Trojan.Win32.FlyStudio_f27380be39
Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f27380be39f3002c9eed6a6a4295f711
SHA1: 600661cb2608f512ff75fb65fb7b4a7c32b18aff
SHA256: 085ef0b1f4a50b007d31a0384a61ca274b9c14af9c7c8cc977805154b95ac1ca
SSDeep: 24576:ZrR3uj6Lnlyk0HZ6ExKpoHtMphMtzyCoSo8xXTojXMgjLJUQEX2jn0gQ7/:ZrRzLnl06QKaWaVoSo8xDoQiGQ02QgQ7
Size: 1501696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-13 00:22:06
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2748
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\dc.dll (122 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| f803ad370a8649a143429f179af5f3ab | c:\dc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Nano_WM????
Product Name: ????
Product Version: 2.2.4.0
Legal Copyright: Nano|Copyright For WM????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.2.4.0
File Description: *??
*3300735363@qq.com
Comments: ????_UI_CS
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 4075520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 4079616 | 1458176 | 1456128 | 5.48615 | 5c0ba0bd4ee67a194b4f628955b81356 |
| .rsrc | 5537792 | 45056 | 44544 | 3.17626 | e3adf9e1484e354ce77bf39931595266 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.njwmkj.com/ice9//index.php/api/client/getarret | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
GetViewportOrgEx
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD
ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
comdlg32.dll
MSIMG32.dll
MSVFW32.dll
OLEAUT32.dll
RASAPI32.dll
WININET.dll
WINSPOOL.DRV
WLDAP32.dll
WS2_32.dll
!"#$%&'()* ,-
25, 0, 0, 1
Windows
(*.*)
2.2.4.0
*3300735363@qq.com
%original file name%.exe_2748_rwx_00401000_00546000:
ole32.dll
kernel32.dll
gdi32.dll
user32.dll
advapi32.dll
shlwapi.dll
wininet.dll
Winhttp.dll
Kernel32.dll
dc.dll
Dayu.dll
MsgWaitForMultipleObjects
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
sqlite3_errcode
sqlite3_finalize
sqlite3_prepare_v2
sqlite3_bind_blob
sqlite3_step
sqlite3_get_table
sqlite3_free_table
sqlite3_changes
sqlite3_data_count
sqlite3_reset
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_double
GetProcessHeap
sqlite3_sql
sqlite3_column_bytes
sqlite3_open_v2
sqlite3_close
sqlite3_rekey
sqlite3_key
sqlite3_free
sqlite3_errmsg
sqlite3_libversion
sqlite3_busy_timeout
sqlite3_exec
sqlite3_interrupt
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}{B6F7542F-B8FE-46a8-9605-98856A687097}{E5D631FE-E3C9-4eb3-A687-C89598FE6691}Sqlite3
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}\dc.dll
.text
`.rdata
@.data
.rsrc
@.reloc
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MSVCRT.dll
KERNEL32.dll
GdiplusShutdown
gdiplus.dll
WSOCK32.dll
MSVCP60.dll
ReportError
ReportError_A
VBYB_ReportError
VB_ReportError
uu_loginA
uu_loginW
uu_reportError
debug.ini
ReportError:%s
Error:%s
%s|!|%s
\dms.pdb
%u%u,
dclog.txt
config.ini
port
settimeout:%d
[%d]%s
reg2:%s
checkok:%s %s
check fail:%s %s %s
check:%s %s
getcjfail:%s %s
getcj:%s %s
%s%uout
%s%uin
put img ok:%s
put img fail:%s
put img:%s %s %d
get result ok:%s,%s
get result fail:%s
get result:%s
notifyfail ok:%s
%s\%d-%s.png
notifyfail fail:%s,%s
notifyfail:%s
getimgok:%s,%s
getimg:%s
getinfo fail:%s
getinfo:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
recv:%d
send:%d
GET /ip.txt HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
ioctlsocket:%d
socket:%d
api.qqchaoren.net
14.17.65.24
14.17.65.23
dama2.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
recv timeout:<%d>
recvfail:<%d>%d
server close:<%d>%d
recv:<%d>%d
send:<%d>%d
sendfail:<%d>%d
connect timeout:<%d>
connectok:<%d>%s %hu
127.0.0.1
1.1.3
/index.php/api/client/unbundling
return hex_md5("abc").toLowerCase() == "900150983cd24fb0d6963f7d28e17f72"return binl2rstr(binl_md5(rstr2binl(a), a.length * 8))
if(e.length > 16) {e = binl_md5(e, c.length * 8)
var g = binl_md5(a.concat(rstr2binl(f)), 512 f.length * 8);
return binl2rstr(binl_md5(d.concat(g), 512 128))
for(var d = 0; d < c.length; d ) {a = c.charCodeAt(d);
b = f.charAt((a >>> 4) & 15) f.charAt(a & 15)
while( d < c.length) {e = d 1 < c.length ? c.charCodeAt(d 1) : 0;
b = String.fromCharCode(a)
b = String.fromCharCode(192 | ((a >>> 6) & 31), 128 | (a & 63))
b = String.fromCharCode(224 | ((a >>> 12) & 15), 128 | ((a >>> 6) & 63), 128 | (a & 63))
b = String.fromCharCode(240 | ((a >>> 18) & 7), 128 | ((a >>> 12) & 63), 128 | ((a >>> 6) & 63), 128 | (a & 63))
var a = Array(b.length >> 2);
for(var c = 0; c < a.length; c ) {for(var c = 0; c < b.length * 8; c = 8) {a[c >> 5] |= (b.charCodeAt(c / 8) & 255) << (c % 32)
for(var c = 0; c < b.length * 32; c = 8) {a = String.fromCharCode((b[c >> 5] >>> (c % 32)) & 255)
for(var g = 0; g < p.length; g = 16) {len = str.length;
c1 = str.charCodeAt(i ) & 0xff;
out = base64EncodeChars.charAt(c1 >> 2);
out = base64EncodeChars.charAt((c1 & 0x3) << 4);
c2 = str.charCodeAt(i );
out = base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
out = base64EncodeChars.charAt((c2 & 0xF) << 2);
c3 = str.charCodeAt(i );
out = base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6));
out = base64EncodeChars.charAt(c3 & 0x3F);
c1 = base64DecodeChars[str.charCodeAt(i ) & 0xff];
c2 = base64DecodeChars[str.charCodeAt(i ) & 0xff];
out = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = str.charCodeAt(i ) & 0xff;
out = String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));
c4 = str.charCodeAt(i ) & 0xff;
out = String.fromCharCode(((c3 & 0x03) << 6) | c4);
c = str.charCodeAt(i);
out = str.charAt(i);
out = String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));
out = String.fromCharCode(0x80 | ((c >> 6) & 0x3F));
out = String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
out = String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));
c = str.charCodeAt(i );
out = str.charAt(i - 1);
char2 = str.charCodeAt(i );
out = String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
char3 = str.charCodeAt(i );
out = String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
var tmp = Date.parse(new Date()).toString();
tmp = tmp.substr(0, 10);
var r = Math.random() * (max - min);
var re = Math.round(r min);
re = Math.max(Math.min(re, max), min)
return str.replace(/(^\s*)|(\s*$)/g, "");
function n(txt,key,ikey){//var ikey ="mm.2ksqrvOIpZxoWZ3r_9-B6gxGR60g6";
var tlen = txt.length;
var _chars = chars.split('');var _key = key.split('');var _txt = txt.split('');while(!(typeof(_key[i]) == 'undefined')) knum = _key[i ].charCodeAt();
var nh1 = chars.indexOf(ch1);
_txt.splice(knum % tlen--,1,'');
txt = _txt.join('');_txt = txt.split('');var nh2 = chars.indexOf(ch2);
_txt.splice(nh1 % tlen--,1,'');
var nh3 = chars.indexOf(ch3);
_txt.splice(nh2 % tlen--,1,'');
var bong = hex_md5( hex_md5( hex_md5(key ch1) ch2 ikey) ch3);
var mdKey = bong.substr(nhnum%8,knum%8 16); //substr(,nhnum%8,knum%8 16); //
var _mdKey = mdKey.split('');tlen = txt.length;
var klen = mdKey.length;
j = chars.indexOf(_txt[i])- nhnum - _mdKey[k ].charCodeAt();
tmp = tmp.replace(/\-/g, " ");
tmp = tmp.replace(/\_/g,"/");
tmp = tmp.replace(/\./g,"=");
var jie = tmp.substr(0,11);
if (jie.match(/\d{10}_/)){tmp = tmp.substr(11);
function r(txt, key,ikey) {//var ikey = "-x6g6ZWm2G9g_vr0Bo.pOq3kRIxsZ6rm";
var bong = hex_md5(hex_md5(hex_md5(key ch1) ch2 ikey) ch3);
var mdKey = bong.substr(nhnum % 8, knum % 8 16); //substr(,nhnum%8,knum%8 16); //
txt = txt.replace(/\ /g, "-");
txt = txt.replace(/\//g, "_");
txt = txt.replace(/\=/g, ".");
j = (nhnum chars.indexOf(_txt[i]) _mdKey[k ].charCodeAt()) % 64;
var tmplen = tmp.length;
obj = new ActiveXObject("WinHttp.WinHttpRequest.5.1")function Ajax(url, data) {obj.Open("POST", url, false);obj.Open("GET", url, false);obj.SetRequestHeader("Accept", "*/*");obj.SetRequestHeader("Accept-Language", "zh-cn");obj.SetRequestHeader("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)");obj.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded");obj.SetRequestHeader("Referer", url); //obj.SetTimeouts(t, t, t, t); //
obj.Send();
obj.Send(data);
AllResponseHeaders = obj.GetAllResponseHeaders //
Xlr = obj.ResponseText();
return Xlr.replace(/\s/g, '');
.explicit
] (\[|{|'')/index.php/api/client/passforget
%cR11
/index.php/api/client/login
\Config.ini
login
password
/index.php/api/client/sendcode
/index.php/api/client/getdata
/index.php/api/client/get
*.txt
\office.tmp
&key=
hXXp://VVV.pulami.com/server/txtapi/api.php
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXps://
\TimeInfos.dll
\data\CookData.db
\Dayu.dll
3.6.18
%fg {%s}KERNEL32.DLL
sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_backup_finish
sqlite3_backup_init
sqlite3_backup_pagecount
sqlite3_backup_remaining
sqlite3_backup_step
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_database_name
sqlite3_column_database_name16
sqlite3_column_decltype16
sqlite3_column_name16
sqlite3_column_origin_name
sqlite3_column_origin_name16
sqlite3_column_table_name
sqlite3_column_table_name16
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete
sqlite3_complete16
sqlite3_config
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_db_config
sqlite3_db_handle
sqlite3_db_mutex
sqlite3_db_status
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errmsg16
sqlite3_expired
sqlite3_extended_errcode
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_global_recover
sqlite3_initialize
sqlite3_last_insert_rowid
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_leave
sqlite3_mutex_try
sqlite3_next_stmt
sqlite3_open
sqlite3_open16
sqlite3_os_end
sqlite3_os_init
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_shutdown
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sourceid
sqlite3_status
sqlite3_stmt_status
sqlite3_strnicmp
sqlite3_table_column_metadata
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_win32_mbcs_to_utf8
/index.php/api/client/get_key
/index.php/api/client/userdebug
hXXp://VVV.njwmkj.com/404/tjhbvipb.exe
@ping -n 1 127.0.0.1>nul
@ping -n 2 127.0.0.1>nul
@ping -n 3 127.0.0.1>nul
\ .bat
hXXp://VVV.njwmkj.com/404/tip2.txt
http=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
/index.php/api/client/passchange
hXXp://VVV.njwmkj.com/ice9/
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SMARTVSD
\\.\PhysicalDrive0
.mul_announcement
.mul_state
.mul_version_num
.mul_version_url
.mul_version_subc
.mul_version_switch
/index.php/api/client/getarret
hXXp://api.ruokuai.com/register.xml
hXXp://api.ruokuai.com/info.xml
hXXp://api.ruokuai.com/recharge.xml
hXXp://api.ruokuai.com/create.xml
hXXp://api.ruokuai.com/reporterror.xml
vip827b3t5566passwordq136422102code463
%D&j)
hXXp://api.ele.me/user/messages/bind
hXXp://restapi.ele.me/v1/user?extras[]=gift_amount
hXXp://restapi.ele.me/marketing/v2/startup_hongbao
hXXp://restapi.ele.me/member/v1/red_badge/status
hXXps://mainsite-restapi.ele.me/v1/users/
HTTP_UNAUTHORIZED
/orders?extras[]=basket&extras[]=restaurant&extras[]=rate_info&extras[]=pay_expired_time&limit=10&offset=0&type=last_three_month"},{"method":"GET","url":"/v1/users/{"timeout":10000,"requests":[{"method":"GET","url":"/v2/users/Referer: hXXps://VVV.ele.me/profile/order
hXXps://mainsite-restapi.ele.me/batch
hXXps://m.ele.me/restapi/v1/users/
","type":"old_password"}
","old_password":"
{"action":"password","new_password":"hXXps://mainsite-restapi.ele.me/v1/user/password
',password = '
hXXps://mainsite-restapi.ele.me/v1/captchas
hXXps://mainsite-restapi.ele.me/v1/captchas/
","password":"
hXXps://mainsite-restapi.ele.me/v1/login
insert into cookies(username,password,userid,sid) values ('User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
/index.php/api/client/register
/index.php/api/client/recharge
/index.php/api/client/spacetime
/index.php/api/client/secede
\^$ .{}[]=()-"\^$ .{}[]=()?*|"\^$ .{}[]=()?*"\^$ .{}[]=?*"VBScript.RegExp
&password=
application/x-www-form-urlencoded
&softkey=
Content-Disposition: form-data; name="password"
{pass}Content-Disposition: form-data; name="softkey"
{softkey}Content-Disposition: form-data; name="image"; filename="System.Byte[]"
Primary Key
select count(*) from sqlite_master where type='table' and tbl_name='
select name as title from sqlite_master where type='table'
select name as title from sqlite_master where type='table' and name not like('sqlite%')sqlite_master
select sql from sqlite_master where type='table' and name='
SELECT name FROM sqlite_master WHERE type='table' ORDER BY name
sqlite_sequence
select sql from sqlite_master where type='index' and name='
select sql from sqlite_master where type='view' and name='
select sql from sqlite_master where type='trigger' and name='
SetClientCertificate
).txt|*.txt
0-6,32-14,6-5,10-5
hXXp://VVV.ka20.com/Shop-38ef36069.html
_gm_repass2
_zhmm_newpass
_gm_repass1
_gm_repass
_gm_newpass
'.iHRDRXR
_reg_repass
_zc_repass
_zc_pass
_reg_pass
_jb_pass
AM-BN-CO.DO.
_gm_pass
%d&&'
123456789
00003333
1.2.18
__MSVCRT_HEAP_SELECT
EnumChildWindows
USER32.dll
GDI32.dll
ShellExecuteA
SHELL32.dll
IMM32.dll
SHLWAPI.dll
WINMM.dll
GetCPInfo
exui.dll
F3.7.11
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYHerF
?456789:;<=
!"#$%&'()* ,-./0123
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
keye
10FE000C-ACC4-4d21-BF4D-135DEAAB9175
ex_ui keye
msimg32.dll
214821178
73C0558A-EC75-4af4-AE00-26C2F3091309
C4F42B3E-E268-4841-B178-410077863BF9
F9F51895-6A82-4012-A380-31BE87C35394
VVV.meitu.com
937C8B4E-863C-4915-98DB-1AB7FFC3F0BFL
F9527F43-AC13-4b6e-B923-C9011E3FE5DC
C7DA8792-CB01-4104-8EF5-E08965E12F3C
2A947078-BC9C-48e7-BF4C-A8BD831117C84
45D194E9-0244-4ea9-8751-813ACF85EEEF
FB3DADD5-3E2F-48eb-BD31-AA43D142DA77
vk=15vd=9999vx=0vv= vi=-3}{vt=v?=2vs=vk=10vd=12vx=1vv= vi=-3}{vt=v?=31vs=vk=10vd=31vx=1vv= vi=-3}
2747873D-7005-4c4e-AAD9-25D85698EFEE
\wke.dll
\lib\ex_ui\wke.dll
C:\exui
wke.dll
D:\exui
\lib\ex_ui\wke.dll)
wke.dll
4F4232B4-AE1B-449c-BF6F-1B3DD0351CBF
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}A46CAE6A-3EFD-48dc-9E3C-CA251E75E97A
E53BD398-631F-443d-A550-89085D2E46A6D
ryxzxzw@163.com QQ 1060943567 QQ
1:128623809
015621FD-C063-4706-B16E-A8877DC952E1
0FE5D74C-29B7-4980-BC1D-70650F50AA2E
GdiPlus.dll
lib\ex_ui\AttributeEditorexui.dll
Ole32.dll
shell32.dll
imm32.dll
GetAsyncKeyState
wkeKeyDown
wkeKeyUp
wkeCreateWebView
wkeGlobalExec
wkeLoadURLW
wkeDestroyWebView
wkeKeyPress
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
zcÁ
c:\%original file name%.exe
;3 #>6.&
'2, / 0&7!4-)1#
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
RowKey
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
os_win.c:%d: (%d) %s(%s) - %s
OsError 0x%x (%u)
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
unknown database %s
cannot limit WAL size: %s
Recovered %d frames from WAL file %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
foreign key constraint failed
%s(%d)
keyinfo(%d
bind on a busy prepared statement: [%s]
statement aborts at %d: [%s] %s
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_temp_master
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
2nd reference to page %d
invalid page number %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
Page %d:
zeroblob(%d)
cannot open %s column for writing
no such column: "%s"
cannot open view: %s
cannot open virtual table: %s
indexed
foreign key
cannot open value of type %s
%.*s"%w"%s
%s%.*s"%w"
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
unable to open database: %s
database %s is already in use
too many attached databases - max %d
database %s is locked
cannot detach database %s
no such database: %s
%s: %s
%s: %s.%s
API call with %s database connection pointer
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
%s - %s
malformed database schema (%s)
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
database schema is locked: %s
sqlite3_get_table() called with two or more incompatible queries
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
no such module: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
sqlite_altertab_%s
DELETE FROM %Q.%s WHERE %s=%Q
CREATE TABLE %Q.%s(%s)
automatic extension loading failed: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
GetViewportOrgEx
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
!"#$%&'()* ,-
25, 0, 0, 1
Windows
!$).056;
.Ro_|
888816666554443
6666554443
!6666554443
(*.*)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\dc.dll (122 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.