 bytes)
    C:\img\sb9.bmp (372 bytes)
    C:\img\收兵1.bmp (564 bytes) [collect troops 1]
    C:\img\12jjt1.bmp (228 bytes)
    C:\img\dyt3j20.bmp (276 bytes)
    C:\img\sb8.bmp (372 bytes)
    C:\img\dyt2j3.bmp (480 bytes)
    C:\img\dyt3j12.bmp (744 bytes)
    C:\img\9b24.bmp (420 bytes)
    C:\img\捐兵.bmp (372 bytes) [donate troops]
    C:\img\收兵2.bmp (560 bytes) [collect troops 2]
    C:\img\dyt5.bmp (148 bytes)
    C:\img\kpzs.bmp (468 bytes)
    C:\img\dyt2j5.bmp (552 bytes)
    C:\img\12jjt3.bmp (224 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
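The non-ASCII file names dropped under C:\img\ are GBK-encoded Chinese names that the sandbox rendered byte-for-byte as Latin-1, so they appear on the page as strings such as ¸ç²¼ÁÖ. The following Python is an added example and is not part of the Lavasoft report. It assumes (my assumption, not something the report states) that every character in U+0080..U+00FF stands for one raw byte with that code, and that a character at U+0100 or above stands for the UTF-8 bytes that encode it, which is how a lenient decoder produces ѵ from the bytes D1 B5. A character in U+0080..U+00FF is ambiguous (it could also be a two-byte UTF-8 run, e.g. C3 B1 shown as ñ), so the function takes the raw-byte reading and fails closed instead of guessing; a name that trips that case has to be decoded by hand. Decoded, the names are Clash of Clans troop and spell names (goblin, archer, barbarian, dragon, P.E.K.K.A) and town-hall configuration presets, which says more about what this binary does than the heuristic detection names do.

```python
from typing import Optional

# Added example, not part of the Lavasoft report. Assumption: the sandbox read
# the GBK file names byte-for-byte as Latin-1, and wherever a run of those bytes
# happened to be valid UTF-8 the page shows the character that run encodes
# (U+0100 and above). Reversing that means re-emitting each character as the
# byte(s) it came from and then decoding the recovered bytes as GBK.

def mojibake_to_bytes(text: str) -> bytes:
    """Re-emit each displayed character as the raw byte(s) behind it."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp < 0x100:
            out.append(cp)             # one raw byte shown as a Latin-1 character
        else:
            out += ch.encode("utf-8")  # a run of raw bytes that decoded as UTF-8
    return bytes(out)


def repair_gbk_name(text: str) -> Optional[str]:
    """Recover the GBK text behind a mojibake name, or None if it does not decode.

    Characters in U+0080..U+00FF are ambiguous (a raw byte, or a 2-byte UTF-8
    run such as C3 B1 -> 'ñ'); this always takes the raw-byte reading and fails
    closed rather than guess, so such names must be checked by hand.
    """
    try:
        return mojibake_to_bytes(text).decode("gbk")
    except UnicodeDecodeError:
        return None


def repair_path(path: str) -> str:
    """Repair each component of a Windows path; components that do not decode are kept as-is."""
    parts = []
    for part in path.split("\\"):
        fixed = repair_gbk_name(part)
        parts.append(fixed if fixed is not None else part)
    return "\\".join(parts)


# Constructed sample: names copied from the report's file list, written as
# escapes so the exact code points survive copy-paste, plus one ASCII name
# that must pass through unchanged.
SAMPLE_PATHS = [
    "C:\\img\\\u00b8\u00e7\u00b2\u00bc\u00c1\u00d6.bmp",            # shown on the page as ¸ç²¼ÁÖ.bmp
    "C:\\img\\\u0475\u00c1\u00b7.bmp",                               # shown as ѵÁ·.bmp (ѵ is U+0475)
    "C:\\img\\\u00cd\u00c6\u00bc\u00f6\u00c5\u00e4\u00d6\u00c3\\"
    "7\u00b1\u00be\u00cd\u00c6\u00bc\u00f6\u00c5\u00e4\u00d6\u00c3.ini",  # ÍÆ¼öÅäÖÃ\7±¾ÍƼöÅäÖÃ.ini
    "C:\\img\\dm.dll",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", repair_path(p))
```

Run it on the full file list of a report and anything that comes back as None is either an ambiguous two-byte case or not GBK at all; both are worth a manual look rather than a silent guess, because a wrong byte alignment can still decode to plausible-looking but unrelated characters.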
