Gen.Variant.Mikey.38538_0169e46229

by malwarelabrobot on June 24th, 2016 in Malware Descriptions.

Gen:Variant.Mikey.38538 (B) (Emsisoft), Gen:Variant.Mikey.38538 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0169e462298b10fd20b22d6d60660c01
SHA1: 7f39009b852fc9c42516f0ddff12ae0ab2d1becc
SHA256: 521043c2701636c535468c8eaae1597c71bafb122b8d843262a72672844b5726
SSDeep: 98304:Vddegn/bR6nVZHQVrsEcTiiAvLa0oYkufXQIP0WyH9XDV:Ug6ZHQVrsEyi80 gAIMWuDV
Size: 6214144 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-05-31 09:57:48
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sc.exe:2312
sc.exe:2216
Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156
stats_uploader.exe:2212
stats_uploader.exe:3848
UCBrowser.exe:2756
ADSkip.v1.0.523.2104_Silent.exe:1748
%original file name%.exe:224
UCService.exe:3608
UCService.exe:2804
UCService.exe:3820
netsh.exe:2488
netsh.exe:2588
netsh.exe:320
netsh.exe:476
netsh.exe:2660
netsh.exe:2508
ADSkip.exe:756
ADSkipSvc.exe:2396
ADSkipSvc.exe:1152
setup.exe:2840
MiniTPFw.exe:1012

The Trojan injects its code into the following process(es):

MiniThunderPlatform.exe:1036
UCBrowser.exe:2680

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\setup.exe (17426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_10848\wow_installer.prefs (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (1709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\CHROME.PACKED.7Z (359691 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (0 bytes)

The process UCBrowser.exe:2756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\Default\Preferences (2 bytes)
%Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\1.tmp (837 bytes)

The Trojan deletes the following file(s):

%Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)

The process ADSkip.v1.0.523.2104_Silent.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (1856 bytes)
%Program Files%\ADSKIP\askRules.dll (3361 bytes)
%Program Files%\ADSKIP\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\400.dat (24 bytes)
%Program Files%\ADSKIP\dbghelp.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (32824 bytes)
%Program Files%\ADSKIP\driver\Win32\Win7\blNetFilter.sys (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (5520 bytes)
%Program Files%\ADSKIP\askComm.dll (8657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\Uninstall AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (8560 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8\blNetFilter.sys (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (38103 bytes)
%Program Files%\ADSKIP\askProtect64.sys (1281 bytes)
%System%\drivers\askProtect.sys (1281 bytes)
%Program Files%\ADSKIP\CheckSum.dat (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (2 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5981 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (12088 bytes)
%Program Files%\ADSKIP\driver\x64\Win8\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\askProtect.sys (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res (4 bytes)
%Program Files%\ADSKIP\BugReport.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (34773 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5980 (1281 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5983 (1425 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5982 (673 bytes)
%Program Files%\ADSKIP\res\000.dat (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1 (4 bytes)
%Program Files%\ADSKIP\res\0002.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\2001 (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (64 bytes)
%Program Files%\ADSKIP\zlib1.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (15536 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\AdSkip.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (32128 bytes)
%Program Files%\ADSKIP\ADSkip.exe (19686 bytes)
%Program Files%\ADSKIP\res\09999_EN.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (86996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (3616 bytes)
%Documents and Settings%\%current user%\Desktop\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\res\300.dat (1281 bytes)
%Program Files%\ADSKIP\CrashHandler.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (8560 bytes)
%Program Files%\ADSKIP\DuiLib.dll (5441 bytes)
%Program Files%\ADSKIP\res\1012.dat (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip (4 bytes)
%Program Files%\ADSKIP\ADSkipSvc.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (4 bytes)
%Program Files%\ADSKIP\uninst.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (1552 bytes)
%Program Files%\ADSKIP\driver\Win32\WinXP\blNetFilter.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (69133 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5992 (673 bytes)
%Program Files%\ADSKIP\uninstall.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5991 (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (19096 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5994 (673 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5995 (673 bytes)
%Program Files%\ADSKIP\askMain.dll (1425 bytes)
%Program Files%\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys (45 bytes)
%Program Files%\ADSKIP\res\09999.dat (4 bytes)
%System%\drivers\tcpip.sys (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\askWfd.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (2 bytes)
%Program Files%\ADSKIP\res\0003.dat (280 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOption.dat (4 bytes)
%Program Files%\ADSKIP\driver\x64\Win8.1\blNetFilter.sys (54 bytes)
%Program Files%\ADSKIP\res\se1.dat (673 bytes)
%Program Files%\ADSKIP\driver\x64\Win7\blNetFilter.sys (52 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (4185 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (2321 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (4 bytes)
%System%\drivers\tcpip.sys_backup (2319 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (23424 bytes)
%Program Files%\ADSKIP\res\101.dat (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (1 bytes)
%Program Files%\ADSKIP\askUpdate.dll (7345 bytes)
%Program Files%\ADSKIP\askMisc.dll (4545 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (0 bytes)

The process %original file name%.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\monitorlist.data (178 bytes)
C:\download\MiniThunderPlatform.exe (746 bytes)
C:\download\msvcr71.dll (1629 bytes)
C:\download\download_engine.dll (24427 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downlist.data (686 bytes)
C:\download\minizip.dll (784 bytes)
C:\download\ThunderFW.exe (1333 bytes)
C:\download\zlib1.dll (745 bytes)
C:\download\msvcp71.dll (1784 bytes)
C:\download\id.dat (40 bytes)
C:\xldl.dll (1922 bytes)
C:\download\MiniTPFw.exe (745 bytes)
C:\download\atl71.dll (118 bytes)
C:\download\dl_peer_id.dll (314 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (0 bytes)
%Documents and Settings%\%current user%\Desktop\AdSkip.lnk (0 bytes)

The process MiniThunderPlatform.exe:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (14273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (16328 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\asyn_frame.dat (2749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td (111530 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\stat.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\200U (447 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\error.dat (284 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\DownloadLib\pub_store.dat (405 bytes)
%Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\download.cfg (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td (18018 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (0 bytes)

The process UCService.exe:3608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Application\ucsvc.log (1461 bytes)

The process UCService.exe:2804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Application\ucsvc.log (970 bytes)

The process ADSkip.exe:756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (511 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\cafl.dat (37 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\ErrorLog.txt (448 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (19592 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (16288 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (20624 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (14184 bytes)
%Program Files%\ADSKIP\res\yxx.dat (22192 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (13584 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
%Program Files%\ADSKIP\res\txx.dat (8560 bytes)
%Program Files%\ADSKIP\res\txx.dat.zip (628 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (2067 bytes)
%Program Files%\ADSKIP\res\yxx.dat.zip (2812 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (1334 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\config.dat (2359 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (3086 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (1491 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (0 bytes)
%Program Files%\ADSKIP\res\txx.dat.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (0 bytes)
%Program Files%\ADSKIP\res\yxx.dat.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (0 bytes)
%Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (0 bytes)

The process setup.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome.dll (286042 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\start.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\UC浏览器.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\config.dat (6408 bytes)
%Program Files%\UCBrowser\Application\Uninstall.exe (18934 bytes)
%Program Files%\UCBrowser\Application\Share\target_locale (5 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\delegate_execute.exe (3751 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\google.com.png (521 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\chrome.7z (1199069 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\chs.locale (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard.sys (72 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\custom.dat (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libEGL.dll (88 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\marketing\1001.ico (192 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\baidu.com.png (426 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\etao.com.png (335 bytes)
%Program Files%\UCBrowser\Application\UCBrowser.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\master_preferences (235 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\settings.xml (103 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\InstalledConfig.xml (680 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UC浏览器.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\courgette.dll (281 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard-x64.sys (81 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Application\update_task.exe (2321 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\7z.dll (6361 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\config.dat (6408 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\qq.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etaohaitao.com.png (438 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\taobao.com.png (290 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10.pak (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UC浏览器\卸载UC浏览器.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\alipay.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\natives_blob.bin (1711 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\stats_uploader.exe (279 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_100_percent.pak (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libexif.dll (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (1252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\zh-CN\external_extensions.json (939 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\youku.com.png (653 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\update_task.exe (1696 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\taobao.png (389 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\config.dat (166 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\youku.com.png (764 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Backup\UCBrowser.exe (7386 bytes)
%Program Files%\UCBrowser\Application\Share\start.dat (12 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\d3dcompiler_47.dll (22433 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\noads.png (4 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\bing.com.png (1 bytes)
%Program Files%\UCBrowser\Application\VERSION (11 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\facebook.ico (131 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\theme_tool.exe (1851 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCProxySDK.dll (9606 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\sogou.com.png (1 bytes)
%Program Files%\UCBrowser\Application\wow_helper.exe (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\baidu.com.png (682 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\config.dat (152 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.hk.png (457 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\molt_tool.exe (1814 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\curl-ca-bundle.crt (260 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Uninstall.exe (17629 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\baidu.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (479 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\browsing_data_remover.exe (236 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\amazon.png (507 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\sogou.com.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_100_percent.pak (1697 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\manifest.json (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\weibo.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libucguard.dll (179 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\tmall.com.png (196 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\zh-CN.pak (255 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\tmall.com.png (200 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etao.com.png (252 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\id-ID\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\wow_helper.exe (80 bytes)
%Program Files%\UCBrowser\Application\Share\config.dat (7345 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\UC浏览器\UC浏览器.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\updater.dll (15021 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\start.dat (7 bytes)
%Program Files%\UCBrowser\Application\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libGLESv2.dll (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\start.dat (7 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\resources.pak (172310 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\pp_helper.png (1 bytes)
%Program Files%\UCBrowser\Application\UCService.exe (6841 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\snapshot_blob.bin (1802 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\icudtl.dat (34008 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\taobao.png (2 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCService.exe (6334 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\uc123.png (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\UpdateOption.xml (189 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\taobao.com.png (304 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\config_updater.dll (7386 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\external_extensions.json (494 bytes)
%Documents and Settings%\All Users\Desktop\UC浏览器.lnk (1 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\config.dat (151 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_watcher.dll (1680 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\tmall_points.ico (144 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\config.dat (164 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_elf.dll (201 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\share.dat (66 bytes)
%Program Files%\UCBrowser\Application\molt_tool.exe (3361 bytes)
%System%\drivers\ucguard.sys (601 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCAgent.exe (12289 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\5.6.13381.9.manifest (248 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_200_percent.pak (7972 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\en-US.pak (258 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\pepflashplayer.dll (124061 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\pt-BR\external_extensions.json (494 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\renren.png (4 bytes)
%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe (7547 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\en-IN\external_extensions.json (622 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\share.dat (66 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_child.dll (321430 bytes)
%Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_200_percent.pak (1723 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2840_15169 (0 bytes)

Registry activity

The process sc.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 7D F9 D6 8F B8 4A 91 1E E0 F6 F1 CE 1A 87 1B"

The process sc.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 5F F1 EC 4E EC F3 2D 37 2A 85 22 17 A1 DC 95"

The process Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB E1 5E 83 76 11 C5 91 0E 0B 2A 02 83 7D B3 BA"

[HKCU\Software\UCBrowserPID]
"MachineIDEx" = "c0ed19538daa6d6db815ffd0b1233981v000000253f20c75"
"MachineID" = "d2713585a62dd2677f88d0fff85b3fe7"

[HKLM\SOFTWARE\UCBrowserPID]
"MachineIDEx" = "c0ed19538daa6d6db815ffd0b1233981v000000253f20c75"
"MachineID" = "d2713585a62dd2677f88d0fff85b3fe7"
"FirstBID" = "800"

[HKCU\Software\UCBrowserPID]
"FirstBID" = "800"

The process stats_uploader.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 9B 95 66 77 BE AB 5A 6D 2C 07 13 29 70 80 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process stats_uploader.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F B9 DB 43 A2 CE 3C 41 2A 4D D6 65 77 22 62 06"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process UCBrowser.exe:2756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"irc" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.XHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.CRX\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.CRX\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,4"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationDescription" = "UC浏览器是一款快速、安全的通用浏览器,采用Trident和WebKit双渲染引擎,从快速、安全多个方面进行优化,为广大互联网用户提供更好的用户浏览体验。"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml]
"Progid" = "UCHTML.AssocFile.XHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"webcal" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\UCHTML.AssocFile.MHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.WEBP\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".shtm" = "UCHTML.AssocFile.SHTM"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCR\UCHTML.AssocFile.SHTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\.webp]
"(Default)" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtm]
"Progid" = "UCHTML.AssocFile.SHTM"

[HKCU\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\.shtm\OpenWithProgids]
"UCHTML.AssocFile.SHTM" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webp]
"Progid" = "UCHTML.AssocFile.WEBP"

[HKCR\UCHTML.AssocFile.XHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCR\UCHTML.AssocFile.HTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\UCBrowser\Running]
"browser-2756" = "1"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCR\.xhtml\OpenWithProgids]
"UCHTML.AssocFile.XHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".crx" = "UCHTML.AssocFile.CRX"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --hide-icons"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKCR\UCHTML.AssocFile.WEBP\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.MHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\UCHTML.AssocFile.WEBP\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationName" = "UC浏览器"

[HKCU\Software\Classes\.html]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"nntp" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"

[HKCU\Software\Classes\UCHTML.AssocFile.XHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"https" = "UCHTML"

[HKCR\UCHTML.AssocFile.SHTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm]
"Progid" = "UCHTML.AssocFile.HTM"

[HKLM\SOFTWARE\UCBrowser]
"usagestats" = "0"

[HKCU\Software\Classes\.crx]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtm]
"Progid" = "UCHTML.AssocFile.SHTM"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"mailto" = "UCHTML"

[HKCR\.htm\OpenWithProgids]
"UCHTML.AssocFile.HTM" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht]
"Progid" = "UCHTML.AssocFile.XHT"

[HKLM\SOFTWARE\UCBrowser\FirstNotDefault]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\UCBrowser\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "1"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\RegisteredApplications]
"UCBrowser" = "Software\Clients\StartMenuInternet\UCBrowser\Capabilities"

[HKCU\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKCR\UCHTML\CLSID]
"(Default)" = ""

[HKCR\UCHTML.AssocFile.XHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm]
"Progid" = "UCHTML.AssocFile.HTM"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".webp" = "UCHTML.AssocFile.WEBP"

[HKCU\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\.xht]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webp]
"Progid" = "UCHTML.AssocFile.WEBP"

[HKCU\Software\Classes\UCHTML.AssocFile.XHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crx]
"Progid" = "UCHTML.AssocFile.CRX"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".htm" = "UCHTML.AssocFile.HTM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml]
"Progid" = "UCHTML.AssocFile.XHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 6D FC 86 05 0E 1A B3 02 CE CE 3F 37 61 76 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht]
"Progid" = "UCHTML.AssocFile.MHT"

[HKCU\Software\Classes\UCHTML.AssocFile.HTM\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crx]
"Progid" = "UCHTML.AssocFile.CRX"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\UCHTML]
"(Default)" = "UC HTML Document"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".html" = "UCHTML.AssocFile.HTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html]
"Progid" = "UCHTML.AssocFile.HTML"

[HKCR\UCHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,1"

[HKCR\.shtml\OpenWithProgids]
"UCHTML.AssocFile.SHTML" = ""

[HKCR\UCHTML.AssocFile.HTM\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKCU\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".mht" = "UCHTML.AssocFile.MHT"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml]
"Progid" = "UCHTML.AssocFile.SHTML"

[HKCR\UCHTML.AssocFile.MHT\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"tel" = "UCHTML"
"news" = "UCHTML"

[HKCR\UCHTML.AssocFile.HTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKCU\Software\Classes\.shtml]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe]
"Path" = "%Program Files%\UCBrowser\Application"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\.mht\OpenWithProgids]
"UCHTML.AssocFile.MHT" = ""

[HKCU\Software\Classes\UCHTML]
"(Default)" = "UC HTML Document"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"urn" = "UCHTML"
"ftp" = "UCHTML"

[HKCU\Software\Classes\.htm]
"(Default)" = "UCHTML"

[HKCU\Software\Classes\UCHTML.AssocFile.HTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".shtml" = "UCHTML.AssocFile.SHTML"
".xht" = "UCHTML.AssocFile.XHT"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"mms" = "UCHTML"

[HKCR\.crx\OpenWithProgids]
"UCHTML.AssocFile.CRX" = ""

[HKCU\Software\Classes\.mht]
"(Default)" = "UCHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html]
"Progid" = "UCHTML.AssocFile.HTML"

[HKCR\.webp\OpenWithProgids]
"UCHTML.AssocFile.WEBP" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKCU\Software\Classes\UCHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

[HKCU\Software\Classes\.shtm]
"(Default)" = "UCHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht]
"Progid" = "UCHTML.AssocFile.MHT"

[HKCR\.html\OpenWithProgids]
"UCHTML.AssocFile.HTML" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\UCHTML.AssocFile.XHT\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\FileAssociations]
".xhtml" = "UCHTML.AssocFile.XHTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\URLAssociations]
"smsto" = "UCHTML"
"sms" = "UCHTML"
"http" = "UCHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml]
"Progid" = "UCHTML.AssocFile.SHTML"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht]
"Progid" = "UCHTML.AssocFile.XHT"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "UCHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser]
"(Default)" = "UC浏览器"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "UCBrowser"

[HKCR\UCHTML.AssocFile.SHTML\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\UCHTML.AssocFile.SHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\UCBrowser\Application\UCBrowser.exe --make-default-browser"

[HKCU\Software\Classes\UCHTML\CLSID]
"(Default)" = ""

[HKCU\Software\Classes\UCHTML.AssocFile.CRX\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,4"

[HKCR\UCHTML.AssocFile.HTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,3"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "UCBrowser"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe -- %1"

[HKCR\.xht\OpenWithProgids]
"UCHTML.AssocFile.XHT" = ""

[HKCU\Software\Classes\UCHTML\DefaultIcon]
"(Default)" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\UCBrowser\Running]
"browser-2756"

The process ADSkip.v1.0.523.2104_Silent.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"URLInfoAbout" = "http://www.adskiper.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayVersion" = "1.0.523.2104"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\ADSKIP]
"join_feeling_plan" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\ADSKIP]
"InstallTime" = "2016-06-23 02:25"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\ADSKIP]
"ADSkip.exe" = "ADSkip 32 Bit Application"
"ADSkipSvc.exe" = "ADSkip 32 Bit Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\ADSKIP]
"InsErr1" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayIcon" = "%Program Files%\ADSKIP\ADSkip.exe"

[HKCU\Software\ADSKIP]
"InstallType" = "2"
"Version" = "1.0.523.2104"
"CurVer" = "1.0.523.2104"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\ADSKIP]
"usercode" = "v1.0.523.2104_Silent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"UninstallString" = "%Program Files%\ADSKIP\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"DisplayName" = "AdSkip"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 18 44 A1 31 97 63 6D 0D 42 AA 3F 96 7D C4 1A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\ADSKIP]
"InstallCode" = "1c976270104fe22d89b26b49818e10afbd277962612989d8b6a27421f094eff95dc51307ae0431860284b4d16b5fe000c2d33123da83ee5f613984d140444c2f9d609bebdeb55606293878b3273b8a1cc7b1a3fdd1f3f"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSKIP]
"Publisher" = "Biling Network Technology Co. Ltd."

[HKCU\Software\ADSKIP]
"CheckCode" = "ae0438a1c098bca7797b0762100c291d1ea8e8491c8296261c512df04b4d16b5f8fb9a307d27"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 F3 27 8C 8B F6 C8 08 0E DD C4 C3 B5 C8 36 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Download]
"MiniTPFw.exe" = "MiniTPFw Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ADSkip.v1.0.523.2104_Silent.exe" = "ADSkip 32 Bit Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Browser_V5.6.13381.9_r_4681_(Build1606081220).exe" = "UC浏览器"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe -start" = "c:\%original file name%.exe -start"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process MiniThunderPlatform.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 90 44 F8 7D 46 7E 8B AD 9E 2E C8 28 1F F5 57"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process UCService.exe:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 D4 CD 57 3E 3A D7 AE FD 5A 46 54 F7 65 FE FC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The process UCService.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A CB DA 8D 57 AB 27 AE E8 86 C0 55 3F 32 0A AB"

The process UCService.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C3 A8 B0 62 18 6D 3F C7 F6 6B E9 3D 78 C6 38"

The process netsh.exe:2488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A DA 44 2C AA 91 90 96 D8 33 13 D0 EE C9 03 66"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe"

The process netsh.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 8B FC 95 54 80 7E 9F 7E B8 10 C9 75 82 B7 53"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe" = "%Program Files%\UCBrowser\Application\UCBrowser.exe:*:Enabled:UC浏览器"

The process netsh.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 21 FE 47 5E 3D D0 44 C9 E4 9F F3 31 FA 32 DA"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\ADSKIP]
"ADSkip.exe" = "%Program Files%\ADSKIP\ADSkip.exe:*:Enabled:ADSKIP"

The process netsh.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1D 20 F9 07 32 E6 72 4E 71 C7 F0 28 07 67 A0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\ADSKIP]
"ADSkipSvc.exe" = "%Program Files%\ADSKIP\ADSkipSvc.exe:*:Enabled:ADSkipSvc"

The process netsh.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 B8 B6 DA 7E E6 08 BB 9B B2 8C C1 29 A0 7C EF"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process netsh.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 40 CD 91 62 C4 F1 56 5A 88 1E 16 80 9A 53 74"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process ADSkip.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\ADSKIP]
"join_feeling_plan" = ""
"AutoFlag" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\ADSKIP]
"InstallCode" = ""

[HKLM]
"Start" = "0"

[HKCU\Software\ADSKIP]
"AutoStart" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\ADSKIP]
"InstallType" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 DE F3 DB 46 71 46 E4 3B DA 1D 5A 0D 9C 07 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\ADSkipSvc]
"Start" = "2"

The process ADSkipSvc.exe:2396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 07 C1 90 9C D1 C1 A6 0C C8 7D 23 E8 03 23 8C"

The process ADSkipSvc.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 24 3B ED 0B 9B 46 3D 91 0C 32 3A 3D E6 87 25"

The process setup.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances\ucguard]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"DebugLevel" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"VersionMajor" = "13381"

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances]
"DefaultInstance" = "ucguard"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\UCBrowser\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe --on-os-upgrade --system-level --verbose-logging"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"IsInstalled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"DisplayName" = "UC浏览器"

[HKCU\Software\UCBrowser]
"PreDefaultBrowser" = "htmlfile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"NoModify" = "1"
"DisplayIcon" = "%Program Files%\UCBrowser\Application\UCBrowser.exe,0"

[HKLM\SOFTWARE\UCBrowser]
"InstallerError" = "0"
"InstallTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\UCBrowser]
"UninstallArguments" = " --uninstall --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"StubPath" = "%Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"DisplayVersion" = "5.6.13381.9"

[HKLM\System\CurrentControlSet\Services\UCGuard\Instances\ucguard]
"Altitude" = "888999"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"Version" = "5.6.13381.9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\UCBrowser]
"oopcrashes" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\UCBrowser]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\UCBrowser\Application\UCBrowser.exe"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"DependOnService" = "FltMgr"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"(Default)" = "UC浏览器"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"ImagePath" = "system32\DRIVERS\ucguard.sys"

[HKLM\SOFTWARE\UCBrowser\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Group" = "PNP_TDI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"InstallDate" = "20160623"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\UCBrowser]
"InstallerExtraCode1" = "9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 15 80 1F F8 8D 7D 6E B6 DE 98 60 46 3C B0 A5"

[HKLM\SOFTWARE\UCBrowser]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"VersionMinor" = "9"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Type" = "1"

[HKLM\SOFTWARE\UCBrowser]
"pv" = "5.6.13381.9"
"Name" = "UC浏览器"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Tag" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"Publisher" = "广州市动景计算机科技有限公司"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\UCBrowser]
"UninstallString" = "%Program Files%\UCBrowser\Application\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"Version" = "43,0,0,0"

[HKLM\SOFTWARE\UCBrowser]
"ap" = "-stage:refreshing_policy"

[HKCU\Software\UCBrowser]
"Path" = "%Program Files%\UCBrowser\Application"

[HKLM\System\CurrentControlSet\Services\UCGuard]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser]
"UninstallString" = "%Program Files%\UCBrowser\Application\Uninstall.exe --uninstall --system-level"
"InstallLocation" = "%Program Files%\UCBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}]
"Localized Name" = "UC浏览器"

[HKLM\SOFTWARE\UCBrowser]
"installId" = "{C41E48D1-AA46-4E7B-BEE7-150B6602EEA0}"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\UCBrowser\Application]
"UCBrowser.exe" = "%Program Files%\UCBrowser\Application\UCBrowser.exe:*:Enabled:UC浏览器"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\UCGuard]
"Start" = "1"

The process MiniTPFw.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B E3 25 90 FF 02 C0 4B 09 11 3D 5A CB F3 99 0F"

Dropped PE files

MD5 File path
c4ba8b63923d681bd00deb8fbcd12cca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe
9137ad342e6d77194f8a57d4f9e92bac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe
a829f040da54dd809731d403ae83caf2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CR_E4C92.tmp\setup.exe
174d697c06d02aab649bc0f09e70651b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe
9c95fe1fb78cd9a16e5bed8d9dfde238 c:\Program Files\ADSKIP\ADSkip.exe
1b97af3d24e4bd18952ad3f792402ef6 c:\Program Files\ADSKIP\ADSkipSvc.exe
cbc246367ae5153df82e65f2c01ab1bc c:\Program Files\ADSKIP\BugReport.exe
75cffcfe3fe8b863e008ff5ba5193c97 c:\Program Files\ADSKIP\CrashHandler.dll
9484d30589ba06ccb68271679b6612cb c:\Program Files\ADSKIP\DuiLib.dll
d2e3fbc25b8541ade1c345d8c9372511 c:\Program Files\ADSKIP\askComm.dll
d1be61ba142f179753fba092c90b327b c:\Program Files\ADSKIP\askMain.dll
50f55372196752dedf9de9660ea1e4e1 c:\Program Files\ADSKIP\askMisc.dll
34a7f56776f4966fcc48b74b46e47bd3 c:\Program Files\ADSKIP\askProtect.sys
e264539144ca3e6f830dd2a97cc04151 c:\Program Files\ADSKIP\askProtect64.sys
c6470bdb1b9b048159b948cf196dfb20 c:\Program Files\ADSKIP\askRules.dll
0c56193f66766e37984a0d8524a4e05e c:\Program Files\ADSKIP\askUpdate.dll
559f14ca8660450893eee0a213273f71 c:\Program Files\ADSKIP\askWfd.dll
d073f34aa9677ae56ef037f902232085 c:\Program Files\ADSKIP\dbghelp.dll
5a5855ac4c0d0bbb01ba561803e33262 c:\Program Files\ADSKIP\driver\Win32\Win7\blNetFilter.sys
55447eef016c5e3186f5996b916c6a45 c:\Program Files\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys
36f02429c553f3bd5179fe62d3e245bc c:\Program Files\ADSKIP\driver\Win32\Win8\blNetFilter.sys
cfc7dc4719cdb3555721db6b34b74ce0 c:\Program Files\ADSKIP\driver\Win32\WinXP\blNetFilter.sys
3406d4f76488bb60f942b17bd6147679 c:\Program Files\ADSKIP\driver\x64\Win7\blNetFilter.sys
3e18aa340143b421b356d8240aa7d51c c:\Program Files\ADSKIP\driver\x64\Win8.1\blNetFilter.sys
14ef139317c2e3e28c68513f578ce707 c:\Program Files\ADSKIP\driver\x64\Win8\blNetFilter.sys
99e3130350cebb997ab37013e4993554 c:\Program Files\ADSKIP\uninst.exe
8ac275b39f47cd375de5c582af7bc5df c:\Program Files\ADSKIP\zlib1.dll
34a7f56776f4966fcc48b74b46e47bd3 c:\WINDOWS\system32\drivers\askProtect.sys
cfc7dc4719cdb3555721db6b34b74ce0 c:\WINDOWS\system32\drivers\blNetFilter.sys
14ac2d781326318239b4953b0bbb456c c:\WINDOWS\system32\drivers\tcpip.sys_backup
58bb62e88687791ad2ea5d8d6e3fe18b c:\download\MiniTPFw.exe
e2e9483568dc53f68be0b80c34fe27fb c:\download\MiniThunderPlatform.exe
f0372ff8a6148498b19e04203dbb9e69 c:\download\ThunderFW.exe
79cb6457c81ada9eb7f2087ce799aaa7 c:\download\atl71.dll
dba9a19752b52943a0850a7e19ac600a c:\download\dl_peer_id.dll
1a87ff238df9ea26e76b56f34e18402c c:\download\download_engine.dll
7fd4f79aca0b09fd3a60841a47ca96e7 c:\download\minizip.dll
a94dc60a90efd7a35c36d971e3ee7470 c:\download\msvcp71.dll
ca2f560921b7b8be1cf555a5a18d54c3 c:\download\msvcr71.dll
89f6488524eaa3e5a66c5f34f3b92405 c:\download\zlib1.dll
208662418974bca6faab5c0ca6f7debf c:\xldl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\blNetFilter.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\ucguard.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
The Trojan installs the following kernel-mode hooks:

ZwTerminateProcess
ZwCreateKey
ZwDeleteKey
ZwDeleteValueKey
ZwLoadKey
ZwLoadKey2
ZwOpenKey
ZwQueryValueKey
ZwRenameKey
ZwReplaceKey
ZwRestoreKey
ZwSetSecurityObject
ZwSetValueKey

Propagation

VersionInfo

Company Name: ???
Product Name: ????
Product Version: 2.0.2.1618
Legal Copyright: Copyright (C) 2007-2013 xiami.com All Rights Reserved.
Legal Trademarks:
Original Filename: ????
Internal Name: ????
File Version: 2.0.2.1618
File Description: ????
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 224771 225280 4.5508 172187516d330187b4de5842d93592d1
.rdata 229376 76456 76800 3.73485 c99e2c0977676d6753c8bd045e645299
.data 307200 8356 5120 2.49539 8053a525ee758dbe4ac3e142255d2a47
.gfids 319488 604 1024 1.79363 4c83d9a68fbc2a648f05822166b0a8f2
.tls 323584 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 327680 5894144 5891584 4.52167 5e4c45cdfa44f136de57cd1649b3bbfd
.reloc 6221824 12548 12800 4.55408 9ebf1a2b18f86b5b6a810b5fa6a36f9f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_224:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
(D
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
operator
operator ""
?#%X.y
%S#[k
XL_GetFileSizeWithUrl
XL_ParseThunderPrivateUrl
XL_CreateTaskByURL
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; KB974487)
hXXp://VVV.baidu.com
Server-Key
[SDK] result = %s
[SDK] Serverkey = %s
[SDK] Key = %s
[SDK] OneDeCrypt= %s
[SDK] TwoDeCrypt= %s
hXXp://VVV.api4.pw/api/downlist
downlist.data
[URL]
[SDK] url = %s ,process = %s
hXXp://VVV.api4.pw/api/monitorlist
monitorlist.data
[SDK] type = %d , value = %s
hXXp://VVV.api4.pw/api/send
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
\\.\PhysicalDrive0
Windows 10
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows XP
Windows Server 2003
Web Server Edition
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpReadData.
RegDeleteKeyExW
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
C:\Users\Hooyi\Desktop\
M\CPAV3-1\Release\CpaMain.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
KERNEL32.dll
USER32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
SHLWAPI.dll
GetCPInfo
GetProcessHeap
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpConnect
WinHttpSetTimeouts
WinHttpSendRequest
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpReadData
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpOpen
WinHttpCheckPlatform
WinHttpReceiveResponse
WINHTTP.dll
PSAPI.DLL
.?AU_Crt_new_delete@std@@
.PA_W
.?AVCWinHttp@@
c:\%original file name%.exe
:|u%SS3
956|&56|
.tgPV
FTPjK
FtPj;
C.PjRVj
;|u.VV3
msvcr71.pdb
kernel32.dll
6|__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MSVCR71.dll
_CRT_RTC_INIT
__crtCompareStringA
__crtCompareStringW
__crtGetLocaleInfoW
__crtGetStringTypeW
__crtLCMapStringA
__crtLCMapStringW
__p__acmdln
__p__wcmdln
_acmdln
_amsg_exit
_execl
_execle
_execlp
_execlpe
_execv
_execve
_execvp
_execvpe
_pipe
_wcmdln
_wexecl
_wexecle
_wexeclp
_wexeclpe
_wexecv
_wexecve
_wexecvp
_wexecvpe
6|mscoree.dll
setnewh.cpp
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
portuguese-brazilian
}7|.com
cmd.exe
command.com
GetConsoleOutputCP
PeekNamedPipe
CreatePipe
Assertion failed: %s, file %s, line %d
?)9|?)9|
zcÁ
3 3$3(3,3034383<3
5 5$5(5,5
=$=1=]={=
: :*:2:=:
6%7s7
?!?0?@?|?
6 6$6(6,6064686
4(6,686@6
0 0$0(0,0
Can not run Unicode version of ATL71.DLL on Windows 95, Windows98 or Windows Me.
ole32.dll
OLEAUT32.dll
GDI32.dll
atl71.pdb
RegCreateKeyExW
RegQueryInfoKeyW
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
CreateDialogIndirectParamA
ATL71.DLL
advapi32.dll
gdi32.dll
oleaut32.dll
CloseWindowStation
EnumDesktopWindows
OpenWindowStationA
SetProcessWindowStation
SetViewportExtEx
SetViewportOrgEx
CryptDestroyKey
CryptExportKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyW
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyW
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyW
ReportEventW
stdole2.tlbWWW
hpcmdtReservedWWW
.ShowUIWW
RbstrGuidCmdGroup
nCmdIDWW
uGetOptionKeyPath
dzpbstrKey
5TranslateUrl
bstrURLInWWW
 pbstrURLOutW
pbMsgReflect
<OptionKeyPathWWW
pbstrOptionKeyPathWW,
Set the option key pathWWW
Get the option key pathWWW
Created by MIDL version 6.00.0362 at Tue Jul 11 18:07:22 2006
SSSSh
c:\windows\temp
7y"HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
Ey".tlb
\\.\Scsi0:
\\.\IDE21201.VXD
101111111111
222222222222
111111111111
000000000000
filter%u
XXXXXX
\pub_store.dat
.\UnknownBase.cpp
e:\xl7\Product Release\dl_peer_id.pdb
iphlpapi.dll
RegQueryInfoKeyA
RegEnumKeyExA
MSVCP71.dll
dl_peer_id.DLL
Dl_peer_id.XlPeerId.1 = s 'XlPeerId Class'
CLSID = s '{5D72951E-2B86-41B9-835F-464346928269}'
Dl_peer_id.XlPeerId = s 'XlPeerId Class'
CurVer = s 'Dl_peer_id.XlPeerId.1'
ForceRemove {5D72951E-2B86-41B9-835F-464346928269} = s 'XlPeerId Class'
ProgID = s 'Dl_peer_id.XlPeerId.1'
VersionIndependentProgID = s 'Dl_peer_id.XlPeerId'
'TypeLib' = s '{3E618540-AFE5-4DFC-B440-1A760323133B}'
Dl_peer_id.DownloadLibPlugin.1 = s 'DownloadLibPlugin Class'
CLSID = s '{D76D152E-836B-489B-A333-930A7F22A1D4}'
Dl_peer_id.DownloadLibPlugin = s 'DownloadLibPlugin Class'
CurVer = s 'Dl_peer_id.DownloadLibPlugin.1'
ForceRemove {D76D152E-836B-489B-A333-930A7F22A1D4} = s 'DownloadLibPlugin Class'
ProgID = s 'Dl_peer_id.DownloadLibPlugin.1'
VersionIndependentProgID = s 'Dl_peer_id.DownloadLibPlugin'
> >,>0><>@>
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
{.Rich
t.SVW
j.Pj.Qj.R
j.Qj.Rj.P
.thMUQ
SQSSSSSSh
8^%u;
8X%u*
t%SSj
!"#$%&'()*" ,-./01
T$8RSSh
SSSSSh
szKey
SSSh5
3|$<3|$0
3|$@3|$,
3|$,3|$$
3|$03|$(
3|$43|$(
3|$83|$,
3|$$3|$(
user_udp_listen_port
user_tcp_listen_port
dl_udp_listen_port
dl_tcp_listen_port
dl_udp_default_port
dl_tcp_default_port
0123456789
https=
http=
[%I64u,%I64u]%s
LANG%x
[%s] overflowed.
[%s] includes non-numberic character.
[%s] is an empty std::string.
download_interface.dll
Version_%d_%d_%d_%d\
GetCurrentExeFullPath
Bad IUnknown:0xX
%s[%d.%d.%d.%d]:0xX[%X]
download.cfg
.\DownloadLib.cpp
xl_stat.dll
down_dispatcher.dll
ptl.dll
p2p.dll
backend_agent.dll
p2p_local_res.dll
p2p_upload.dll
p2sp.dll
fs.dll
dl_peer_id.dll
{A091AD25-4931-4569-9EC2-14FF003DE671}
asyn_frame.dll
prop.txt
va.dll
p2p_session_com.dll
al.dll
member_stat.dll
task_report.dll
xl_mole.dll
module_downloader.dll
media_data.dll
addinmanager.dll
p2p_network_com.dll
xlpfmc.dll
emule_id.dll
stream.dll
p2sp_pd.dll
{D76D152E-836B-489B-A333-930A7F22A1D4}
{174583A8-CA6D-4d16-96EC-7B9C03B86956}
{6F4EE6C4-55B7-4ff3-8670-03E0BD595D74}
bt_kernel.dll
{34B2E147-6B19-47ba-99C8-0755C2AFD066}
emule_kernel.dll
{12CF75BA-3FFD-4ea0-AEEA-6C5E113DAA82}
{790987D5-8ACC-4383-9005-E35F0B59F9FD}
{C4CEDAFD-E96F-4221-A8FA-CB1B350C4152}
{EF165A54-C96A-4fcd-9EB8-CC9DCC08FB5C}
{0D61278E-CF63-4B97-94D4-62E8DE662F31}
dphubt.dll
{D38016AB-AC47-483a-BD4B-812CCDCD4236}
{69281D18-CC2D-4d02-825B-B77B176BDBEC}
{DCEE4103-3E9E-4a3e-9BD8-E432B5CA7A25}
{D49969FF-0395-4E56-BA6A-39D2FDE49144}
stat.dat
HKEY_CURRENT_CONFIG
\/:*?"<>|
ftps://
hXXps://
PTF://
hXXp://
index.html
.rmvb
.mpga
.mpeg
.\AsynFrame.cpp
.\asyn_io_manager.cpp
operation_type_none == _connecting_queue[event_handle]._opt_type
0 == _connecting_queue[event_handle]._ip_addresses.size()
_connecting_queue.count(event_handle)
.\connect_manager.cpp
_connecting_queue[event_handle]._ip_addresses.size()
_socket2event_map.count(socket_handle)
_socket2event_map.count(info._operation_ptr->operate_handle())
operation_ptr->operate_handle()
operation_ptr->is_pending()
operation_ptr
_connecting_queue[event_handle]._opt_type == operation_type_connect
.\asyn_io_operation.cpp
operation_ptr->is_pending() == false
.\asyn_file_device.cpp
result == _io_operation
.\socks_proxy_verifier.cpp
Referer: hXXp://VVV.xunlei.com/
Host: VVV.xunlei.com
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
hXXp://VVV.xunlei.com/
127.0.0.1
0.0.0.0
SCHANNEL.DLL
_operation_ptr == NULL
.\AsynSSLSocket.cpp
bytes_transfered == _data_operate_bytes
_operation_ptr != NULL
.\AsynSpeedLimitSocket.cpp
buffer_pos expected_bytes <= operation_ptr->buffer_len()
.\asyn_socket_device_imp.cpp
operation_ptr != NULL
.\file_asyn_io_helper.cpp
enable_fcrt
.\asyn_io_handler.cpp
operation_ptr->handdler_ptr() == this
.\timer_manager.cpp
.\wait_objects_thread.cpp
.\asyn_socks_socket_device.cpp
.\socks_asyn_server_socket.cpp
.\asyn_udp_device.cpp
.\asyn_icmp_device.cpp
.\socks_wrapper.cpp
sock5: unsupport authenticate method:
sock5: no acceptable method to login proxy server
unsupported socks ver no:
sock5 not support passord of length exceed 255
sock5 not support user name of length exceed 255
no set user name,can't login socks5 proxy server
socks5 server user name and password authenticate not passed
exceed 255, sock5 not support this
not support ipv6 address
sock5 server : address type not supported
sock5 server : command not supported
asyn_frame.dat
.sandai.net
error.dat
.\dl_plugin_fs.cpp
(id < _io_unit_array.size())&&(_io_unit_array[id]->is_free == false)
.\file_io_unit.cpp
id < _io_unit_array.size()
map_it != _data_map.end()
map_it != _reading_ranges_array.end()
.\cache_strategy.cpp
.\rest_range_read_manager.cpp
it_done != _file_rest_queue_done.end()
j < data_record_ptr_array.size()
.\io_manager.cpp
p2s_idx_hub_port
hub5idx.shub.hz.sandai.net
p2s_res_hub_port
hub5sr.shub.hz.sandai.net
p2s_hub_port
port
imhub5t.hz.sandai.net
.td.cfg
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
cmd_report_abnormal_response
d:\minidownloadlib\branches\branch_wbf\p2sp\sim_class\../com_class/CCommand.h
g;CP2spSubTask_url
d:\minidownloadlib\branches\branch_wbf\p2sp\sim_class\download_plugin.h
.unknow
0 != _need_calc_blocknos.size()
.\xunlei_bcid_calculator.cpp
.\bcids_info.cpp
cfgfile error version: %d
("execute_cmd
\MiniDownloadLib\branches\branch_wbf\p2sp\protocol\cmd_tcp_handler.cpp
invalid_cmd
tcp_connect_error
report_time
TCPH_Failed
TCPH_NetError
TCPH_BothRes
TCPH_OnlySeedRes
TCPH_OnlyNonSeedRes
TCPH_NoRes
cmd_query_hub
cmd_query_res_info_hub
cmd_query_server_res
\MiniDownloadLib\branches\branch_wbf\p2sp\protocol\command.cpp
cmd_report_fetch_hint_error
cmd_report_fetch_hint_error_response
!_gcid.empty() && _sub_task_file_size != 0
.\p2sp_sub_task_imp.cpp
.\resource_info_ex.cpp
HTTP/1.1
httpresponse_header don't have field: Content-Length
httpresponse_header don't have field: Content-Range
httpresponse header don't have field: Content-Range
httpresponse_header don't have field: Content-Disposition
Httponly
HttpOnly
httponly
IDataPipe
dupsock_chunked_http_data_pipe
dupsock_data_pipe
_data_operation == NULL
.\ftp_data_pipe.cpp
operation_ptr == _data_operation
data_len <= FTP_BUFFER_SIZE
PASS ******
does not surpport this type of ftp proxy
_asyn_io_operation == NULL
_data_operation != NULL
_assigned_range.pos() < file_length()
_encode_filename_count<_all_encoded_filename.size()
_all_encoded_filename.size()>0
ftp_min_expected_sum_length
ftp_data_pipe
PROT failed, server may not support ssl
PBSZ failed, server may not support ssl
_encode_filename_count < _all_encoded_filename.size()
port command exec failure
login failure at cwd
login failure at PASS
login failure at USER
PORT
OP_SOCK_BIND == operation_ptr->operation_type()
OP_SOCK_CONNECT == operation_ptr->operation_type()
_ssl_explicit && operation_ptr == _asyn_io_operation
operation_ptr == _asyn_io_operation
_is_ssl && operation_ptr == _data_operation
http request return error, can't get entity_length
operation_ptr->operation_type() == OP_SOCK_CONNECT
operation_ptr == _ayso_io_operation
.\http_data_pipe.cpp
not send request,can't get redirect_url
yahoo.com
_cur_process_path_pos < _process_full_paths.size()
(unsigned)_small_file_pos < _process_full_paths.size()
Shlwapi.dll
http_min_expected_sum_length
cur_proxy.proxy_type == HTTP_PROXY
http_data_pipe
.xunlei.com
6to23.com
_process_full_paths.push_back has logical error
encode_mode <= _server_resource_ptr->_http_full_paths.size()
.\http_url_range_pipe.cpp
_server_resource_ptr->range_type() == VSU_RANGE_URL
.\p2s_task_event_handler.cpp
1 == resources.size()
.\server_res_store.cpp
cmd_query_hub_response
cmd_query_res_info_response
cmd_query_server_res_response
.\p2s_res_searcher.cpp
d..\p2s_sub_task.cpp
max_url_length
cmd_report_change_ex
cmd_insert_server
.movie
video/vnd.mpegurl
.wmls
text/vnd.wap.wmlscript
text/vnd.wap.wml
.html
image/x-portable-pixmap
image/x-portable-graymap
image/x-portable-bitmap
image/x-portable-anymap
.wbmp
image/vnd.wap.wbmp
image/vnd.djvu
.tiff
.arpm
audio/x-mpegurl
.midi
.xhtml
.ustar
.texi
.sv4crc
.sv4cpio
.shar
.latex
.gtar
.cpio
.bcpio
.wmlsc
application/vnd.wap.wmlscriptc
.wmlc
application/vnd.wap.wmlc
.wbxml
application/vnd.wap.wbxml
application/vnd.ms-powerpoint
application/vnd.ms-excel
application/vnd.mif
_dispatch_info.offset <= pos
.\p2sp_data_pipe.cpp
.\limit_asyn_socket_device.cpp
_client_cur_len   _dispatch_info.offset == _dispatch_info.expected_pos
1 == range_q.size()
.\ftp_data_reader.cpp
.\server_data_pipe.cpp
read notify failure, and not support range, exit
support keep alive and socket is not pending , reopen
pipe reading, pos != cur pos, cur pos:
support keep alive but pipe is not connected
pipe reading, pos == cur pos, do read direct
change ranges while state is opening, support keep alive ! pos != old_range_pos reconnect
pipe opening, pos != old pos , old pos:
pipe opening, pos == old pos
change zero range while state is opening. close this pipe.
change zero range while state is connecting. close this pipe.
pipe idle, pos != cur pos, not support range reconnect
pipe idle, pos != cur pos, connect again, cur pos:
pipe idle, pos != cur pos, not support keep alive, so reconnect
pipe idle, pos == cur pos, support keep alive, so do sub open
change_ranges at state: idle but not support range , do read direct
change zero range while state is idle. close this pipe.
change ranges while retry waiting! and is zero range. so close pipe.
, but not support range, range pos:
occur exception: redirect but schema not support, no retry
occur exception: redirect but self redirect url, no retry
occur exception: redirect but no redirect url, no retry
occur exception: redirect but wrong redirect port, no retry
io_complete, handle_open_notify return not support range, is html:
cmd_report_notstable_response
cmd_report_notstable
_cfgdata_info._bcid_calculator.get_bcids().block_size() != 0
\MiniDownloadLib\branches\branch_wbf\p2sp\datamanagement_imp\data_file_handler.cpp
0 !=_data_receiver_list.size()
.td.decprs
.\data_file_manager.cpp
_asyn_file_op_ptr == operation_ptr
cmd_report_new_task
cmd_report_new_task_response
cmd_report_task_life_cycle
cmd_report_task_life_cycle_resp
cmd_report_change_ex_response
cmd_insert_server_response
.\simple_data_receiver.cpp
cmd_report_dwstat
cmd_report_dwstat_resp
cmd_report_download_failure
cmd_vote_urlinfo
cmd_report_abnormal
cmd_report_correction_resp
cmd_report_correction
1.2.3
%c%c%c%c%c%c
%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c
%c%c%c%c%c
%c%c%c%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c
.\data_receiver.cpp
cmd_report_download_failure_response
cmd_vote_urlinfo_resp
pipe_base_socre
simu_max_alternate_pipes
simu_pipes_per_task
simu_max_simultaneity_pipes
simu_min_simultaneity_pipes
random_unchoke_pipe_num
optimistic_unchoke_pipe_num
pure_upload_pipe_max
cid_store_server_port
hubciddata.hz.sandai.net
\cid_store.dat
hubstat_port
hubstat.hz.sandai.net
imhubstat.hz.sandai.net
pmap_port
pmap.hz.sandai.net
udp_recv_speed_max
udp_send_speed_max
diff_nat_tcp_recv_speed_max
diff_nat_tcp_send_speed_max
same_nat_tcp_recv_speed_max
same_nat_tcp_send_speed_max
udp_recv_bytes
udp_send_bytes
udp_recv_times
udp_send_times
diff_nat_tcp_recv_bytes
diff_nat_tcp_send_bytes
diff_nat_tcp_recv_times
diff_nat_tcp_send_times
same_nat_tcp_recv_bytes
same_nat_tcp_send_bytes
same_nat_tcp_recv_times
same_nat_tcp_send_times
cmd_retry_interval
cmd_enroll
passive_report_period
cmd_enroll_resp
config_port
hub5c.hz.sandai.net
cmd_reportcrack_resp
cmd_report_change_dir_for_ids_resp
cmd_report_del_uncomp_task_response
cmd_query_resstat_resp
new asyn_io_operation failed.
POST / HTTP/1.1
/ HTTP/1.1
POST hXXp://
udp_retry_times
command [%s] encode length [%lu] is greater than udp packet max length [%lu].
udp_recv_timeout_interval
wrap_with_http
cmd_query_base_conf
cmd_query_base_conf_resp
%d.%d.%d.%d
cmd_report_change_dir_for_ids
cmd_report_del_uncomp_task
cmd_query_resstat
cmd_reportcrack
cmd_getconfig
cmd_getconfig_resp
default_udp_port
dl_port
default_tcp_port
broker_tcp_conn_succ
broker_tcp_connection
direct_tcp_conn_succ
direct_tcp_connection
PS_PORT_ALLOC
AS_PORT_ALLOC
CONE_PORT_ALLOC
UNKNOWN_PORT_ALLOC
DELTA_PORT_OTHER
DELTA_PORT_0
DELTA_PORT_4
DELTA_PORT_3
DELTA_PORT_2
DELTA_PORT_1
UNKNOWN_DELTA_PORT
255.255.255.0
bind port failed.
http_wrapper_enable
p2p_cmd_reportp2pstatresp
report_time_obj
cmd_reportp2pobjstatresp
d:\minidownloadlib\branches\branch_wbf\ptl\back_agent\../com_class/CCommand.h
ReportP2PTraverseStatEvents
NAT_SERVER_PORT_LIST
8000,4000,3076,4004,5004
nat_check_port
BROKERCMD
path_stat_server_port
relay.phub.hz.sandai.net
P2P_UPDATE_EX_PORT_FACTOR
P2P_UPDATE_EX_PORT_INTERVAL
P2P_BIND_PORT_MAX_RETRY
hub5pnc.hz.sandai.net
TRACKER_PORT
hub5pn.hz.sandai.net
ping_server_port
hub5u.hz.sandai.net
P2P_NAT_CHECK_UDP_MAX_RETRY
P2P_NAT_CHECK_UDP_TIMEOUT
P2P_DEFAULT_LISTEN_DUMMY_PORT
relay.hz.sandai.net
_dest_dummy_port:
_source_dummy_port:
p2p_cmd_old::decode should decode
but decode cmd =[
UNKNOWNCMD
p2p_cmd_tcp::decode bodylen[
p2p_cmd_tcp::decode buff_size
HTTP/1.1 200 OK
asyn_http_socket
asyn_http_socket_device
p2p_cmd_statistic
cmd_reportp2pobjstat
enable_tcp_mode
No second port.
No source port.
No mapped port.
external_port
upnp.exe
describe_url
send udp data error
UDP send_to() is commanded to stop!
%u.%u.%u.%u
_local_port
_delta_port
_latest_ex_port
_local_dummy_port
_remote_port
port :
p2p_cmd_udp::decode buff_size
_guess_ex_port
_remote_dummy_port
_dest_dummy_port
_source_dummy_port
obj_dummy_port :
src_dummy_port :
_my_dummy_port
port:
no next_report_day
AddPortMapping
<NewExternalPort>%u</NewExternalPort>
<NewProtocol>%s</NewProtocol>
<NewInternalPort>%u</NewInternalPort>
<NewInternalClient>%s</NewInternalClient>
<NewPortMappingDescription>Thunder5</NewPortMappingDescription>
POST %s HTTP/1.1
HOST: %s:%u
Content-Length: %d
SOAPACTION: "%s#%s"
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
<u:%s xmlns:u="%s">
%s </u:%s>
GET %s HTTP/1.1
Host: %s:%d
controlURL
URLBase
cmd_report_upnp
cmd_report_upnp_response
239.255.255.250
M-SEARCH * HTTP/1.1
HOST:239.255.255.250:1900
unknown escape character: '&%s'
{D69684C8-7381-478C-A595-9FFBD8EA3506}
coisp_cdn.dat
coisp_ipsec.dat
recv_all_cmd_bytes
recv_all_cmd_count
send_all_cmd_bytes
send_all_cmd_count
pus_report_interval
p2p_hub_port
imhub5pr.hz.sandai.net
tracker_port
hub5p.hz.sandai.net
hub5pr.hz.sandai.net
score_port
score.phub.hz.sandai.net
zero_cdn_port
thunder7.zhub.sandai.net
_read_buffer2ref_count.count(data_input_ptr)
.\p2pres_repository.cpp
pipe_min_retry_time
check_pipe_alive_limit
check_pipe_alive_interval
udp_valid
tcp_valid
peer://%s@%s:%hu/%s
d:\minidownloadlib\branches\branch_wbf\p2p\dl_plugin\back_agent\../com_class/CCommand.h
cmd_retry_isrconline_interval
cmd_relogin_interval
_command_queue.size()
.\hub_protocol\p2phub_tcp_handler.cpp
force_report_p2p_res
cmd_p2perrorstatresp
cmd_report_invalid_peer
.\p2p_pipe_base.cpp
(tcp)
(udp)
remove choke pipe:
pipe deleted.
insert choke pipe:
pipe already closed and deleted!
]. pipe didn't send or recv for [
INVALID_CMD
send UNKNOWNCMD failed. error_code=[
recv UNKNOWNCMD failed. error_code=[
new asyn_io_operation == NULL!!
an operation need illegal [
encode cmd exception =
impossible _pipe_type =
0000000000000000
cmd_old_head->encode caused exception:
read_buffer notify error. post an operation simulant send GETRESP(failed).
recv opt_unknown_recv_cmd_old_header failed! error_code=[
opt_unknown_recv_cmd_old failed! error_code=[
old p2p command decode get unknown cmd_name =
PIPE
add_accepted_p2p_pipe failed!
accepted with TCP connection.
illegal pipe_open_type =
broker_open: impossible PIPE_TYPE =
incorrect pipe_open_type =
Unknown operation types =
range_to_save.pos()[
cmd_requestresp data_len
Unknown operation=
recv cmd tcp header failed! error_code=[
decode cmd tcp header exception =
cmd name is unknown. header data: protocol version[
] cmd_name[
Unknown _pipe_type =
p2p_data_pipe
cmd_report_upload_statistic_resp
cmd_report_upload_statistic
.\peer_res_store.cpp
.\download_task\resource_info_ex.cpp
.\command.cpp
cmd_is_src_online
cmd_insert_rc
cmd_delete_rc
cmd_delete_rc_resp
cmd_report_rclist
cmd_p2perrorstat
.\cmd_tcp_handler.cpp
cmd_query_self_p2p_score
cmd_query_self_p2p_score_resp
.\cmd_udp_handler.cpp
p2p_cmd_old::encode Empty command name to encode!
p2p_cmd_old::decode cmd name should =[
]. but decode cmd =[
p2p_cmd_old::decode buff_size [
cmd_query_p2phub
cmd_query_p2phub_resp
cmd_query_tracker
.\hub_protocol\cmd_query_tracker.cpp
cmd_query_tracker_resp
tracker_cmd_delete
tracker_cmd_delete_resp
cmd_is_src_online_resp
cmd_insert_rc_resp
cmd_report_rclist_resp
user_global_tcp_connection_limit
.\DispatcherMain.cpp
.\dispatcher.cpp
%d.txt
hyper_speed_mode_pipe_limit
task_url
max_non_p2sp_pipes_count
max_recv_data_internal_http
max_recv_data_internal_ftp
max_pipe_on_same_host
max_pipe_count
calc_speed_pipe_score_fator
open a pipe
find a pipe by substring in res_id
show pipe information
list all pipes
net_stat_recovery_mode_reserve_pipe_num
max_reserved_pipe_count_base
not_support_range_pipe_reopen_interval
max_normal_pipe_reopen_interval
normal_pipe_reopen_interval
new_pipe_count_base_dec_delta_slow
new_pipe_count_base_dec_delta_fast
new_pipe_count_base_inc_delta_slow
new_pipe_count_base_inc_delta_fast
default_open_pipe_count_on_task_start
?to_open_count >= pipes_created_once
.\normal_connect_dispatch.cpp
succ open pipe :
usage: open pipe_ptr
succ close pipe :
usage: close pipe_ptr
pipe_history_max_speed:
pipe_recent_max_speed:
pipe_speed:
pipe:
not found pipe:
usage: info pipe_ptr
pipe:
lixian.vip.xunlei.com
is_in(pipe_wrapper_ptr)
.\resource_wrapper.cpp
pipe_list
idle_cause >= PIPE_IDLE_INIT && idle_cause <= LONGTIME_NO_DATA
.\data_pipe_wrapper.cpp
d:\minidownloadlib\branches\branch_wbf\down_dispatcher\dispatcher\data_pipe_wrapper.h
data_pipe_wrapper
max_dispatch_p2p_pipe_count
max_dispatch_server_pipe_count
max_overlap_p2p_pipes
max_overlap_server_pipes
.\normal_dispatcher_imp_new.cpp
next_it != _cur_map.end()
next_it != _cur_map.begin()
end_of_range != _cur_map.end()
end_of_range != _cur_map.begin()
i->first == r_r.pos()
_cur_map.size() >= 2
.\normal_dispatcher_imp_opt.cpp
_cur_map.size() > 0
_cur_map.size() > 1
pipe_ptr->get_connect_time() != UINT_MAX
enable_pipeline
max_pipeline_count
block_range.length() > cut_len
.\small_file_dispatcher_v2.cpp
.\dispatch_range_queue.cpp
range_pos->r.is_contain(assign_range) || assign_range.is_full_range()
can_download_ranges().ranges().size() == 1
ranges.size()==1
can_download_ranges().ranges().size() != 0
current_queue.all_range_length() == current_all_length
.\peer_data_pipe.cpp
.\density_calculator.cpp
m_queue->m_allocate_begin_pos != m_queue->m_ranges_info.begin()
.\sequential_range_iterator.cpp
.\allocate_iterator.cpp
hubstat.sandai.net
last_passive_report
P:passive_report_delay
Tlast_report_time
report_period
cmd_report_statistic
cmd_report_statistic_resp
d:\minidownloadlib\branches\branch_wbf\xl_stat\back_agent\shub_command.cpp
Kernel32.dll
Run-Time Check Failure #%d - %s
MSPDB71.DLL
IMAGEHLP.DLL
KERNEL32.DLL
ADVAPI32.DLL
dl_crt
not_support_p2p_acc
support_p2p_acc
not_support_mhxy_v1
support_mhxy_v1
not_forced_tcp_mode
forced_tcp_mode
RSA part of OpenSSL 0.9.8b 04 May 2006
passed a null parameter
DSO support routines
x509 certificate routines
Big Number part of OpenSSL 0.9.8b 04 May 2006
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
lhash part of OpenSSL 0.9.8b 04 May 2006
Stack part of OpenSSL 0.9.8b 04 May 2006
RAND part of OpenSSL 0.9.8b 04 May 2006
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
ASN.1 part of OpenSSL 0.9.8b 04 May 2006
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
USER32.DLL
NETAPI32.DLL
SHA1 part of OpenSSL 0.9.8b 04 May 2006
SHA-256 part of OpenSSL 0.9.8b 04 May 2006
DlSHA-512 part of OpenSSL 0.9.8b 04 May 2006
port error
d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb
WS2_32.dll
WININET.dll
USERENV.dll
VERSION.dll
CreateIoCompletionPort
GetWindowsDirectoryA
zlib1.dll
MSWSOCK.dll
NETAPI32.dll
ReportEventA
download_engine.dll
get_default_listen_port
get_http_request_header
get_http_request_method
get_listen_port
get_task_url
get_url_str
is_support_dispatch_strategy
is_support_schema
parse_url
report_crack
report_crack_cancel
report_file_to_phub
set_http_request_header
set_http_request_method
set_listen_port
set_report_strategy
set_stat_ref_url
url_info_to_str
.?AUIAsynIoOperationEvents@@
.?AV?$singleton_ex@Vmsg_pool@@@@
.?AVmsg_pool@@
.?AVCAsynIoOperationLayer@@
.?AUIAsynTcpListener@@
.?AUIAsynTcpListener2@@
.?AVCAsynTcpListener@@
.?AV?$CComObject@VCAsynTcpListener@@@ATL@@
.?AVCAsynSock5TcpListener@@
.?AV?$CComObject@VCAsynSock5TcpListener@@@ATL@@
.?AUIAsynUdpSocket2@@
.?AUIAsynUdpSocket@@
.?AVCAsynUdpSocket@@
.?AV?$CComObject@VCAsynUdpSocket@@@ATL@@
.?AUIAsynTcpSocket@@
.?AVCAsynTcpSocket@@
.?AV?$CComObject@VCAsynTcpSocket@@@ATL@@
.?AVCAsynSock5UdpSocket@@
.?AV?$CComObject@VCAsynSock5UdpSocket@@@ATL@@
.?AUIAsynIoOperationObject@@
.?AUIAsynIoOperation@@
.?AUIAsynFileScatterOperation@@
.?AVCAsynIoOperation@@
.?AV?$CComObject@VCAsynIoOperation@@@ATL@@
.?AUIAsynProxyTcpSocket@@
.?AVCAsynSock5TcpSocket@@
.?AV?$CComObject@VCAsynSock5TcpSocket@@@ATL@@
.?AVasyn_io_operation@@
.?AVCAsynIoOperationObjects@@
.?AVftp_proxy_verifier@@
.?AVhttp_proxy_verifier@@
.?AVwait_objects_thread_operation_list@@
.?AVasyn_udp_device@@
.?AVcmd_tcp_handler@ns_p2sp@@
.?AVhub_cmd_tcp_handler@ns_p2sp@@
.?AVstatistic_report_handler@ns_p2sp@@
.?AUIHttpResource@@
.?AUIHttpResource2@@
.?AUIHttpResource3@@
.?AUIHttpResource4@@
.?AVp2sp_data_pipe@ns_p2sp@@
.?AUIServerDataPipe@@
.?AUIDataPipe@@
.?AVcmd_query@ns_p2sp@@
.?AVcmd_query_res_info@ns_p2sp@@
.?AVcmd_query_server_res@ns_p2sp@@
.?AVcmd_report_fetch_hint_error@ns_p2sp@@
.?AVcmd_report_fetch_hint_error_response@ns_p2sp@@
.?AVhttpresponse_header@@
.?AVserver_pipe_manager@ns_p2sp@@
.?AV?$CEventsRaiser@UIDataPipeEvents@@$0PPPPPPPP@@@
.?AVpipe_events_raiser@ns_p2sp@@
.?AV?$CServerDataPipeRoot@UIServerDataPipe@@@@
.?AVdupsock_chunked_http_data_pipe@ns_p2sp@@
.?AVdupsock_data_pipe@ns_p2sp@@
.?AVserver_data_pipe@ns_p2sp@@
.?AVftp_data_pipe@ns_p2sp@@
.?AUIHttpDataPipe@@
.?AUIHttpDataPipe2@@
.?AV?$CServerDataPipeRoot@UIHttpDataPipe2@@@@
.?AVhttp_data_pipe@ns_p2sp@@
.?AVhttp_url_range_pipe@ns_p2sp@@
.?AVasyn_io_operation@ns_p2sp@@
.?AVp2p_cmd_exception@ns_p2sp@@
.?AVp2p_cmd_exception_insufficient_write@ns_p2sp@@
.?AVp2p_cmd_exception_insufficient_read@ns_p2sp@@
.?AVcmd_query_response@ns_p2sp@@
.?AVcmd_query_res_info_response@ns_p2sp@@
.?AVcmd_query_server_res_response@ns_p2sp@@
.?AVcmd_report_change_ex@ns_p2sp@@
.?AVcmd_insert_server@ns_p2sp@@
.?AVCAsynIoOperationEvents@ns_p2sp@@
.?AV?$CComObject@VCAsynIoOperationEvents@ns_p2sp@@@ATL@@
.?AVftp_data_reader@ns_p2sp@@
.?AVhttpresponse_data@ns_p2sp@@
.?AVcmd_report_notstable_response@ns_p2sp@@
.?AVcmd_report_notstable@ns_p2sp@@
.?AVhttp_response@ns_p2sp@@
.?AVhttpresponse_stream_data@ns_p2sp@@
.?AVhttpresponse_chunked_data@ns_p2sp@@
.?AVfile_create_operation@@
.?AVcmd_report_new_task@ns_p2sp@@
.?AVcmd_report_new_task_response@ns_p2sp@@
.?AVcmd_report_task_life_cycle@ns_p2sp@@
.?AVcmd_report_task_life_cycle_resp@ns_p2sp@@
.?AVcmd_report_change_ex_response@ns_p2sp@@
.?AVcmd_insert_server_response@ns_p2sp@@
.?AVcmd_report_dwstat@ns_p2sp@@
.?AVcmd_report_dwstat_resp@ns_p2sp@@
.?AVcmd_report_download_failure@ns_p2sp@@
.?AVcmd_vote_urlinfo@ns_p2sp@@
.?AVcmd_report_abnormal_response@ns_p2sp@@
.?AVcmd_report_abnormal@ns_p2sp@@
.?AVcmd_report_correction_resp@ns_p2sp@@
.?AVcmd_report_correction@ns_p2sp@@
.?AVcmd_report_download_failure_response@ns_p2sp@@
.?AVcmd_vote_urlinfo_resp@ns_p2sp@@
.?AVcmd_handler@ns_back_agent@@
.?AVcmd_tcp_handler@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@
.?AVcmd_udp_handler@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@
.?AVcmd_tcp_encrypted_handler@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@
.?AV?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_udp_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIShubCommand@@VCShubCommand@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UIPhubCommand@@VCPhubCommand@2@@ns_back_agent@@@ATL@@
.?AV?$CComObject@V?$CCommandSender@Vcmd_tcp_encrypted_handler@ns_back_agent@@UICommand@@VCCommandEx@2@@ns_back_agent@@@ATL@@
.?AVconfig_hub_tcp_handler@ns_back_agent@@
.?AVstatistic_report_handler@ns_back_agent@@
.?AVthunderS_enroll_tcp_handler@ns_back_agent@@
.?AVcmd_enroll_resp@ns_back_agent@@
.?AVpmap_tcp_handler@ns_back_agent@@
.?AVcmd_query_base_conf@ns_back_agent@@
.?AVcmd_query_base_conf_resp@ns_back_agent@@
.?AVcmd_enroll@ns_back_agent@@
.?AVcmd_report_change_dir_for_ids@ns_back_agent@@
.?AVcmd_report_change_dir_for_ids_resp@ns_back_agent@@
.?AVcmd_report_del_uncomp_task@ns_back_agent@@
.?AVcmd_report_del_uncomp_task_response@ns_back_agent@@
.?AVcmd_query_resstat@ns_back_agent@@
.?AVcmd_reportcrack@ns_back_agent@@
.?AVcmd_getconfig@ns_back_agent@@
.?AVcmd_getconfig_resp@ns_back_agent@@
.?AVcmd_query_resstat_resp@ns_back_agent@@
.?AVcmd_reportcrack_resp@ns_back_agent@@
.?AVp2p_intranet_cmd@ns_ptl@@
.?AVp2p_cmd_keepalive@ns_ptl@@
.?AVasyn_io_operation@nssc@@
.?AVbroker_io_operation@ns_ptl@@
.?AVall_udt_accept_operation@ns_ptl@@
.?AVpassive_peek_operation@ns_ptl@@
.?AVpassive_connection_dispatcher@ns_ptl@@
.?AVstatistic_report_handler@ns_ptl@@
.?AVReportP2PTraverseStatEvents@ns_ptl@@
.?AVudp_socket_portal@ns_ptl@@
.?AVudp_data_handler_imp@ns_ptl@@
.?AVp2p_cmd_exception@ns_ptl@@
.?AVudp_make_peer_reachable_event_handler@ns_ptl@@
.?AVudp_make_peer_reachable_strategy@ns_ptl@@
.?AVudp_passive_punch_hole_strategy@ns_ptl@@
.?AVudp_punch_hole_strategy@ns_ptl@@
.?AVudp_direct_connect_strategy@ns_ptl@@
.?AVudp_passive_direct_connect_strategy@ns_ptl@@
.?AVincoming_udp_broker_connection_handler@ns_ptl@@
.?AVudp_broker_cmd_handler@ns_ptl@@
.?AVudp_passive_broker_strategy@ns_ptl@@
.?AVp2p_cmd_p2psyn@ns_ptl@@
.?AVudp_broker_strategy@ns_ptl@@
.?AVudp_relay_strategy@ns_ptl@@
.?AVptl_tcp_socket@ns_ptl@@
.?AVp2p_cmd_p2preset@ns_ptl@@
.?AVp2p_cmd_getpeersn@ns_ptl@@
.?AVcmd_brokerreq@ns_ptl@@
.?AVcmd_brokerreq2@ns_ptl@@
.?AVp2p_cmd_base@ns_ptl@@
.?AVp2p_cmd_tcp@ns_ptl@@
.?AVcmd_transferlayercontrolresp@ns_ptl@@
.?AVp2p_cmd_exception_insufficient_read@ns_ptl@@
.?AVcmd_transferlayercontrol@ns_ptl@@
.?AVasyn_http_socket_device@ns_ptl@@
.?AVp2p_cmd_statistic@ns_ptl@@
.?AVcmd_reportp2pobjstat@ns_ptl@@
.?AVp2p_cmd_binding_response@ns_ptl@@
.?AVp2p_cmd_binding_request@ns_ptl@@
.?AVudp_socket@ns_ptl@@
.?AVudp_socket_imp@ns_ptl@@
.?AVp2p_cmd_nn2snlogout@ns_ptl@@
.?AVp2p_cmd_getmysn@ns_ptl@@
.?AVp2p_cmd_pingsn@ns_ptl@@
.?AVcmd_query_relay_peer_resp@ns_ptl@@
.?AVp2p_cmd_RelayRequestResp@ns_ptl@@
.?AVp2p_cmd_RelayRequest@ns_ptl@@
.?AVcmd_brokercmd2@ns_ptl@@
.?AVp2p_cmd_getmysnres@ns_ptl@@
.?AVcmd_udp_broker_cmd@ns_ptl@@
.?AVp2p_cmd_udp@ns_ptl@@
.?AVp2p_cmd_brokercmd@ns_ptl@@
.?AVp2p_cmd_someonecallu@ns_ptl@@
.?AVp2p_cmd_punchhole@ns_ptl@@
.?AVp2p_cmd_pingsnres@ns_ptl@@
.?AVp2p_cmd_icallsomeoneres@ns_ptl@@
.?AVp2p_cmd_getpeersnres@ns_ptl@@
.?AVp2p_cmd_advanced_ack@ns_ptl@@
.?AVcmd_brokercmd@ns_ptl@@
.?AVp2p_cmd_icallsomeone@ns_ptl@@
.?AVcmd_udp_broker_req@ns_ptl@@
.?AVcmd_query_relay_peer@ns_ptl@@
.?AVp2p_cmd_brokerreq@ns_ptl@@
.?AVp2p_cmd_exception_insufficient_write@ns_ptl@@
.?AVp2p_cmd_reportp2pstatresp@ns_ptl@@
.?AVcmd_reportp2pobjstatresp@ns_ptl@@
.?AVp2p_cmd_logout@ns_ptl@@
.?AVcmd_ping@ns_ptl@@
.?AVasyn_tcp_handler@ns_ptl@@
.?AVcmd_report_upnp@ns_ptl@@
.?AVcmd_report_upnp_response@ns_ptl@@
.?AVasyn_udp_handler@ns_ptl@@
.?AV?$msg_base@Vp2pres_repository@ns_p2p@@@ns_p2p@@
.?AVresource_upload_control_msg@ns_p2p@@
.?AVp2p_data_pipe@ns_p2p@@
.?AVp2p_pipe_base@ns_p2p@@
.?AVbroker_pipe_record@ns_p2p@@
.?AVupload_p2p_pipes@ns_p2p@@
.?AVpending_p2p_pipes@ns_p2p@@
.?AVmsg@p2p_sub_task@ns_p2p@@
.?AVasyn_notify_msg@p2p_sub_task@ns_p2p@@
.?AVmsg@p2phub_tcp_handler@ns_p2p@@
.?AVremove_single_msg@p2phub_tcp_handler@ns_p2p@@
.?AVupdate_single_msg@p2phub_tcp_handler@ns_p2p@@
.?AVp2phub_tcp_handler@ns_p2p@@
.?AVstatistic_report_handler@ns_p2p@@
.?AVp2p_acc_cert_verifier@ns_p2p@@
.?AVcmd_tcp_handler@ns_p2p@@
.?AVquery_p2p_score_tcp_handler@ns_p2p@@
.?AVcmd_udp_handler@ns_p2p@@
.?AVp2phub_udp_handler@ns_p2p@@
.?AVcmd_report_invalid_peer@ns_p2p@@
.?AVp2p_pipe_speed_caculator@ns_p2p@@
.?AVp2p_cmd_base@ns_p2p@@
.?AVp2p_cmd_old@ns_p2p@@
.?AVp2p_cmd_tcp@ns_p2p@@
.?AVp2p_cmd_old_get@ns_p2p@@
.?AVp2p_cmd_request@ns_p2p@@
.?AUIChokePipeUploadScore@@
.?AUIExtraDataPipe@@
.?AUIChokePipe@@
.?AUIP2pDataPipe@@
.?AUIP2pDataPipe2@@
.?AVcmd_report_upload_statistic_resp@ns_p2p@@
.?AVcmd_report_upload_statistic@ns_p2p@@
.?AVcmd_tracker_delete_resp@ns_p2p@@
.?AVtracker_udp_handler@ns_p2p@@
.?AVasyn_tcp_device@ns_p2p@@
.?AVp2p_pipe_manager@ns_p2p@@
.?AVcmd_is_src_online@ns_p2p@@
.?AVcmd_insert_rc@ns_p2p@@
.?AVcmd_delete_rc@ns_p2p@@
.?AVcmd_delete_rc_resp@ns_p2p@@
.?AVcmd_report_rclist@ns_p2p@@
.?AVcmd_p2perrorstat@ns_p2p@@
.?AVcmd_p2perrorstatresp@ns_p2p@@
.?AVcmd_query_self_p2p_score@ns_p2p@@
.?AVcmd_query_self_p2p_score_resp@ns_p2p@@
.?AVp2p_cmd_exception@ns_p2p@@
.?AVp2p_cmd_exception_insufficient_write@ns_p2p@@
.?AVp2p_cmd_exception_insufficient_read@ns_p2p@@
.?AVp2p_cmd_requestresp@ns_p2p@@
.?AVp2p_cmd_old_resp@ns_p2p@@
.?AVp2p_cmd_exception_protocol_ver_too_high@ns_p2p@@
.?AVp2p_cmd_old_connect@ns_p2p@@
.?AVp2p_cmd_old_connectresp@ns_p2p@@
.?AVp2p_cmd_old_getresp@ns_p2p@@
.?AVp2p_cmd_handshake@ns_p2p@@
.?AVp2p_cmd_handshakeresp@ns_p2p@@
.?AVp2p_cmd_interested@ns_p2p@@
.?AVp2p_cmd_notinterested@ns_p2p@@
.?AVp2p_cmd_interestedresp@ns_p2p@@
.?AVp2p_cmd_extradata@ns_p2p@@
.?AVp2p_cmd_extradataresp@ns_p2p@@
.?AVp2p_cmd_cancel@ns_p2p@@
.?AVp2p_cmd_cancelresp@ns_p2p@@
.?AVp2p_cmd_fin@ns_p2p@@
.?AVp2p_cmd_finresp@ns_p2p@@
.?AVp2p_cmd_keepalive1@ns_p2p@@
.?AVp2p_cmd_unknowncmd@ns_p2p@@
.?AVp2p_cmd_choke@ns_p2p@@
.?AVp2p_cmd_unchoke@ns_p2p@@
.?AVcmd_query_p2phub@ns_p2p@@
.?AVcmd_query_p2phub_resp@ns_p2p@@
.?AVcmd_query_tracker@ns_p2p@@
.?AUpeer_res2@cmd_query_tracker_resp@ns_p2p@@
.?AVcmd_query_tracker_resp@ns_p2p@@
.?AVcmd_tracker_delete@ns_p2p@@
.?AVcmd_is_src_online_resp@ns_p2p@@
.?AVcmd_insert_rc_resp@ns_p2p@@
.?AVcmd_report_rclist_resp@ns_p2p@@
.?AUIDataPipeEvents@@
.?AVdata_pipe_wrapper@ns_down_dispatcher@@
.?AVserver_data_pipe@ns_down_dispatcher@@
.?AVpeer_data_pipe@ns_down_dispatcher@@
.?AVcmd_tcp_handler@ns_xl_data@@
.?AVreport_handler@ns_xl_data@@
.?AVcmd_report_statistic_resp@ns_xl_data@@
.?AVcmd_report_statistic@ns_xl_data@@
.?AVCAsynIoOperationEvents@nssc@@
.?AV?$CComObject@VCAsynIoOperationEvents@nssc@@@ATL@@
.?AVasyn_tcp_device_imp@nssc@@
.?AVasyn_udp_device@nssc@@
'0:0`0{0
4I4F4S4`4
8%8S8u8
= =,=2=8=>=
6r7S7o7t7
<(<-<=<_<
4T5U5d5
3#393]3}3
9Ÿ9i9
<&= =0===
4 4$4(4,494
5 5$5(5,505{5
9"9(919?9
6%7,727]7
0%0/090|0
6m6Q6d6v6
9'9-989A9F9S9Y9s9}9
4]5
8Œ8^8n8t879K9
00F0
1%1S1o1
<%<*<2<7<?<
5371979
:.:3:8:&;
4090>0`0
&1?164#8
88W8
2(3-383>3
3!3&333^3
3$3 34494>4
9(;-;2;"?
< <$<(<,<
4 5Y5U5^5c5u5~5
?(?1?:???
6d6C6R6a6p6u6
<#<(<.<3<|<
:$;(;,;0;4;8;<;@;
9(9,9094989
5 5$5(5,50545|5
3 3$3(3,3034383
: :$:(:,:0:4:
; ;$;(;,;0;
$0(0,0004080<0@0
7(8,8084888<8
= =$=0=4=8=`=|=
4 4(4,4044484<4@4
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Operate1604
ver = 3.2.1.42
.textbss1U
.idata
httpsProxy
ftpProxy
httpProxy
dwTcpSpeedLimit
ref_url_length
ref_url
url_length
udp_port
tcp_port
strCurrentExeFullPath
strExeFullPath
bug_report_dir
ShExecInfo
cmd_line
hKey
CertInfo
hMsg
XLBugReport_path
hXXp://store.paycenter.uc.cn
mail-attachment.googleusercontent.com
d:\minitp\src\minithunderplatform\src\minithunderplatform\downloadenginemanager.cpp
80000055
d:\minitp\src\minithunderplatform\src\dl_common\common\utility.cpp
_XL_SetAlwaysSendReport@4
_XL_SetReportShowMode@4
_XL_SetBugReportRootDir@4
unknown SDParameterType: %d when SDParameter::encode_data
unknown SDParameterType: %d when SDParameter::decode_data
d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb
RASAPI32.dll
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertGetNameStringW
CertFindCertificateInStore
CryptMsgGetParam
CRYPT32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
Yv4SSSSh
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb
minizip.dll
unzOpenCurrentFilePassword
msvcp71.pdb
C?|!%x
\9?|49?|
\<?|4<?|
_Wcrtomb
__Wcrtomb_lk
wcrtomb
0 00C0R0b0k0~0
0-1}1@2
2 2(202@2`2
< <$<(<,<<<@<
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
HNetCfg.FwOpenPort
d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
9$9,92979=9
;.<4<8<<<@<
$1014181<1
> ><>@>`>
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
,[!1.2.3
%c%c%c%c%c%c%c%c%c%c
<fd:%d>
inflate 1.2.3 Copyright 1995-2005 Mark Adler
FTpl
u.VV3
codepage:%d
:?\/*<>|"
?456789:;<=
!"#$%&'()* ,-./0123
mscoree.dll
d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb
InternetCrackUrlW
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestW
XLDownloadEngine.dll
2"2.272@2`2
4 4$4(4,4044484<4
5"6(6,60646>7
7084888<8`8
:$:8:<:@:
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
3!5 5 656?6
<&<5<,=<=
7-8}8
3 3$3,3@3`3
ext-ms-win-ntuser-windowstation-l1-1-0
\xldl.dll
\download\atl71.dll
\download\dl_peer_id.dll
\download\download_engine.dll
\download\id.dat
\download\MiniThunderPlatform.exe
\download\MiniTPFw.exe
\download\minizip.dll
\download\msvcp71.dll
\download\msvcr71.dll
\download\zlib1.dll
\download\ThunderFW.exe
xldl.dll
[SDK] Load xl down dll pat : %s
\MiniTPFw.exe
MiniTPFw.exe
[SDK] colse xl firewall tips %s %s
@can not load xldl.dll
[SDK] Close_XL_Firewall_Tips result = %s
@[SDK] CMonitorFolder delete file path %s
[SDK] MonitorProcessCallBack hide window ok proccess : %s
[SDK] MonitorReportCallBack callback %d %s
[SDK] Upload Report, PID: %d,Name: %s
[SDK] Stop Upload Report
[DOWN FILE] FileName = %s ,Progress = %.2f%%
[DOWN FILE] Error FileName = %s
[DOWN FILE] success FileName = %s
[RUN FILE] success File = %s
ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Run
[SDK] CMonitorFolder DoFirstRemove %s
[SDK] CMonitorFolder DoFirstRemove Delete File %s
[SDK] CMonitorFolder Thread Run %s
[SDK] CMonitorRegistry Delete Reg %s
[SDK] CMonitorTrayIcon hide tray icon %s ok !
AAdvapi32.dll
7.10.6030.0
MSVCR71.DLL
Visual Studio .NET
!"754$#8
ATL Module for Windows (Unicode)
3, 2, 2, 16
shell32.dll
auto_test.cfg
5,0,2,288
id.dat
dc.ini
MINITP\BugReport\
{C6B7F4D9-8D15-4a48-A722-B54C3D6FCE70}
_67960FC3-A819-4fca-B939-F2B110716584_
{16C9DF46-AAF4-485d-AABE-4FE09E17E524}
%s=%s
%hu%c%hu%c%hu%c%hu
http redirect loop for 5 times
http redirect url is invalid
http header is invalid
xml <item> no key
invalid rsa public key
invalid aes key
\*.dll
XLBugReport.exe
XLBugHandler.dll
%sThumbs.db
Thumbs.db
%s*.*
3.2.1.42
M-%.2d-%.2d%.2d:%.2d:%.2d
\MiniThunderPlatform.exe"
ThunderFW.exe
1, 0, 0, 1
MSVCP71.DLL
2, 0, 0, 4
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant
download\MiniThunderPlatform.exe
nkernel32.dll
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2.0.2.1618
Copyright (C) 2007-2013 xiami.com All Rights Reserved.

MiniThunderPlatform.exe_1036:

.textbss1U
.text
`.rdata
@.data
.idata
.rsrc
httpsProxy
ftpProxy
httpProxy
dwTcpSpeedLimit
ref_url_length
ref_url
url_length
udp_port
tcp_port
strCurrentExeFullPath
strExeFullPath
bug_report_dir
ShExecInfo
cmd_line
hKey
CertInfo
hMsg
XLBugReport_path
SSSh5
hXXp://store.paycenter.uc.cn
mail-attachment.googleusercontent.com
d:\minitp\src\minithunderplatform\src\minithunderplatform\downloadenginemanager.cpp
80000055
\/:*?"<>|
d:\minitp\src\minithunderplatform\src\dl_common\common\utility.cpp
_XL_SetAlwaysSendReport@4
_XL_SetReportShowMode@4
_XL_SetBugReportRootDir@4
unknown SDParameterType: %d when SDParameter::encode_data
unknown SDParameterType: %d when SDParameter::decode_data
Kernel32.dll
Run-Time Check Failure #%d - %s
MSPDB71.DLL
PSAPI.DLL
IMAGEHLP.DLL
KERNEL32.DLL
RegCloseKey
RegOpenKeyExA
ADVAPI32.DLL
d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb
||80000360
VERSION.dll
RASAPI32.dll
KERNEL32.dll
USER32.dll
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCP71.dll
SHLWAPI.dll
MSVCR71.dll
_CRT_RTC_INIT
_wcmdln
_amsg_exit
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertGetNameStringW
CertFindCertificateInStore
CryptMsgGetParam
CRYPT32.dll
GetProcessHeap
id.dat
dl_peer_id.dll
dc.ini
download_engine.dll
MINITP\BugReport\
{C6B7F4D9-8D15-4a48-A722-B54C3D6FCE70}
_67960FC3-A819-4fca-B939-F2B110716584_
{16C9DF46-AAF4-485d-AABE-4FE09E17E524}
%s=%s
%hu%c%hu%c%hu%c%hu
http redirect loop for 5 times
http redirect url is invalid
http header is invalid
xml <item> no key
invalid rsa public key
invalid aes key
shell32.dll
\*.dll
XLBugReport.exe
XLBugHandler.dll
%sThumbs.db
Thumbs.db
%s*.*
3.2.1.42

ADSkip.exe_756:

.text
`.rdata
@.data
.rsrc
@.reloc
w%s( 
.FAy-
-5-5--678
-[\]^_-7
|$L.uV
.tD8E
%uU9t$Xu?
|$X.uHj
22222222
22222222222222222
|$H%uk
|$H%u'
|$H.uH
%ur9T$
<%u*j
|$H%u
|$L%u
|$T%u-9L$(V
|$D.uZ
~8.uq
~8.uG
<.tA<:uQ
j.Yf;
_tcPVj@
.PjRW
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
GetProcessWindowStation
MaxPolicyElementKey
pExecutionResource
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
BDMNetMon.sys
kisknl.sys
ksapi.sys
kisnetmxp.sys
{C27B22E3-B783-438a-9A89-FB540D1C83FF}
{23D0387D-2353-4DA0-B3F2-BA7F67359928}
{ADCA0512-6548-4D8B-A17C-DC8421EE3109}
{FC25C1A5-ADDF-45E3-A380-C9C1A032AB38}
{DB44A98E-BC3B-4308-810D-9A73D87F7FD1}
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
!!""##$$%%&&''(())**  ,,--..//00112233445566778899
CREATE TABLE sqlite_master(
sql text
3.10.0
CREATE TEMP TABLE sqlite_temp_master(
Shell32.dll
%d.%d.%d
6.0.6
Internet Explorer\iexplore.exe
%d.%d.%d.%d
PathFileExists err %d
pid = %d
DeleteFile %ws, err = %d
Could not open file (error %d)
Could not create file mapping object (%d).
Could not map view of file (%d).
SELECT * FROM WINDOWS_FILES WHERE PATH LIKE '%Local State'
Show ads on a webpage
Block an ad by its URL
blink.pzz
cafl.dat
hXXp://bbs.adskiper.com/showthread.php?tid=2
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict at line %d
%s-shm
%s%c%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Offset %d out of range %d..%d
Multiple uses for byte %u of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
unknown database %s
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
FOREIGN KEY constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
FOREIGN KEY
abort at %d in [%s]: %s
%s constraint failed: %s
%s constraint failed
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open table without rowid: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%s prohibited in %s
the "." operator
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
hex literal too big: %s
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
sqlite_stat3
sqlite_stat4
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_%
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
PRIMARY KEY missing on table %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
cannot create a TEMP index on non-TEMP table "%s"
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
expressions prohibited in PRIMARY KEY and UNIQUE constraints
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
%s.%s
%s.rowid
unable to identify the object to be reindexed
duplicate WITH table name: %s
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has no column named %s
table %S has %d columns but %d values were supplied
%d values for %d columns
sqlite3_extension_init
unable to open shared library [%s]
sqlite3_
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
defer_foreign_keys
foreign_key_check
foreign_key_list
foreign_keys
*** in database %s ***
NULL value in %s.%s
unsupported encoding: %s
malformed database schema (%s)
%z - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
column%d
%.*z:%u
recursive aggregate queries not supported
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
'%s' is not a function
multiple references to recursive table: %s
circular reference: %s
table %s has %d values for %d columns
multiple recursive references: %s
recursive reference in a subquery: %s
sqlite_sq_%p
too many references to "%s": max 65535
%s.%s.%s
no such table: %s
SCAN TABLE %s%s%s
expected %d columns for '%s' but got %d
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
DELETE FROM %Q.%s WHERE name=%Q AND type='trigger'
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor called recursively: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
ANY(%s)
SUBQUERY %d
TABLE %s
AS %s
PRIMARY KEY
COVERING INDEX %s
INDEX %s
USING INTEGER PRIMARY KEY (rowid%s?)
VIRTUAL TABLE INDEX %d:%s
too many arguments on %s() - max %d
automatic index on %s(%s)
table %s: xBestIndex returned an invalid plan
%s.xBestIndex() malfunction
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
no such table column: %s.%s
GetLexerCount
GetLexerName
GetLexerFactory
%c%c X X
JOIN
REPORT
Clarion Keywords
fold.at.else
0123456789
01234567
Primary keywords and identifiers
Secondary keywords and identifiers
Documentation comment keywords
Task marker and error marker keywords
styling.within.preprocessor
Set to 0 to disallow the '$' character in identifiers with the cpp lexer.
lexer.cpp.allow.dollars
lexer.cpp.track.preprocessor
lexer.cpp.update.preprocessor
lexer.cpp.verbatim.strings.allow.escapes
lexer.cpp.triplequoted.strings
lexer.cpp.hashquoted.strings
lexer.cpp.backquoted.strings
lexer.cpp.escape.sequence
fold.cpp.syntax.based
This option enables folding multi-line comments and explicit fold points when using the C   lexer. Explicit fold points allows adding extra folding by placing a //{ comment at the start and a //} at the end of a section that should fold.
fold.comment
Set this property to 0 to disable folding multi-line comments when fold.comment=1.
fold.cpp.comment.multiline
Set this property to 0 to disable folding explicit fold points when fold.comment=1.
fold.cpp.comment.explicit
fold.cpp.explicit.start
fold.cpp.explicit.end
fold.cpp.explicit.anywhere
This option enables folding preprocessor directives when using the C   lexer. Includes C#'s explicit #region and #endregion folding directives.
fold.preprocessor
fold.compact
([{=,:;!%^&*|?~ -
$@\&<>#{}[]
lexer.css.scss.language
lexer.css.less.language
lexer.css.hss.language
important
Operators
mssql
msgid
msgstr
msgctxt
ps.level
PS Level 1 operators
PS Level 2 operators
PS Level 3 operators
RIP-specific operators
User-defined operators
Keywords
tab.timmy.whinge.level
lexer.python.literals.binary
lexer.python.strings.u
lexer.python.strings.b
lexer.python.strings.over.newline
When enabled, it will not style keywords2 items that are used as a sub-identifier. Example: when set, will not highlight "foo.open" when "open" is a keywords2 item.
lexer.python.keywords2.no.sub.identifiers
This option enables folding multi-line quoted strings when using the Python lexer.
fold.quotes.python
import
cimport
TCL Keywords
TK Keywords
iTCL Keywords
Directive operands
lexer.asm.comment.delimiter
fold.asm.syntax.based
fold.asm.comment.multiline
This option enables folding explicit fold points when using the Asm lexer. Explicit fold points allows adding extra folding by placing a ;{ comment at the start and a ;} at the end of a section that should fold.
fold.asm.comment.explicit
fold.asm.explicit.start
fold.asm.explicit.end
fold.asm.explicit.anywhere
Reserved operators
Set to 0 to disallow the '#' character at the end of identifiers and literals with the haskell lexer (GHC -XMagicHash extension)
lexer.haskell.allow.hash
lexer.haskell.allow.quotes
Set to 1 to allow the '?' character at the start of identifiers with the haskell lexer (GHC & Hugs -XImplicitParams extension)
lexer.haskell.allow.questionmark
Set to 0 to disallow "safe" keyword in imports (GHC -XSafe, -XTrustworthy, -XUnsafe extensions)
lexer.haskell.import.safe
lexer.haskell.cpp
Set to 1 to enable folding of import declarations
fold.haskell.imports
()[]{}:=;-\/&%$! <>|^?,.*~@
fold.comment.nimrod
fold.quotes.nimrod
area base basefont br col command embed frame hr img input isindex keygen link meta param source track wbr
asp.default.language
fold.html
fold.html.preprocessor
fold.hypertext.comment
fold.hypertext.heredoc
html.tags.case.sensitive
lexer.xml.allow.scripts
lexer.html.mako
lexer.html.django
([{=,:;!%^&*|?~
.xXabcdefABCDEF
JavaScript keywords
VBScript keywords
Python keywords
PHP keywords
SGML and DTD keywords
%D \module
lexer.metapost.comment.process
lexer.metapost.interface.default
Set to 0 to disable folding Pod blocks when using the Perl lexer.
fold.perl.pod
Set to 0 to disable folding packages when using the Perl lexer.
fold.perl.package
fold.perl.comment.explicit
fold.perl.at.else
"$;<>&`' ,./\%:=~!?@[]
^&\()- =|{}[]:;>,?!.~
\[$@%&* ];
Language Keywords
lexer.caml.magic
!~=<>@^ -*/()[];,:.#
)]};,'"`#
!$%&* -./:<=>?@^|~
Keywords2
Keywords3
Sequence keywords and identifiers
User defined keywords and identifiers
SQL*Plus
User Keywords 1
User Keywords 2
User Keywords 3
User Keywords 4
This option enables SQL folding on a "ELSE" and "ELSIF" line of an IF statement.
fold.sql.at.else
fold.sql.only.begin
lexer.sql.backticks.identifier
If "lexer.sql.numbersign.comment" property is set to 0 a line beginning with '#' will not be a comment.
lexer.sql.numbersign.comment
Enables backslash as an escape character in SQL.
sql.backslash.escapes
Set to 1 to colourise recognized words with dots (recommended for Oracle PL/SQL objects).
lexer.sql.allow.dotted.word
This option enables folding multi-line comments when using the Verilog lexer.
This option enables folding preprocessor directives when using the Verilog lexer.
fold.verilog.flags
lexer.verilog.track.preprocessor
lexer.verilog.update.preprocessor
Set to 1 to style input, output, and inout ports differently from regular keywords.
lexer.verilog.portstyling
Set to 1 to style identifiers that are all uppercase as documentation keyword.
lexer.verilog.allupperkeywords
lexer.verilog.fold.preprocessor.else
join
join_any
join_none
| || |& & && ; ;; ( ) { }
^&%()- =|{}[]:;>,*/<?!.~@
Keywords 1
Keywords 2
Keywords 3 (unused)
Keywords 4 (unused)
ReservedKeywords
PragmaKeyswords
DoxygeneKeywords
Major Keywords
Procedure keywords
mysql
Cmdlets
-,.=:\@()
lexer.tex.comment.process
lexer.tex.auto.if
lexer.tex.use.keywords
lexer.tex.interface.default
Unsupported DMIS Minor Words
Unsupported DMIS Major Words
Corresponding keywords for code folding end
Keywords for code folding start
control keywords
keywords
string definition keywords
User defined keywords
Pascal keywords
Predefined keywords
Section keywords and Forth words
nnCrontab keywords
exports
lexer.pascal.smart.highlighting
#$&'()* ,-./:;<=>@[]^{}
operator
,. -*/:;<=>[]()%&
fold.at.Parenthese
fold.at.Begin
Keywords 6
Keywords 5
fold.d.syntax.based
Keywords 7
fold.d.comment.explicit
fold.d.comment.multiline
fold.d.explicit.end
fold.d.explicit.start
fold.d.explicit.anywhere
lexer.d.fold.at.else
nsis.ignorecase
nsis.uservars
PageExEnd
nsis.foldutilcmd
Keyword list 2
Keyword list 1
Keyword list 4
Keyword list 3
Minor keywords (if, then, try, ...)
Major keywords (class, predicates, ...)
Documentation keywords without the '@' (short, detail, ...)
Directive keywords without the '#' (include, requires, ...)
BlitzBasic Keywords
PureBasic PreProcessor Keywords
PureBasic Keywords
FreeBasic PreProcessor Keywords
FreeBasic Keywords
This option enables folding explicit fold points when using the Basic lexer. Explicit fold points allows adding extra folding by placing a ;{ (BB/PB) or '{ (FB) comment at the start and a ;} (BB/PB) or '} (FB) at the end of a section that should be folded.
fold.basic.syntax.based
fold.basic.comment.explicit
fold.basic.explicit.start
fold.basic.explicit.anywhere
fold.basic.explicit.end
B Keywords
A Keywords
Extended Keywords
lexer.flagship.styling.within.preprocessor
.and.
.not.
Keywords Commands
Doxygen keywords
Other keywords
fold.rust.syntax.based
Keywords 4
fold.rust.comment.explicit
fold.rust.comment.multiline
fold.rust.explicit.end
fold.rust.explicit.start
fold.rust.explicit.anywhere
lexer.rust.fold.at.else
function_keywords
.java:
lexer.errorlist.value.separate
lexer.errorlist.escape.sequences
Operation Codes
!?~=<>@^|& -*/$%()[]{};,:.#
)]};,'"#
Secondary keywords
fold.coffeescript.comment
User keywords
escript.case.sensitive
Functions and special operators
fold.directive
#autoit keywords
#autoit Sent keys
*/- ()={}~[];<>,.^%:#
lexer.props.allow.initial.spaces
%[^.<>|&=\/]
23456789*#$
tcmd
fold.comment.yaml
PASSED
TADS3 Keywords
%^&*()- ={}[]:;<>,/?!.~|\
Keywords and reserved words
Literal operators
[*!~ -*/$=<>&^|
_~*$?!@/\;,.=:<>"&`' 
E:\4.0
\trunk\ADSafe4.0_new\OutPutFile\Release\ADSafe.pdb
ADSafe.exe
KERNEL32.dll
ExitWindowsEx
GetKeyState
USER32.dll
GDI32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
PSAPI.DLL
gdiplus.dll
?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@MAEJI@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
DuiLib.dll
RPCRT4.dll
WTSAPI32.dll
VERSION.dll
FindFirstUrlCacheEntryW
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindCloseUrlCache
WININET.dll
IMM32.dll
GetCPInfo
GetKeyboardLayout
MsgWaitForMultipleObjects
zcÁ
1.0.523.2104
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AV?$_Func_impl@U?$_Callable_obj@V<lambda_2b48767422eb99cd950a480d33b6b107>@@$0A@@std@@V?$allocator@V?$_Func_class@XW4MsgBoxRet@@@std@@@2@XW4MsgBoxRet@@@std@@
.?AV?$_Func_base@XW4MsgBoxRet@@@std@@
.?AVCMsgBox@@
.?AVCMsgDelayHandle@@
.?AVinvalid_operation@Concurrency@@
.?AURegexError@@
.?AVDocumentIndexer@?A0x6a166ef8@@
.?AVCharacterIndexer@@
.?AVExternalLexerModule@@
.?AVLexerModule@@
.?AVILexerWithSubStyles@@
.?AVLexerCPP@@
.?AUOptionSetCPP@?A0x8efaeb54@@
.?AVILexer@@
.?AVLexerPython@@
.?AVLexerAsm@@
.?AVLexerHaskell@@
.?AVLexerPerl@@
.?AUOptionSetSQL@@
.?AVLexerSQL@@
.?AV?$OptionSet@UOptionsSQL@@@@
.?AVLexerVerilog@@
.?AVLexerRegistry@@
.?AVLexerDMIS@@
.?AVLexerD@@
.?AVLexerVisualProlog@@
.?AVLexerBasic@@
.?AVLexerRust@@
.?AVLexerLaTeX@@
.?AVLexerBase@@
.?AVLexerSimple@@
about.png}RY
about_back.png
add_rules_top.png
bkimage.png
w.xb?
bottom_layout.png
btn_add.png
btn_add_filter.png}T
%5xDf
btn_cancel.png}V{XRw
btn_cancle.png}S[h
btn_close.png}R{
btn_filterlist_add.pngM
btn_filter_cancel.png}Tk8
btn_filter_update.png}R
btn_main.png}R
btn_send.png
btn_submit.png}T{<
btn_update_code.png}R
btn_version_click.png
btn_version_normal.png
checkbox.png}R
code_enter.png
customize.png
DlgAbout.xml
DlgAddRules.xml
DlgFilterAdd.xml
DlgMsgBox_Skip.xml
dlgset_btn.png
DlgSkip.xml
DlgUpdate_Skip.xml
email.png
Filterlists.png}R
filter_inner_bck.png
filter_top.png
filter_type.png}V{8
font.xml
green_filter_type.png
headtext_customize.png
h.xO7
headtext_filters.png
headtext_settings.png
hint.png
input.png
layout_bk_left.png
:(%s~
<.uDn
t,R!G.cH
list_arrow.png
list_CustomRule.xml
list_custom_close.png}S[H
list_custom_line.png
list_delete.png}Rw
tI3%U
list_filter.xmlm
list_rulekind.xml
logo.png
main_left_logo.png
main_left_opt_selected.png
main_line.png
menu/bk_top.png
Ð*m52
menu/check.png}VgXSg
menu/help.png}TwXSw
menu/open.png}Vy8
menu/quit.png}Ty8TQ
menu_adskip_tray.xml
Çzc
message_box.png
opt.png
opt_ok.png
progressb.png
progressf.png
refresh.png
scrollbar/scrollbar.xml
scrollbar/scrollbar_bk.png
scrollbar/scrollbar_thumb.png
select_line.png
Settings.png
subject_hot.png
subject_normal.png
Support.png}R
tab_customize.xml
tab_filterlist.xml
tab_settings.xml
tab_support.xml
text_filter_type.png}S}<
title_customize.png
a9Ù
4;9%dm
nI%D <
title_filterlist.png
title_settings.png
DHN%U
UN%Ufr
Ss7wEb~_
L%Ud[d
a;9L2
Tm.jR
title_support.png
top.png
top_about.png
%uI4Z
triangle.png}SMh
update_complete.png
update_failed.png
verification_code.png
white_filter_type.png}TwTSw
about.png
btn_add_filter.png
btn_cancel.png
btn_cancle.png
btn_close.png
btn_filterlist_add.png
btn_filter_cancel.png
btn_filter_update.png
btn_main.png
btn_submit.png
btn_update_code.png
checkbox.png
Filterlists.png
filter_type.png
list_custom_close.png
list_delete.png
list_filter.xml
menu/check.png
menu/help.png
menu/open.png
menu/quit.png
Support.png
text_filter_type.png
triangle.png
white_filter_type.png
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></application></compatibility></assembly>
7%7S7
7#7*71787?7^7
6h6D6U6a6r6~6
<(<-<:<@<
<$<(<,<0<4<8<
=&>0>)?3?
3'41464?4
1(2,20242
5#5*5/5=5^5
:!:&:4:=:
:$:):7:@:
9 9$9(9,9
1 1$1(1,1014181<1
45
0 0$0(0,0
949'>2>:>
= =$=(=,=
.04080<0@0
0"1/181\1
? ?$?(?,?0?4?8?
1$1(1,10173
1$1=1`1}1
1 1$1(1,101
:$;(;,;0;4;8;<;|<
8 8$8(8,80848
7 7$7(7,7074787
4 4$4(4,4
> >$>(>,>0>4>8>
3 3$3(3,3@3`3
> >@>\>`>
3$3,343<3
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
advapi32.dll
portuguese-brazilian
USER32.DLL
nWebPageADCount
iWebPageADTime
YssShare
HeapSetInformation Fail ERR=(%d)
%u:0xx
g:0xx
Private_%u_
CShareObject init osver=%d %d
%sMAP_%s
CreateFileMapping %s Fail err=%d...
initWin7 %s obj=%s Ok
%sMUTEX_%s
CreateMutex %s Fail...
initWin7 obj=%s ok
Advapi32.dll
kernel32.dll
askProtect64.sys
askProtect.sys
\\.\askProtect
adb.exe
askComm.dll
The Key Components of ADSKIP Updated Successfully. Please Restart your PC.
askUpdate.dll
{904D6AEE-646A-44E6-ABCE-6BAC8CEA45A2}
Global\%s
Key files missing, please reinstall Adskip!
action.txt
00050000
00020127
ADSkipSvc.exe
%s\%s\
0explorer.exe
%s\%s
http\shell\open\command
oWin81_%d
Win2012_%d
Win8_%d
Win10_%d
Win7_%d
Win2008_%d
WinVista_%d
Win2003_%d
WinXP_%d
Win2000_%d
ADSkip.exe
Baidu\BaiduBrowser\user_data\default\chrome_profile\Cache
Google\Chrome\User Data\Default\Cache
Temp\Maxthon3Cache\Temp\Webkit\Cache
Tencent\QQBrowser\ChromeTab\User Data\Default\Cache
SogouExplorer\Webkit\Default\Cache
Opera Software\Opera Stable\Cache
360Chrome\Chrome\User Data\Default\Cache
115Chrome\User Data\Default\Cache
2345explorer.exe
360se.exe
360chrome.exe
ucbrowser.exe
baidubrowser.exe
chrome.exe
firefox.exe
sogouexplorer.exe
qqbrowser.exe
maxthon.exe
liebao.exe
opera.exe
theworld.exe
115chrome.exe
taobrowser.exe
YDlgAbout.xml
AhXXp://VVV.adskiper.com/license.html#license
bbs.adskiper.com
VVV.adskiper.com
@DlgAddRules.xml
\CustomRule.txt
@DlgBackUpWait.xml
2345Explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Application Data\360Chrome\Chrome\User Data\Default\CacheIE
UCBrowser.exe
\Baidu\BaiduBrowser\user_data\default\settings\user_setting.db
\Mozilla\Firefox\Profiles
*.default*
SogouExplorer.exe
\SogouExplorer\commcfg.xml
Opera
TheWorld.exe
115Chrome.exe
yyexplorer.exe
\YYExplorer\User Data\resource.db
Software\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
pd.user_setting_cache_dir
BCMsgBox
DlgMsgBox
Last updated at %s
opt_support
hXXps://
hXXp://
00020129
%s%d%s
hack.ini
%H:%M:%S %m/%d/%Y
szReport_log
[email protected]
@5FA7598D-51CD-4B56-84CB-7A996C28CE51.png
Xblue\optimize_center.png
blue\optimize_outside.png
msimg32.dll
file='right.png' dest='364,2,376,14'
file='right.png' dest='368,16,381,29'
file='right.png' dest='372,26,387,42'
file='right.png' dest='380,40,397,57'
Cblue/Windmill_leaf.png
CCrashHandler.dll
askMisc.dll
askWfd.dll
askMain.dll
askRules.dll
user32.dll
Shlwapi.dll
Id:%d
shell32.dll
sShell_TrayWnd
VisualStudioEditorOperationsLineCutCopyClipboardTag
rcomctl32.dll
LD2D1.DLL
DWRITE.DLL
Nmshjdic.hanjadic
%Program Files%\ADSKIP\ADSkip.exe
bfile='right.png' dest='364,2,376,14'
bfile='right.png' dest='368,16,381,29'
bfile='right.png' dest='372,26,387,42'
bfile='right.png' dest='380,40,397,57'

ADSkipSvc.exe_2396:

.text
`.rdata
@.data
.rsrc
@.reloc
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
GetProcessWindowStation
operator
E:\4.0
\trunk\ADSafe4.0_new\OutPutFile\Release\ADSafeSvc.pdb
GetProcessHeap
KERNEL32.dll
ReportEventW
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WTSAPI32.dll
USERENV.dll
Secur32.dll
GetCPInfo
zcÁ
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
9 9$9(9,90949~9
6%6S6f6
3 3-363/4
0 0$0(0,000
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
explorer.exe
nkernel32.dll
%s failed with %d
{DB44A98E-BC3B-4308-810D-9A73D87F7FD1}
Global\ADSafe%s%s
winlogon.exe
%s\%s
"%s" %s
ADSafe.exe
{904D6AEE-646A-44E6-ABCE-6BAC8CEA45A2}
Global\%s
ADSkip.exe
%Program Files%\ADSKIP\ADSkipSvc.exe
1.0.511.2101

UCService.exe_3608:

.text
`.rdata
@.data
.rsrc
@.reloc
9passZ
PSSSSSSh
SSSSh
j.Xf9
8j.Xf;
j.Yf;
_tcPVj@
.PjRW
stats-url
os=%d.%d.%d(sp%d.%d)
5.6.13381.9
module_code=%d.%d&error_code=%d&customized_data=%s
bluesky.1.19.1.1.6
hXXps://mmstat.ucweb.com/bluesky.
>4%8$81#
'';>46#>89
<>90$81#
{]wwwwwwu2!6;"6#>89umwu6;#2%u{]wwwwwwu#6#umwu
$$84>6#>89$
iu{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
02#!6;u{]wwwwwwu2!6;"6#>89umwu6;#2%u{]wwwwwwu#6#umwu
u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
u{]wwwwwwu64#8%umwuu]wwww*]ww
5%8 $2%umw
4u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwu}
edcb2/';8%2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
;>2568y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
56>3"5%8 $2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
$808"2/';8%2%y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
dag$2y2/2}u{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
dag4?%8:2y2/2}u{]wwwwwwu64#8%umwuu]wwww*]ww
{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur
ru{]wwwwwwu64#8%umwuu]wwww*{]wwww,]wwwwwwu64#>89umwu
#%"946#2u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur
ru{]wwwwwwu64#8%umwuu{]wwwwwwu8'#>89$umw,]wwwwwwwwu'%8:'#
%2:8!2u{]wwwwwwu2!6;"6#>89umwu&"2%.u{]wwwwwwu#6#umwur
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_durex_default_browser_pretender.cc
https
explorer.exe
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_force_default_browser_enabler.cc
libucguard.dll
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_huorong_api_wrapper.cc
ucsvc_config.dat
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_persistent_store.cc
Loading config. msg:
guarder_option.policy_version
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_proxy_delegate.cc
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\durex\wow_security_driver_controller.cc
REG_openkey
REG_mkkey
REG_rmkey
REG_mvkey
REG_rstrkey
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\public\wow_launch_process_with_token.cc
check-product-exe-interval
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_elevated_process_delegate.cc
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_nt_service.cc
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_nt_service_impl.cc
Current process is windows service.
Cannot create CommandExecutionDelegate.
&cmd=
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_process_restrictions.cc
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_proxy_process_delegate.cc
Global\UCSvc.{1BF734CB-9BDA-4074-A109-3B2A6707B336}
Global\DHCPServer.{1BF734CB-9BDA-4074-A109-3B2A6707B336}
d:\webapps\b\build\slave\repo\build\src\wow\tools\service\wow_service_process_delegate.cc
Failed to reply message. execution result:
Failed to get the dir of current exe.
0123456789
0123456789:
d:\webapps\b\build\slave\repo\build\src\wow\base\stats\wow_stats_helper.cc
1.19.1.2.1_SysEvent
1.19.1.3.1_SysEvent
1.19.1.3.2_SysEvent
4.1.4.1.6_SysEvent
10.1.1.1.1_SysEvent
d:\webapps\b\build\slave\repo\build\src\wow\base\wow_shared_memory_ipc_channel.cc
.read
.write
d:\webapps\b\build\slave\repo\build\src\wow\base\win\wow_priviledge_utils.cc
d:\webapps\b\build\slave\repo\build\src\wow\base\win\wow_machine_info_utils_win.cc
wow wow_base::MachineInfoUtils::GetCPUBrand
\\.\PhysicalDrive%d
\\.\Scsi%d:
Drive%dModelNumber
Drive%dSerialNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerBufferSize
Drive%dType
windowsZones
?#%X.y
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
icudtl.dat is not exists!
d:\webapps\b\build\slave\repo\build\src\base\files\memory_mapped_file.cc
icudtl.dat exists, but Initialize failed.
ICU.Initialize
MsgLoop:
d:\webapps\b\build\slave\repo\build\src\base\win\shortcut.cc
PlatformFile.UnknownErrors.Windows
\uX
Line: %i, column: %i, %s
d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc
tracing/thread_%d
[0;3%dm
Chrome.MessageLoopProblem
KeyDown
Chrome_WidgetWin
Chrome_RenderWidgetHostHWND
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
Histogram: %s recorded %d samples
(flags = 0x%x)
disabled-by-default-toplevel.flow
(%d = %3.1f%%)
WorkerThread-%d
.syzygy
.thunks
"%d":
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc
renderer.scheduler
disabled-by-default-cc.debug.picture
disabled-by-default-cc.debug
d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc
%s/%s
d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc
%d:%s
D:\webapps\b\build\slave\repo\build\src\out\Release\UCService.exe.pdb
UCService.exe
USERENV.dll
WINTRUST.dll
WTSAPI32.dll
InternetOpenUrlW
WININET.dll
VERSION.dll
PSAPI.DLL
WINMM.dll
SHLWAPI.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
WaitNamedPipeW
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHeap
KERNEL32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
EnumDesktopWindows
OpenWindowStationA
EnumWindowStationsA
CloseWindowStation
MsgWaitForMultipleObjectsEx
CallMsgFilterW
USER32.dll
NETAPI32.dll
GetCPInfo
zcÁ
&ka=&kb=d2713585a62dd2677f88d0fff85b3fe7&kc=c0ed19538daa6d6db815ffd0b1233981v000000253f20c75&firstpid=0501&bid=800&ver=5.6.13381.9
%Program Files%\UCBrowser\Application\UCService.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
<0<4<8<<<
;";';.;~;
<!< <0<8<
< <$<(<,<
2 262@2
2.34383<3@3
%0U0r0
333D3J3P3W3f3
0 0$0(0,0004080<0@0
3 3$3(3,303
*2.22262
2 2$2(2,2024282034383<3@3
7 7$7(7,7
stats_uploader.exe
.ProgId
UCBrowser.exe
.Hash
\https\
\http\
%s%s%s%s
@EXEC_create
bqqurlmgr.exe
qq.exe
services.exe
UC_BROWSER_EXE
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
new_UCService.exe
old_UCService.exe
UCAgent.exe
Aucsvc.log
resources.pak
chrome_100_percent.pak
chrome_200_percent.pak
hXXp://testenv.ucbrowser-dWNicm93c2Vy.local
molt.log
setup.exe
.\\.\X:
000000000003
Fmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
kernel32.dll
Ndebug.log
ntdll.dll
icudtl.dat
\StringFileInfo\xx\%ls
shell32.dll
BChrome_MessagePumpWindow_%p
ASOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Advapi32.dll
UCWeb Inc.
1.0.0.0
Copyright 2008-2014 UCWeb Inc. All rights reserved.

UCBrowser.exe_328:

.text
`.rdata
@.data
@.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc
d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded from
Could not find exported function
MetricsReportingEnabled
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
%s-%x
CHROME_MAIN_TICKS
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
Cannot initialize AppCommands from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc
kernel32.dll
d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
CHROME_VERSION
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
CHROME_BREAKPAD_PIPE_NAME
d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc
stats-url-exit
stats-url-browser-hang
stats-url
\UCBrowser\User Data\chrome_debug.log
origin breakpad::SetCrashKeyValueImpl
NTDLL.DLL
dbghelp.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?#%X.y
GetProcessWindowStation
operator
@-@-@-@-
@-@-@-@-@-@-@-@-
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc
tracing/thread_%d
[0;3%dm
d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc
%s-%Iu
(%d = %3.1f%%)
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
WorkerThread-%d
.thunks
.syzygy
d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc
"%d":
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc
renderer.scheduler
disabled-by-default-cc.debug.picture
disabled-by-default-cc.debug
disabled-by-default-toplevel.flow
d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc
%s/%s
MsgLoop:
\uX
d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc
%d:%s
Chrome.MessageLoopProblem
KeyDown
Chrome_WidgetWin
Chrome_RenderWidgetHostHWND
full-memory-crash-report
D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb
chrome.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
chrome_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjectsEx
CallMsgFilterW
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
UUVQcrtw
r%s @
nq.af
444444444444
474747474747
777777777777
777//6()/777
.mmm,Y
0000000000000000000
11<161611>
z.sa;
.gaB|s
D[%1x
>Eu
.vXZZ
.lecIS
?(.Ul
.WbqfL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="5.6.13381.9" version="5.6.13381.9" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8 8'868=8
1*11181`2
>$?=?]?}?
?%?0?9?@?
>(>2>9>~>
=">(>,>0>4>
5!5%5)5-51555
7,858@8{8
9 9(90989@9
5 5$5(5,5054585<5@5
: :$:(:,:0:4:
config_updater.dll
updater.dll
chrome_watcher.dll
chrome.dll
chrome_child.dll
UCBrowser.exe
metro_driver.dll
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
Software\Microsoft\Windows\CurrentVersion\Uninstall\
-chrome
-chromeframe
WebAccessible
E{65122CB0-EA0F-47DF-A953-017170ED12F9}
WebKit
Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ekernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
Fkernel32.dll
gdi32.dll
xntdll.dll
wow_helper.exe"
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
\\.\pipe\GoogleCrashServices\
\\.\pipe\UCBrowserCrashServices
error %u
%d.%d.%d.%d
unspecified-crash-key
stats_uploader.exe
Gmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
mshtml.dll
\uninstall.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
Ndebug.log
BCmdLine
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Ntdll.dll
Advapi32.dll
shell32.dll
DChrome_MessagePumpWindow_%p
Chrome Frame
{49AE23F3-CF25-4041-9387-DC9D1B578555}
{EE1C56C8-D145-437E-A83F-74406D742719}
%Program Files%\UCBrowser\Application\UCBrowser.exe
UCWeb Inc.
5.6.13381.9
chrome_exe
Copyright 2008-2016 UCWeb Inc. All rights reserved.

UCBrowser.exe_2132:

.text
`.rdata
@.data
@.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc
d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded from
Could not find exported function
MetricsReportingEnabled
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
%s-%x
CHROME_MAIN_TICKS
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
Cannot initialize AppCommands from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc
kernel32.dll
d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
CHROME_VERSION
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
CHROME_BREAKPAD_PIPE_NAME
d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc
stats-url-exit
stats-url-browser-hang
stats-url
\UCBrowser\User Data\chrome_debug.log
origin breakpad::SetCrashKeyValueImpl
NTDLL.DLL
dbghelp.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?#%X.y
GetProcessWindowStation
operator
@-@-@-@-
@-@-@-@-@-@-@-@-
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc
tracing/thread_%d
[0;3%dm
d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc
%s-%Iu
(%d = %3.1f%%)
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
WorkerThread-%d
.thunks
.syzygy
d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc
"%d":
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc
renderer.scheduler
disabled-by-default-cc.debug.picture
disabled-by-default-cc.debug
disabled-by-default-toplevel.flow
d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc
%s/%s
MsgLoop:
\uX
d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc
%d:%s
Chrome.MessageLoopProblem
KeyDown
Chrome_WidgetWin
Chrome_RenderWidgetHostHWND
full-memory-crash-report
D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb
chrome.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
chrome_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjectsEx
CallMsgFilterW
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
UUVQcrtw
r%s @
nq.af
444444444444
474747474747
777777777777
777//6()/777
.mmm,Y
0000000000000000000
11<161611>
z.sa;
.gaB|s
D[%1x
>Eu
.vXZZ
.lecIS
?(.Ul
.WbqfL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="5.6.13381.9" version="5.6.13381.9" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8 8'868=8
1*11181`2
>$?=?]?}?
?%?0?9?@?
>(>2>9>~>
=">(>,>0>4>
5!5%5)5-51555
7,858@8{8
9 9(90989@9
5 5$5(5,5054585<5@5
: :$:(:,:0:4:
config_updater.dll
updater.dll
chrome_watcher.dll
chrome.dll
chrome_child.dll
UCBrowser.exe
metro_driver.dll
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
Software\Microsoft\Windows\CurrentVersion\Uninstall\
-chrome
-chromeframe
WebAccessible
E{65122CB0-EA0F-47DF-A953-017170ED12F9}
WebKit
Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ekernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
Fkernel32.dll
gdi32.dll
xntdll.dll
wow_helper.exe"
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
\\.\pipe\GoogleCrashServices\
\\.\pipe\UCBrowserCrashServices
error %u
%d.%d.%d.%d
unspecified-crash-key
stats_uploader.exe
Gmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
mshtml.dll
\uninstall.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
Ndebug.log
BCmdLine
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Ntdll.dll
Advapi32.dll
shell32.dll
DChrome_MessagePumpWindow_%p
Chrome Frame
{49AE23F3-CF25-4041-9387-DC9D1B578555}
{EE1C56C8-D145-437E-A83F-74406D742719}
%Program Files%\UCBrowser\Application\UCBrowser.exe
UCWeb Inc.
5.6.13381.9
chrome_exe
Copyright 2008-2016 UCWeb Inc. All rights reserved.

UCBrowser.exe_2680:

.text
`.rdata
@.data
@.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc
d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded from
Could not find exported function
MetricsReportingEnabled
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
%s-%x
CHROME_MAIN_TICKS
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
Cannot initialize AppCommands from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc
kernel32.dll
d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
CHROME_VERSION
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
CHROME_BREAKPAD_PIPE_NAME
d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc
stats-url-exit
stats-url-browser-hang
stats-url
\UCBrowser\User Data\chrome_debug.log
origin breakpad::SetCrashKeyValueImpl
NTDLL.DLL
dbghelp.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?#%X.y
GetProcessWindowStation
operator
@-@-@-@-
@-@-@-@-@-@-@-@-
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc
tracing/thread_%d
[0;3%dm
d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc
%s-%Iu
(%d = %3.1f%%)
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
WorkerThread-%d
.thunks
.syzygy
d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc
"%d":
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc
renderer.scheduler
disabled-by-default-cc.debug.picture
disabled-by-default-cc.debug
disabled-by-default-toplevel.flow
d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc
%s/%s
MsgLoop:
\uX
d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc
%d:%s
Chrome.MessageLoopProblem
KeyDown
Chrome_WidgetWin
Chrome_RenderWidgetHostHWND
full-memory-crash-report
D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb
chrome.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
chrome_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjectsEx
CallMsgFilterW
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
UUVQcrtw
r%s @
nq.af
444444444444
474747474747
777777777777
777//6()/777
.mmm,Y
0000000000000000000
11<161611>
z.sa;
.gaB|s
D[%1x
>Eu
.vXZZ
.lecIS
?(.Ul
.WbqfL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="5.6.13381.9" version="5.6.13381.9" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8 8'868=8
1*11181`2
>$?=?]?}?
?%?0?9?@?
>(>2>9>~>
=">(>,>0>4>
5!5%5)5-51555
7,858@8{8
9 9(90989@9
5 5$5(5,5054585<5@5
: :$:(:,:0:4:
config_updater.dll
updater.dll
chrome_watcher.dll
chrome.dll
chrome_child.dll
UCBrowser.exe
metro_driver.dll
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
Software\Microsoft\Windows\CurrentVersion\Uninstall\
-chrome
-chromeframe
WebAccessible
E{65122CB0-EA0F-47DF-A953-017170ED12F9}
WebKit
Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ekernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
Fkernel32.dll
gdi32.dll
xntdll.dll
wow_helper.exe"
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
\\.\pipe\GoogleCrashServices\
\\.\pipe\UCBrowserCrashServices
error %u
%d.%d.%d.%d
unspecified-crash-key
stats_uploader.exe
Gmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
mshtml.dll
\uninstall.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
Ndebug.log
BCmdLine
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Ntdll.dll
Advapi32.dll
shell32.dll
DChrome_MessagePumpWindow_%p
Chrome Frame
{49AE23F3-CF25-4041-9387-DC9D1B578555}
{EE1C56C8-D145-437E-A83F-74406D742719}
%Program Files%\UCBrowser\Application\UCBrowser.exe
UCWeb Inc.
5.6.13381.9
chrome_exe
Copyright 2008-2016 UCWeb Inc. All rights reserved.

UCBrowser.exe_3468:

.text
`.rdata
@.data
@.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
d:\webapps\b\build\slave\repo\build\src\chrome\app\chrome_exe_main_win.cc
d:\webapps\b\build\slave\repo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded from
Could not find exported function
MetricsReportingEnabled
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
%s-%x
CHROME_MAIN_TICKS
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
Cannot initialize AppCommands from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
d:\webapps\b\build\slave\repo\build\src\chrome\installer\util\app_command.cc
kernel32.dll
d:\webapps\b\build\slave\repo\build\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
CHROME_VERSION
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
CHROME_BREAKPAD_PIPE_NAME
d:\webapps\b\build\slave\repo\build\src\components\crash\content\app\breakpad_win.cc
stats-url-exit
stats-url-browser-hang
stats-url
\UCBrowser\User Data\chrome_debug.log
origin breakpad::SetCrashKeyValueImpl
NTDLL.DLL
dbghelp.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
?#%X.y
GetProcessWindowStation
operator
@-@-@-@-
@-@-@-@-@-@-@-@-
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_log.cc
tracing/thread_%d
[0;3%dm
d:\webapps\b\build\slave\repo\build\src\base\process\process_win.cc
%s-%Iu
(%d = %3.1f%%)
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
WorkerThread-%d
.thunks
.syzygy
d:\webapps\b\build\slave\repo\build\src\base\threading\thread_local_win.cc
"%d":
d:\webapps\b\build\slave\repo\build\src\base\trace_event\trace_buffer.cc
renderer.scheduler
disabled-by-default-cc.debug.picture
disabled-by-default-cc.debug
disabled-by-default-toplevel.flow
d:\webapps\b\build\slave\repo\build\src\base\trace_event\memory_dump_manager.cc
%s/%s
MsgLoop:
\uX
d:\webapps\b\build\slave\repo\build\src\base\threading\thread.cc
%d:%s
Chrome.MessageLoopProblem
KeyDown
Chrome_WidgetWin
Chrome_RenderWidgetHostHWND
full-memory-crash-report
D:\webapps\b\build\slave\repo\build\src\out\Release\initialexe\chrome.exe.pdb
chrome.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
chrome_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjectsEx
CallMsgFilterW
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
UUVQcrtw
r%s @
nq.af
444444444444
474747474747
777777777777
777//6()/777
.mmm,Y
0000000000000000000
11<161611>
z.sa;
.gaB|s
D[%1x
>Eu
.vXZZ
.lecIS
?(.Ul
.WbqfL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="5.6.13381.9" version="5.6.13381.9" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8 8'868=8
1*11181`2
>$?=?]?}?
?%?0?9?@?
>(>2>9>~>
=">(>,>0>4>
5!5%5)5-51555
7,858@8{8
9 9(90989@9
5 5$5(5,5054585<5@5
: :$:(:,:0:4:
config_updater.dll
updater.dll
chrome_watcher.dll
chrome.dll
chrome_child.dll
UCBrowser.exe
metro_driver.dll
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
Software\Microsoft\Windows\CurrentVersion\Uninstall\
-chrome
-chromeframe
WebAccessible
E{65122CB0-EA0F-47DF-A953-017170ED12F9}
WebKit
Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ekernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
Fkernel32.dll
gdi32.dll
xntdll.dll
wow_helper.exe"
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
\\.\pipe\GoogleCrashServices\
\\.\pipe\UCBrowserCrashServices
error %u
%d.%d.%d.%d
unspecified-crash-key
stats_uploader.exe
Gmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
mshtml.dll
\uninstall.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuorongSysdiag
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
Ndebug.log
BCmdLine
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Ntdll.dll
Advapi32.dll
shell32.dll
DChrome_MessagePumpWindow_%p
Chrome Frame
{49AE23F3-CF25-4041-9387-DC9D1B578555}
{EE1C56C8-D145-437E-A83F-74406D742719}
%Program Files%\UCBrowser\Application\UCBrowser.exe
UCWeb Inc.
5.6.13381.9
chrome_exe
Copyright 2008-2016 UCWeb Inc. All rights reserved.

UCBrowser.exe_2680_rwx_0730A000_000F5000:

jJh%u


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    sc.exe:2312
    sc.exe:2216
    Browser_V5.6.13381.9_r_4681_(Build1606081220).exe:2156
    stats_uploader.exe:2212
    stats_uploader.exe:3848
    UCBrowser.exe:2756
    ADSkip.v1.0.523.2104_Silent.exe:1748
    %original file name%.exe:224
    UCService.exe:3608
    UCService.exe:2804
    UCService.exe:3820
    netsh.exe:2488
    netsh.exe:2588
    netsh.exe:320
    netsh.exe:476
    netsh.exe:2660
    netsh.exe:2508
    ADSkip.exe:756
    ADSkipSvc.exe:2396
    ADSkipSvc.exe:1152
    setup.exe:2840
    MiniTPFw.exe:1012

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_19268\stats_uploader.exe (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\setup.exe (17426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir2156_10848\wow_installer.prefs (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\SETUP.EX_ (1709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_E4C92.tmp\CHROME.PACKED.7Z (359691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\Default\Preferences (2 bytes)
    %Program Files%\UCBrowser\Application\Share\unconfirmed_config (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\UCBrowser\User Data\1.tmp (837 bytes)
    %System%\drivers\blNetFilter.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win7\blNetFilter.sys (1856 bytes)
    %Program Files%\ADSKIP\askRules.dll (3361 bytes)
    %Program Files%\ADSKIP\CustomRule.txt (2 bytes)
    %Program Files%\ADSKIP\res\400.dat (24 bytes)
    %Program Files%\ADSKIP\dbghelp.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8\blNetFilter.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\uninst.exe (32824 bytes)
    %Program Files%\ADSKIP\driver\Win32\Win7\blNetFilter.sys (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect.sys (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\BugReport.exe (5520 bytes)
    %Program Files%\ADSKIP\askComm.dll (8657 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\Uninstall AdSkip.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5983 (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5982 (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5981 (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5980 (8560 bytes)
    %Program Files%\ADSKIP\driver\Win32\Win8\blNetFilter.sys (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askComm.dll (38103 bytes)
    %Program Files%\ADSKIP\askProtect64.sys (1281 bytes)
    %System%\drivers\askProtect.sys (1281 bytes)
    %Program Files%\ADSKIP\CheckSum.dat (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\Install.xml (2 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5981 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askWfd.dll (12088 bytes)
    %Program Files%\ADSKIP\driver\x64\Win8\blNetFilter.sys (54 bytes)
    %Program Files%\ADSKIP\askProtect.sys (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\400.dat (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\2001 (7 bytes)
    %Program Files%\ADSKIP\BugReport.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\dbghelp.dll (34773 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5980 (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5983 (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5982 (673 bytes)
    %Program Files%\ADSKIP\res\000.dat (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkipSvc.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\1012.dat (16424 bytes)
    %Program Files%\ADSKIP\res\0002.dat (4 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\2001 (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\101.dat (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CheckSum.dat (64 bytes)
    %Program Files%\ADSKIP\zlib1.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOptionEN.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\000.dat (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51004 (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0003.dat (280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51000 (20624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\zlib1.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51002 (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51003 (15536 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\AdSkip\AdSkip.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\se1.dat (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOptionEN.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askUpdate.dll (32128 bytes)
    %Program Files%\ADSKIP\ADSkip.exe (19686 bytes)
    %Program Files%\ADSKIP\res\09999_EN.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\ADSkip.exe (86996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askProtect64.sys (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\WinXP\blNetFilter.sys (3616 bytes)
    %Documents and Settings%\%current user%\Desktop\AdSkip.lnk (1 bytes)
    %Program Files%\ADSKIP\res\300.dat (1281 bytes)
    %Program Files%\ADSKIP\CrashHandler.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMain.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\300.dat (8560 bytes)
    %Program Files%\ADSKIP\DuiLib.dll (5441 bytes)
    %Program Files%\ADSKIP\res\1012.dat (3073 bytes)
    %Program Files%\ADSKIP\ADSkipSvc.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\DuiLib.dll (25112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\09999_EN.dat (4 bytes)
    %Program Files%\ADSKIP\uninst.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win7\blNetFilter.sys (1552 bytes)
    %Program Files%\ADSKIP\driver\Win32\WinXP\blNetFilter.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\51001 (15168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\x64\Win8.1\blNetFilter.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CrashHandler.dll (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8.1\blNetFilter.sys (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSafe4.zip (69133 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5992 (673 bytes)
    %Program Files%\ADSKIP\uninstall.xml (3 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5991 (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askRules.dll (19096 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5994 (673 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\5995 (673 bytes)
    %Program Files%\ADSKIP\askMain.dll (1425 bytes)
    %Program Files%\ADSKIP\driver\Win32\Win8.1\blNetFilter.sys (45 bytes)
    %Program Files%\ADSKIP\res\09999.dat (4 bytes)
    %System%\drivers\tcpip.sys (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnRuleOption.dat (4 bytes)
    %Program Files%\ADSKIP\askWfd.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5994 (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5995 (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5991 (15168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\subscribe1\5992 (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CustomRule.txt (2 bytes)
    %Program Files%\ADSKIP\res\0003.dat (280 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\CdnRuleOption.dat (4 bytes)
    %Program Files%\ADSKIP\driver\x64\Win8.1\blNetFilter.sys (54 bytes)
    %Program Files%\ADSKIP\res\se1.dat (673 bytes)
    %Program Files%\ADSKIP\driver\x64\Win7\blNetFilter.sys (52 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002 (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003 (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000 (4185 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001 (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004 (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\CdnJsonconfig.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\res\0002.dat (4 bytes)
    %System%\drivers\tcpip.sys_backup (2319 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\CdnJsonconfig.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\driver\Win32\Win8\blNetFilter.sys (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bin\ADSkip\askMisc.dll (23424 bytes)
    %Program Files%\ADSKIP\res\101.dat (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\AdSkip.lnk (1 bytes)
    %Program Files%\ADSKIP\askUpdate.dll (7345 bytes)
    %Program Files%\ADSKIP\askMisc.dll (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\monitorlist.data (178 bytes)
    C:\download\MiniThunderPlatform.exe (746 bytes)
    C:\download\msvcr71.dll (1629 bytes)
    C:\download\download_engine.dll (24427 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downlist.data (686 bytes)
    C:\download\minizip.dll (784 bytes)
    C:\download\ThunderFW.exe (1333 bytes)
    C:\download\zlib1.dll (745 bytes)
    C:\download\msvcp71.dll (1784 bytes)
    C:\download\id.dat (40 bytes)
    C:\xldl.dll (1922 bytes)
    C:\download\MiniTPFw.exe (745 bytes)
    C:\download\atl71.dll (118 bytes)
    C:\download\dl_peer_id.dll (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ADSkip.v1.0.523.2104_Silent.exe.td.cfg (14273 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Browser_V5.6.13381.9_r_4681_(Build1606081220).exe.td.cfg (16328 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\asyn_frame.dat (2749 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\stat.dat (44 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\200U (447 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\error.dat (284 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\DownloadLib\pub_store.dat (405 bytes)
    %Documents and Settings%\All Users\Application Data\Thunder Network\Mini_downloadlib\ODAwMDAzNjA=\Version_3_2_1_42\Profiles\download.cfg (1007 bytes)
    %Program Files%\UCBrowser\Application\ucsvc.log (1461 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51001.zip (511 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\cafl.dat (37 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\ErrorLog.txt (448 bytes)
    %Program Files%\ADSKIP\res\yxx.dat (22192 bytes)
    %Program Files%\ADSKIP\res\txx.dat (8560 bytes)
    %Program Files%\ADSKIP\res\txx.dat.zip (628 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51000.zip (2067 bytes)
    %Program Files%\ADSKIP\res\yxx.dat.zip (2812 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51004.zip (1334 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\config.dat (2359 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51002.zip (3086 bytes)
    %Documents and Settings%\%current user%\Application Data\ADSKIP\subscribe1\51003.zip (1491 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\VERSION (11 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome.dll (286042 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\start.dat (12 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\UC浏览器.lnk (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\config.dat (6408 bytes)
    %Program Files%\UCBrowser\Application\Uninstall.exe (18934 bytes)
    %Program Files%\UCBrowser\Application\Share\target_locale (5 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\delegate_execute.exe (3751 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\google.com.png (521 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\chrome.7z (1199069 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\chs.locale (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard.sys (72 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\custom.dat (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libEGL.dll (88 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\marketing\1001.ico (192 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\start.dat (7 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (252 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\baidu.com.png (426 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\etao.com.png (335 bytes)
    %Program Files%\UCBrowser\Application\UCBrowser.exe (7547 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\start.dat (7 bytes)
    %Program Files%\UCBrowser\Application\master_preferences (235 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.png (457 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Languages\settings.xml (103 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\InstalledConfig.xml (680 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\UC浏览器.lnk (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\courgette.dll (281 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Drivers\ucguard-x64.sys (81 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\start.dat (12 bytes)
    %Program Files%\UCBrowser\Application\update_task.exe (2321 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\7z.dll (6361 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\zh-cn\config.dat (6408 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\config.dat (151 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\qq.png (2 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etaohaitao.com.png (438 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\taobao.com.png (290 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10.pak (8 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\UC浏览器\卸载UC浏览器.lnk (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\bing.com.png (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\alipay.png (2 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\natives_blob.bin (1711 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\stats_uploader.exe (279 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_100_percent.pak (7386 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\config.dat (151 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libexif.dll (317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (1252 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\zh-CN\external_extensions.json (939 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\youku.com.png (653 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCBrowser.exe (7386 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\update_task.exe (1696 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\taobao.png (389 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\config.dat (166 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\youku.com.png (764 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Backup\UCBrowser.exe (7386 bytes)
    %Program Files%\UCBrowser\Application\Share\start.dat (12 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\d3dcompiler_47.dll (22433 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\noads.png (4 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\bing.com.png (1 bytes)
    %Program Files%\UCBrowser\Application\VERSION (11 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\facebook.ico (131 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\theme_tool.exe (1851 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCProxySDK.dll (9606 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\sogou.com.png (1 bytes)
    %Program Files%\UCBrowser\Application\wow_helper.exe (601 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\start.dat (7 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\baidu.com.png (682 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\config.dat (152 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\google.com.hk.png (457 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\molt_tool.exe (1814 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\curl-ca-bundle.crt (260 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Uninstall.exe (17629 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\baidu.png (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\es-419\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\12dc664d-0442-4570-a7c8-f3aa22922cec.com.png (479 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\browsing_data_remover.exe (236 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\amazon.png (507 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\sogou.com.png (2 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_100_percent.pak (1697 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\manifest.json (2 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\weibo.png (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libucguard.dll (179 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\tmall.com.png (196 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\en-in\start.dat (7 bytes)
    %Program Files%\UCBrowser\Application\5.6.13381.9\Installer\setup.exe (7547 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\zh-CN.pak (255 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\tmall.com.png (200 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\searchbar\etao.com.png (252 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\id-ID\external_extensions.json (494 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\wow_helper.exe (80 bytes)
    %Program Files%\UCBrowser\Application\Share\config.dat (7345 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\UC浏览器\UC浏览器.lnk (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\updater.dll (15021 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\pt-br\start.dat (7 bytes)
    %Program Files%\UCBrowser\Application\Share\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\libGLESv2.dll (7972 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\ru\start.dat (7 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\resources.pak (172310 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\pp_helper.png (1 bytes)
    %Program Files%\UCBrowser\Application\UCService.exe (6841 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\snapshot_blob.bin (1802 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\icudtl.dat (34008 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\login_view\taobao.png (2 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\UCService.exe (6334 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\bookmarks\uc123.png (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Update\UpdateOption.xml (189 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\new_tab_search\taobao.com.png (304 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\config_updater.dll (7386 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\external_extensions.json (494 bytes)
    %Documents and Settings%\All Users\Desktop\UC浏览器.lnk (1 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\config.dat (151 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_watcher.dll (1680 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\desktop\tmall_points.ico (144 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\config.dat (164 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_elf.dll (201 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\share.dat (66 bytes)
    %Program Files%\UCBrowser\Application\molt_tool.exe (3361 bytes)
    %System%\drivers\ucguard.sys (601 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\UCAgent.exe (12289 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\5.6.13381.9.manifest (248 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_200_percent.pak (7972 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Locales\en-US.pak (258 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\PepperFlash\pepflashplayer.dll (124061 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\pt-BR\external_extensions.json (494 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\Share\icons\extension\renren.png (4 bytes)
    %Program Files%\UCBrowser\Application\5.6.13381.9\Installer\chrmstp.exe (7547 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Extensions\en-IN\external_extensions.json (622 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\Configs\id\share.dat (66 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\chrome_child.dll (321430 bytes)
    %Program Files%\UCBrowser\Temp\source2840_32441\Chrome-bin\5.6.13381.9\win10_200_percent.pak (1723 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%original file name%.exe -start" = "c:\%original file name%.exe -start"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now