Gen.Variant.Mikey.59397_2a969135b4

by malwarelabrobot on October 27th, 2017 in Malware Descriptions.

Gen:Variant.Mikey.59397 (B) (Emsisoft), Gen:Variant.Mikey.59397 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 2a969135b407c86e2d83bac14b4f8ebc
SHA1: 70394c168c01580562a7e87dc49a263f1251319f
SHA256: 0a089a6f840540bc9eb2cbd677990e3d3503f83739deb109215283fafb538e95
SSDeep: 49152:wBfALokJsr1kMlwST3huZrBq5Xt4g9qBulWa7c5vt6ItpgEMPsF0nmWj44:kVlw23hQrBq59LPoRoEMPsF0nmw
Size: 4259840 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-12-03 08:45:14
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

cross.exe:2872

The Trojan injects its code into the following process(es):

%original file name%.exe:3228

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process cross.exe:2872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process %original file name%.exe:3228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1WG9EN9I.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\9eecf8d4c685cad98cef71bfc32bee84[1].txt (34401 bytes)
C:\exdui.dll (110 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\9eecf8d4c685cad98cef71bfc32bee84[1].txt (0 bytes)

Registry activity

The process cross.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cross_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a969135b407c86e2d83bac14b4f8ebc_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\62\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
c472335b008c5942ec8a162177058111 c:\exdui.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Leesin
Product Name: www.cfzhushou.com
Product Version: 2.5.8.0
Legal Copyright: Copyright (C) 2016 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.5.8.0
File Description: CF????
Comments: www.cfzhushou.com
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1811498 1814528 4.34516 02ac2f28935b9b972aa82703b5fdbb18
.rdata 1818624 2271246 2273280 4.83722 3f16a442ca9069dd232fd6fe8d5ff48a
.data 4091904 442513 114688 3.79241 a9e0c37c07109a5dd9b529ac3fd29652
.rsrc 4538368 52652 53248 3.85614 3f53908b052e4a2661582a96c2c209ec

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hxxp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hxxp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3228:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Hw2.Hw
user32.dll
User32.dll
kernel32.dll
Kernel32.dll
shell32.dll
gdiplus.dll
GdiPlus.dll
Ole32.dll
OleAut32.dll
wininet.dll
ole32.dll
oleaut32.dll
gzip.dll
ntdll.dll
Winhttp.dll
gdi32.dll
Gdi32.dll
imm32.dll
atl.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
GetProcessHeap
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
\exdui.dll
@V.Dv
.UmKm
4v %u
oft.XMLDOMnY
\dwmapi.dll
A715A0-6587-11D0-924A_20AFC7/
Leave.CoIn@alize
number is %d.
:"%s"
..0`%X
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
t=.VMV
%%fnW
,7Z.in
k`%u"]
T.ZQ2
CDKEY
CDKEY:
ND ED9MS?WC [H6WU<fL.aF6bB=dM2aN<iE?hO1jL=jP.gP4cP>iQ4kU;mX>qN?EJILOPMSFMRSWKEVYGWYW[_bXcI]dV^bciIDeRAbUMeYNkTChVLmZEm\KhYTrNHsYJ{ZTo`LefYir^saKtcTsd\ti[{eTzf]}iV{k]fhhhkqmtfmqsyiewtivxxz}
ND ED9MS?WB [H6WU<eL-bM;jP.cP>qN?EJILNPMSEMRSVKFVXGVYW[^aXcI]dV]bciIEeSAcVMfZEe[MkTChVLmZEm\JhYTrMGsYJ{ZTeaIgeYir^saKtcTsd\viWui\{eTze]|iU{k\~p_fihhkqlsgmqtyiextjuxxz}
ND EE9LS?WC [I7WT<eL.bM;jP/dP>qN?EJILOPMTDMRSWJE[OTWXFWYWZ^bXcI]dV]bciIEjXEhYUrMGrZIzZTh^aeaIgeYir^saKxgX~p_fhhilrmsgmqtyidslsytjvxxz|
OB EE9LR?WC [I7WT<eL.bM:iP/dQ>qN?EJILOPMTDMRSWIE[OTWXFWYX[^aXcI]dV]bciJEjXEhYUrNGr[IzZTh^bfaIgdYir^saKxgX~p_fhhjlrmsgmqtyidslsysjvxxz|
OB FE9KR?WC [I7WT<eL.bM:iP/dQ>qN?EJIKOPMTDMRSWIE\ORWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTh^bfaIhdYir^saKxgX~p_fhhjlrmsgnrtyjeslsysjvxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRSWHE\NSWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTg^bfaIhdZir^saJxgX~p_fhhjmrmrhnqtxjermtzsjvxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[NSWXFWYX[^aXcI]dV]bciJE`ORjXEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhjmrmrhnrtxjerlszsivxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[OSWXFWYXZ^aXcI]dV]bbiJE`ORjXEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhjmrmrhnrtxjerlszsjvxxz|
wW.Gg
NA EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[OSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrmrhnrtxjerlszsjvxxz|
NA FE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE\OSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrmrhnrtxjerlszsjvxxz|
Z|.Gw
MA,FE9KR?WC*[I7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnrhnrtxjerlszsjvxxz|
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnrhnrtxjerlszsivxxz|
MA,EE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
NA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[OSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
NA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE\NSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhcZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
l.er;
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyYTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsjvxyz|
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUBMRRWHE[NSWXFWYXZ^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyYTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsivxxz|
8`!%x
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsivxxz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bciJE`ORjYEhYVqNIr\IyZTg^bfaIhdYir_saJwgX|p_fhhkmrnqinrtxjerlszsivxxz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eV]bciJE`ORcOQjYEhYVqNIr\IyZTg^bfaIidYir_saJwgXzq^fhhkmrnqinrtxjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eV]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidYir_saJwgXzr^fhhkmrnqinrtxjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidXir_saJwgXzr^fhhkmrnqinrtyjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
MA,FE9KR?WC ZI7WT<fL.bM;iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhZVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
.pQ\ a
.NaH-*
!)!!))!)-*1-(333:73_
%XE%Z
dj%d~
.PXF3
02/24/16
%4u3\2t
W.ctn
B%D#H;
hXXp://
Yn7%X
..RZd
A$#%DR
Wx.xlu
n.mJ~f#
Il%UVl_
.mDB`
.ijWU5
w%SY<s
Wkbn%X
kEYH
&.kPd
(s.PKL
MsgBox
SysShadow.SubWnd
%f%%f
7".Fv
>.OsM
r.vDO
V2.5.8
\CF_data.ini
360tray.exe
cross.exe
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
ADURL1
ADURL2
ADURL3
ADURL4
ADURL5
ADURL6
ADURL7
ADURL8
ADURL9
ADURL10
.jF<J
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
skey=
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.cfzhushou.com/blackuser.txt
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
ÿF8>NFFFh
ÿFV
hXXp://VVV.cfzhushou.com/vipuser.txt
,.Ey)
qTcp,
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0®master=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i  = 16) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512   data.length * chrsz);
return core_md5(opad.concat(hash), 512   128)
for (var i = 0; i < str.length * chrsz; i  = chrsz) {
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i  = chrsz) {
str  = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i  ) {
str  = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8   4)) & 15)   hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i  = 3) {
if (i * 8   j * 6 > binarray.length * 32) {
str  = tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i   2) {
arr.push('\\x'   str.substr(i, 2))
arr = arr.join('');
function getEncryption(password, salt, vcode, isMd5) {
password = password || '';
var md5Pwd = isMd5 ? password: md5(password),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000'   vcode.length.toString(16);
while (rsaH1Len.length < 4) {
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len   rsaH1   TEA.strToBytes(salt)   vcodeLen   hexVcode);
TEA.initkey('');
return saltPwd.replace(/[\/\ =]/g,
'/': '-',
' ': '*',
'=': '_'
function getRSAEncryption(password, vcode, isMd5) {
var str1 = isMd5 ? password: md5(password);
var str2 = str1   vcode.toUpperCase();
var str3 = $.RSA.rsa_encrypt(str2);
$.RSA = function() {
while (z   aD < aC.length) {
t  = aC.substring(z, z   aD)   '\n';
return t   aC.substring(z, aC.length)
return '0'   t.toString(16)
return t.toString(16)
if (aG < aD.length   11) {
var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert('Invalid RSA public key')
return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength()   7) >> 3);
var aD = this.doPublic(t);
var z = aD.toString(16);
if ((z.length & 1) == 0) {
N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {
au.prototype.am = aA;
if (ab && (navigator.appName != 'Netscape')) {
au.prototype.am = b;
au.prototype.am = az;
au.prototype.DB = ay;
au.prototype.DM = ((1 << ay) - 1);
au.prototype.DV = (1 << ay);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
ar = '0'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aG, z);
var aF = aG.length,
if (aG.charAt(aF) == '-') {
if (aE   aD > this.DB) {
this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;
this[this.t  ] = (t >> (this.DB - aE))
if (aE >= this.DB) {
aE -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE
this.clamp();
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
return '-'   this.negate().toString(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
if (aG < this.DB && (aH = this[aD] >> aG) > 0) {
aH |= this[--aD] >> (aG  = this.DB - aC)
aG  = this.DB; --aD
au.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1)   l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
aG = (this.s << z) & this.DM,
aD.clamp()
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
t = Math.min(z.t, this.t);
aD[aC  ] = aE & this.DM;
aE >>= this.DB
aD[aC  ] = aE & this.DM;
aE >>= this.DB
aD[aC  ] = this.DV   aE
var t = this.abs(),
aE = z.abs();
aD[aC   t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
au.ZERO.subTo(aD, aD)
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z   t.t]  = t.am(z   1, 2 * t[z], aC, 2 * z   1, aD, t.t - z - 1)) >= t.DV) {
aC[z   t.t] -= t.DV;
aC[aC.t - 1]  = t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
var aQ = aK.abs();
var aI = this.abs();
aH.fromInt(0)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aI.copyTo(aG)
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {
aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT   (aG[aO - 1]   aR) * aS);
if ((aG[aO]  = aE.am(0, aD, aG, aN, 0, aM)) < aD) {
aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(au.ZERO) > 0) {
t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
this.reduce(z)
t.squareTo(z);
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(au.ZERO) > 0) {
this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {
var aD = (z * this.mpl   (((z * this.mph   (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z]  = this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {
t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
return au.ONE
aF = aI.convert(this),
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
if (aC < 256 || t.isEven()) {
return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromString = y;
au.prototype.clamp = Q;
au.prototype.dlShiftTo = at;
au.prototype.drShiftTo = Z;
au.prototype.lShiftTo = v;
au.prototype.rShiftTo = n;
au.prototype.subTo = ad;
au.prototype.multiplyTo = F;
au.prototype.squareTo = S;
au.prototype.divRemTo = G;
au.prototype.invDigit = D;
au.prototype.isEven = k;
au.prototype.exp = A;
au.prototype.toString = s;
au.prototype.negate = T;
au.prototype.abs = an;
au.prototype.compareTo = I;
au.prototype.bitLength = w;
au.prototype.mod = P;
au.prototype.modPowInt = ap;
au.ZERO = c(0);
au.ONE = c(1);
d(new Date().getTime())
if (navigator.appName == 'Netscape' && navigator.appVersion < '5' && window.crypto && window.crypto.random) {
var H = window.crypto.random(32);
for (K = 0; K < H.length;   K) {
W[ae  ] = H.charCodeAt(K) & 255
K = Math.floor(65536 * Math.random());
o.init(W);
for (ae = 0; ae < W.length;   ae) {
return o.next()
for (t = 0; t < z.length;   t) {
af.prototype.nextBytes = ax;
z = (z   this.S[aD]   aE[aD % aE.length]) & 255;
m.prototype.init = f;
m.prototype.next = a;
t.setPublic(aC, z);
return t.encrypt(aD)
return Math.round(Math.random() * 4294967295)
for (var B = 0; B < D.length; B  ) {
var C = Number(D[B]).toString(16);
if (C.length == 1) {
for (var A = 0; A < B.length; A  = 2) {
C  = String.fromCharCode(parseInt(B.substr(A, 2), 16))
for (var A = 0; A < C.length; A  ) {
B[A] = C.charCodeAt(A)
var A = C.length;
var A = E.length;
for (var C = 0; C < B.length; C  ) {
var A = u.length;
for (var B = 0; B < E.length; B  ) {
C[B] = E.charCodeAt(B) & 255
for (var B = 0; B < E.length; B  = 2) {
C[A  ] = parseInt(E.substr(B, 2), 16)
s.TEA = {
for (var B = 0; B < C.length; B  ) {
A  = String.fromCharCode(C[B])
return d.encode(A)
initkey: function(A, B) {
d.PADCHAR = '=';
d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';
d.getbyte = function(C, B) {
var A = C.charCodeAt(B);
d.encode = function(E) {
if (arguments.length != 1) {
var B = d.PADCHAR;
var G = d.ALPHA;
var F = d.getbyte;
var C = E.length - E.length % 3;
if (E.length == 0) {
A.push(G.charAt(H >> 18));
A.push(G.charAt((H >> 12) & 63));
A.push(G.charAt((H >> 6) & 63));
A.push(G.charAt(H & 63))
switch (E.length - C) {
A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   B   B);
A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   G.charAt((H >> 6) & 63)   B);
return A.join('')
if (!window.btoa) {
window.btoa = d.encode
var hex = str.toString(16);
var len = hex.length;
arr.push('\\x'   hex.substr(j, 2))
var result = arr.join('');
hexVcode = s.TEA.strToBytes(c.toUpperCase()),
vcodeLen = '000'   c.length.toString(16);
s.TEA.initkey(s2);
var saltPwd = s.TEA.enAsBase64(rsaH1Len   rsaH1   s.TEA.strToBytes(salt)   vcodeLen   hexVcode);
s.TEA.initkey('');
&appid=21000124&js_ver=10181&js_type=1&login_sig=kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV&u1=http://cf.qq.com/clan/&r=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
function time(){return Math.random()}
hXXps://ssl.captcha.qq.com/cap_union_getsig_new?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/getimgbysig?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
pt_mbkey
D:\cross.exe
Helper.dll
_43057.exe
\Helper.dll
@.reloc
%Program Files%\Helper_%d_43057.exe
Helper_%d_43057.exe
%Program Files%\3.txt
hXXp://bgp.jshgg.net/abc/3.txt
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Visual Studio 2013\Projects\dll\Release\Helper.pdb
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
KERNEL32.dll
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
7 7$7(7,7074787
9$9(9,909
5U5F5\5
7 7$7(7,707
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
Wscript.Sleep(1000)
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGC:\cross.exe
[SKEY]
-URL:
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
"sMsg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
"~ /1~!<
fD.nn'1r?
.KM8'
$&%cw]
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=


&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
bHasSendFailItem":"0","iRet":"0","sMsg":"
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=79968&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams2.02.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/jsonp.php?_c=page&actid=5474&isLoadUserInfo=1&callback=page.signInCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
hXXp://vip.qzone.qq.com/fcg-bin/v2/fcg_mobile_vip_site_checkin?t=0.46869834180487055&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Host: qiandao.qun.qq.com
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_feedback_send_lottery.fcg?activeid=110&rnd=1458872103167&g_tk=
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭 千军万马来相见。
1970-01-01 08:00:00
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
hXXp://bbs.cf.qq.com/forum.php
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
&e_code=0&g_code=0&eas_url=http://daoju.qq.com/mall/judou2.0/cf.shtml&sServiceDepartment=djc&sPartition=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.6722960381302983
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=42715&sServiceDepartment=djc&set_info=djc
,"iRet":"0","sMsg":"
modRet":{"iRet":"0","sMsg":"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
cf.qq.com
hXXp://cf.qq.com/clan
javascript:LoginManager.logout(function(){location.reload()});
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=hXXp://game.qq.com/comm-htdocs/milo/proxy.html&appid=21000124&target=top&s_url=http://cf.qq.com/clan/&style=20&daid=8
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
cf.qq.com/clan
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
%Program Files%\Internet Explorer\iexplore.exe
crossfire.exe
?kernel32.dll
hXXp://apps.game.qq.com/CommArticle/app/reg/gdate.php
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
SysShadow.Menu
Microsoft.XMLDOM
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
RASAPI32.dll
MSVFW32.dll
AVIFIL32.dll
GetKeyboardState
oledlg.dll
WSOCK32.dll
InternetCanonicalizeUrlA
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
.FNNNNNNNNNNNNNNV
.FNNNNNNNNNNNN
.CNNNB
.CNNd
ÝDDDDDDQC
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
1.0.15.507
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
VVV.cfzhushou.com
(hXXp://VVV.dywt.com.cn)
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
2.5.8.0

%original file name%.exe_3228_rwx_01760000_00013000:

.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant

cross.exe_2872:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
JHw2.Hw
Helper.dll
ShellExecuteA
_43057.exe
\Helper.dll
@.reloc
HTTP/1.1
%Program Files%\Helper_%d_43057.exe
Helper_%d_43057.exe
%Program Files%\3.txt
hXXp://bgp.jshgg.net/abc/3.txt
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Visual Studio 2013\Projects\dll\Release\Helper.pdb
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
WININET.dll
SHELL32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
7 7$7(7,7074787
9$9(9,909
5U5F5\5
7 7$7(7,707
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
Wscript.Sleep(1000)
360tray.exe
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
D:\cross.exe
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
VVV.cfzhushou.com
(hXXp://VVV.dywt.com.cn)

%original file name%.exe_3228_rwx_10001000_00033000:

f9z.vk
@Microsoft.XMLDOM
dwmapi.dll
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
kernel32.dll
ole32.dll
gdiplus.dll
GdiPlus.dll
gdi32.dll
user32.dll
Advapi32.dll
advapi32.dll
User32.dll
ntdll.dll
Ole32.dll
shell32.dll
atl.dll
program internal error number is %d.
:"%s"
:"%s".
GetProcessHeap
&..0`%X
.text
`.rdata
@.data
.rsrc
.reloc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cross.exe:2872

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1WG9EN9I.txt (91 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\9eecf8d4c685cad98cef71bfc32bee84[1].txt (34401 bytes)
    C:\exdui.dll (110 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
