Trojan.Win32.Swrort.3_6b525f881e
HEUR:Packed.Win32.Blackv.gen (Kaspersky), Packed-GV!6B525F881E40 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6b525f881e406f59ae110d2b40ea1d76
SHA1: 7c3dd7369e796490d494414e5d8d8932ac98d3d1
SHA256: 30a0ea72f5aba738fa262ee301c8a25c900ef02bc275dea47a147c05ede0222e
SSDeep: 98304:S5oPV/Kby0cneVtn1CjbyCX6MoRLkd/Iqd4zbICXMVg0:mue3n1C1MRL0Ac4zR8VZ
Size: 5804032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-27 18:59:43
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1480
regsvr32.exe:2924
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
Registry activity
The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\6b525f881e406f59ae110d2b40ea1d76_RASAPI32]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process regsvr32.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\Data\"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"
Dropped PE files
| MD5 | File path |
|---|---|
| c578b6820bda5689940560147c6e5ffc | c:\Data\dm.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1509934 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 1515520 | 4472626 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 5988352 | 467850 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp0 | 6459392 | 2170199 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp1 | 8630272 | 5725824 | 5726208 | 5.54304 | d2a970a9551860b343386980fb00583e |
| .rsrc | 14356480 | 69642 | 73728 | 2.97149 | ee1072f2135318e85319ecf905d7d8bf |
URLs
| URL | IP |
|---|---|
| hxxp://apicom.baibaoyun.com.w.kunlunea.com/cloudapi/GeneralExec?arg=0DE0850C40C60C60C80D60D60C20D70D20CE0C80D108509D0850C409B0C809A0970950C809409C0930970950950970C509B0930C60C40C40950C40940930C609A0C50970C80940990C608508F0850C40C60C60D20D80D10D708509D08512E0FF1281200C21260F31251041251131260FA08508F0850C40D50CA08509D08508508F0850D10D80D00C20CE0C80DC08509D09409309508F0850D70DC0D30C808509D0990E006D | |
| hxxp://apicom.baibaoyun.com/cloudapi/GeneralExec?arg=0DE0850C40C60C60C80D60D60C20D70D20CE0C80D108509D0850C409B0C809A0970950C809409C0930970950950970C509B0930C60C40C40950C40940930C609A0C50970C80940990C608508F0850C40C60C60D20D80D10D708509D08512E0FF1281200C21260F31251041251131260FA08508F0850C40D50CA08509D08508508F0850D10D80D00C20CE0C80DC08509D09409309508F0850D70DC0D30C808509D0990E006D | |
| comroute.baibaoyun.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /cloudapi/GeneralExec?arg=0DE0850C40C60C60C80D60D60C20D70D20CE0C80D108509D0850C409B0C809A0970950C809409C0930970950950970C509B0930C60C40C40950C40940930C609A0C50970C80940990C608508F0850C40C60C60D20D80D10D708509D08512E0FF1281200C21260F31251041251131260FA08508F0850C40D50CA08509D08508508F0850D10D80D00C20CE0C80DC08509D09409309508F0850D70DC0D30C808509D0990E006D HTTP/1.1
Host: apicom.baibaoyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine
Content-Type: text/html; charset=UTF-8
Content-Length: 105
Connection: keep-alive
Date: Sat, 27 May 2017 11:46:37 GMT
X-Powered-By: PHP/5.6.3
Set-Cookie: PHPSESSID=ouvq96l8c4egb98mmtt65hoan2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Via: cache19.l2et15[29,200-0,M], cache5.l2et15[30,0], kunlun7.cn199[71,200-0,M], kunlun8.cn199[72,0]
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Sat, 27 May 2017 11:46:37 GMT
X-Swift-CacheTime: 0
Timing-Allow-Origin: *
EagleId: 3d9a7e0814958855971655899e
0B20590A60AC0AB0960990AC09D09D0590710590590630590A909C0AA0AC0A30AB05907106F06706C06A06706D06A06D06E0B4041
The Trojan connects to the servers at the following location(s):
ole32.dll
user32.dll
wininet.dll
oleaut32.dll
kernel32.dll
Winhttp.dll
Kernel32.dll
ntdll.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
{E5000198-4471-40e2-92BC-D0BA075BDBB2}u%uol8e
res.dtx.game2.com.cn
hXXp://VVV.game2.cn/signout/
VVV.game2.cn
hXXp://VVV.game2.cn/playGame/code/dtx
&password=
op=login&code=
VVV.game2.cn/client/gamecode/ts/skin/as/
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
\Data\ .exe
&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=http&o=sso&m=checkNeedCaptcha&account=
hXXp://login.360.cn/?callback=jQuery1121004880054023122077_
&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=https&o=sso&m=getToken&userName=
hXXps://login.360.cn/?func=jQuery1121028211051494341615_
@&proxy=http://wan.360.cn/psp_jump.html&callback=QiUserJsonp615662574&func=QiUserJsonp615662574
src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=https&o=sso&m=login&lm=0&captFlag=1&rtype=data&validatelm=0&isKeepAlive=1&captchaApp=i360&userName=
hXXps://login.360.cn/
hXXp://dtx.wan.360.cn/game_login.php?channel=521260009&src=newwan-syzt1-dtx&advid=521254815__dtx__S112&server_id=S
360.cn
hXXp://s1.dtx.g.1360.com/indexLogin.php?
1970-01-01 08:00:00
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
hXXp://member.8090yxs.com/login.php?action=checkuser&username=
hXXp://member.8090yxs.com/game/game.php?game=dtx&full=play_gamecode&client=pc&server=s
hXXps://account.sogou.com/web/logout_js?client_id=1100
return Math.floor((1 Math.random()) * 65536).toString(16).substring(1)
&captcha=&autoLogin=1&client_id=1100&xd=http://wan.sogou.com/static/jump.html&token=
hXXps://account.sogou.com/web/login
hXXp://wan.sogou.com/clientplay.do?sid=
hXXp://wan.sogou.com/playgame.do?gid=653&sid=
hXXp://t.sogou.dtx.game2.com/indexLogin.php?gid=
hXXp://VVV.dahei.com/websiteAjax/op/login/
hXXp://VVV.dahei.com/joinGame/code/dtx
hXXp://passport.51wan.com/logout.php?refer=http://game.51wan.com/
hXXp://passport.51wan.com/login_index_needToValidate_0.html?jsoncallback=jQuery182016474190838213354_
hXXp://passport.51wan.com/login_index_theLogin_0.html
hXXp://my.51wan.com/gamelogin_wd_serverList_dtx-2.html
@-0-.html
hXXp://my.51wan.com/game_toolbar_0_dtx-
hXXp://res.dtx.game2.com.cn/index/index51wan.html?
hXXp://VVV.ufojoy.com/user/logout.phtml?url=/game/dtx/pc.phtml
hXXp://VVV.ufojoy.com/game/dtx/pc.phtml
"form_submit_key_time" value="
"form_submit_key_v1" value="
"form_submit_key_v2" value="
&url=/game/dtx/pc.phtml&
&form_submit_key_v2=
&form_submit_key_v1=
act=submit&form_submit_key_time=
hXXp://VVV.ufojoy.com/user/login.phtml
VVV.ufojoy.com
hXXp://VVV.ufojoy.com/game/dtx/servers.phtml
"><a href="/server/login/
.phtml"
/pc.phtml?full=play_gamecode
hXXp://VVV.ufojoy.com/server/login/
hXXp://dtx.swjoy.com/front/logon.htm
dtx.swjoy.com
hXXp://dtx.swjoy.com/front/wan_play.htm?gameId=3333&serveridx=
hXXp://dtx.ccttx.com/client.shtml
&lpassword=
hXXp://dtx.ccttx.com/login.shtml?op=login&lusername=
dtx.ccttx.com
hXXp://VVV.ccttx.com/api/getserverlist.shtml?gameid=25&callback=jQuery17103574862751721959_1476633881285&_=1476633881299
hXXp://dtx.ccttx.com/play.shtml?sid=
hXXp://res.dtx.game2.com.cn/index/indexccttx.html?
9211.com
hXXp://partner.open.9211.com/Main/index.aspx?action=login&appid=1000118&sid=
hXXp://passport.9211.com/Login/Login
hXXp://sso.9211.com/user/Login?ReturnUrl=http://VVV.9211.com/&st=
hXXp://duoqu.com/user/login/quit/v/json?_rnd=
var i,keyIndex,code,rand,newStr=[];
i<a.length;
rand=parseInt(256*Math.random());
keyIndex=i%b.length;
code=(a.charCodeAt(i) b.charCodeAt(keyIndex) rand)%6;
newStr.push(String.fromCharCode(rand));
newStr.push(String.fromCharCode(code))
return escape(newStr.join(''))
hXXp://duoqu.com/user/login/post/v/json?_rnd=
&password_enc=
duoqu.com
hXXp://duoqu.com/game/play/entrance/g/50/s/
hXXp://dtx.844a.com/index.php/Index/loginjson/login/1
.html?a2=play&type=
hXXp://dtx.844a.com/playgame-
do=login&client=1&gid=295&sid=54&username=
hXXp://wvw.9377.com/login.php
wvw.9377.com
hXXp://client.9377.com/pc_game_fwdtx.php?do=entergame&server=
type=login&username=
hXXp://game.kuwo.cn/g/st/Entry_2014
game.kuwo.cn
hXXp://dtx.kuwo.cn/g/st/JumpDtx?s=
act=submit&info_div_id=errorTxt&form_submit_key_time=1478090009&form_submit_key_v1=5bee4ecdd231e7039924ea00773fa36c&form_submit_key_v2=b3c842f706dd87e82483e5685791c12b&fik1=i_1921b5de8e5d30c6aedb94f5312a7995&fik2=i_c1f4c5ca9592f7c657a837811a19c238&url=http://dtx.66you.com/client/?channelB_id=0&i_1921b5de8e5d30c6aedb94f5312a7995=
hXXp://dtx.66you.com/user/login/
dtx.66you.com
hXXp://dtx.66you.com/client/?channelB_id=0
hXXp://dtx.66you.com/play/
0@hXXp://VVV.602.com/index.php?m=mymember&c=index&a=logout&forward=&siteid=1
hXXp://VVV.602.com/index.php?m=member&c=email&a=checkUsername&service=login&cn=
hXXp://VVV.602.com/game/s/dtxSucc/
hXXp://VVV.602.com/index.php?m=game&c=index&a=gameUrl&gid=211&sid=
hXXp://VVV.ao7.ufojoy.com/user/logout.phtml?url=/game/dtx/pc.phtml
hXXp://VVV.ao7.ufojoy.com/game/dtx.phtml
form_submit_key_time
=@form_submit_key_v1
;@form_submit_key_v2
&url=/game/dtx.phtml
&act=submit&form_submit_key_time=
hXXp://VVV.ao7.ufojoy.com/user/login.phtml
VVV.ao7.ufojoy.com
hXXp://VVV.ao7.ufojoy.com/game/dtx/servers.phtml
9@.phtml
hXXp://VVV.ao7.ufojoy.com/server/login/
http://res.dtx.game2.com.cn/index/indexufojoy.html?
hXXp://VVV.404wan.360uu.com/u/logout.asp
hXXp://VVV.404wan.360uu.com/u/login_check.asp
hXXp://VVV.404wan.com/diy/server.asp?game=fwdtx
S@hXXp://VVV.404wan.com
hXXp://youxi.kugou.com/site/logout/ref
&useCookie=true&callback=KGG.Login.submit
&captcha=&password=
hXXp://gameapi.kugou.com/member/login?username=
hXXp://gamecenter.kugou.com/gogame/index?gameid=282&serverid=
hXXp://dtx.86hud.com/public/ajax_login.htm
http:\/\/dtx.86hud.com\/api\/uc.php?
hXXp://dtx.86hud.com/api/uc.php?
dtx.86hud.com
hXXp://dtx.86hud.com/logger
hXXp://dtx.86hud.com
hXXp://res.dtx.game2.com.cn/
hXXp://VVV.90902.com/accounts/checklogin1?jsonpCallback=jQuery19103316643926254931_
VVV.90902.com
hXXp://VVV.90902.com
hXXp://dtx.90902.com/wdlogin/logined
hXXp://VVV.90902.com/game/rightFrame/game/180/server/
hXXp://VVV.360uu.com/u/logout.asp
hXXp://VVV.360uu.com/gamelist.asp?game=fwdtx
hXXp://VVV.360uu.com/g.asp?g=
hXXp://VVV.youxij.360uu.com/u/logout.asp
hXXp://VVV.youxij.360uu.com/u/login_check.asp
hXXp://VVV.youxij.360uu.com/g/fwdtx/index.html
I@.html
hXXp://VVV.youxij.360uu.com/g.asp?g=
&user_pass=
hXXp://7658w.com/index.php
hXXp://7658w.com/
hXXp://7658w.com/game_center.php?gameid=269&serverid=
hXXp://VVV.ufojoy.com
hXXp://VVV.y22.337you.com/user/logout/?url=http://dtx.y22.337you.com/client/?channelB_id=0
hXXp://dtx.y22.337you.com/client/?channelB_id=0
&url=http://dtx.y22.337you.com/client/?reg=0&channelB_id=0&
act=submit&info_div_id=errorTxt&form_submit_key_time=
hXXp://dtx.y22.337you.com/user/login/
dtx.y22.337you.com
@Çø/
/client/UID-13998318/TITLE-¾º¶ûÍøÒ³ÓÎϷƽ̨¡¶·¶Î°´òÌìÏ¡·Ë«Ïß
hXXp://dtx.y22.337you.com/play/
hXXp://my.hly.com/logout/?callback=jQuery172047134586476304974_
hXXp://my.hly.com/userapi/login/?callback=jQuery172047134586476304974_
hXXp://game.hly.com/gameLogin/dtx-
hXXp://res.dtx.game2.com.cn/index/indexhly.html?
hXXp://VVV.500xy.360uu.com/u/login_check.asp
500xy.360uu.com
hXXp://VVV.500xy.360uu.com/diy/server.asp?game=fwdtx
hXXp://VVV.500xy.360uu.com
hXXp://VVV.game19.360uu.com/u/logout.asp
hXXp://VVV.game19.360uu.com/u/login_check.asp
hXXp://VVV.game19.360uu.com/play_
hXXp://VVV.33456.com/accounts/loginout
hXXp://VVV.33456.com/accounts/checklogin
http:\/\/VVV.33456.com\/api\/uc.php?
hXXp://VVV.33456.com/api/uc.php?
hXXp://VVV.33456.com/hall/serverlist/gid/178
hXXp://VVV.33456.com
hXXp://VVV.56775.com/accounts/checklogin
http:\/\/VVV.56775.com\/api\/uc.php?
hXXp://VVV.56775.com/api/uc.php?
hXXp://VVV.56775.com/hall/serverlist/gid/61
?@hXXp://VVV.56775.com
hXXp://VVV.ao6.ufojoy.com/user/logout.phtml?url=/game/dtx/pc.phtml
hXXp://VVV.ao6.ufojoy.com/game/dtx.phtml
hXXp://VVV.ao6.ufojoy.com/user/login.phtml
VVV.ao6.ufojoy.com
hXXp://VVV.ao6.ufojoy.com/game/dtx/servers.phtml
hXXp://VVV.ao6.ufojoy.com/server/login/
hXXp://VVV.855yx.360uu.com/u/logout.asp
hXXp://VVV.855yx.360uu.com/u/login_check.asp
hXXp://VVV.855yx.360uu.com/g/fwdtx/index.html
hXXp://VVV.855yx.360uu.com/g.asp?g=
hXXp://VVV.252uu.360uu.com/u/login_check.asp
252uu.360uu.com
hXXp://VVV.252uu.360uu.com/diy/server.asp?game=fwdtx
hXXp://VVV.252uu.360uu.com
hXXp://login.511wan.com/index/pclogout.jsp?url=http://dtx.511wan.com/pc/dtx.jsp
&act=submit&url=http://dtx.511wan.com/pc/dtx.jsp&uname=
hXXp://login.511wan.com/jsonp/pclogin.jsp?callback=jsonp
hXXp://dtx.511wan.com/pc/dtx.jsp
@j@hXXp://VVV.ap1.ufojoy.com/user/logout.phtml?url=/game/dtx/pc.phtml
hXXp://VVV.ap1.ufojoy.com/game/dtx.phtml
hXXp://VVV.ap1.ufojoy.com/user/login.phtml
VVV.ap1.ufojoy.com
hXXp://VVV.ap1.ufojoy.com/game/dtx/servers.phtml
hXXp://VVV.ap1.ufojoy.com/server/login/
&act=submit&url=http://fwdtx.152g.com/pc/fwdtx.jsp&uname=
hXXp://login.152g.com/jsonp/pclogin.jsp?callback=jsonp
hXXp://fwdtx.152g.com/pc/fwdtx.jsp
hXXp://VVV.aotian.com/index.php?m=Client&a=logout
hXXp://VVV.aotian.com/index.php?m=Index&a=logindo&referer=hXXp://VVV.aotian.com/dtx/client/
hXXp://VVV.aotian.com/dtx/play.php?domain=s
hXXp://VVV.235web.360uu.com/u/logout.asp
hXXp://VVV.235web.360uu.com/u/login_check.asp
VVV.235web.360uu.com
hXXp://VVV.235web.360uu.com/diy/server.asp?game=fwdtx
W@hXXp://VVV.235web.360uu.com
hXXp://VVV.feihuo.com/login/logout
&autoLoginFlag=0&_=
hXXp://cas.dobest.com/authen/staticLogin.jsonp?callback=staticLogin_JSONPMethod&areaId=0&authenSource=2&locale=zh_CN&productId=8&productVersion=v5&version=21&tag=20&frameType=3&appId=2013030678&serviceUrl=http%3A%2F%2FVVV.dobest.com&statistics2={"os_type":12,"id":1266,"app_id":"201_0","label":"renzheng_game_login_yeyou","ip":"218.8.161.23","channel_id":0,"ad_id":0,"ad_pos_id":0,"channel_settlement":null,"register_type":"帐号登录","ad_id_icon":"","internet_bar_id":"","game_id_icon":"","yun_pc_mac":"","yun_fh_game_id":"0-","yun_launch_id":"","location_id":""}&inputUserId=&return_url=http://VVV.feihuo.com/
hXXp://VVV.feihuo.com/login/loginSuccess?ticket=
hXXp://VVV.feihuo.com/newWd/commonlist/slug/fwdtx/channelid/286
hXXp://VVV.feihuo.com/game/newcommongame/serverid/
hXXp://user.kxwan.com/login/index/quitWebsite?website=fwdtx.kxwan.com/weiduan/dtx
&_t=0.17784472868959694&login_name=
hXXp://user.kxwan.com/login/index/user_login/?callback=jQuery1112039177097316957515_
hXXp://c.kxwan.com/game/client-1/num/gid-98/server-
hXXp://fwdtx.kxwan.com/api/dtx/login?
hXXp://pay.265g.com/index.php?tp=ajax_login&op=login&username=
hXXp://pay.265g.com/data/qfarr130.js
hXXp://pay.265g.com/index.php?tp=go2&&areaid=
hXXp://web.teeqee.com/abc.php?callback=jQuery17207836172967441288_
hXXp://web.teeqee.com/reg/login.php?ajax=1&callback=jQuery17205071656558068972_
&next_url=http://web.teeqee.com/fwdtx/loginexe/
hXXp://web.teeqee.com/start/index_exe.php?t=fwdtx&is_exe=true&s=
hXXp://login.7u6u.com/index/pclogout.jsp?url=http://fwdtx.7u6u.com/pc/fwdtx.jsp
&act=submit&url=http://fwdtx.7u6u.com/pc/fwdtx.jsp&uname=
hXXp://login.7u6u.com/jsonp/pclogin.jsp?callback=jsonp
hXXp://fwdtx.7u6u.com/pc/fwdtx.jsp
d@hXXp://VVV.707kk.360uu.com/u/logout.asp
hXXp://VVV.707kk.360uu.com/u/login_check.asp
hXXp://VVV.707kk.360uu.com/diy/server.asp?game=fwdtx
hXXp://VVV.707kk.360uu.com
hXXp://8ayx.com/api/loginout.ashx
&rememberYN=1&login=马上登录
posttype=user_login&username=
hXXp://VVV.8ayx.com/api/webaction_YZ.ashx
staticlogin=
8ayx.com
staticlogin
hXXp://8ayx.com/play/
hXXp://VVV.ufojoy.com/auth/go.phtml?
passport.51.com
hXXp://VVV.51.com/
hXXp://passport.51.com/login/proxy
&passport_cookie_login=0&from=1_33_0_0_2578_wddtx&gourl=hXXp://micro.51.com/client/index/dtx/?f_reg=1&from=1_33_0_0_2578_wddtx&passport_auto_login=0&passport_51_ishidden=0&chn=www&ie=7&version=2012&passport_51_ajax=true
&passport_51_password=
passport_51_user=
hXXp://passport.51.com/login/submit
hXXp://micro.51.com/client/play/437/s
&act=submit&url=http://dtx.787you.com/
hXXp://login.787you.com/jsonp/login.jsp?callback=jsonp
&webpage=1
hXXp://dtx.787you.com/play/index.jsp?server_id=
hXXp://res.dtx.game2.com.cn/index/index511wan.html?
&act=submit&url=http://dtx.714wan.com/
hXXp://login.714wan.com/jsonp/login.jsp?callback=jsonp
dtx.714wan.com
hXXp://dtx.714wan.com/
hXXp://dtx.714wan.com/play/index.jsp?server_id=
hXXp://VVV.603u.360uu.com/u/logout.asp
VVV.603u.360uu.com
hXXp://VVV.603u.360uu.com/u/login_check.asp
hXXp://VVV.603u.360uu.com/diy/server.asp?game=fwdtx
Y@href="/g.asp?
hXXp://VVV.603u.360uu.com/g.asp?
niuxAdvNo=201406062085051286; gameofficalloginno=201303049266322579; accessmode=10000; state=0; niux_report_guid=t4kH4HQ8n5HGXMHSJr2CYiSXnNe4AXMZ; deviceid=wdi10.0ba951b558e28bb393daac7037f3da7d122d115e7e26d4705b525259de7ee0f7; VERIFY_TYPE=MEA; result=200; blogresult=0; sessionid=; _x_t_=0
hXXp://i.xunlei.com/login/?r_d=1&use_cdn=0&timestamp=1484841081804&refurl=http://dtx.niu.xunlei.com/
hXXps://login.xunlei.com/check/?u=
&login_enable=0&business_type=103&v=101&cachetime=
hXXps://login.xunlei.com/sec2login/?csrf_token=ab9ece3d648f85d2b4d5bc3354181e01
hXXp://niu.xunlei.com/entergame/dtx/?fenQuNum=
var a = g.length;
e = g.charAt(Math.floor(Math.random() * a))
hXXp://websvr.niu.xunlei.com/loginWithServerid.webGameLogin?rtnName=niuxJSONP_1484851340953925832&rtnType=callback&sessionid=
t.dtx.niu.xunlei.com
gameLoginURL":"
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
&act=submit&url=http://dtx.766you.com/
hXXp://login.766you.com/jsonp/login.jsp?callback=jsonp
dtx.766you.com
hXXp://dtx.766you.com/
hXXp://dtx.766you.com/play/index.jsp?server_id=
&quickforward=yes&handlekey=ls
hXXp://bbs.g.pptv.com/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1
game.g.pptv.com
hXXp://game.g.pptv.com/guest/c/api.php?gid=fwdtx&action=url&sid=
url":"
hXXp://VVV.7477.com/client/checklogin?jsonpCallback=jQuery1710613670145096166_
VVV.7477.com
hXXp://VVV.7477.com/client/gamelogin/game/126/server/
op=login&user_name=
hXXp://VVV.4dtime.com/accounts/checklogin
hXXp://VVV.4dtime.com/Dlq/game_login/?gid=197&sid=
hXXp://VVV.ii11.766q.com/user/logout/?url=http://dtx.ii11.766q.com/client/?channelB_id=0
dtx.ii11.766q.com
hXXp://dtx.ii11.766q.com/client/?channelB_id=0
form_submit_key_time" value="
form_submit_key_v1" value="
form_submit_key_v2" value="
&url=http://dtx.ii11.766q.com/client/?channelB_id=0&
hXXp://dtx.ii11.766q.com/user/login/
i@hXXp://dtx.ii11.766q.com
.yaodou.com
hXXp://dtx.yaodou.com/micro/
hXXp://login.yaodou.com/login/verify?username=
.html?full=play_gamecode&spm=10002.0.0
hXXp://dtx.yaodou.com/micro/s
hXXps://game.zixia.com/game_json.php?action=login&pwuser=
hXXp://go.zixia.com/dtx/
hXXp://VVV.jj1.355you.com/user/logout/?url=http://dtx.jj1.355you.com/client/?channelB_id=0
hXXp://dtx.jj1.355you.com/client/?channelB_id=0
&url=http://dtx.jj1.355you.com/client/?channelB_id=0&
hXXp://dtx.jj1.355you.com/user/login/
.355you.com
hXXp://dtx.jj1.355you.com/play/
dtx.yilewan.com
hXXp://dtx.yilewan.com/showGameServer
&passport=
hXXp://account.yilewan.com/api/loginSign?stcallback=jQuery182023270064345574592_
hXXps://register.stnts.com/new/sso/ajaxLoginSsoApi?stcallback=jQuery182022452994803680526_
hXXp://account.yilewan.com/gameLogin?stcallback=jQuery18208133532504785155_
hXXp://dtx.yilewan.com/gamePlay/wdPlay?gameId=dtx&serverId=s
hXXp://VVV.ii55.766q.com/user/logout/?url=http://dtx.ii55.766q.com/client/?channelB_id=0
dtx.ii55.766q.com
hXXp://dtx.ii55.766q.com/client/?channelB_id=0
hXXp://dtx.ii55.766q.com/user/login/
hXXp://dtx.ii55.766q.com
hXXp://res.dtx.game2.com.cn/index/
hXXp://VVV.59w.com/AllDBLists.ashx?0.9052525781340626&Act=Logines&Username=
51.com
hXXp://VVV.59w.com/login/right.aspx?gameid=29&Server=
hXXp://VVV.hh66.15gg.com/user/logout/?url=http://dtx.hh66.15gg.com/client/?channelB_id=0
dtx.hh66.15gg.com
hXXp://dtx.hh66.15gg.com/client/?channelB_id=0
hXXp://dtx.hh66.15gg.com/user/login/
hXXp://dtx.hh66.15gg.com
.6533.com
.VVV.6533.com
hXXp://VVV.6533.com/ulogin.aspx?ReturnUrl=hXXp://VVV.6533.com/UCenter/index.aspx
&login_pwd=
hXXp://VVV.6533.com/ulogin.aspx?act=login&login_user=
hXXp://game.6533.com/gamecenter.aspx?gameid=429&server=
4@hXXp://VVV.ufojoy.com/auth/go
hXXp://VVV.jj22.15gg.com/user/logout/?url=http://dtx.jj22.15gg.com/client/?channelB_id=0
dtx.jj22.15gg.com
hXXp://dtx.jj22.15gg.com/client/?channelB_id=0
hXXp://dtx.jj22.15gg.com/user/login/
hXXp://dtx.jj22.15gg.com
hXXp://VVV.jj44.15gg.com/user/logout/?url=http://dtx.jj22.15gg.com/client/?channelB_id=0
dtx.jj44.15gg.com
hXXp://dtx.jj44.15gg.com/client/?channelB_id=0
hXXp://dtx.jj44.15gg.com/user/login/
hXXp://dtx.jj44.15gg.com
windows
dx.mouse.position.lock.api|dx.mouse.focus.input.api|dx.mouse.input.lock.api|dx.mouse.state.api|dx.mouse.api
30|60|90
120|130|140
\Data\dm.dll
CxImage 6.0.0
deflate 1.2.3 Copyright 1995-200d
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm''Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
KeyPress
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
U@SetWindowSizeWWWd
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
IMM32.dll
MFC42.DLL
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
RegCloseKey
dm.dll
"\Data\dm.dll /s
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=手机QQ空间&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
pt_login_sig
pt_login_sig=
&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.05911428388208151&pt_uistyle=40
&appid=549000912&js_ver=10167&js_type=1&login_sig=
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
&js_ver=10167&js_type=1&login_sig=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=3-13-
hXXp://ptlogin2.qq.com/login?u=
hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=
hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=
&pt_style=32&0.0.4691942469945334&rand=0.022853566350322763&capclass=0&sig=
hXXp://captcha.qq.com/cap_union_verify_new?clientype=2&uin=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=7-31-1448931424616&js_ver=10141&js_type=1&login_sig=
qzone.qq.com
hXXp://app1105314657.openwebgame.qq.com/SelectServer/qzone?appid=1105314657&sFrom=qzone&openid=&openkey=&pf=qzone&pfkey=&qz_ver=8&appcanvas=1&qz_style=25&params=
WebBrowser
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
COMCTL32.dll
comdlg32.dll
oledlg.dll
WINSPOOL.DRV
ShellExecuteA
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ .exe
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\ .exe
Windows 7
Windows XP
Windows 8
Windows 8.1
Windows 10
mm.cfg
hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows 2000
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Windows 98
Web Server Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
346350253
hXXp://wpa.qq.com/msgrd?v=3&uin=
@Rundll32 InetCpl.cpl,ClearMyTracksByProcess 2
@Rundll32 InetCpl.cpl,ClearMyTracksByProcess 1
@Rundll32 InetCpl.cpl,ClearMyTracksByProcess 8
@Rundll32 InetCpl.cpl,ClearMyTracksByProcess 16
@Rundll32 InetCpl.cpl,ClearMyTracksByProcess 255echo
UserLogin
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
<4,$?7/'
(3-!0,1'8"5.*2$
120.26.81.103
//./%s
XXXXXX
%s|%s
Empty key
[32m>>Connect select ret %d
..\t_baibaoyun\protocol\network\TSocket.cpp
[34m[%s %s %d]
[32m>>Connect field errno :%d err: %s
[32m>>ret:%d,error:%d,len:%d,err:%s
num_key
hXXp://apicom.baibaoyun.com/cloudapi/GeneralExec?arg=
[32m>>close g_sockClient %d
..\t_baibaoyun\protocol\TLogin.cpp
TLogin::clearInfo
ProcessPushMsg ret : %d
[32m>>ProcessPushMsg is in
TLogin::ProcessPushMsg
TLogin::SimpleLogin
%s TSocket::Connect err %d
TLogin::SimpleLogOut
TLogin::PushConnect
%d.%d.%d.%d
KeySize
: this object does't support a special last block
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
: this object doesn't support multiple channels
is not a valid key length
InvertibleRSAFunction: computational error during private key operation
for this key
: this key is too short to encrypt any messages
for this public key
EffectiveKeyLength
RC2: effective key length parameter exceeds maximum
?#%X.y
E:\4.0\bbyPlugin\Release\t_baibaoyun_win32.pdb
KERNEL32.dll
IPHLPAPI.DLL
InternetOpenUrlA
WININET.dll
GetCPInfo
GetProcessHeap
t_baibaoyun_win32.dll
generatersakey
generatersakeyW
login
loginW
msgcallback_login
msgcallback_loginW
msgcallback_loginex
msgcallback_loginexW
msgcallback_push
msgcallback_pushW
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0A@$0PP@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0IA@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$FixedKeyLength@$0BI@$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$FixedKeyLength@$0BA@$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
comroute.baibaoyun.com
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PB_W
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
hXXp://VVV.game2.cn/verifyCode.php
hXXp://passport.360.cn/captcha.php?m=create&app=i360&scene=login&userip=dODigcWWRHkmcDDp/zsj8w==&level=default&sign=590ec9&r=1488446452&_=
hXXp://passport.51wan.com/verify.php?for=login
hXXp://wan.sogou.com/game/captcha.do?t=
hXXp://img1.c0.letv.com/ptv/player/swfPlayer.swf?autoPlay=1&id=26776620
repass
UserChangePass
VBScript.RegExp
dm.dmsoft
SetKeypadDelay
SetShowErrorMsg
GetWindowState
SetWindowState
msgcallback_autologinW
msgcallback_autologin
23:58 - 00:02
.comment {color:green},(!73!73!73!73!73!73!73!73!73 @;
.KZCd
G.opy
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9E0C3F8A626BE211ABD1D5C56F68DC7C" xmpMM:DocumentID="xmp.did:BA32D29D96DD11E28E5CF121068396E5" xmpMM:InstanceID="xmp.iid:BA32D29C96DD11E28E5CF121068396E5" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:19648B32A596E2119A57D512E7129882" stRef:documentID="xmp.did:9E0C3F8A626BE211ABD1D5C56F68DC7C"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
1234-4321-
23:59 - 00:01
'.Fos8ZMf
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
s_/v.LS
.jqV&
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
burlywood
\winhlp32.exe
VVV.dywt.com.cn
index.dat
desktop.ini
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
.vCTf
Ya%s,
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
sice.sys
siwvid.sys
ntice.sys
iceext.sys
syser.sys
sbiedll.dll
%d-%d-%d
winhttp.dll
activation.php?code=
deactivation.php?hash=
AVIFIL32.dll
RASAPI32.dll
l.WS2_32.dll
WTSAPI32.dll
yyGDI32.dll
RegCreateKeyExA
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
MSVFW32.dll
3, 1233, 0, 0
mscoree.dll
nKERNEL32.DLL
WUSER32.DLL
%s_tmp
errcode : %d,
1.0.0.2
Error at hooking API "%S"
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Error: 0x%X
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Error: %d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1480
regsvr32.exe:2924
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Data\dm.dll (823 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.