Trojan.Win32.Swrort.3_918dcb020d

by malwarelabrobot on September 26th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 918dcb020d504c429f7b0f70f6f8c63f
SHA1: 6c801fe70e447a9f94b60620efb35271e09e822f
SHA256: 538af4f62e90812395cb3a2b7c8f1525731504951bc011a9555b4c74ebfb53c6
SSDeep: 98304:Jb 0e0yfMtPdxs4jUJa7Xv 5VHZ5ck507SKET1i9r eg2ERRaQhrj8CP2EZM 5W0:Jbxqf4nBepb5aw1qCrRfL2ES 4sgw
Size: 6713344 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-09-09 18:14:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1904

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a295.tmp (7971 bytes)
C:\Windows\System32\yxkey.ime (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a2a5.tmp (5873 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a295.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a2a5.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\918dcb020d504c429f7b0f70f6f8c63f_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
032319ae9e8756d3c3eb3d08e04079b2 c:\Windows\System32\yxkey.ime

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: */By???
Product Name: ????_PC_???
Product Version: 1.0.1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.1.0
File Description: ????_PC_???
QQ?:62081964
Comments: QQ?:62081964
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1998442       0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  2002944          4686200       0         0         d41d8cd98f00b204e9800998ecf8427e
.data   6692864          396394        0         0         d41d8cd98f00b204e9800998ecf8427e
.vmp0   7090176          2674052       0         0         d41d8cd98f00b204e9800998ecf8427e
.vmp1   9764864          6627664       6631424   5.54352   96b89768a60c00c6ac10df9944ff0d1f
.reloc  16396288         264           4096      0.308286  4ba084a34cf57ce123970e49f5cd43b3
.rsrc   16400384         70309         73728     2.89734   f1cd0c1e73a662312453d74eda682fa0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://temp.p23.tc.cdntip.com/gx.txt
hxxp://oqkeaisqb.bkt.clouddn.com/gx.txt 121.31.30.201
dns.msftncsi.com 131.107.255.255
1.5yyz.com
2.5yyz.com
3.5yyz.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /gx.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: oqkeaisqb.bkt.clouddn.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nws_supermid_hy
Connection: keep-alive
Date: Mon, 25 Sep 2017 13:30:41 GMT
Cache-Control: public, max-age=31536000
Expires: Tue, 25 Sep 2018 13:30:41 GMT
Last-Modified: Mon, 11 Sep 2017 06:59:19 GMT
Content-Type: text/plain
Content-Length: 391
X-NWS-LOG-UUID: 0867b043-656d-4622-aedb-18c5eeba08ad 07c22117ed07c618c401cd7b57866e42
X-Cache-Lookup: Hit From Disktank3
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 2592000
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
X-ReqId: cj4AAFOOputGPeMU
Content-Disposition: inline; filename="gx.txt"; filename*=utf-8' 'gx.txt
X-Daa-Tunnel: hop_count=3
X-Cache-Lookup: Hit From Inner Cluster
X-Cache-Lookup: Hit From Upstream
X-Cache-Lookup: Hit From Inner Cluster 
////............=1.7.5</p>..........=hXXp://oqkeaisqb.bkt.clouddn.com/飘逸梦幻_PC_桌面版.exe</p>..............=..1...................../............-------------------------------------....BUG..................................-------------------------------------..
By.....................


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1904:

.text
`.rdata
@.data
.vmp0
`.vmp1
`.reloc
@.rsrc
-xzr}
t$(SSh
~%UVW
u.hp;
u$SShe
|.5|}.sG
kernel32.dll
user32.dll
gdiplus.dll
advapi32.dll
ntdll.dll
Kernel32.dll
NTDLL.DLL
shlwapi.dll
shell32.dll
yxkey.ime
psapi.dll
gdi32.dll
msimg32.dll
comctl32.dll
COMCTL32.DLL
version.dll
imm32.dll
ole32.dll
GdiPlus.dll
Gdiplus.dll
MsgWaitForMultipleObjects
ShellExecuteEx
UnhookWindowsHookEx
GdiplusShutdown
EnumWindows
MapVirtualKeyA
SetKeyboardState
GetKeyState
GetKeyboardLayoutList
ZwOpenKey
RtlFormatCurrentUserKeyPath
ZwQueryValueKey
UnloadKeyboardLayout
ZwEnumerateValueKey
ZwDeleteValueKey
ZwEnumerateKey
ZwDeleteKey
KeyPress
KeyDown
KeyUp
KbdAkeysSeq
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
{B6F7542F-B8FE-46a8-9605-98856A687097}
.rsrc
.rb)6t$`6
wI.VAj
.CR7C- G
!"#$%&'()* ,-./
|.DLL@&
C:\Ks\BLACK\8
.pdbk
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
E_Loader.dll
KeymV?Y.
=.rP 
.Lq]=
.RC]-
*2|%X
.vcQ%
G}%S(F
0.VAb
ÊxR/
%8%C:z
b.gm$'
%uMa3s;"
x%Ss>
G.kl&
M%u9q
l%U_|
}{.wr
.wSnD
TCP(('*
0_.kvLc'
O)œ^
.kj}7
.jd$[KR
%5xSw
.aPs.
&%sbP};
\%%uo4
h2%f$I;
.hT`j
.qV6,
KK3PR{%dUqDM
.gC'`
[o=I%F
EN].kp
A%.jV
VWN.Lzb&q
Plk.Caf
OA%xX
0!* 0{.*
%FXIF
.vI"%:
,%1xSD0
JGW%F
]S[<
.gfaE}
.tpR 
.LfG4
3.Ivo_r
Hq%FS
K.puHk
s.qZH.
>9.Zx
1-KR}
s^}.UI
W%uFp%
|/%So|
9a%Uot
.Wom1
.iK"F
e0.jO
xbE.js
Q{œ&
SC.Bm{
E\-9S}
.udz"S
[.Kxd
.WKuW
)}p.XQ
^UVLh.QV0e
}xj2%X`XMv
j%5x:
'HDPlug.DLL'
HD.HDSoft = s 'HDPlugInterFace Class'
CLSID = s '{7EEE458C-7C90-4871-B3EE-0F2AD7EDAE18}'
CurVer = s 'HD.HDSoft'
ForceRemove {7EEE458C-7C90-4871-B3EE-0F2AD7EDAE18} = s 'HDPlugInterFace Class'
ProgID = s 'HD.HDSoft'
stdole2.tlbWWW
BkeypadWW
.aKeyDownW
MKeyUpWWWd
KeyPressd
KeyPressStrW
pOkey_strWd
KeyPressChard
qHKeyDownCharWd
KeyUpCharWWWd
.retstrWWd
iRSetKeypadDelayWWd
>SGetWindowStateWWd
SetWindowStateWWd
U@SetWindowSizeWWWd
SetShowErrorMsgW
EnableRealKeypadd
WaitKeyW
KLoginWWW
password
keyWd
xModifyPasswordWW
oldPasswordW
NewPasswordWd
port
.yclientNumWWWd
Created by MIDL version 7.00.0555 at Sun Apr 09 22:54:38 2017
ADVAPI32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
OLEAUT32.dll
PSAPI.DLL
USER32.dll
WININET.dll
RegOpenKeyW
HDPlug.DLL
Login
ModifyPassword
1.7.4
\py.ini
H@hXXp://oqkeaisqb.bkt.clouddn.com/gx.txt
1.7.4
update.py
ping 127.0.0.1 -n 1
ren update.py
update.bat
$0.0.836$125.21.125.21
$0.0.861$111.20.111.20
$0.0.793$110.20.110.20
$0.0.870$96.23.96.23
$0.0.727$96.22.96.22
$0.0.736$95.22.95.22
$0.0.753$89.20.89.20
$0.0.890$88.21.88.21
$0.0.773$88.21.88.21
1$0.0.749$88.21.88.21
$0.0.725$88.21.88.21
$0.0.707$88.21.88.21
$0.0.705$88.21.88.21
$0.0.696$88.21.88.21
$0.0.676$88.21.88.21
$0.0.672$88.21.88.21
$0.0.625$88.21.88.21
$0.0.586$88.21.88.21
$0.0.577$88.21.88.21
$0.0.525$88.21.88.21
$0.0.510$88.21.88.21
$0.0.676$88.20.88.20
$0.0.571$88.20.88.20
$0.0.704$87.21.87.21
$0.0.670$87.21.87.21
$0.0.693$87.20.87.20
$0.0.627$87.20.87.20
$0.0.614$87.20.87.20
$0.0.508$87.20.87.20
$0.0.430$87.20.87.20
$0.0.516$81.19.81.19
$0.0.660$81.18.81.18
$0.0.580$81.18.81.18
$0.0.511$81.18.81.18
$0.0.602$80.19.80.19
$0.0.303$71.22.71.22
$0.0.409$71.21.71.21
$0.0.335$71.21.71.21
$0.0.321$71.21.71.21
$0.0.317$71.21.71.21
$0.0.582$70.21.70.21
$0.0.321$66.20.66.20
$0.0.411$65.16.65.16
$0.0.499$60.19.60.19
$0.0.483$60.19.60.19
$0.0.379$59.21.59.21
$0.0.329$58.22.58.22
$0.0.251$57.17.57.17
$0.0.461$55.18.55.18
$0.0.404$55.17.55.17
$0.0.383$55.17.55.17
$0.0.340$55.17.55.17
$0.0.332$55.17.55.17
$0.0.298$55.17.55.17
$0.0.378$54.20.54.20
$0.0.366$54.20.54.20
$0.0.308$54.17.54.17
$0.0.302$54.17.54.17
$0.0.307$54.16.54.16
$0.0.272$53.17.53.17
$0.0.409$50.22.50.22
$0.0.350$50.22.50.22
$0.0.326$47.22.47.22
$0.0.499$47.21.47.21
$0.0.420$46.22.46.22
$0.0.361$46.21.46.21
$0.0.321$44.21.44.21
$0.0.386$43.21.43.21
$0.0.384$43.21.43.21
$0.0.363$43.21.43.21
$0.0.353$43.21.43.21
$0.0.293$43.21.43.21
$0.0.288$43.21.43.21
$0.0.419$43.20.43.20
$0.0.416$43.20.43.20
$0.0.377$43.20.43.20
$0.0.371$43.20.43.20
$0.0.364$43.20.43.20
$0.0.240$43.20.43.20
$0.0.369$42.20.42.20
$0.0.324$42.20.42.20
$0.0.289$42.20.42.20
$0.0.196$42.20.42.20
$0.0.344$41.21.41.21
$0.0.311$41.21.41.21
$0.0.330$41.20.41.20
$0.0.356$40.19.40.19
$0.0.331$40.19.40.19
$0.0.317$40.19.40.19
$0.0.315$40.19.40.19
$0.0.345$40.18.40.18
$0.0.321$40.18.40.18
$0.0.264$39.19.39.19
$0.0.255$39.19.39.19
$0.0.225$39.19.39.19
$0.0.255$38.19.38.19
$0.0.277$36.18.36.18
$0.0.310$36.17.36.17
$0.0.292$36.17.36.17
$0.0.277$36.17.36.17
$0.0.273$36.17.36.17
$0.0.246$36.17.36.17
$0.0.227$36.17.36.17
$0.0.153$36.17.36.17
$0.0.236$36.16.36.16
$0.0.202$36.16.36.16
$0.0.396$35.18.35.18
$0.0.297$35.17.35.17
$0.0.250$35.17.35.17
$0.0.234$35.17.35.17
$0.0.172$35.17.35.17
$0.0.209$35.16.35.16
$0.0.181$35.16.35.16
$0.0.163$35.16.35.16
$0.0.158$32.16.32.16
$0.0.144$32.15.32.15
$0.0.134$32.15.32.15
$0.0.118$32.14.32.14
$0.0.254$21.23.21.23
$0.0.155$17.17.17.17
$0.0.153$17.17.17.17
$0.0.145$17.17.17.17
$0.0.138$17.17.17.17
$0.0.135$17.17.17.17
$0.0.134$17.17.17.17
$0.0.142$17.16.17.16
$0.0.124$17.16.17.16
$0.0.113$17.16.17.16
$0.0.101$17.16.17.16
$0.0.88$17.16.17.16
$0.0.123$16.17.16.17
$0.0.118$16.17.16.17
$0.0.117$16.17.16.17
$0.0.110$16.17.16.17
$0.0.105$16.17.16.17
$0.0.120$16.16.16.16
$0.0.105$16.16.16.16
$0.0.94$16.16.16.16
$0.0.92$16.16.16.16
$0.0.80$16.16.16.16
$0.0.46$8.20.8.20
$0.0.42$7.22.7.22
$0.0.44$7.18.7.18
C:\Windows\py.ini
503822-505050
916333-505050
C:\Windows\System\3285945.bmp
)@##18|$
Wx.iN
OV>@T6B.ZHN
6uÒ/&
*V7D.SC
75%F*G8q(
Z.YLf
ør9
9.Jf-
Cc.UE
fE.Kr
:%c(/|c>#>X
"%S}/
E~Q.BV^
x%e"t.xi{
%!%X'
kMsG^
]%xFQ\|"T
j.begJR
%F$`.1,R3
,;:  27$ 
-h.UB\>
C{.iHB*XMB0hLr:
o.qPd
 .Hp)V;
3l%c!
F_.gZ
-1BM%D>
;l8
=i.aK=6
t.xkmL~
Li%dNT
 ^&#"! 9
É0=
71)-* #=
;l%c<
.sMQ:j/
2u@\.aAY
.UW&1
%D`!aV
Kl.hF
!Y%C!W%
t%X):8
%u%?%
^&X40rLB.
NI#%cU
,YFf.VIv-
C.MA:
.DC3:=<
=.qp>
QlOu9
%S@*%
.BW"!
5 (x-*%s!
:.BT9'E
%U'B$
%k%D%r
;73B-q7}
8S.GF )5 
.wg2,Ob
IFPC;!LJ.CP
R.kaTyu
i.uHv
cKx:kvz.kFzZd
(A.Uc
#;"!0 =$$
6{'@9 ;{7
!7<6.QH
E#.XAl0RG]<
4G -&f4
;= .Dt&=E:-
5!B~.PCz&
%s-z(
.kDm2 A)4ZB
&`%X ,.
%D:>&
7rRu.oE
Rqm%S
&f%c*S%
.NEo.
h)8%f *(3!
09%C;Q"
%D>0*
%C-2,
=.JKNIS<R
.MP<3
ö,(3?v&.J
Tw=-L}40.
[OV%SXS
%d&e/
9.if9Bl
_.ts]4q
K.TPL
[U?%c
=ZQb.QL
*#&.DY.
=.QA>
@ñ<'Kv5? @2
D,.na
0~N%D|Ta-
J.AoN
$2P`.ZZH(
yE]%SR
?4!$10()
WEB~X
Et%cQ
{:t.ngk
%X e s
ÄX#
@o`fN%xV\
>.Hb=
N\SsH
j.oYR-iAF
(%SR)'d
0@&^2^'\4
)k%s!
%u$`%F':'
%s0l"z,
W,.BFb 
/D.FA
Y.QuQ
Qu?JD%D
R#e%S 
-7?#.FB
j.cmN
YÜ`-72a
nPdkn%cru
<6U|9%c
ozm.rfo'v
#w%d)
B!F!H]%X<
<9.DV\I
%u6v,
4&9%x*
%d]O&
}.F23.wJ
)k%U#
E%u"^,)
#-%C 5
$39(6F?IM.GKLB?
$5%X!a-
.yM75<Ky*
8JD6.EFc(
LCP%S
d]i.kJk
*?-
'<%s,
(W%S(Z
`Y;.Dp-B. "l6
.hYs/ h
.bX-[GF
%s<}#
' ) & &^'
[;m<XMsGO
.yDh,
Eu%D>
%x3H'
tAa%xkg
%c.4)
@M.kUM.6]c.
GJ.kC
%U$R$^-m84K
J~NCP.TSO
%x7y#
U.BqG
4.Jf"
m.qXh
b.oug'd
E.YQC
MTH.QDM
t%x$N
%F*[515
>&bi%.lR
5.DON
723912-505050
946637-505050
703610-505050
mymain.exe
mymaln.exe
@.reloc
SSSSh
.WWWW
r%f;M
monochrome
unsupported bit depth
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?#%X.y
GetProcessWindowStation
operator
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.3.6.1.4.1.311.2.1.12
1.2.840.113549.1.9.5
1.2.840.113549.1.9.6
%s %d
com_ingame_urlopen
com_inpusharticle_web
checkClientByEnumProcess EnumProcesses failed lasterror = %d
checkClientByEnumProcess : OpenProcess failed processID = %d, lasterror = %d
pi_init g_pfnCreateToolhelp32Snapshot = %d, g_pfnProcess32First = %d
checkClientBySnapShot : CreateToolhelp32Snapshot failed and lasterror = %d
checkClientBySnapShot : Process32First failed and lasterror = %d
terminate process return false pocess = x
E:\workspace\winXqProjectTrunk\projects\XyqPocket\mymain.pdb
??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z
??0CWebBrowserUI@DuiLib@@QAE@XZ
??1CWebBrowserUI@DuiLib@@UAE@XZ
??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z
??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@
??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@
??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@
??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@
??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@
?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ
?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z
?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z
?DUI__TraceMsg@DuiLib@@YAPB_WI@Z
?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ
?DocumentComplete@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z
?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z
?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z
?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z
?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z
?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ
?GetClass@CWebBrowserUI@DuiLib@@UBEPB_WXZ
?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z
?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z
?GetHomePage@CWebBrowserUI@DuiLib@@QAEPB_WXZ
?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z
?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ
?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z
?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPB_W@Z
?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z
?GetPasswordChar@CEditUI@DuiLib@@QBE_WXZ
?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z
?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z
?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ
?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ
?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ
?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ
?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ
?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z
?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z
?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ
?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ
?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ
?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ
?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPB_W@Z
?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z
?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ
?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPB_W@Z
?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z
?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z
?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z
?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z
?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z
?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z
?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ
?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z
?Release@CWebBrowserUI@DuiLib@@UAGKXZ
?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ
?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z
?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@MAEJI@Z
?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPB_W0@Z
?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z
?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z
?SetFadeAlphaDelta@CButtonUI@DuiLib@@QAEXE@Z
?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPB_W@Z
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?SetLayeredOpacity@CPaintManagerUI@DuiLib@@QAEXE@Z
?SetOpacity@CPaintManagerUI@DuiLib@@QAEXE@Z
?SetPasswordChar@CEditUI@DuiLib@@QAEX_W@Z
?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z
?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z
?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z
?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z
?TranslateAcceleratorW@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z
?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z
?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z
?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z
?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z
?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ
?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B
?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B
GetProcessHeap
KERNEL32.dll
ShellExecuteW
SHELL32.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
WINTRUST.dll
COMCTL32.dll
GetCPInfo
#*1892 $
%,3:;4-&
zcÁ
.?AVCWebBrowserUI@DuiLib@@
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserEventHandler@DuiLib@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
00
>">&>*>.>
5 5&5,52585>5
>"?(?,?0?4?
5l6l6
?%?*?/?4?=?
6$9(9,9094989<9@9
4 4$4(4,4044484
6,8084888<8@8
> >(>0>8>@>
= =(=0=<=`=
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
hXXp://sv.symcb.com/sv.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
|*.ini
\mymln.exe
\mymaln.exe
\mymain.exe
C:\Windows\pydk.ini
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
\yxkey.ime
`.data
devcon.pdb
t)9>t%U
msvcrt.dll
RegCloseKey
SetupDiOpenDevRegKey
SetupDiOpenClassRegKeyExW
SETUPAPI.dll
ExitWindowsEx
version="1.0.0.0"
name="InstallShield.Setup"
<description>InstallShield.Setup</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
.Class 3 Public Primary Certification Authority0
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0f
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
DU}x%u
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://crl.verisign.com/pca3-g5.crl04
devcon update DrvInDMU.inf "DrvInDKB"
devcon install DrvInDKB.inf "DrvInDKB"
devcon install DrvInDMU.inf "DrvInDMU"
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
signature="$Windows NT$"
Class=Keyboard
ClassGUID={4D36E96B-E325-11CE-BFC1-08002BE10318}
CatalogFile=DrvInDKB.cat
;LayoutFile=layout.inf
DriverVer=03/12/2014,1.0.0.0
; Layout.inf (etc.) list all files shipped with the operating system so the
; in layout.inf
DrvInDKB.sys = 99
99 = %DISK_NAME%,,,
%VPS2Device% = VPS2Device.Inst, DrvInDKB
[Vendor.NTia64]
[Vendor.NTamd64]
[VPS2Device.Inst.NT]
[VPS2Device.Inst.NT.Services]
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_IGNORE%
ServiceBinary = %\DrvInDKB.sys
DrvInDKB.sys
VPS2Device = "Virtual Driver Keyboard"
VPS2ServiceDesc= "Virtual Driver Keyboard Service"
DISK_NAME = "Virtual Driver Keyboard Install Disk"
h.rdata
H.data
B.reloc
d:\work\envoy\drvin\curr\drvind\drvindkb\objfre_wlh_x86\i386\DrvInDKB.pdb
ntoskrnl.exe
HAL.dll
ClassGUID={4D36E96F-E325-11CE-BFC1-08002BE10318}
CatalogFile=DrvInDMU.cat
DrvInDMU.sys = 99
%VPS2Device% = VPS2Device.Inst, DrvInDMU
%VPS2Device% = VPS2Device.Inst, DrvInDKB ; Used for remove the DrvInDKB
ServiceBinary = %\DrvInDMU.sys
DrvInDMU.sys
d:\work\envoy\drvin\curr\drvind\drvindmu\objfre_wlh_x86\i386\DrvInDMU.pdb
.pdata
GetWindowsDirectoryW
_amsg_exit
publicKeyToken="6595b64144ccf1df"
version="1.0.0.0"
<requestedExecutionLevel
name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
d:\work\envoy\drvin\curr\drvind\drvindkb\objfre_wlh_amd64\amd64\DrvInDKB.pdb
d:\work\envoy\drvin\curr\drvind\drvindmu\objfre_wlh_amd64\amd64\DrvInDMU.pdb
__MSVCRT_HEAP_SELECT
SHFileOperationW
ShellExecuteExW
keybd_event
MapVirtualKeyW
SHLWAPI.dll
DrvInDll.dll
KbdAkeysAsync
KbdAkeysSingle
KbdAkeysSync
KbdVirtualKeyAsync
KbdVirtualKeySingle
KbdVirtualKeySync
1 1$1,10181<1
4(5,50545
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
winmm.dll
WinINet.dll
GLU32.DLL
aclui.dll
acsmib.dll
activeds.dll
AcXtrnal.dll
adimage.dll
adptif.dll
ADVAPI32.DLL
advpack.dll
atl.dll
authz.dll
avicap32.dll
avifil32.dll
browseui.dll
CABINET.DLL
clusapi.dll
comdlg32.dll
comsvcs.dll
crtdll.dll
crypt32.dll
cryptnet.dll
D3DRM.DLL
dbghelp.dll
ddraw.dll
DHCPCSVC.DLL
digest.dll
DINPUT.DLL
dplay.dll
dplayx.dll
dsound.dll
dsprop.dll
dsuiext.dll
ftsrch.dll
gpedit.dll
hhctrl.ocx
hlink.dll
iasperf.dll
icm32.dll
ICMP.DLL
icmui.dll
idq.dll
iedkcs32.dll
iissuba.dll
IMAGEHLP.DLL
inetcpl.cpl
iprop.dll
KSUSER.DLL
loadperf.dll
lz32.dll
mapi32.dll
mgmtapi.dll
MOBSYNC.DLL
mpg4dmod.dll
mpr.dll
mprapi.dll
mqrt.dll
msacm32.dll
msafd.dll
mscms.dll
mscpxl32.dLL
msgina.dll
MSHTML.DLL
MSI.DLL
msorcl32.dll
MSPATCHA.DLL
msrating.dll
mstlsapi.dll
msvbvm50.dll
msvfw32.dll
MSWSOCK.DLL
MTXDM.DLL
MTXOCI.DLL
NDDEAPI.DLL
ndisnpp.dll
netapi32.dll
npptools.dll
ntdsapi.dll
ntdsbcli.dll
ntmsapi.dll
nwprovau.dll
odbc32.dll
ODBCBCP.DLL
odbccp32.dll
ODBCTRAC.DLL
OLEACC.DLL
oleaut32.dll
olecli32.dll
oledlg.dll
olesvr32.dll
opengl32.dll
password.cpl
pdh.dll
Powrprof.dll
qosname.dll
query.dll
rasapi32.dll
raschap.dll
rasdlg.dll
rasman.dll
rassapi.dll
rastls.dll
resutils.dll
RICHED20.DLL
rpcns4.dll
rpcrt4.dll
RSRC32.dll
rtm.dll
rtutils.dll
scarddlg.dll
secur32.dll
SENSAPI.DLL
setupapi.dll
SFC.DLL
shdocvw.dll
snmpapi.dll
softpub.dll
spoolss.dll
SVRAPI.DLL
tapi32.dll
TLBINF32.dll
traffic.dll
url.dll
URLMON.DLL
userenv.dll
USP10.DLL
uxtheme.dll
VB5STKIT.DLL
vba6.dll
VDMDBG.DLL
winfax.dll
wininet.dll
winscard.dll
winspool.dll
winspool.drv
wintrust.dll
wldap32.dll
WOW32.DLL
wsnmp32.dll
wtsapi32.dll
xolehlp.dll
\empty.exe
could not empty working set for process #%d [%s]
could not empty working set for process #%d
USAGE: empty.exe {pid | task-name}
AdjustTokenPrivileges failed with %d
LookupPrivilegeValue failed with %d
OpenProcessToken failed with %d
empty.pdb
CloseWindowStation
SetProcessWindowStation
OpenWindowStationA
EnumWindowStationsA
?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
SetWindowsHookExA
MSVCRT.dll
lock.dll
60000000000000000
OLE32.DLL
program internal error number is %d.
:"%s"
:"%s".
5D6|7z7
!.ime
.nsp0
.nsp1
.nsp2
SHLWAPI.DLL
USER32.DLL
IMM32.DLL
GDI32.DLL
WINSPOOL.DRV
MyIme2.dll
ImeProcessKey
tH.XW
A-4wP}u
.ed6&K=
.nE:'
q},.IQ
~9.ua
6050505
6{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
=@{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}
6F.SUsK
!%x1*
wcRk:.lk
v.ukLU
62081964
 z.QB
^.Vqsz
.MhQK
.ikXU
Mal%s
S{.eN
.lH"T
ÿlm9fDHi
 nL.QJ
5_%sj
%d<Sk
#-lV}
m6-e}d
"u.Ky
fD.AY
*N%.MQKI
In.fA
Es.oz
%u,Fw
K%xq"
(%D^H
.mDWF#Z
o.CID?
Y7.bJ
.XzzQ
/t%F-
62081964
"62081964
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
u-lh}
%x.tmp
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
%s,%d
%s.lnk
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
=1.7.5</p>
=hXXp://oqkeaisqb.bkt.clouddn.com/飘逸梦幻_PC_桌面版.exe</p>
c:\%original file name%.exe
)'.im
f%Sif
O-xzr}
v-xzr}
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
6)sbiedll.dll
sice.sys
siwvid.sys
ntice.sys
iceext.sys
syser.sys
%d-%d-%d
winhttp.dll
activation.php?code=
deactivation.php?hash=
WS2_32.dll
RASAPI32.dll
InternetCanonicalizeUrlA
WINMM.dll
WLDAP32.dll
WTSAPI32.dll
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
MSIMG32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
5.4.1.0
HDPlug.dll
AUSER32.DLL
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
WebBrowser
errorUrl
keyboard
Cmsftedit.dll
M-d-d
mscoree.dll
nmymain.dll
HashRes\Json.npk
HashRes\res.npk
HashRes\script.npk
findownload.dat
%s\*.*
%s\%s
version.ini
MyWebHelper.exe
[d:d.d]
checkinfo.lst
%d.%d.%d
shortcutkeybtn
file='jcnr_btn.png'
file='jcnr_btn_h.png'
file='xflb_btn.png'
file='xflb_btn_h.png'
file='hdzt_btn.png'
file='hdzt_btn_h.png'
file='qa_btn.png'
file='qa_btn_h.png'
file='shortcutkey_btn.png'
file='shortcutkey_btn_h.png'
curURLFlag == %d
file='jcnr_btn_p.png'
file='xflb_btn_p.png'
file='hdzt_btn_p.png'
file='qa_btn_p.png'
file='shortcutkey_btn_p.png'
menu.xml
hXXp://web.my.netease.com/index.html
file='jcnrLogo.png'
file='xfflLogo.png'
file='cjnrLogo.png'
file='kjjwLogo.png'
file='hdztLogo.png'
file='menu.png'
jcnr.xml
Exception Code: %X, at address %X
%s_%d
mymain.dll
%d %d %d %d %d %d %f
skin.xml
hGameProcess != NULL, falied to TerminateProcess the process x, lasterror = %d
Explorer.exe
hXXp://web.my.netease.com/live.html?roomId=
%s%d%s%d
hXXp://my.163.com/web/xffl?from=zmb
hXXp://web.my.netease.com/jump.html?id=
hXXp://my.163.com/web/activities?from=zmb
hXXp://my.netease.com/zt/cjwt
hXXp://my.netease.com/kjjsm
%s %s %d %d
onCleanPatch CreateProcess failed error = %d
%s %s %d
onRestartGame CreateProcess failed error = %d
Kernel32.DLL
!!!!!!!GetModuleFileNameEx failed, processID = %d, szExeFile = %s
!!!!!!!!!OpenProcess failed processID = %d, szExeFile = %s, lasterror = %d
mymainmutex%d
CreateMutex(%s) = %d, successfully lasterror = %d
CreateMutex(%s) = %d, Failed lastError = %d
checkEngineVersion parseVersionIni1 failed fullpath = %s
find update file after filtered filename = %s, version = %s
copy from pkres filename = %s, version = %s
StartMyGameStartSelf CreateProcess failed error = %d
%s %d %d
%s %d %d %d %d
start entry lpCmdLine = %s
FrameRes.dll
C:\mywin32pc_log.txt
1.61.0.0
%-60s: %s
DMA : %u
IRQ : %u
%-20s: %s
newdev.dll
Not all of %1!u! device(s) enabled, at least one requires reboot to complete the operation.
Not all of %1!u! device(s) disabled, at least one requires reboot to complete the operation.
Not all of %1!u! device(s) restarted, at least one requires reboot to complete the operation.
Device has a problem reported by the driver.
Not all of %1!u! device(s) removed, at least one requires reboot to complete the operation.
%1 %2 <class> upper <subcmds> - Upper filters.
%1 %2 <class> lower <subcmds> - Lower filters.
Where <subcmds> iterate the list of services, modifying the services in the filter. In the context of this command, each sub-command works on services in the list relative to previous sub-commands. Examples below.
%1 [-m:\\<machine>] %2 <id> [<id>...] := <subcmds>
%1 [-m:\\<machine>] %2 =<class> [<id>...] := <subcmds>
<subcmds> consists of one or more:
Windows Setup API
5.2.3718.0 (dnsrv.021114-1947)
SETUPAPI.DLL
Windows
Operating System
5.2.3718.0
DrvInDKB.inf
L{DE351A42-8E59-11D0-8C47-00C04FC295EE
hXXp://blog.163.com/envoy_0769@yeah/
1.0.0.0 built by: WinDDK
1.0.0.0
DrvInDMU.inf
\INF\OEM*.INF
The driver reported a problem with the device.
%1 %2 [-r] <class> {upper | lower} [<operator><filter> [<operator><filter>...]]
<operator> Specifies an operation (listed below).
operator (=, @, -,  , !) and a filter driver name.
Operators
6.0.6001.18000 (longhorn_rtm.080118-1840)
6.0.6001.18000
Unknown key: x
\\.\DrvInDKB
\\.\DrvInDMU
DrvInDMU.cat
DrvInDKB.cat
Driver_Setup.bat
Driver_Remove.bat
devcon.exe
\Driver_Setup.bat
1, 0, 0, 0
DrvInDll.Dll
5.2.3790.0 built by: dnsrv_dev(v-smgum)
empty.exe
5.2.3790.0
(hXXp://VVV.dywt.com.cn)
4.1.4.0
Error at hooking API "%S"
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Error: 0x%X
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Error: %d
1.0.1.0

%original file name%.exe_1904_rwx_02900000_01118000:

`.rsrc
p_skey=
&clientkey=
hXXp://ptlogin2.qq.com/jump?keyindex=9&pt_aid=549000912&daid=5&u1=http://i.qq.com&pt_3rd_aid=0&ptopt=1&clientuin=
GetuinKey()
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=549000912&daid=5&style=24&s_url=hXXp://i.qq.com
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?callbackFun=_GroupMember&uin=
skey=
ntdll.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
5.4.1.0
TS_KEYDOWN_EVEN
TS_KEYUP_EVEN
TS_KEYPRESS_EVEN
TS_KEYPRESSSTR_EVEN
TS_KEYPRESSCHAR_EVEN
jmp %x
push 0x%x
call %x
MYSLEEPEVENT:%d
NtUserGetAsyncKeyState
NtUserGetKeyState
GetKeyboardState
GetKeyState
GetAsyncKeyState
%s|%s,%d,%d
%s,%d,%d
ahXXp://
application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
%d %d %s
%d %s
%d %s %s
%d %d
\\.\Pipe\
ANTI.sys
drvM.sys
push %x
%s 00
%s 0%s
%s 0%X
%s %X
%s %s
FPU registers have indexes 0 to 7
Too long import name
Unterminated import name
Sorry, 16-bit addressing is not supported
Unrecognized operand
Relative jump out of range, use %s LONG form
Constant does not fit into operand
Please specify operand size
Different size of operands
Bad operand size
Command does not support given operands
Wrong number of operands
Too many operands
Too few operands
Extra input after operand
REPNE %s
REPE %s
REP %s
BLOCK CMPXCHG8B may crash some processors when executed
Win95/98 may crash when VxD call is executed in user mode
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when NEG ESP is executed
%s(%i)
%s X:X
(%i-BYTE) %s
Unaligned stack operation
PREFIX %s:
X:
?#%X.y
operator
GetProcessWindowStation
portuguese-brazilian
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
.?AVHttpRequest@@
!"#$%&'(
0123456789
1234567890-=
c:\%original file name%.exe
.text
h.rdata
H.data
.reloc
ZwOpenKey
ZwQueryValueKey
KeDelayExecutionThread
ntoskrnl.exe
kdcom.dll
HAL.dll
.pdata
ID:%d
ID:%d
:32681735
PID:%d
*Add New PID:%d
*Del PID:%d
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
KERNEL32.DLL
SHLWAPI.dll
USER32.dll
Hide.dll
.vmp0
h.reloc
.data
lsass.exe
csrss.exe
service.exe
svchost.exe
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
!Certification Authority of WoSign0
Þe3F
hXXp://crls1.wosign.com/ca1.crl0o
hXXp://ocsp1.wosign.com/ca106
*hXXp://aia1.wosign.com/ca1-class3-code.cer0
hXXp://VVV.wosign.com/policy/0
'hXXp://ocsp1.wosign.com/class3/code/ca106
*hXXp://aia1.wosign.com/class3.code.ca1.cer07
&hXXp://crls1.wosign.com/ca1-code-3.crl0Q
VVV.66wy.cn 0
taskmgr.exe
audiodg.exe
smss.exe
services.exe
explorer.exe
hXXp://VVV.usertrust.com1
6hXXp://crl.trust-provider.com/UTN-USERFirst-Object.crl0:
hXXp://ocsp.trust-provider.com0
hXXp://crls1.wosign.com/ca1.crl0g
hXXp://ocsp1.wosign.com/ca10.
"hXXp://aia1.wosign.com/ca1-tsa.cer0
!Certification Authority of WoSign
CryptoJS v3.1.2
code.google.com/p/crypto-js
code.google.com/p/crypto-js/wiki/License
* @author haitao.tu
* @email tuhaitao@foxmail.com
_keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /=";
this.encode = function (input) {
while (i < input.length) {
chr1 = input.charCodeAt(i  );
chr2 = input.charCodeAt(i  );
chr3 = input.charCodeAt(i  );
_keyStr.charAt(enc1)   _keyStr.charAt(enc2)  
_keyStr.charAt(enc3)   _keyStr.charAt(enc4);
this.decode = function (input) {
input = input.replace(/[^A-Za-z0-9\ \/\=]/g, "");
enc1 = _keyStr.indexOf(input.charAt(i  ));
enc2 = _keyStr.indexOf(input.charAt(i  ));
enc3 = _keyStr.indexOf(input.charAt(i  ));
enc4 = _keyStr.indexOf(input.charAt(i  ));
output = output   String.fromCharCode(chr1);
output = output   String.fromCharCode(chr2);
output = output   String.fromCharCode(chr3);
string = string.replace(/\r\n/g,"\n");
for (var n = 0; n < string.length; n  ) {
var c = string.charCodeAt(n);
utftext  = String.fromCharCode(c);
utftext  = String.fromCharCode((c >> 6) | 192);
utftext  = String.fromCharCode((c & 63) | 128);
utftext  = String.fromCharCode((c >> 12) | 224);
utftext  = String.fromCharCode(((c >> 6) & 63) | 128);
while ( i < utftext.length ) {
c = utftext.charCodeAt(i);
string  = String.fromCharCode(c);
c2 = utftext.charCodeAt(i 1);
string  = String.fromCharCode(((c & 31) << 6) | (c2 & 63));
c3 = utftext.charCodeAt(i 2);
string  = String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
hXXp://VVV.JSON.org/json2.js
2010-03-20
See hXXp://VVV.JSON.org/js.html
See hXXp://javascript.crockford.com/jsmin.html
JSON.stringify(value, replacer, space)
will be passed the key associated with the value, and this will be
Date.prototype.toJSON = function (key) {
return this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z';
You can provide an optional replacer method. It will be passed the
key and value of each member, with this bound to the containing
such that only members with keys listed in the replacer array are
JSON.stringify(undefined) returns undefined.
text = JSON.stringify(['e', {pluribus: 'unum'}]);
text = JSON.stringify(['e', {pluribus: 'unum'}], null, '\t');
text = JSON.stringify([new Date()], function (key, value) {
return this[key] instanceof Date ?
'Date('   this[key]   ')' : value;
JSON.parse(text, reviver)
transform the results. It receives each of the keys and values,
myData = JSON.parse(text, function (key, value) {
/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}(?:\.\d*)?)Z$/.exec(value);
return new Date(Date.UTC( a[1],  a[2] - 1,  a[3],  a[4],
myData = JSON.parse('["Date(09/09/2001)"]', function (key, value) {
value.slice(0, 5) === 'Date(' &&
value.slice(-1) === ')') {
d = new Date(value.slice(5, -1));
getUTCMinutes, getUTCMonth, getUTCSeconds, hasOwnProperty, join,
if (!this.JSON) {
this.JSON = {};
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf()) ?
this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z' : null;
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ?
'"'   string.replace(escapable, function (a) {
'\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
})   '"' :
function str(key, holder) {
// Produce a string from holder[key].
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
// Join all of the elements together, separated with commas, and wrap them in
v = partial.length === 0 ? '[]' :
partial.join(',\n'   gap)   '\n'  
'['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
// Otherwise, iterate through all of the keys in the object.
if (Object.hasOwnProperty.call(value, k)) {
// Join all of the member texts together, separated with commas,
v = partial.length === 0 ? '{}' :
gap ? '{\n'   gap   partial.join(',\n'   gap)   '\n'  
mind   '}' : '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
// that can replace values, or an array of strings that will select the keys.
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
// Make a fake root object containing our value under the key of ''.
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
// Parsing happens in four stages. In the first stage, we replace certain
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {

%original file name%.exe_1904_rwx_04821000_00042000:


%original file name%.exe_1904_rwx_10000000_00018000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a295.tmp (7971 bytes)
    C:\Windows\System32\yxkey.ime (307 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6a2a5.tmp (5873 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
