Trojan.Win32.FlyStudio_dafa0a7d34

by malwarelabrobot on May 29th, 2017 in Malware Descriptions.

Trojan.GenericKD.5071105 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.GenericKD.5071105 (B) (Emsisoft), Artemis!DAFA0A7D349B (McAfee), Trojan.Gen.8!cloud (Symantec), Trojan.GenericKD.5071105 (FSecure), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: dafa0a7d349b5e34d97844f59209029f
SHA1: 4394401f865b9f4434ecaf439cc4783fea6478cb
SHA256: 08066163630d170451e8facb445cf943d22c8aec64dfbaf5d76c3c55be03cb11
SSDeep: 98304:RWfuCd82awmp//oxQeUCz9jHtd/ yxaWkxDi dWNsw4YNiTDwMTBWAcVvZY WrB5:RrDwg/nepb/VaYDMTk8oZnW15
Size: 4556288 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-13 03:32:22
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

MaohaWifiSvr.exe:4080
MaohaWifiSvr.exe:768
MaoHaWiFiSetup_239.exe:1980

The Trojan injects its code into the following process(es):

%original file name%.exe:452
Explorer.EXE:284

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process MaohaWifiSvr.exe:768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1496 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1480 bytes)
%Program Files%\Maoha\MaohaAP\maohasubstat.dll (163 bytes)
%Program Files%\Maoha\MaohaAP\tipsdll.dll (237 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaCD.dll (53 bytes)
C:\Windows\Temp\TarECA0.tmp (2712 bytes)
%Program Files%\Maoha\MaohaAP\Updater\CheckUpdate.dll (258 bytes)
C:\Windows\Temp\CabEC9F.tmp (48 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\TarECA0.tmp (0 bytes)
C:\Windows\Temp\CabEC9F.tmp (0 bytes)

The process MaoHaWiFiSetup_239.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Maoha\MaohaAP\gzipdll.dll (306 bytes)
%Program Files%\Maoha\MaohaAP\APDefault.ini (2 bytes)
%Program Files%\Maoha\MaohaAP\WifiDhcpSvr.dll (214 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\driver\maohawifipronat64.cat (14 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\app_tj.png (723 bytes)
%Program Files%\Maoha\MaohaAP\ICSDHCP.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1 bytes)
%Program Files%\Maoha\MaohaAP\Uninst.dar0 (1 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiWin7.dll (264 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\logo.png (17 bytes)
%Program Files%\Maoha\MaohaAP\driver\WifiProNat64.inf (3 bytes)
%Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys (43 bytes)
%Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat.sys (38 bytes)
%Program Files%\Maoha\MaohaAP\MaohaDevMng.dll (195 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.bat (24 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverInstall_X64.exe (115 bytes)
%Program Files%\Maoha\MaohaAP\RaWifi.dll (185 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.reg (15 bytes)
%Program Files%\Maoha\MaohaAP\driver\WifiProNat.inf (3 bytes)
%Program Files%\Maoha\MaohaAP\ICSDHCP.dll (618 bytes)
%Program Files%\Maoha\MaohaAP\res\support.dat (35 bytes)
%Program Files%\Maoha\MaohaAP\7z.dll (921 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)
%Program Files%\Maoha\MaohaAP\maohasubstat.dll (162 bytes)
%Program Files%\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe (538 bytes)
%Program Files%\Maoha\MaohaAP\drv64\drv64.exe (194 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.bat (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1194 bytes)
%Program Files%\Maoha\MaohaAP\dt.exe (13 bytes)
%Program Files%\Maoha\MaohaAP\uninstall.dll (1200 bytes)
%Program Files%\Maoha\MaohaAP\ext\5.dll (27 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiBase.dll (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaCD.dll (50 bytes)
%Program Files%\Maoha\MaohaAP\maohawificfg.ini (60 bytes)
%Program Files%\Maoha\MaohaAP\MyTheme.dll (134 bytes)
%Program Files%\Maoha\MaohaAP\Updater\CheckUpdate.dll (256 bytes)
%Program Files%\Maoha\MaohaAP\ResLoader.dll (112 bytes)
%Program Files%\Maoha\MaohaAP\ext\6.dll (70 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\卸载MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\welcome\index.html (6 bytes)
%Program Files%\Maoha\MaohaAP\ext\3.dll (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBB73.tmp (2712 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe (340 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.reg (16 bytes)
%Program Files%\Maoha\MaohaAP\tipsdll.dll (237 bytes)
%Program Files%\Maoha\MaohaAP\WifiHelp64.exe (71 bytes)
%Program Files%\Maoha\MaohaAP\pcidetect.dll (238 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\litlogo.png (1 bytes)
%Program Files%\Maoha\MaohaAP\drv64\DIFxAPI.dll (519 bytes)
%Program Files%\Maoha\MaohaAP\softconfig.dll (1595 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\app_logo.png (10 bytes)
%Program Files%\Maoha\MaohaAP\SmartAction.dll (426 bytes)
%Program Files%\Maoha\MaohaAP\RaAPAPI.dll (1 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiXP.dll (157 bytes)
%Program Files%\Maoha\MaohaAP\res\MaohaWiFiDir.ico (226 bytes)
%Program Files%\Maoha\MaohaAP\Uninst.dar1 (18 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys (618 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverTool.dll (112 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverInstall.exe (101 bytes)
%Program Files%\Maoha\MaohaAP\YunExplorer.exe (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (692 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet64.sys (1 bytes)
%Program Files%\Maoha\MaohaAP\ApSetting.ini (487 bytes)
%Program Files%\Maoha\MaohaAP\tips.exe (569 bytes)
%Program Files%\Maoha\MaohaAP\DIFxAPI.dll (323 bytes)
%Program Files%\Maoha\MaohaAP\res\MaohaWiFi.ico (226 bytes)
%Program Files%\Maoha\MaohaAP\SkinBase.dll (125 bytes)
%Program Files%\Maoha\MaohaAP\PhonetypeData.dat (24 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWiFi.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBB72.tmp (51 bytes)
%Program Files%\Maoha\MaohaAP\res\Skin\Skin.rdb (260 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\info.png (9 bytes)
%Program Files%\Maoha\MaohaAP\Uninstall.exe (1399 bytes)
%Program Files%\Maoha\MaohaAP\ext\1.dll (23 bytes)
%Program Files%\Maoha\MaohaAP\HWID.ini (11 bytes)
%Program Files%\Maoha\MaohaAP\ext\4.dll (18 bytes)
%Program Files%\Maoha\MaohaAP\pcid.dll (244 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\MaohaWiFi.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBB72.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBB73.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\install[1].htm (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\d9yhteb3 (701 bytes)
C:\MaoHaWiFiSetup_239.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mF_tbhuabao[1].css (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea11[1].js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\head-menu-nav-last-ico[1].png (309 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\thea15[1].js (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\414_la[1].htm (12689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493363312352688[1].jpg (20237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1121_la[1].htm (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\global[1].css (43043 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea9[1].js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\thea7[1].js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\style[1].css (19041 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\thea10[1].js (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\myfocus-2.0.4.min[1].js (7600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\10798297[1].gif (4533 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493362336663248[1].png (3678 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\cat-sp-ico[1].png (397 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1493835388636138[1].png (2722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mF_tbhuabao[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493633016839033[1].jpg (6644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1493623473579853[1].jpg (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\thea6[1].js (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\b2de0eca077a3da0efcb2b3e919bea16[1].png (2160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1493635427127283[1].png (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea8[1].js (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\notimg[1].gif (2 bytes)

Registry activity

The process MaohaWifiSvr.exe:4080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\IconCache.db,"

The process MaohaWifiSvr.exe:768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process MaoHaWiFiSetup_239.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"URLInfoAbout" = "http://www.maohawifi.com/"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"Version" = "100080010"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"UninstallString" = "%Program Files%\Maoha\MaohaAP\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"Publisher" = "深圳市猫哈网络科技发展有限公司"
"EstimatedSize" = "11514"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"AppPath" = "%Program Files%\Maoha\MaohaAP"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayVersion" = "1.0.8.10"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"HelpLink" = "http://www.maohawifi.com/"

[HKCU\Software\Maoha\MaohaAP]
"AppPath" = "%Program Files%\Maoha\MaohaAP"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayIcon" = "%Program Files%\Maoha\MaohaAP\MaohaWiFi.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Maoha\MaohaAP]
"UnionID" = "239"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"NoModify" = "1"
"InstallLocation" = "%Program Files%\Maoha\MaohaAP"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayName" = "MaohaWiFi"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Maoha\MaohaAP]
"Version" = "100080010"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"InstallDate" = "20170528"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_239_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"NoRepair" = "1"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"UnionID" = "239"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9806E6A6EDD930EACE7A36FBDDD36CC84780F2C4]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 A6 38 51 59"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"9806E6A6EDD930EACE7A36FBDDD36CC84780F2C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dafa0a7d349b5e34d97844f59209029f_RASAPI32]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys", the Trojan controls system registry operations by installing a registry notifier.
Using the driver ROOTKITPATH the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 2338816 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 2342912 4526080 4524544 5.41553 6641f0fdeffac7217b420e22e2e0529c
.rsrc 6868992 32768 30720 2.84817 2a9efdfcf4883e8d5f8a4fbfaa7af941

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /downloads/liming2/HNInstall_Setup_1329860342_liming2_001.exe HTTP/1.1
Host: d.heinote.com
Accept: */*
Referer: hXXp://d.heinote.com/downloads/liming2
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close


HTTP/1.1 200 OK
Server: NWS_TCloud_S1
Connection: close
Date: Sun, 28 May 2017 13:23:07 GMT
Cache-Control: max-age=600
Expires: Sun, 28 May 2017 13:33:07 GMT
Last-Modified: Wed, 26 Apr 2017 18:59:47 GMT
Content-Type: application/octet-stream
Content-Length: 9615952
X-NWS-LOG-UUID: 276a4bcf-289d-4c67-ad19-01d966c86d5f
Content-Disposition: attachment; filename="HNInstall_Setup_1329860342_liming2_001.exe"
X-Cache-Lookup: Hit From Disktank3
Accept-Ranges: bytes
<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.1121.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 248
Content-Type: text/html
Last-Modified: Fri, 26 May 2017 18:02:57 GMT
Accept-Ranges: bytes
ETag: "fdf2614e4ad6d21:0"
Server: Microsoft-IIS/8.5
Set-Cookie: safedog-flow-item=; expires=bad allocation, 28-May-2017 15:59:37 GMT; domain=1121.la; path=/
Date: Sun, 28 May 2017 13:23:37 GMT


GET /soft/mhwifi/MaoHaWiFiSetup_239.exe HTTP/1.1
Host: res.maoha.com
Accept: */*
Referer: hXXp://res.maoha.com/soft/mhwifi
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close


HTTP/1.1 200 OK
Date: Sun, 28 May 2017 13:23:07 GMT
Content-Length: 5223968
Content-Type: stream
Last-Modified: Fri, 02 Dec 2016 08:05:08 GMT
Accept-Ranges: bytes
ETag: "5c9c61cc724cd21:2cac"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Via: 1.1 jxdx77:2 (Cdn Cache Server V2.0)[107 200 2], 1.1 ml34:0 (Cdn Cache Server V2.0)[641 200 0]
Connection: close

<<< skipped >>>

GET / HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 180935
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.2.17
Set-Cookie: safedog-flow-item=; expires=bad allocation, 28-May-2017 15:59:39 GMT; domain=414.la; path=/
Date: Sun, 28 May 2017 13:23:39 GMT

<<< skipped >>>

GET /skin/iqshwcomm_v2014/css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 8208
Content-Type: text/css
Content-Encoding: gzip
Last-Modified: Mon, 24 Apr 2017 08:20:59 GMT
Accept-Ranges: bytes
ETag: "80e7edb3d3bcd21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:42 GMT

<<< skipped >>>

GET /d/js/acmsd/thea15.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 156
Content-Type: application/javascript
Last-Modified: Mon, 01 May 2017 09:57:30 GMT
Accept-Ranges: bytes
ETag: "a63235961c2d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:46 GMT
document.write("<a href=\"hXXp://VVV.1121.la\" target=\"_black\"><img src=\"/d/js/acmsd/img/10798297.gif\" width=\"580\" height=\"60\" border=\"0\" /></a>")
....



GET /skin/iqshwcomm_v2014/js/myfocus/mf-pattern/mF_tbhuabao.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 1698
Content-Type: application/javascript
Last-Modified: Fri, 13 May 2016 15:27:22 GMT
Accept-Ranges: bytes
ETag: "069a8f12badd11:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:46 GMT

<<< skipped >>>

GET /templets/iqshw_new/logo.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 9026
Content-Type: image/jpeg
Last-Modified: Thu, 27 Apr 2017 06:42:36 GMT
Accept-Ranges: bytes
ETag: "a667317521bfd21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:46 GMT

<<< skipped >>>

GET /skin/iqshwcomm_v2014/css/global.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 11104
Content-Type: text/css
Content-Encoding: gzip
Last-Modified: Mon, 15 Aug 2016 10:37:32 GMT
Accept-Ranges: bytes
ETag: "07e3d7e1f6d11:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:42 GMT

<<< skipped >>>

GET /skin/iqshwcomm_v2014/js/myfocus/myfocus-2.0.4.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 5931
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Fri, 13 May 2016 15:27:22 GMT
Accept-Ranges: bytes
ETag: "069a8f12badd11:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:43 GMT

<<< skipped >>>

GET /d/js/acmsd/thea11.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 18
Content-Type: application/javascript
Last-Modified: Mon, 01 May 2017 09:57:30 GMT
Accept-Ranges: bytes
ETag: "a63235961c2d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:43 GMT
document.write("")....



GET /d/file/soft/QQruanjian/2017-05-01/1493633016839033.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 41411
Content-Type: image/jpeg
Last-Modified: Mon, 01 May 2017 10:03:36 GMT
Accept-Ranges: bytes
ETag: "e23ac63262c2d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:43 GMT

<<< skipped >>>

GET /d/file/youxifuzhu/paopaokadingche/2017-05-01/1493635427127283.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 14678
Content-Type: image/png
Last-Modified: Mon, 01 May 2017 10:43:47 GMT
Accept-Ranges: bytes
ETag: "1667dccf67c2d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:44 GMT

<<< skipped >>>

GET /d/file/b2de0eca077a3da0efcb2b3e919bea16.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 18535
Content-Type: image/png
Last-Modified: Mon, 15 May 2017 17:14:12 GMT
Accept-Ranges: bytes
ETag: "fa532ac9ecdd21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:44 GMT

<<< skipped >>>

GET /d/file/youxifuzhu/paopaokadingche/2017-05-04/1493835388636138.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 28238
Content-Type: image/png
Last-Modified: Wed, 03 May 2017 18:16:28 GMT
Accept-Ranges: bytes
ETag: "d827d6239c4d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:45 GMT

<<< skipped >>>

GET /d/file/qqnews/xw/2017-04-28/1493362336663248.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 32034
Content-Type: image/png
Last-Modified: Fri, 28 Apr 2017 06:52:16 GMT
Accept-Ranges: bytes
ETag: "6e8533f9ebbfd21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:45 GMT

<<< skipped >>>

GET /d/js/acmsd/thea10.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 156
Content-Type: application/javascript
Last-Modified: Mon, 01 May 2017 09:57:30 GMT
Accept-Ranges: bytes
ETag: "a63235961c2d21:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:46 GMT
document.write("<a href=\"hXXp://VVV.1121.la\" target=\"_black\"><img src=\"/d/js/acmsd/img/10798297.gif\" width=\"760\" height=\"90\" border=\"0\" /></a>")
....



GET /skin/iqshwcomm_v2014/js/myfocus/mf-pattern/mF_tbhuabao.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.414.la/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.414.la
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 1799
Content-Type: text/css
Last-Modified: Fri, 13 May 2016 15:27:22 GMT
Accept-Ranges: bytes
ETag: "069a8f12badd11:0"
Server: Microsoft-IIS/8.5
Date: Sun, 28 May 2017 13:23:49 GMT

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_452:

`.rsrc
t$(SSh
~%UVW
u.hHT
u$SShe
Kernel32.dll
kernel32.dll
wininet.dll
user32.dll
Advapi32.dll
ntdll.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
SetWindowsHookExA
hXXp://VVV.1121.la
ppada666.dat
\dll.dll
\renwu.dll
\ngs.dll
C:\77755555.txt
hXXp://VVV.baidu.com
KartRider.exe
hXXp://VVV.1121.la/gx/fzgx.txt
hXXps://
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://
https
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
HNInstall_Setup_1329860342_liming2_001.exe
c:\HNInstall_Setup_1329860342_liming2_001.exe
hXXp://d.heinote.com/downloads/liming2/HNInstall_Setup_1329860342_liming2_001.exe
\Heinote\Heinote.exe
\Heinote\upgrade.exe
MaoHaWiFiSetup_239.exe
c:\MaoHaWiFiSetup_239.exe
hXXp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_239.exe
ProgramFiles\Maoha\MaohaAP\MaohaWiFi.exe
BlackCipher.aes
SpLoginDialog
ngs.dll
.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp1
`.vmp2
.reloc
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
dll.dll
&rL%d
%s]oRS
OÎ1
WinExec
SHELL32.dll
OLEAUT32.dll
WS2_32.dll
RegCreateKeyExA
GDI32.dll
COMCTL32.dll
WINSPOOL.DRV
aF.Ra
x]6%c
''*7&j7#W.Vn:z.b
:.SyD
comdlg32.dll
WINMM.dll
ShellExecuteA
6.sNn
IQ-U}
K.BbJ
.ZFR"
.rB>U'
Tkey
KERNEL32.dll
ole32.dll
.Jq.'=
$\Ý
*ac%c
1r%Us
.cH"H.Q
-:%xM
%1uC:H
bKmsG
tS.MO
ADVAPI32.dll
USER32.dll
;.dD"%c
.dEn$
KAuser32.dll
renwu.dll
O.wj;
Ws.IRD;
ð("H
O=<%s*
.Mg.Z
?.MUn
Qf.Wn
0.wn,
|%0Uy
qW,~U.YQn
d.ak)G
.PJu4y
,F.bp
_GH.Ja>
n.zsuyw
Í&(
6,u.Nm
>'.VE
qR.ar
.IJk6dz62
]q.dw
BÇa
o`#H.Ki
=.mW"}
$X.qrdL
S.zV*
_E|;a.np
R%D`6q
6K.CD
o.QDH6D
.FUQj
\[.Kf
546%cio=Es&o
.Cz@/c
Wxf.Ne
*ole32.dll
*#.cN
U94.cRl
ÐgL
V%d@X
-u}E/
*,.prtvx
00.tlI
}%C(h
#SHELL32.dll
.Bd`/
A.mS1Yod
Ulz].oTs
.Ly.<G
vH.uV
.Cjty
1vTE.Le>
Eoy%uW
rWS2_32.dll
1.rZD
'I.Wr#{B
|-Z}<
.dj>Cs
%Xz\D
bHQ2.DJ
.PY5V
,N%s~
.upPKt
;.fQ@
.fv"-pq
V.tx@\
KfTp
nv.Dk
.iV/G7
NFQ.jt
.k.-E6}S[L_\F
b.yJx
P.Tj.~NF
Rr1%S
I.RHO
,A%XH
P]j.xP,
Gq.vW
dn(=Ë
@].im
5rCl^.pY
qsqLc
Pv.kh
p%x@,
-(-Z}
p%uUN/]uo5
sA.Dl(n
Q8%fI
IK%fuw^
t.hH4E
)V.Cbv
KBCrT
.U.xssP
3W.FQp};
C%DHoWI
Fm_
<5,H.YK
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
abcdefghijklmnopqrstuvwxyz0123456789yyqg.dll
Windows 8
Windows 8.1
Windows 10.0
h.rdata
H.data
.pdata
<B.twA
TransportAddress
winlogon.exe
BlackBone: %s: Process %u is terminating. Abort
BlackBone: %s: Failed to get Ntdll base
BlackBone: %s: Failed to get LdrLoadDll address
BlackBone: %s: User thread failed with status - 0x%X
BlackBone: %s: Invalid injection type specified - %d
BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X
BlackBone: %s: No PEB present. Aborting
BlackBone: %s: Loader not intialiezd, waiting
BlackBone: %s: Loader was not intialiezd in time. Aborting
BlackBone: %s: Exception, Code: 0x%X
BlackBone: %s: Failed to locate thread
BlackBone: %s: Failed to allocate memory for process list
BlackBone: %s: Failed to locate process
BlackBone: %s: Failed to allocate APC
BlackBone: %s: Failed to insert APC
BlackBone: %s: Invalid SystemModuleInformation size
BlackBone: %s: ZwOpenKey failed with status 0x%X
BlackBone: OS version %d.%d.%d.%d.%d - 0x%x
BBExecuteInNewThread
BlackBone: %s: ZwQueryInformationThread failed with status 0x%X
BlackBone: %s: ZwWaitForSingleObject failed with status 0x%X
BlackBone: %s: ZwCreateThreadEx failed with status 0x%X
SFilter!SfFsNotification: %s %p "%wZ" (%s)
iexplore.exe
360se.exe
360chrome.exe
QQPCTray.exe
QQPCRTP.exe
SFilter!SfAttachToFileSystemDevice: Attaching to file system %p "%wZ" (%s)
SFilter!SfDetachFromFileSystemDevice: Detaching from file system %p "%wZ" (%s)
Function:%x
PsRemoveLoadImageNotifyRoutine:%x
Base:%x
8042_PORT
TRANSPORT
SERIAL_PORT
SERIAL_MOUSE_PORT
PARALLEL_PORT
NAMED_PIPE
KEYBOARD
INPORT_PORT
\xxx\new\nfsdk_src\driver_tdi\std\objfre_win7_amd64\amd64\netfilter2.pdb
%u-Hw
.pL 0
BT%C=Q
#G.yM
B.oF5!EG1
%spiI*@
&'()/*: ,-/.
d.DnXA
P`.cgG
-h}'U
L$.0%C
%S :f
tS.zP
{I.Du
.ZYIm
<appro@openssl.Ng
D%fP@L\
t.Oz6
%U@0'
LcB%d,
L7s.Lc`
ht.lt
}.GJPx
.Bwm,
dssh.
G.Ls0x
7%C|h&
Im.KzC
7`.mG
HL.do
6.en( R
*=m
BF.KLD=R
ZK.ZJ
.bt)5>{
T.ZuY
K.pO {o
F%uCm0
>.sbMu
U.xX%
y$[`I=%D
#.xt0
t5Hy.HDL
.kDHE
/t3.Oi
Hs%dX
/f %u3Um
l-q}'
k;.tB
lcrt
HTTP/1.J
.gG@F
Hrbi.MK
.AX6-
uœx
I%X@B
Mcmd
)rF
u.ZKO
;Q.QV
.et6Y
m%FO'
u1ð
2J]%d 
<]%U[b(<
@.JHr
\%s.&
m.at7day
Nv.Dv
`.xsP
4Uc4.pcal
`.pyi
@7o%S2
!O.dg
(8O.dbO
phxI!O.dy
ON.dB
[$.dB
!O.di
<O.HX
2!O.hx
!O.dI
o .dB
u .dB
O.dbO>
(#O.dbO
<P _h.dB
=G.dB
H`PO.dB
hxwO.dB
0P.dB
H`)O.dB
HXDO.dB
(dO.dbO
xO.dB
O.dB,0@
O.dB5
O.dBZ
-O.dbO
?G.dBa
#O(.dB
8b82!O.Xxc;
GH`h!O.dJx
qO.dBe
!O.dt
O.dB(
R%d&p
.pp@0
,,//112244
8;;==>>@
.bmx::
`n#%c
O%.U/
.uR5&m
^.om5r
LG.HK
D.Hog^
k/.fG"
"%sy'
gTH.MB
gXC.nT
.Wqb^?
.%X&1
.QRFt
"!"%" "1
%D%'%1$=%C%
&'&)&5&;
.%.-.3.7.9.?.W.[
3Ó/353A3G3[3
=-=3=7=?
C%C'C3
.dUWTS
/keyC
uPASS`
HTML%x
L.tM'
.HW4O
</.GfT
W6%4s
n .gZ
~.Vt.
*.*d/
&}Vuu%Ue
.HVIM
zcÁ
kDH.PLEMjc
cy%f`
m]o/%s
BaseUrl
WebeA
yoidmsg-v3YM
.VbAv
l}C.we
2048153
SSH3/$
-.BK?7-,
,@.sE
[%d]4
'%s'l
@I.Dx
#.Oi6
wKey
URLDow
`.rdata
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
KERNEL32.DLL
CRYPT32.dll
PSAPI.DLL
urlmon.dll
RegCloseKey
CertOpenStore
URLDownloadToFileA
KeDelayExecutionThread
ZwQueryValueKey
ZwOpenKey
ZwSetValueKey
ZwQueryKey
ntoskrnl.exe
TDI.SYS
!hXXp://ocsp1.wosign.com/ca6/code200
$hXXp://aia1.wosign.com/ca6.code2.cer06
%hXXp://crls1.wosign.com/ca6-code2.crl0O
hXXp://VVV.wosign.com/policy/0
!Certification Authority of WoSign0
hXXp://crls1.wosign.com/ca1.crl0k
hXXp://ocsp1.wosign.com/ca102
&hXXp://aia1.wosign.com/ca1g2-code2.cer0
"Secure Digital Certificate Signing1)0'
StartCom Certification Authority0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXp://ocsp.startssl.com/ca00
$hXXp://aia.startssl.com/certs/ca.crt02
!hXXp://crl.startssl.com/sfsca.crl0
$hXXp://crls1.wosign.com/ca1g2-ts.crl0m
hXXp://ocsp1.wosign.com/ca1g2/ts0/
#hXXp://aia1.wosign.com/ca1g2.ts.cer0
!Certification Authority of WoSign
explorer.exe
t.HHt
SSSSh0
BlackBone: %s: Missing parameter
BlackBone: %s: Exception. Code: 0x%X
BlackBone: %s: Failed to get RtlDosApplyFileIsolationRedirection_Ustr
ntkrpamp.exe
ntkrnlmp.exe
ntkrnlpa.exe
WINDOWS_VERSION_NONE
%s: Unknown base relocation type
\xxx\new\nfsdk_src\driver_tdi\std\objfre_win7_x86\i386\netfilter2.pdb
.REOfB
.WfjC
,%S2%G<
.gS@i
YB:%xgG
#$%&'()/*: ,-/.
.LT,3}0
.Sj(S
2]%drHN
'p@WhI.BK
enssl.Hg>
$R.mA
Vhi%U
O@!mL.WA.`]
.nUW}
.CfhU
sXso%S
[d"%C@
{0K,Q%d
.d%uGt
Z}A
b& &p%D!
j.CZ,@
.Zmu0
w'V%C
`_.xT
[FþGGr9
.KUUP
;.BRx
VF%Up
2Q.bt
 )}$B%S:
.eR/h2(^
8t[.QX
WF@.PZ%
W.PK|_
.ps!hk
^.HXO
|a@/
L^SSh
.VR'H
C.lhI
lm_4kk%dZ@*
C2.HX
4B.iX
L2.NK
lvD<mu%C
phb%U.
W7-u}h
u%SZ^
$(,999904
9@.XB
\\.\CtrlSMl4
Fri.at7day
9xtvNv.Dc
bO.pP
tiKA.vE
SL 1.0.2c
Bkeylsg
P|8%d
'%s:%d:
(%d),?
.WnXY
@.qPIU
ÿc822
.sl'%
dB.Cc4c
oX.Ln@4o
.pzh`{
h .rs2
Bq.FC
.At/db
.nNGi
2043072/409
Q}W o
=/MSG
.OFX-
%u'_yS
o[uYQ/%2sBR
a?%d.
~Jg/faq.Dm
N%s0/n
UrlXJ
?[[%s]]
%'%1$=%C%K%O
.%.-.3.7.9.
3Ó/353A3G3[3_3g3k3s3y3
9#9%9)9/9=9
C%C'C3C7C9COCWCiC
D)D;D?.KDQDSDYDeDoD
.mu;=
>.Yb4S
,84011373
L%xOn
.dPtG
eKey
.CyU]
 -8}',U
.QEc7Lg9
5.Xin
8.CFf
`o_%x
.rsrcd;
KeStallExecutionProcessor
HAL.dll
9Ÿ9l9
2 2)202?2
9 9$9(9,9094989<9
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
hXXp://VVV.1121.la/pzgb/
hXXp://VVV.1121.la/znzt/benzhangonggao/2017-05-04/8249.html
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
GET /soft/mhwifi/MaoHaWiFiSetup_239.exe HTTP/1.1
Host: res.maoha.com
Referer: hXXp://res.maoha.com/soft/mhwifi
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
c:\%original file name%.exe
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
%C*H[
#include "l.chs\afxres.rc" // Standard components
oledlg.dll
\Device\Tcp
\Device\TcpFlt
\Device\Tcp6Flt
\Device\UdpFlt
\Device\Udp6Flt
Ntdll.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
\yyqg.dll
\navhome.htm
\Windows\explorer.exe
\SafeWebMon.dll
\spsafe64.dll
\spsafe.dll
\kwsui.dll
\kswebshield.dll
\kshmpgext.dll
\kshmpg.dll
\360sdbho.dll
\SafeWrapper.dll
\SafeWrapper32.dll
\safehmpg64.dll
\safehmpg.dll
\safemon64.dll
\safemon.dll
\TSVulFW.DAT
\QMEmKit.dll
\QMGCShellExt.dll
\QMIESAFEDLL64.DLL
\QMIESAFEDLL.DLL
\QMIEPlus.dll
\TSWebMon.dat
FilterCommunicationPort
FilterConnectionPort
WaitablePort
WindowStation
KeyedEvent
ALPC Port
entkrnlpa.exe
(*.*)

%original file name%.exe_452_rwx_00401000_0068B000:


MaoHaWiFiSetup_239.exe_1980:

RD.aRn
.text
`.rdata
@.data
.rsrc
@.reloc
Ht\HtMHt.Huj
uùT$,u
.Sj Z
%u-;T$4r
t.HHt
j.Yf;
_tcPVj@
.PjRW
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
operator
GetProcessWindowStation
global_complate_download_url
RegCreateKeyTransactedW
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
global_licence_url
Lua_Exec
Lua_MsgBox
Lua_ExitWindows
Lua_URLDownloadToFileAsync
%s%s() : line %d [%s : line %d]
%sunknown : line %d [%s : line %d]
windows
$LuaVersion: Lua 5.2.2 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $
function '%s'
function <%s:%d>
(...tail calls...)
bad argument #%d (%s)
calling '%s' on bad self (%s)
bad argument #%d to '%s' (%s)
%s expected, got %s
%s:%d:
%s: %s
invalid option '%s'
stack overflow (%s)
cannot %s %s: %s
%s: %p
PANIC: unprotected error in call to Lua API (%s)
version mismatch: app. needs %f, Lua core provides %f
attempt to %s %s '%s' (a %s value)
attempt to %s a %s value
attempt to compare two %s values
attempt to compare %s with %s
%s:%d: %s
invalid key to 'next'
attempt to load a %s chunk (mode is '%s')
invalid option '%%%c' to 'lua_pushfstring'
error in __gc metamethod (%s)
char(%d)
%s near %s
too many %s (limit is %d)
_HKEY
upvaluejoin
invalid capture index %%%d
missing '[' after '%%f' in pattern
^$* ?.([%-
invalid use of '%c' in replacement string
invalid replacement value (a %s)
\d
invalid option '%%%c' to 'format'
cannot open file '%s' (%s)
standard %s file is closed
field '%s' missing in date table
invalid conversion specifier '%%%s'
system error %d
no file '%s'
'package.%s' must be a string
error loading module '%s' from file '%s':
luaopen_%s
no module '%s' in file '%s'
no field package.preload['%s']
'package.searchers' must be a table
module '%s' not found:%s
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua
!\?.dll;!\loadall.dll;.\?.dll
invalid value (%s) at index %d in table for 'concat'
%s: %s precompiled chunk
%s expected
function at line %d
too many %s (limit is %d) in %s
%s expected (to close %s at line %d)
<goto %s> at line %d jumps into the scope of local '%s'
<%s> at line %d not inside a loop
no visible label '%s' for <goto> at line %d
label '%s' already defined on line %d
D:\svn\dtlsetup\dtlsetup\Release\DTLInstaller.pdb
KERNEL32.dll
EnumWindows
ExitWindowsEx
GetKeyState
USER32.dll
GDI32.dll
RegQueryInfoKeyW
RegDeleteKeyW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
PathIsURLW
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GdiplusShutdown
gdiplus.dll
PSAPI.DLL
URLDownloadToFileW
urlmon.dll
IMM32.dll
GetProcessHeap
GetCPInfo
CreatePipe
zcÁ
global_http_Agent
1.0.8.10
MaohaWiFi.exe
hXXp://VVV.maohawifi.com/licen.html
global_uninst_sub_key
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaWiFi
global_reg_sub_key
global_install_PostURL
hXXp://service.maohawifi.com/client/install.aspx
global_Uninstall_PostURL
hXXp://service.maohawifi.com/client/uninstall.aspx
<?xml version="1.0" encoding="utf-8"?><root><config><bindtype>0</bindtype><projectid>%d</projectid><unionid>%d</unionid><version>%s</version></config></root>
<?xml version="1.0" encoding="utf-8"?><root><config><bindtype>1</bindtype><projectid>%d</projectid><unionid>%d</unionid><version>%s</version></config></root>
\uninstall.dll
HSPostURLEx
GetProcAddress "HSPostURLEx" failed, errcode :
\maohasubstat.dll
install.s.maohawifi.com
(%d )|*
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DC3AC874-9EE2-40a5-8D2C-442A290EF7E2}_is1
\softconfig.dll
MaohaWifiSvr.exe
RaRegistry.exe
MaohaWiFiUpg.exe
drv64.exe
YunExplorer.exe
\unins000.dat
\unins000.exe
GLOBAL_VAR.LUAC
\Uninst.dar0
UNINSTSCRIPT.LUAC
\Uninst.dar1
%s\%s
hkey
subkey
hXXp://VVV.maohawifi.com/
\Uninstall.exe
URLInfoAbout
%Y%m%d
%s\%s.lnk
ÞSKTOP%
%s\%s\%s.lnk
%COMMPROGRAMS%
%s\%s\
%s.lnk
%s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
\MaohaWifiSvr.exe
\other\comfast\comfast.bmp
\res\comfast.bmp
\other\comfast\link.html
\res\link.html
\other\comfast\logo.png
\res\logo.png
\other\comfast\new.png
\res\new.png
\other\comfast\support.dat
\res\support.dat
\other\netsys\logo.png
\other\netsys\netsys.bmp
\res\netsys.bmp
\other\netsys\support.dat
URLDownloadToFile
GetServerCmd
GetUninstSateHttpRpt begin
\MaohaWifiBase.dll
UninstallLib.HSReaderAppInstallList failed ret :
UninstallLib.HSFromatAppInstallList failed ret :
SubStatLib.STAppInstall failed ret :
%TMP%\uninstall.dll
%TMP%\maohasubstat.dll
%TMP%\DriverTool.dll
\driver\DriverTool.dll
%TMP%\DriverInstall_X64.exe
\driver\DriverInstall_X64.exe
%TMP%\DriverInstall.exe
\driver\DriverInstall.exe
%TMP%\softconfig.dll
Urlmon
URLDownloadToFile error
strURL
%TMP%\1.txt
hXXp://VVV.maohawifi.com/happyxie.aspx
maohasubstat.dll
MaoHaWiFiNet.sys
MaoHaWiFiNet64.sys
pcid.dll
tips.exe
tipsdll.dll
MldRes.db
CheckUpdate.dll
Software\Microsoft\Windows\CurrentVersion\Run
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:15FA07C35BC411E3A811EC6865CBBEB9" xmpMM:DocumentID="xmp.did:15FA07C45BC411E3A811EC6865CBBEB9"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:15FA07C15BC411E3A811EC6865CBBEB9" stRef:documentID="xmp.did:15FA07C25BC411E3A811EC6865CBBEB9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:D07D8FC75BE011E3A7BEC341792A0148" xmpMM:DocumentID="xmp.did:D07D8FC85BE011E3A7BEC341792A0148"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D07D8FC55BE011E3A7BEC341792A0148" stRef:documentID="xmp.did:D07D8FC65BE011E3A7BEC341792A0148"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
.IDATx
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:D259B2C30BCA11E38B32A553045FEDD3" xmpMM:DocumentID="xmp.did:D259B2C40BCA11E38B32A553045FEDD3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D259B2C10BCA11E38B32A553045FEDD3" stRef:documentID="xmp.did:D259B2C20BCA11E38B32A553045FEDD3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
%cT-mm
=MSgc
W%Sz(
-.xsTe
ud;Xh.yKb
AÍP
m.Zo1
tssH"
.gt/A
lkq%d
2&r%U
\.tGt
.kE$F
zXV^%X
Z.euH(
i4ýh
1%FuQ
c3%sS/
%u<"4
%s]~R
>F%xEO
^T9%d/v
.%F>/
%u$`#
.Pb2({
"$?N.RM
.dojTp
)*
?y
L5.rkN
UMsG
.OhDi>
V.Pz%h
kP%Uv
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity type="win32" name="application.exe" version="1.0.0.0" processorArchitecture="X86"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="X86"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
combase.dll
mscoree.dll
kernel32.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
szObjectName = %s
DTLInfoTipDlg::OnDTLUMSetAnimationTimer %d
DTLInfoTipDlg::OnDTLUMKillAnimationTimer %d
DoResLua failed, GLOBAL_VAR.LUAC
INSTSCRIPT.LUAC
DoResLua failed, INSTSCRIPT.LUAC
Global\{A043B702-166A-4FB8-9733-E2BC4713F36F}
LAYOUT.XML
DTLInstaller.cpp
LoadResource failed. type : XML, id : LAYOUT.XMLkk file:%s
LoadResource failed. type : XML, id : LAYOUT.XMLkk line:%d
LoadResource failed. type : XML, id : LAYOUT.XMLkk err:%d
LockResource failed.kk file:%s
LockResource failed.kk line:%d
LockResource failed.kk err:%d
Load_buffer failed, %s
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Advapi32.dll
DTLInstallDlg::OnDTLUMSetAnimationTimer %d
DTLInstallDlg::OnDTLUMKillAnimationTimer %d
DTLInitDlg.cpp
------- LoadResource failed. type : XML, id : LAYOUT.XMLkk file:%s
------- LoadResource failed. type : XML, id : LAYOUT.XMLkk line:%d
------- LoadResource failed. type : XML, id : LAYOUT.XMLkk err:%d
------- LockResource failed.kk file:%s
------- LockResource failed.kk line:%d
------- LockResource failed.kk err:%d
------- Load_buffer failed, %s
check Name = %s
backpath = %s
c:\DriversBackup
CheckDir %s, %s
D:\svn\dtlsetup\dtlsetup\Common\Utility\DTLProcessToolHelp.h
OpenProcessToken failed!kk file:%s
OpenProcessToken failed!kk line:%d
OpenProcessToken failed!kk err:%d
LookupPrivilegeValue failed!kk file:%s
LookupPrivilegeValue failed!kk line:%d
LookupPrivilegeValue failed!kk err:%d
AdjustTokenPrivileges failed!kk file:%s
AdjustTokenPrivileges failed!kk line:%d
AdjustTokenPrivileges failed!kk err:%d
GetLogicalDriveStrings failedkk file:%s
GetLogicalDriveStrings failedkk line:%d
GetLogicalDriveStrings failedkk err:%d
LoadResource failed. Type : %s ID : %s
DTLScriptEngine\DTLScriptEngine.cpp
kk file:%s
kk line:%d
kk err:%d
%s %s
Fun:%s, Description:%s it's not exists!
UnCompress %s to %s .
Fun:%s ,LoadResource failed!
Fun:%s, Description: UnCompress failed.!
DeleteSubKey %s failed, errcode: %ld
OpenKey %s failed, errcode: %ld
Delete Value %s, %s, %s
CoCreateInstance(CLSID_InternetShortcut) failed!kk file:%s
CoCreateInstance(CLSID_InternetShortcut) failed!kk line:%d
CoCreateInstance(CLSID_InternetShortcut) failed!kk err:%d
SetURL %s failed!
QueryInterface IID_IPersistFile failed!kk file:%s
QueryInterface IID_IPersistFile failed!kk line:%d
QueryInterface IID_IPersistFile failed!kk err:%d
CoCreateInstance(CLSID_ShellLink) failed!kk file:%s
CoCreateInstance(CLSID_ShellLink) failed!kk line:%d
CoCreateInstance(CLSID_ShellLink) failed!kk err:%d
SetArguments %s failed!
SetDescription %s failed!
SetPath %s failed!
SetWorkingDirectory %s failed!
Save %s failed!
Save Shortcut %s
Create Directory %s!
Copy %s to %s failed!
SHFileOperation error code : %#x
Copy %s to %s !
Move %s to %s failed!
Move %s to %s !
MoveFile %s to %s failed!
MoveFile %s to %s !
Delete %s failed!
OpenSCManager failed!kk file:%s
OpenSCManager failed!kk line:%d
OpenSCManager failed!kk err:%d
OpenService failed!kk file:%s
OpenService failed!kk line:%d
OpenService failed!kk err:%d
QueryServiceStatus failed!kk file:%s
QueryServiceStatus failed!kk line:%d
QueryServiceStatus failed!kk err:%d
StartService failed!kk file:%s
StartService failed!kk line:%d
StartService failed!kk err:%d
StopService failed!kk file:%s
StopService failed!kk line:%d
StopService failed!kk err:%d
Unknow Error in fun:%s
SHGetSpecialFolderPathW csidl=%d failed!
SetEnvironmentVariableW failed!kk file:%s
SetEnvironmentVariableW failed!kk line:%d
SetEnvironmentVariableW failed!kk err:%d
Fun:%s ,CreateFileW %s failed!
Fun:%s ,WriteFile %s failed!
Fun:%s, Description: LoadLibrary %s Failed!
URLDownloadToFileW failedkk file:%s
URLDownloadToFileW failedkk line:%d
URLDownloadToFileW failedkk err:%d
%d,%d,%d,%d
DTLUE::CarouselUIObjectImpl::OnTimer %d
sRiched20.dll
c:\MaoHaWiFiSetup_239.exe

SearchProtocolHost.exe_1904:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_3024:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

MaohaWifiSvr.exe_768:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
error RegOpenKeyEx
WifiRegWindowsRun
.\AutoStartProcessor.cpp
error RegOpenKeyEx CurrentUser
SubValue = %I64d. tickcount = %d
error open services has failed. tickcount = %d
error CAutoStartProcessor::BaseCreateProcessAsUser[%S]
CAutoStartProcessor::BaseCreateProcessAsUser[%S] OK
error LoadLibrary[%S]
.\CrashCatchInterface.cpp
error fCCInit[%d][%S]
.\driverloader.cpp
error SERVICE_RUNNING != ServiceStatus.dwCurrentState:%d
error fw.Add
.\init.cpp
.\main.cpp
MaohaWifiSvr.log
nCmdShow[%d] lpCmdLine[%S]
MaohaWifiSvr cmd %S
MaohaWifiSvr Uninstanll %s
.\MaohaFireWall.cpp
error QueryServiceStatus[%S]
error AddXP[%S][%S]
error AddWin7[%S][%S]
.\NotifyProcessor.cpp
error m_cs.SetName[%S]
ManualCheckUpdate bRet[%d]
error switch default m_pMapBuf->type[%d]
error BaseCreateProcessAsUser[%S]
BaseCreateProcessAsUser[%S] OK
bing.s.maohawifi.com
.\ProcessInfoCR.cpp
.\RepairSystemService.cpp
error firewall.StartSrv[SstpSvc]
error firewall.StartSrv[RasMan]
error firewall.StartSrv[MpsSvc] try again.
error firewall.StartSrv[MpsSvc]
error firewall.StartSrv[dot3svc]
error firewall.StartSrv[Wlansvc]
error firewall.StartSrv[DeviceInstall]
error firewall.StartSrv[WZCSVC]
error firewall.Add
error firewall.Add MaohaWifiSvr.exe
.\srvinst.cpp
from[%S]to[%S]
error MoveFileEx szIconCache[%S]
error MoveFileEx szFile[%S]
error SERVICE_RUNNING == ServiceStatus.dwCurrentState:%d
..\..\Common\dtl_base_common\base_critical.cpp
[%S]!
CBaseLog::LogInit
..\..\Common\dtl_base_common\base_log.cpp
[M---- -:-:-:%d][M][%s]---%s
ErrorCode = %d:%s
..\..\Common\dtl_base_common\base_proc.cpp
error fnGetFileVersionInfoSizeA %s
\StringFileInfo\xx\ProductVersion
error pVerValue:%s
..\wifiupdate\BaseFuncs.cpp
HUCmdBufApp
\adb\adb.exe
tips.exe
..\wifiupdate\DTLTips.cpp
Version[%d]
..\wifiupdate\SubmitProcessor.cpp
dispatch.s.maohawifi.com
UnionID[%d]
..\wifiupdate\SubStatInterface.cpp
STUDPProxy
error GetProcAddress m_fSTUDPProxy
STUDPTransfer
error GetProcAddress m_fSTUDPTransfer
STCmdApp
error GetProcAddress m_fSTCmdApp
error m_HUInterface.InitInterface
..\wifiupdate\UpdateProcessor.cpp
error m_HUInterface.AutoCheckUpdate
update.ss.maohawifi.com
\MaohawifiUpdate.dat
port
error MakeSureDirectoryPathExists %s
MaohaWifiSvr.exe
MaohaWiFiUpg.exe
update.xml
.\Repair\FireWall.cpp
error OpengService[%S]
relloc psevStatus memory %d
d:\svn\maohawifi\trunk\MaohaWiFi_New\WifiService\Release\MaohaWifiSvr.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
WTSAPI32.dll
USERENV.dll
GdiplusShutdown
gdiplus.dll
VERSION.dll
dbghelp.dll
GetCPInfo
GetConsoleOutputCP
.?AVRegistryKey@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
mscoree.dll
$"%s" -auto
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
services.exe
explorer.exe
.DEFAULT\Software\MAOHAWIFISTARTFLAG
\MaohaWiFi.exe
"%s" %s
K\MaohaWifiSvr.exe
e\MaohaCrashCatch.dll
\MaohaWiFi.dat
\MaoHaWiFiNet.sys
\MaoHaWiFiNet64.sys
\MaoHaCD.dll
lGlobal\MaohaWifiFileMapping{294DDACF-AA8A-4c4e-97C5-2D80D55933CD}
eGlobal\MaohaWifiNotifyEvent{F2AED1A3-E52A-4891-B749-867F5772733C}
Global\MaohaWifiNotifyReplyEvent{30BBB239-12E1-49d8-B0D8-82BCC7C9A517}
Global\MaohaWifiNotifyCritical{BF0FB343-47B7-4502-8DE5-3C64C103EDDB}
"%s" %s -runbysrv
\MaohaWifiCtrlDll.dll
\IconCache.db
\Microsoft\Windows\Explorer\
EXPLORER.EXE
s\Updater\CheckUpdate.dll
]\pcid.dll
pcid.dll
\maohasubstat.dll
tipsdll.dll
\ipnathlp.dll
Windows Firewall/Internet Connection Sharing (ICS)
%SystemRoot%\System32\svchost.exe -k netsvcs
@%SystemRoot%\System32\ipnathlp.dll,-106
@%SystemRoot%\System32\ipnathlp.dll,-107
%SystemRoot%\System32\ipnathlp.dll
%Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe
1, 0, 1, 10

Explorer.EXE_284_rwx_01DA0000_00001000:

C:\Windows\yyqg.dll

Explorer.EXE_284_rwx_6AF61000_002A2000:

AES for x86, CRYPTOGAMS by <appro@openssl.org>
Camellia for x86 by <appro@openssl.org>
AES for Intel AES-NI, CRYPTOGAMS by <appro@openssl.org>
RC4 for x86, CRYPTOGAMS by <appro@openssl.org>
SHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
GHASH for x86, CRYPTOGAMS by <appro@openssl.org>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
GF(2^m) Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
ksystem32\drivers\%s.sys
\\.\CtrlSM
SYSTEM\CurrentControlSet\Services\%s
Tcpip
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
Error text not found (please report)
GetProcessWindowStation
operator
OpenSSL 1.0.2c 12 Jun 2015
ALL:!EXPORT:!aNULL:!eNULL:!SSLv2
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT56
EXPORT40
EXPORT
wrong number of key bits
wrong certificate type
unsupported status type
unsupported ssl version
unsupported protocol
unsupported elliptic curve
unsupported digest type
unsupported compression algorithm
unsupported cipher
unknown pkey type
unknown key exchange type
unknown cmd name
unknown certificate type
unable to find public key parameters
unable to extract public key
unable to decode ecdh certs
unable to decode dh certs
tried to use unsupported cipher
tls peer did not respond with certificate list
tls illegal exporter label
tls client cert req with anon cipher
tlsv1 unsupported extension
tlsv1 certificate unobtainable
tlsv1 bad certificate status response
tlsv1 bad certificate hash value
tlsv1 alert export restriction
sslv3 alert unsupported certificate
sslv3 alert no certificate
sslv3 alert certificate unknown
sslv3 alert certificate revoked
sslv3 alert certificate expired
sslv3 alert bad certificate
signature for non signing certificate
reuse cert type not zero
reuse cert length not zero
public key not rsa
public key is not rsa
public key encrypt error
peer error unsupported certificate type
peer error no certificate
peer error certificate
peer did not return a certificate
null ssl method passed
no publickey
no private key assigned
no privatekey
Peer haven't sent GOST certificate, required for selected ciphersuite
no client cert received
no client cert method
no ciphers passed
no certificate specified
no certificate set
no certificate returned
no certificate assigned
no certificates returned
missing tmp rsa pkey
missing tmp rsa key
missing tmp ecdh key
missing tmp dh key
missing rsa signing cert
missing rsa encrypting cert
missing rsa certificate
missing export tmp rsa key
missing export tmp dh key
missing ecdsa signing cert
missing ecdh cert
missing dsa signing cert
missing dh rsa cert
missing dh key
missing dh dsa cert
krb5 server rd_req (keytab perms?)
key arg too long
invalid ticket keys length
invalid null cmd name
http request
https proxy request
error generating tmp rsa key
ecc cert should have sha1 signature
ecc cert should have rsa signature
ecc cert not for signing
ecc cert not for key agreement
dh key too small
cert length mismatch
cert cb error
certificate verify failed
bad ecc cert
bad dh pub key length
tls1_setup_key_block
tls1_export_keying_material
tls1_cert_verify_mac
ssl_verify_cert_chain
SSL_use_RSAPrivateKey_file
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey
SSL_use_PrivateKey_file
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey
SSL_use_certificate_file
SSL_use_certificate_ASN1
SSL_use_certificate
SSL_SET_PKEY
SSL_SET_CERT
ssl_sess_cert_new
ssl_get_sign_pkey
ssl_get_server_send_pkey
SSL_GET_SERVER_SEND_CERT
SSL_GET_SERVER_CERT_INDEX
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate
SSL_CTX_set_client_cert_engine
SSL_CTX_check_private_key
SSL_CONF_cmd
ssl_check_srvr_ecc_cert_and_alg
SSL_check_private_key
ssl_cert_new
SSL_CERT_INSTANTIATE
ssl_cert_inst
ssl_cert_dup
ssl_build_cert_chain
SSL_add_file_cert_subjects_to_stack
SSL_add_dir_cert_subjects_to_stack
SSL_ADD_CERT_TO_BUF
ssl_add_cert_chain
ssl3_setup_key_block
ssl3_send_server_key_exchange
ssl3_send_server_certificate
ssl3_send_client_key_exchange
ssl3_send_client_certificate
ssl3_send_certificate_request
ssl3_output_cert_chain
ssl3_get_server_certificate
ssl3_get_key_exchange
ssl3_get_client_key_exchange
ssl3_get_client_certificate
ssl3_get_cert_verify
ssl3_get_cert_status
ssl3_get_certificate_request
SSL3_GENERATE_KEY_BLOCK
ssl3_check_cert_and_algorithm
SSL3_ADD_CERT_TO_BUF
ssl2_set_certificate
ssl2_generate_key_material
REQUEST_CERTIFICATE
GET_SERVER_STATIC_DH_KEY
GET_CLIENT_MASTER_KEY
dtls1_send_server_key_exchange
dtls1_send_server_certificate
dtls1_send_client_key_exchange
dtls1_send_client_certificate
dtls1_send_certificate_request
dtls1_output_cert_chain
DTLS1_ADD_CERT_TO_BUF
CLIENT_MASTER_KEY
CLIENT_CERTIFICATE
.\ssl\ssl_cert.c
os.length <= (int)sizeof(ret->session_id)
TLSv1 part of OpenSSL 1.0.2c 12 Jun 2015
SSLv3 part of OpenSSL 1.0.2c 12 Jun 2015
GOST signature length is %d
SSLv2 part of OpenSSL 1.0.2c 12 Jun 2015
s->session->master_key_length >= 0 && s->session->master_key_length <= (int)sizeof(s->session->master_key)
key expansion
client write key
server write key
%s:%d: rec->data != rec->input
((long)msg_hdr->msg_len) > 0
invalid state reached %s:%d
s->d1->w_msg_hdr.msg_len   DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num
s->d1->w_msg_hdr.msg_len   ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH) == (unsigned int)s->init_num
s->init_num == (int)s->d1->w_msg_hdr.msg_len   DTLS1_HM_HEADER_LENGTH
retransmit: message %d non-existant
c->iv_len <= (int)sizeof(s->session->key_arg)
s->s2->key_material_length <= sizeof s->s2->key_material
DTLSv1 part of OpenSSL 1.0.2c 12 Jun 2015
jAES part of OpenSSL 1.0.2c 12 Jun 2015
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
Stack part of OpenSSL 1.0.2c 12 Jun 2015
kBig Number part of OpenSSL 1.0.2c 12 Jun 2015
\X
cert_info
X.509 part of OpenSSL 1.0.2c 12 Jun 2015
OPENSSL_ALLOW_PROXY_CERTS
CT Certificate SCTs
ct_cert_scts
CT Precertificate Signer
ct_precert_signer
CT Precertificate Poison
ct_precert_poison
CT Precertificate SCTs
ct_precert_scts
dhSinglePass-cofactorDH-sha512kdf-scheme
dhSinglePass-cofactorDH-sha384kdf-scheme
dhSinglePass-cofactorDH-sha256kdf-scheme
dhSinglePass-cofactorDH-sha224kdf-scheme
dhSinglePass-cofactorDH-sha1kdf-scheme
dhSinglePass-stdDH-sha512kdf-scheme
dhSinglePass-stdDH-sha384kdf-scheme
dhSinglePass-stdDH-sha256kdf-scheme
dhSinglePass-stdDH-sha224kdf-scheme
dhSinglePass-stdDH-sha1kdf-scheme
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
certs
kCERTIFICATE
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
.\crypto\evp\evp_pkey.c
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
ENCRYPTED PRIVATE KEY
PRIVATE KEY
ANY PRIVATE KEY
.\crypto\engine\eng_pkey.c
PEM part of OpenSSL 1.0.2c 12 Jun 2015
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
X509 CERTIFICATE
lhash part of OpenSSL 1.0.2c 12 Jun 2015
Diffie-Hellman part of OpenSSL 1.0.2c 12 Jun 2015
EVP part of OpenSSL 1.0.2c 12 Jun 2015
RSA part of OpenSSL 1.0.2c 12 Jun 2015
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
.\crypto\ec\ec_key.c
EC part of OpenSSL 1.0.2c 12 Jun 2015
.\crypto\dh\dh_key.c
recommended-private-length: %d bits
x%s
public-key:
private-key:
%s: (%d bit)
DH Public-Key
DH Private-Key
priv_key
pub_key
0123456789
Suite B: invalid public key algorithm
Suite B: certificate version invalid
unsupported or invalid name syntax
unsupported or invalid name constraint syntax
unsupported name constraint type
name constraints minimum and maximum not supported
Unsupported extension feature
invalid or inconsistent certificate policy extension
invalid or inconsistent certificate extension
key usage does not include digital signature
key usage does not include CRL signing
unable to get CRL issuer certificate
key usage does not include certificate signing
authority and subject key identifier mismatch
certificate rejected
certificate not trusted
unsupported certificate purpose
proxy certificates not allowed, please set the appropriate flag
invalid non-CA certificate (has CA markings)
invalid CA certificate
certificate revoked
certificate chain too long
unable to verify the first certificate
unable to get local issuer certificate
self signed certificate in certificate chain
self signed certificate
format error in certificate's notAfter field
format error in certificate's notBefore field
certificate has expired
certificate is not yet valid
certificate signature failure
unable to decode issuer public key
unable to decrypt certificate's signature
unable to get certificate CRL
unable to get issuer certificate
ASN.1 part of OpenSSL 1.0.2c 12 Jun 2015
j <= (int)sizeof(ctx->key)
SHA-512 part of OpenSSL 1.0.2c 12 Jun 2015
SHA-256 part of OpenSSL 1.0.2c 12 Jun 2015
MD5 part of OpenSSL 1.0.2c 12 Jun 2015
SHA1 part of OpenSSL 1.0.2c 12 Jun 2015
unsupported type
unsupported recpientinfo type
unsupported recipient type
unsupported key encryption algorithm
unsupported kek algorithm
unsupported content type
signer certificate not found
private key does not match certificate
no public key
no private key
no password
no msgsigdigest
no key or cert
no key
not supported for this key type
not key transport
not key agreement
msgsigdigest wrong length
msgsigdigest verification failure
msgsigdigest error
invalid key length
invalid key encryption parameter
invalid encrypted key length
error setting key
error getting public key
certificate verify error
certificate has no keyid
certificate already present
CMS_SIGNERINFO_VERIFY_CERT
cms_set1_keyid
CMS_RecipientInfo_set0_pkey
CMS_RecipientInfo_set0_password
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_ktri_cert_cmp
cms_msgSigDigest_add1
CMS_GET0_CERTIFICATE_CHOICES
CMS_EncryptedData_set1_key
CMS_decrypt_set1_pkey
CMS_decrypt_set1_password
CMS_decrypt_set1_key
CMS_add1_recipient_cert
CMS_add0_recipient_password
CMS_add0_recipient_key
CMS_add0_cert
unsupported requestorname type
no certificates in chain
error parsing url
PARSE_HTTP_LINE1
OCSP_parse_url
OCSP_cert_id_new
unimplemented public key method
invalid cmd number
invalid cmd name
failed loading public key
failed loading private key
cmd not executable
ENGINE_UNLOAD_KEY
ENGINE_load_ssl_client_cert
ENGINE_load_public_key
ENGINE_load_private_key
ENGINE_get_pkey_meth
ENGINE_get_pkey_asn1_meth
ENGINE_ctrl_cmd_string
ENGINE_ctrl_cmd
ENGINE_cmd_is_executable
unsupported version
unsupported md algorithm
invalid signer certificate purpose
ess signing certificate error
ess add signing cert error
TS_VERIFY_CERT
TS_TST_INFO_set_msg_imprint
TS_RESP_CTX_set_signer_cert
TS_RESP_CTX_set_certs
TS_REQ_set_msg_imprint
TS_MSG_IMPRINT_set_algo
TS_CHECK_SIGNING_CERTS
ESS_SIGNING_CERT_NEW_INIT
ESS_CERT_ID_NEW_INIT
ESS_ADD_SIGNING_CERT
functionality not supported
WIN32_JOINER
unsupported pkcs12 mode
key gen error
PKCS8_add_keyusage
PKCS12_PBE_keyivgen
PKCS12_newpass
PKCS12_MAKE_SHKEYBAG
PKCS12_MAKE_KEYBAG
PKCS12_key_gen_uni
PKCS12_key_gen_asc
PKCS12_add_localkeyid
unsupported option
unable to get issuer keyid
policy syntax not currently supported
operation not defined
no proxy cert policy language defined
no issuer certificate
extension setting not supported
V2I_EXTENDED_KEY_USAGE
V2I_AUTHORITY_KEYID
S2I_SKEY_ID
S2I_ASN1_SKEY_ID
R2I_CERTPOL
unsupported cipher type
unknown operation
unable to find certificate
signing not supported for this key type
operation not supported on this type
no recipient matches key
no recipient matches certificate
encryption not supported for this key type
decrypted key is wrong length
PKCS7_add_certificate
unsupported method
no port specified
no port defined
no accept port specified
BIO_get_port
ECDH_compute_key
data too large for key size
unsupported field
peer key error
passed null parameter
not a supported NIST prime
missing private key
keys not set
invalid private key
gf2m not supported
PKEY_EC_SIGN
PKEY_EC_PARAMGEN
PKEY_EC_KEYGEN
PKEY_EC_DERIVE
PKEY_EC_CTRL_STR
PKEY_EC_CTRL
o2i_ECPublicKey
i2o_ECPublicKey
i2d_ECPrivateKey
EC_KEY_set_public_key_affine_coordinates
EC_KEY_print_fp
EC_KEY_print
EC_KEY_new
EC_KEY_generate_key
EC_KEY_copy
EC_KEY_check_key
ECKEY_TYPE2PARAM
ECKEY_PUB_ENCODE
ECKEY_PUB_DECODE
ECKEY_PRIV_ENCODE
ECKEY_PRIV_DECODE
ECKEY_PARAM_DECODE
ECKEY_PARAM2TYPE
DO_EC_KEY_PRINT
d2i_ECPrivateKey
zlib not supported


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    MaohaWifiSvr.exe:4080
    MaohaWifiSvr.exe:768
    MaoHaWiFiSetup_239.exe:1980

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1496 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1480 bytes)
    %Program Files%\Maoha\MaohaAP\maohasubstat.dll (163 bytes)
    %Program Files%\Maoha\MaohaAP\tipsdll.dll (237 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaCD.dll (53 bytes)
    C:\Windows\Temp\TarECA0.tmp (2712 bytes)
    %Program Files%\Maoha\MaohaAP\Updater\CheckUpdate.dll (258 bytes)
    C:\Windows\Temp\CabEC9F.tmp (48 bytes)
    %Program Files%\Maoha\MaohaAP\gzipdll.dll (306 bytes)
    %Program Files%\Maoha\MaohaAP\APDefault.ini (2 bytes)
    %Program Files%\Maoha\MaohaAP\WifiDhcpSvr.dll (214 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\driver\maohawifipronat64.cat (14 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\app_tj.png (723 bytes)
    %Program Files%\Maoha\MaohaAP\ICSDHCP.ini (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (1 bytes)
    %Program Files%\Maoha\MaohaAP\Uninst.dar0 (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiWin7.dll (264 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\logo.png (17 bytes)
    %Program Files%\Maoha\MaohaAP\driver\WifiProNat64.inf (3 bytes)
    %Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys (43 bytes)
    %Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat.sys (38 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaDevMng.dll (195 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.bat (24 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverInstall_X64.exe (115 bytes)
    %Program Files%\Maoha\MaohaAP\RaWifi.dll (185 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.reg (15 bytes)
    %Program Files%\Maoha\MaohaAP\driver\WifiProNat.inf (3 bytes)
    %Program Files%\Maoha\MaohaAP\ICSDHCP.dll (618 bytes)
    %Program Files%\Maoha\MaohaAP\res\support.dat (35 bytes)
    %Program Files%\Maoha\MaohaAP\7z.dll (921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)
    %Program Files%\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe (538 bytes)
    %Program Files%\Maoha\MaohaAP\drv64\drv64.exe (194 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.bat (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1194 bytes)
    %Program Files%\Maoha\MaohaAP\dt.exe (13 bytes)
    %Program Files%\Maoha\MaohaAP\uninstall.dll (1200 bytes)
    %Program Files%\Maoha\MaohaAP\ext\5.dll (27 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiBase.dll (287 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\maohawificfg.ini (60 bytes)
    %Program Files%\Maoha\MaohaAP\MyTheme.dll (134 bytes)
    %Program Files%\Maoha\MaohaAP\ResLoader.dll (112 bytes)
    %Program Files%\Maoha\MaohaAP\ext\6.dll (70 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\卸载MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\index.html (6 bytes)
    %Program Files%\Maoha\MaohaAP\ext\3.dll (19 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBB73.tmp (2712 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe (340 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.reg (16 bytes)
    %Program Files%\Maoha\MaohaAP\WifiHelp64.exe (71 bytes)
    %Program Files%\Maoha\MaohaAP\pcidetect.dll (238 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\litlogo.png (1 bytes)
    %Program Files%\Maoha\MaohaAP\drv64\DIFxAPI.dll (519 bytes)
    %Program Files%\Maoha\MaohaAP\softconfig.dll (1595 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\app_logo.png (10 bytes)
    %Program Files%\Maoha\MaohaAP\SmartAction.dll (426 bytes)
    %Program Files%\Maoha\MaohaAP\RaAPAPI.dll (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiXP.dll (157 bytes)
    %Program Files%\Maoha\MaohaAP\res\MaohaWiFiDir.ico (226 bytes)
    %Program Files%\Maoha\MaohaAP\Uninst.dar1 (18 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys (618 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverTool.dll (112 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverInstall.exe (101 bytes)
    %Program Files%\Maoha\MaohaAP\YunExplorer.exe (680 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_0EEA4824454A6D0530EF4C0F6C3F7354 (692 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaWiFiNet64.sys (1 bytes)
    %Program Files%\Maoha\MaohaAP\ApSetting.ini (487 bytes)
    %Program Files%\Maoha\MaohaAP\tips.exe (569 bytes)
    %Program Files%\Maoha\MaohaAP\DIFxAPI.dll (323 bytes)
    %Program Files%\Maoha\MaohaAP\res\MaohaWiFi.ico (226 bytes)
    %Program Files%\Maoha\MaohaAP\SkinBase.dll (125 bytes)
    %Program Files%\Maoha\MaohaAP\PhonetypeData.dat (24 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWiFi.exe (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBB72.tmp (51 bytes)
    %Program Files%\Maoha\MaohaAP\res\Skin\Skin.rdb (260 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\info.png (9 bytes)
    %Program Files%\Maoha\MaohaAP\Uninstall.exe (1399 bytes)
    %Program Files%\Maoha\MaohaAP\ext\1.dll (23 bytes)
    %Program Files%\Maoha\MaohaAP\HWID.ini (11 bytes)
    %Program Files%\Maoha\MaohaAP\ext\4.dll (18 bytes)
    %Program Files%\Maoha\MaohaAP\pcid.dll (244 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\MaohaWiFi.lnk (1 bytes)
    C:\Windows\d9yhteb3 (701 bytes)
    C:\MaoHaWiFiSetup_239.exe (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mF_tbhuabao[1].css (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea11[1].js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\head-menu-nav-last-ico[1].png (309 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\thea15[1].js (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\414_la[1].htm (12689 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493363312352688[1].jpg (20237 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1121_la[1].htm (248 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\global[1].css (43043 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea9[1].js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\thea7[1].js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\style[1].css (19041 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\thea10[1].js (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\myfocus-2.0.4.min[1].js (7600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\10798297[1].gif (4533 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493362336663248[1].png (3678 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\cat-sp-ico[1].png (397 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].jpg (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1493835388636138[1].png (2722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mF_tbhuabao[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1493633016839033[1].jpg (6644 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1493623473579853[1].jpg (235 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\thea6[1].js (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\b2de0eca077a3da0efcb2b3e919bea16[1].png (2160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\1493635427127283[1].png (853 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\thea8[1].js (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\notimg[1].gif (2 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
