Trojan.Win32.FlyStudio_23b6acd881

by malwarelabrobot on October 30th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-Banker.Win32.Banker.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Banker, Trojan, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 23b6acd88101c4b29ce081aa72a741dc
SHA1: 6cca94f79ca183890fd0720882da9dab341cab92
SHA256: 52837a0d634ae8955d6fa2ba4493db6cb5de51cdfe12ddf194bd23ea10aa54f0
SSDeep: 98304:KLvI9NCv3KkY1peDKR8QuGwhT1cLUrCknMaLpaDshA208yt:hNCv3KB102RaGmcLU0m4kA20D
Size: 3479528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2017-09-28 17:43:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1804

The Trojan injects its code into the following process(es):

%original file name%.exe:1204

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9fc68e852bc88a177b3af1cdff88fdd7.ini (177 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9fc68e852bc88a177b3af1cdff88fdd7.ini (0 bytes)

The process %original file name%.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b017a0bca8761fbc515869ce9e27b79d.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3437ae35cad39e4b23c9354436b0c699.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\46a3c8721859e6dc1d677d4ab280b993.txt (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\90a97eeb5f87017d403ecdc80857aff1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\df6a85f8c92ab933352505d3e630eba0.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cd435625acca819a73643fd7e788a2b0.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\057559c246e70004170fb451f30200aa.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a9b081f301195d55ccac69db6197e79b.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\90c7c3f02beb266b0f1cac532cc195b1.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6e4c93455940e61684bfb6c357e2effb.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d46a24861ed2595397eb19d664ca24e8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\acabd5f86d52491f9f52d049205000ee.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e820eb161329035bf42ead5d7bf28adf.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

Registry activity

The process %original file name%.exe:1204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF" = "01 00 00 00 00 00 00 00 0C 22 BF F3 B4 50 D3 01"
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF" = "01 00 00 00 00 00 00 00 6C 83 C1 F3 B4 50 D3 01"
"{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF" = "01 00 00 00 00 00 00 00 6C 83 C1 F3 B4 50 D3 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF" = "01 00 00 00 00 00 00 00 AC C0 BC F3 B4 50 D3 01"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF" = "01 00 00 00 00 00 00 00 0C 22 BF F3 B4 50 D3 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\23b6acd88101c4b29ce081aa72a741dc_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name      Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text     4096              548864         250880     5.54461   fdcdae7f414ae156bf151de8a3b4850e
.rdata    552960            7475200        3179520    5.54492   73017c123e794bcd8792b47f84b2b3d7
.data     8028160           147456         22016      5.53703   b6999ac0adab5edc29ac0159dae07ae5
.rsrc     8175616           20480          7680       4.44846   bcadf99beaeba1d4f9fdeaeb4f9a3e12
.aspack   8196096           8192           7168       3.91318   e2d3a906f3dad0ec2b0cd93829d347c3
.adata    8204288           4096           0          0         d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /zhanhun721.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: dajipinheji.oss-cn-hangzhou.aliyuncs.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Sun, 29 Oct 2017 12:52:34 GMT
Content-Type: text/plain
Content-Length: 44178
Connection: keep-alive
Vary: Accept-Encoding
x-oss-request-id: 59F5CF122084A5D5E8ABCB56
Accept-Ranges: bytes
ETag: "8665B6FDCA6BD7381A4D4C8D72F2A2D8"
Last-Modified: Wed, 25 Oct 2017 22:42:39 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 5755679923230498342
x-oss-storage-class: Standard
Content-MD5: hmW2/cpr1zgaTUyNcvKi2A==
x-oss-server-time: 25

<<< skipped >>>

GET /zhanhun721.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: dajipinheji.oss-cn-hangzhou.aliyuncs.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Sun, 29 Oct 2017 12:52:36 GMT
Content-Type: text/plain
Content-Length: 44178
Connection: keep-alive
Vary: Accept-Encoding
x-oss-request-id: 59F5CF142084A5D5E8ABE1F1
Accept-Ranges: bytes
ETag: "8665B6FDCA6BD7381A4D4C8D72F2A2D8"
Last-Modified: Wed, 25 Oct 2017 22:42:39 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 5755679923230498342
x-oss-storage-class: Standard
Content-MD5: hmW2/cpr1zgaTUyNcvKi2A==
x-oss-server-time: 2

<<< skipped >>>

GET /forum/pic/item/2e2eb9389b504fc276ad5f88eddde71191ef6d49.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:34 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "9601509063364712969"
Last-Modified: Tue, 27 Sep 2016 08:31:01 GMT
Expires: Sun, 16 Sep 2018 09:38:42 GMT
Age: 3725019
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/1ad5ad6eddc451da7740e366befd5266d116328d.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:20 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "4590346132662130343"
Last-Modified: Tue, 27 Sep 2016 08:30:59 GMT
Expires: Sun, 16 Sep 2018 09:38:40 GMT
Age: 3725006
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:46 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "2181626205514252865"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Sun, 16 Sep 2018 08:33:20 GMT
Age: 3730766
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:42 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "17719340091593362697"
Last-Modified: Thu, 29 Sep 2016 09:44:51 GMT
Expires: Sun, 16 Sep 2018 08:33:20 GMT
Age: 3730762
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/f7246b600c33874445d088e05b0fd9f9d72aa011.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:02 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "4610679139157386185"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:53 GMT
Age: 3628329
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 2

<<< skipped >>>

GET /forum/pic/item/6a63f6246b600c332a6c7954104c510fd9f9a111.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:55 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "17758313444465962688"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:53 GMT
Age: 3628321
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:51 GMT
Content-Type: image/jpeg
Content-Length: 297656
Connection: close
ETag: "8194768310413110853"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Sun, 16 Sep 2018 08:33:20 GMT
Age: 3730771
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:38 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "7878501113830277673"
Last-Modified: Thu, 29 Sep 2016 09:44:50 GMT
Expires: Sun, 16 Sep 2018 08:33:19 GMT
Age: 3730759
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/a50f4bfbfbedab645bc4ea5cfd36afc378311ef3.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:18 GMT
Content-Type: image/jpeg
Content-Length: 103765
Connection: close
ETag: "3779929261994002423"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:54 GMT
Age: 3628344
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/ca1349540923dd5496d148e5d909b3de9d824899.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:30 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "3096779813651530065"
Last-Modified: Tue, 27 Sep 2016 08:31:00 GMT
Expires: Sun, 16 Sep 2018 09:38:41 GMT
Age: 3725016
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/43a7d933c895d143e2c043bf79f082025baf07f3.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:10 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "6758824727784252494"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:54 GMT
Age: 3628336
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 1

<<< skipped >>>

GET /zhanhun721.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: dajipinheji.oss-cn-hangzhou.aliyuncs.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Sun, 29 Oct 2017 12:52:34 GMT
Content-Type: text/plain
Content-Length: 44178
Connection: keep-alive
Vary: Accept-Encoding
x-oss-request-id: 59F5CF1212058D732A7FE409
Accept-Ranges: bytes
ETag: "8665B6FDCA6BD7381A4D4C8D72F2A2D8"
Last-Modified: Wed, 25 Oct 2017 22:42:39 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 5755679923230498342
x-oss-storage-class: Standard
Content-MD5: hmW2/cpr1zgaTUyNcvKi2A==
x-oss-server-time: 5
                              ;........,........................;.....
...........,v:1......:....Blue 0212-[ ..................123456789 ]---
-------------------------------..hwbegin0D0F3E03EE020000789C8DD1416E9B
410806D07DA45CC5FF30C000BDCD0043E24A56ACD4D9F9F019A9915AEF2Cend..hwbeg
in762C78C0F77EBB5D7F1DC7F9F2F6E7334E3ECFF9758A8FCB511F9F5F97E37A8EE37C
5B9763CC81353A0D1FAD05end..hwbegin629F23C498A05130B44A2B9B0070FA7D7DBB
EFAE09DF3BAFE5D90A3347B5299268A6CD8B5DC2005E5FDE9FC34Bend..hwbeginFEC1
2A44C4D9545763FF0BA7F439DB23BE4269AD618B200700AD222D74D0E11CADE8691CA9
E61A91E26AB61868end..hwbeginA05AAA924E49430C336E59F8805336A9A1882C6EAE
B026946D3DB863483D8D13FE206A9C40B87A34422FB16ADAend..hwbegin5B679FB5A5
07DC27AC552D313AE98EC03A522A0F55EE73779FBFBCCD0C5F25A319390EE1451E02D3
2224D23437end..hwbeginB807FE8FC3721065ED9E158E3B029D3A1B8F851632F8697C
F20EC96BD7CAE983D883D6E4A8C4312B501401D6CFend..hwbeginE5D070CFBE03EC9D
C888ABA8DAFEBF70CC91C51CCE3DE5F5E51BAB91E38Bend..;................,v:1
......:....Blue 0212-[ ..................123456789 ]------------------
----------------........................7..21--9..22|..---------------
----------..|........|103.44.145.105|7000|password....................
..7..21--9..22|............-................|........|127.0.0.1|8888|p
assword......................7..21--9..22|............-...............
.|........|127.0.0.1|8888|password......................7..21--9..22|.
...........-................|........|127.0.0.1|8888|password.........
.............7..21--9..22|............-................|........|1

<<< skipped >>>

GET /forum/pic/item/342ac65c103853437b3d68ac9b13b07ecb808849.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:26 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "13979779269839215316"
Last-Modified: Tue, 27 Sep 2016 08:31:00 GMT
Expires: Sun, 16 Sep 2018 09:38:40 GMT
Age: 3725012
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

GET /forum/pic/item/34fae6cd7b899e5146389d8848a7d933c9950df3.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:06 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "18108391507782861392"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:54 GMT
Age: 3628332
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 1

<<< skipped >>>

GET /forum/pic/item/30adcbef76094b3675e4bc71a9cc7cd98d109d3c.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:53:14 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "11551376640010553166"
Last-Modified: Tue, 18 Jul 2017 04:07:29 GMT
Expires: Mon, 17 Sep 2018 13:00:54 GMT
Age: 3628340
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 3

<<< skipped >>>

GET /forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 29 Oct 2017 12:52:35 GMT
Content-Type: image/jpeg
Content-Length: 226769
Connection: close
ETag: "7130635741171976897"
Last-Modified: Thu, 29 Sep 2016 09:22:38 GMT
Expires: Sun, 16 Sep 2018 08:33:19 GMT
Age: 3730756
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1204:

.text
`.itext
`.data
.idata
.rdata
.reloc
@.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.UA
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
.Owner
Uh.ZB
USER32.DLL
comctl32.dll
TaskDialogIndirect
EInvalidGraphicOperation
Uhc%C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
ole32.dll
uxtheme.dll
DWMAPI.DLL
shell32.dll
PasswordChar
OnKeyDown
OnKeyPressh E
OnKeyUp
ssHorizontal
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
msimg32.dll
Proportional
OnExecute<CD
{43826d1e-e718-42ee-bc55-a1e261c37bfe}
%s%s%s%s%s%s%s%s%s%s
AutoHotkeys
AutoHotkeysP
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
TKeyEvent
TKeyPressEvent
HelpKeyword`
crSQLWait
%s (%s)
imm32.dll
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview0)E
WindowState4
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
User32.dll
tsShadow
TRzRegKey
hkeyClassesRoot
hkeyCurrentUser
hkeyLocalMachine
hkeyUsers
hkeyPerformanceData
hkeyCurrentConfig
hkeyDynData
TRzRegAccessKey
keyQueryValue
keySetValue
keyCreateSubKey
keyEnumerateSubKeys
keyNotify
keyCreateLink
keyRead
keyWrite
keyExecute
keyAllAccess
RegKey
\Software\Microsoft\Windows\CurrentVersion
%u / %u
MAPI32.DLL
msShiftSelect
TComboBoxExEnumerator
TRzURLLabel
TRzURLLabel|
RunDLL32.exe Shell32.dll,OpenAs_RunDLL *.htm
BeepOnInvalidKey
%s, %.2d %s %.4d %s %s
EIdCanNotBindPortInRange
EIdInvalidPortRangetbJ
C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
Wship6.dll
EIdIPVersionUnsupportedU
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
127.0.0.1
C:\builds\TpAddons\IndyNet\System\IdStack.pas
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
PortSVW
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
Port<
C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas
"EIdTransparentProxyUDPNotSupported
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
BoundPort<
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password<
Port@iJ
0.0.0.1
0.0.0.0
DefaultPort@iJ
TIdTCPConnection
IdTCPConnection
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
C:\builds\TpAddons\IndyNet\Protocols\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length exceeded (expected
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
CommentURL
Port
C:\builds\TpAddons\IndyNet\Protocols\IdZLibCompressorBase.pas
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
%d%s%d
TIdHTTPOption
IdHTTP
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP4|L
TIdHTTPOnRedirectEvent
TIdHTTPOnHeadersAvailable
TIdHTTPResponse
TIdHTTPResponse`~L
TIdHTTPRequest
TIdHTTPProtocol4
TIdCustomHTTP
TIdCustomHTTP4
TIdHTTP
TIdHTTPd
HTTPOptions
EIdHTTPProtocolException
C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas
HTTPS
https
HTTP/1.0 200 OK
HTTP/
%s, ClassID: %s
%s: %s
%s:%s
user32.dll
Class <%s> not registered
Source Class <%s> not registered
tObject %s not in item list
srBadPassword
TBadPassword
NewPassword
OnBadPasswordh
1.2.3
.zip.
olepro32.dll
IWebBrowser
IWebBrowserAppP
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowser
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop`
OnWindowSetWidth
OnWindowSetHeight
MaxKeySize
Invalid key size
LabelHintMsgh
RzURLLabel1
MsgBox
EditPasswordt
720101-146720
1977/10/15
650101-1455111
EditPasswordl
EditNewPasswordp
TfrmChangePassword
LChgPassword
TfrmGetBackPassword
LGetBackPassword
.\Ftp.ini
.\lscfg.ini
Software\MicroSoft\Windows\CurrentVersion\Explorer
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; .NET CLR 2.0.50727)
LoginTool.bin
LoginTool.exe
LoginDLL.dll
.\LoginDLL.dll.bak
.\LoginDLL.dll
netapi32.dll
stoDefaultKeyHandling
TRzShellControlDefKeyRec
Software\Microsoft\Windows\CurrentVersion\Explorer
"%s" %s
x@.td
xB.tG
%UUUU
HttpGetEX
THTTPGetThread
THttpGetEX
1.0.4
btnChangePassword|
btnGetBackPassword
WebBrowser
TimerWebBroswer
btnChangePasswordClick
btnGetBackPasswordClick
TimerLoginFunTimer
WebBrowserDownloadComplete!
TimerWebBroswerTimer
.\Data\Prguse2.wil
.\Data\Prguse2.wzl
%s,%d,%d,%d,%d
%d X %d
Q.NYcJ!
LoginTool
.\Data\ui\blue.uib
.\Data\ui\ItemBag.uib
.\Data\ui\HeroItemBag1.uib
.\Data\ui\HeroItemBag2.uib
.\Data\ui\HeroItemBag3.uib
.\Data\ui\HeroItemBag4.uib
.\Data\ui\HeroItemBag5.uib
.\Data\ui\HeroStateWin.uib
.\Data\ui\StateWindowHumanB.uib
.\Data\ui\StateWindowHumanC.uib
.\Wav\sound2.lst
.\Data\ui\gcbkd.uib
.\Data\ui\gcpage1.uib
.\Data\ui\gcpage2.uib
.\Data\ui\gcclose1.uib
.\Data\ui\gcclose2.uib
.\Data\ui\gccheckbox1.uib
.\Data\ui\gccheckbox2.uib
.\Data\ui\WStall.uib
.\Data\ui\WStallPrice.uib
.\Data\ui\PStallPrice0.uib
.\Data\ui\PStallPrice1.uib
.\Data\ui\StallBot0.uib
.\Data\ui\StallBot1.uib
.\Data\ui\DscStart0.uib
.\Data\ui\DscStart1.uib
.\Data\lsDefaultItemFilte1.txt
%s:%d
.\bass.dll
.\CmdLine.txt
/contact.htm
/buy.htm
%s %dK/%dK
Data\cboweapon.wzl
Data\cboweapon.wis
s.hXpT
inflate 1.2.3 Copyright 1995-2005 Mark Adler
inflate 1.0.4 Copyright 1995-1996 Mark Adler
UnhookWindowsHookEx
RegFlushKey
RegCloseKey
comdlg32.dll
RegCreateKeyExA
GetKeyNameTextA
SetViewportOrgEx
~b.LT
GetKeyboardState
mpr.dll
GetKeyboardType
WinExec
wsock32.dll
gdi32.dll
EnumWindows
EnumChildWindows
.YFwQ
MsgWaitForMultipleObjectsEx
.tbo:
RegCreateKeyA
EnumThreadWindows
MsgWaitForMultipleObjects
ShellExecuteA
.YnNW
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyState
MapVirtualKeyA
version.dll
ShellExecuteExA
RegOpenKeyExA
LoadKeyboardLayoutA
GetKeyboardLayoutList
e.gp)
GetViewportOrgEx
4/.)(%$9
RegOpenKeyA
advapi32.dll
ActivateKeyboardLayout
SetWindowsHookExA
GetCPInfo
<assemblyIdentity version="1.0.0.0" processorArchitecture="x86" name="lacebook.exe" type="win32"/>
<requestedExecutionLevel level="requireAdministrator"/>
.rsrc
KERNEL32.dll
USER32.dll
WINMM.dll
MSACM32.dll
MSVCRT.dll
BASS_GetCPU
BASS_StreamCreateURL
BASS.dll
wav\1.wav
wav\2.wav
wav\3.wav
wav\4.wav
wav\5.wav
wav\6.wav
wav\7.wav
wav\8.wav
wav\9.wav
wav\10.wav
wav\11.wav
wav\12.wav
wav\13.wav
wav\14.wav
wav\15.wav
wav\16.wav
wav\17.wav
wav\18.wav
wav\19.wav
wav\20.wav
wav\21.wav
wav\22.wav
wav\23.wav
wav\24.wav
wav\25.wav
wav\26.wav
wav\27.wav
wav\28.wav
wav\29.wav
wav\30.wav
wav\31.wav
wav\32.wav
wav\M42-2.wav
wav\game-over2.wav
wav\50.wav
wav\51.wav
wav\52.wav
wav\53.wav
wav\54.wav
wav\55.wav
wav\56.wav
wav\57.wav
wav\60.wav
wav\61.wav
wav\62.wav
wav\63.wav
wav\64.wav
wav\65.wav
wav\70.wav
wav\71.wav
wav\72.wav
wav\73.wav
wav\80.wav
wav\81.wav
wav\82.wav
wav\83.wav
wav\91.wav
wav\92.wav
wav\100.wav
wav\101.wav
wav\102.wav
wav\103.wav
wav\104.wav
wav\105.wav
wav\106.wav
wav\107.wav
wav\108.wav
wav\109.wav
110: wav\110.wav
111: wav\111.wav
112: wav\112.wav
113: wav\113.wav
114: wav\114.wav
115: wav\115.wav
116: wav\116.wav
117: wav\117.wav
118: wav\118.wav
122: wav\122.wav
123: wav\123.wav
124: wav\124.wav
125: wav\125.wav
126: wav\126.wav
130: wav\M7-1.wav
131: wav\M7-2.wav
132: wav\M12-1.wav
133: wav\M25-1.wav
134: wav\M27-L.wav
135: wav\M27-R.wav
136: wav\M26-1.wav
137: wav\M26-3.wav
138: wav\138.wav
139: wav\139.wav
140: wav\M34-1.wav
141: wav\M38-0.wav
142: wav\M38-1.wav
144: wav\144.wav
145: wav\145.wav
;;160: wav\160-1.wav
;;161: wav\160-2.wav
;;162: wav\162.wav
;;163: wav\163.wav
;;164: wav\164.wav
;;165: wav\165.wav
;;166: wav\166.wav
;;167: wav\167.wav
;;168: wav\168.wav
;;169: wav\169-1.wav
;;170: wav\169-2.wav
;;171: wav\171.wav
;;172: wav\172.wav
;;173: wav\173.wav
180: wav\M56-0.wav
181: wav\M56-3.wav
211: wav\210-1.wav
212: wav\210-2.wav
214: wav\210-4.wav
215: wav\210-5.wav
291: wav\290-1.wav
292: wav\290-2.wav
294: wav\290-4.wav
295: wav\290-5.wav
300: wav\300-1.wav
301: wav\300-1.wav
302: wav\300-2.wav
304: wav\300-4.wav
305: wav\300-5.wav
401: wav\400-1.wav
402: wav\400-2.wav
403: wav\400-3.wav
404: wav\400-4.wav
405: wav\400-5.wav
411: wav\410-1.wav
412: wav\410-2.wav
414: wav\410-4.wav
415: wav\410-5.wav
421: wav\420-1.wav
422: wav\420-2.wav
424: wav\420-4.wav
425: wav\420-5.wav
431: wav\430-1.wav
432: wav\430-2.wav
433: wav\430-3.wav
434: wav\430-4.wav
435: wav\430-5.wav
441: wav\440-1.wav
442: wav\440-2.wav
444: wav\440-4.wav
445: wav\440-5.wav
451: wav\450-1.wav
452: wav\450-2.wav
453: wav\450-3.wav
454: wav\450-4.wav
455: wav\450-5.wav
461: wav\460-1.wav
462: wav\460-2.wav
463: wav\460-3.wav
464: wav\460-4.wav
465: wav\460-5.wav
471: wav\470-1.wav
472: wav\470-2.wav
474: wav\470-4.wav
475: wav\470-5.wav
481: wav\480-1.wav
482: wav\480-2.wav
484: wav\480-4.wav
485: wav\480-5.wav
491: wav\490-1.wav
492: wav\490-2.wav
494: wav\490-4.wav
495: wav\490-5.wav
501: wav\500-1.wav
502: wav\500-2.wav
504: wav\500-4.wav
505: wav\500-5.wav
511: wav\510-1.wav
512: wav\510-2.wav
514: wav\510-4.wav
515: wav\510-5.wav
521: wav\520-1.wav
522: wav\520-2.wav
524: wav\520-4.wav
525: wav\520-5.wav
531: wav\530-1.wav
532: wav\530-2.wav
534: wav\530-4.wav
535: wav\530-5.wav
541: wav\540-1.wav
542: wav\540-2.wav
543: wav\540-3.wav
544: wav\540-4.wav
545: wav\540-5.wav
561: wav\560-1.wav
562: wav\560-2.wav
564: wav\560-4.wav
565: wav\560-5.wav
570: wav\M17-3.wav
572: wav\54.wav
573: wav\64.wav
575: wav\570-5.wav
581: wav\580-1.wav
582: wav\580-2.wav
584: wav\580-4.wav
585: wav\580-5.wav
591: wav\590-1.wav
592: wav\590-2.wav
594: wav\590-4.wav
595: wav\590-5.wav
601: wav\600-1.wav
602: wav\600-2.wav
604: wav\600-4.wav
605: wav\600-5.wav
611: wav\610-1.wav
612: wav\610-2.wav
614: wav\610-4.wav
615: wav\610-5.wav
621: wav\620-1.wav
622: wav\620-2.wav
624: wav\620-4.wav
625: wav\620-5.wav
631: wav\630-1.wav
632: wav\630-2.wav
634: wav\630-4.wav
635: wav\630-5.wav
641: wav\640-1.wav
642: wav\640-2.wav
644: wav\640-4.wav
645: wav\640-5.wav
651: wav\650-1.wav
652: wav\650-2.wav
654: wav\650-4.wav
655: wav\650-5.wav
661: wav\660-1.wav
662: wav\660-2.wav
664: wav\660-4.wav
665: wav\660-5.wav
671: wav\670-1.wav
672: wav\670-2.wav
674: wav\670-4.wav
675: wav\670-5.wav
681: wav\680-1.wav
682: wav\680-2.wav
684: wav\680-4.wav
685: wav\680-5.wav
691: wav\680-1.wav
692: wav\680-2.wav
694: wav\680-4.wav
695: wav\680-5.wav
700: wav\700-0.wav
701: wav\700-1.wav
702: wav\700-2.wav
704: wav\700-4.wav
705: wav\700-5.wav
710: wav\710-0.wav
711: wav\710-1.wav
712: wav\710-2.wav
714: wav\710-4.wav
715: wav\710-5.wav
720: wav\710-0.wav
721: wav\720-1.wav
722: wav\720-2.wav
724: wav\720-4.wav
725: wav\720-5.wav
730: wav\710-0.wav
731: wav\730-1.wav
732: wav\730-2.wav
734: wav\730-4.wav
735: wav\730-5.wav
811: wav\810-1.wav
812: wav\810-2.wav
814: wav\810-4.wav
815: wav\810-5.wav
821: wav\820-1.wav
822: wav\820-2.wav
824: wav\820-4.wav
830: wav\830-0.wav
831: wav\830-1.wav
832: wav\830-2.wav
834: wav\830-4.wav
835: wav\830-5.wav
901: wav\900-1.wav
902: wav\900-2.wav
904: wav\900-4.wav
905: wav\900-5.wav
931: wav\930-1.wav
932: wav\930-2.wav
934: wav\930-4.wav
935: wav\930-5.wav
940: wav\940-0.wav
941: wav\940-1.wav
942: wav\940-2.wav
943: wav\940-3.wav
944: wav\940-4.wav
945: wav\940-5.wav
1002: wav\1000-2.wav
1005: wav\1000-5.wav
1006: wav\1000-6.wav
1011: wav\1010-1.wav
1012: wav\1010-2.wav
1014: wav\1010-4.wav
1015: wav\1010-5.wav
1021: wav\1020-1.wav
1022: wav\1020-2.wav
1024: wav\1020-4.wav
1025: wav\1020-5.wav
1032: wav\1030-2.wav
1035: wav\1030-5.wav
1101: wav\1100-1.wav
1102: wav\1100-2.wav
1104: wav\1100-4.wav
1105: wav\1100-5.wav
1111: wav\1110-1.wav
1112: wav\1110-2.wav
1114: wav\1110-4.wav
1115: wav\1110-5.wav
wav\1360-1.wav
wav\1360-2.wav
wav\1360-3.wav
wav\1360-4.wav
wav\1360-5.wav
1201: wav\1200-1.wav
1202: wav\1200-2.wav
1204: wav\1200-4.wav
1205: wav\1200-5.wav
1211: wav\1210-1.wav
1212: wav\1210-2.wav
1213: wav\1220-3.wav
1214: wav\1210-4.wav
1215: wav\1210-5.wav
1221: wav\1220-1.wav
1222: wav\1220-2.wav
1223: wav\1220-3.wav
1224: wav\1220-4.wav
1225: wav\1220-5.wav
1231: wav\1230-1.wav
1232: wav\1230-2.wav
1234: wav\1230-4.wav
1235: wav\1230-5.wav
1241: wav\1240-1.wav
1242: wav\1240-2.wav
1244: wav\1240-4.wav
1245: wav\1240-5.wav
1251: wav\1240-1.wav
1252: wav\1240-2.wav
1254: wav\1240-4.wav
1255: wav\1240-5.wav
1261: wav\1260-1.wav
1262: wav\1260-2.wav
1264: wav\1260-4.wav
1265: wav\1260-5.wav
1271: wav\1260-1.wav
1272: wav\1260-2.wav
1274: wav\1260-4.wav
1275: wav\1260-5.wav
1301: wav\1310-1.wav
1302: wav\1310-2.wav
1304: wav\1310-4.wav
1305: wav\1310-5.wav
1311: wav\1310-1.wav
1312: wav\1310-2.wav
1314: wav\1310-4.wav
1315: wav\1310-5.wav
1321: wav\1320-1.wav
1323: wav\1320-3.wav
1324: wav\1320-4.wav
1325: wav\1320-5.wav
wav\1330-1.wav
wav\1330-2.wav
wav\1330-3.wav
wav\1330-4.wav
wav\1330-5.wav
wav\1340-1.wav
wav\1340-2.wav
wav\1340-3.wav
wav\1340-4.wav
wav\1340-5.wav
wav\1350-1.wav
wav\1350-2.wav
wav\1350-4.wav
wav\1350-5.wav
wav\1370-1.wav
wav\1370-2.wav
wav\1370-3.wav
wav\1370-4.wav
wav\1370-5.wav
wav\1380-1.wav
wav\1380-2.wav
wav\1380-4.wav
wav\1380-5.wav
wav\1390-1.wav
wav\1390-2.wav
wav\1390-3.wav
wav\1390-4.wav
wav\1390-5.wav
1401: wav\1400-1.wav
1402: wav\1400-2.wav
1404: wav\1400-4.wav
1405: wav\1400-5.wav
1411: wav\1410-1.wav
1412: wav\1410-2.wav
1414: wav\1410-4.wav
1415: wav\1410-5.wav
1501: wav\1500-1.wav
1502: wav\1500-2.wav
wav\1500-3.wav
1504: wav\1500-4.wav
1505: wav\1500-5.wav
wav\1510-1.wav
wav\1510-2.wav
wav\1510-3.wav
wav\1510-4.wav
wav\1510-5.wav
wav\1520-1.wav
wav\1520-2.wav
wav\1520-4.wav
wav\1520-5.wav
wav\1530-1.wav
wav\1530-4.wav
wav\1530-5.wav
1600: wav\1600-0.wav
wav\1600-2.wav
wav\1600-4.wav
wav\1600-5.wav
1701: wav\1700-1.wav
1702: wav\1700-2.wav
1703: wav\1700-2.wav
1704: wav\1700-4.wav
1705: wav\1700-5.wav
1711: wav\1710-1.wav
1712: wav\1710-2.wav
1714: wav\1710-4.wav
1715: wav\1710-5.wav
1721: wav\1720-1.wav
1722: wav\1720-2.wav
1724: wav\1720-4.wav
1725: wav\1720-5.wav
1801: wav\1800-1.wav
1802: wav\1800-2.wav
1804: wav\1800-4.wav
1805: wav\1800-5.wav
1811: wav\1810-1.wav
1812: wav\1810-2.wav
1814: wav\1810-4.wav
1815: wav\1810-5.wav
1821: wav\1820-1.wav
1822: wav\1820-2.wav
1824: wav\1820-4.wav
1825: wav\1820-5.wav
1831: wav\1830-1.wav
1832: wav\1830-2.wav
1834: wav\1830-4.wav
1835: wav\1830-5.wav
1900: wav\M30-3.wav
1901: wav\1900-1.wav
1904: wav\1900-4.wav
1905: wav\1900-5.wav
1910: wav\1910-0.wav
1911: wav\1910-1.wav
1912: wav\1910-2.wav
1913: wav\1910-3.wav
1914: wav\1910-4.wav
1915: wav\1910-5.wav
1920: wav\1920-0.wav
1921: wav\1920-1.wav
1922: wav\M11-1.wav
1923: wav\M11-2.wav
1924: wav\1920-4.wav
1925: wav\1920-5.wav
2001: wav\2000-1.wav
2002: wav\2000-2.wav
2003: wav\2000-3.wav
2004: wav\2000-4.wav
2005: wav\2000-5.wav
2011: wav\2010-1.wav
2012: wav\2010-2.wav
2013: wav\2010-3.wav
2014: wav\2010-4.wav
2015: wav\2010-5.wav
2021: wav\2020-1.wav
2022: wav\2020-2.wav
2023: wav\2020-3.wav
2024: wav\2020-4.wav
2025: wav\2020-5.wav
2101: wav\2100-1.wav
2102: wav\2100-2.wav
2103: wav\2100-3.wav
2104: wav\2100-4.wav
2105: wav\2100-5.wav
2111: wav\2110-1.wav
2112: wav\2110-2.wav
2113: wav\2110-3.wav
2114: wav\2110-4.wav
2115: wav\2110-5.wav
2121: wav\2120-1.wav
2122: wav\2120-2.wav
2123: wav\2120-3.wav
2124: wav\2120-4.wav
2125: wav\2120-5.wav
2131: wav\2130-1.wav
2132: wav\2130-2.wav
2133: wav\2130-3.wav
2134: wav\2130-4.wav
2135: wav\2130-5.wav
2141: wav\2140-1.wav
2142: wav\2130-2.wav
2143: wav\2140-3.wav
2144: wav\2130-4.wav
2145: wav\2130-5.wav
2151: wav\2150-1.wav
2152: wav\2130-2.wav
2153: wav\2150-3.wav
2154: wav\2130-4.wav
2155: wav\2130-5.wav
2160: wav\2160-0.wav
2161: wav\2160-1.wav
2162: wav\2160-2.wav
2163: wav\2160-3.wav
2164: wav\2160-4.wav
2165: wav\2160-5.wav
2201: wav\2200-1.wav
2202: wav\2200-2.wav
2203: wav\2200-3.wav
2204: wav\2200-4.wav
2205: wav\2200-5.wav
2211: wav\2210-1.wav
2212: wav\2210-2.wav
2213: wav\2210-3.wav
2214: wav\2210-4.wav
2215: wav\2210-5.wav
2221: wav\2220-1.wav
2222: wav\2220-2.wav
2223: wav\2220-3.wav
2224: wav\2220-4.wav
2225: wav\2220-5.wav
2231: wav\2230-1.wav
2232: wav\2230-2.wav
2233: wav\2230-3.wav
2234: wav\2230-4.wav
2235: wav\2230-5.wav
2241: wav\2240-1.wav
2242: wav\2240-2.wav
2243: wav\2240-3.wav
2244: wav\2240-4.wav
2245: wav\2240-5.wav
2251: wav\2250-1.wav
2252: wav\2250-2.wav
2253: wav\2250-3.wav
2254: wav\2250-4.wav
2255: wav\2250-5.wav
2261: wav\2260-1.wav
2262: wav\2260-2.wav
2263: wav\2260-3.wav
2264: wav\2260-4.wav
2265: wav\2260-5.wav
2271: wav\2270-1.wav
2272: wav\2270-2.wav
2273: wav\2270-3.wav
2274: wav\2270-4.wav
2275: wav\2270-5.wav
2276: wav\2270.wav
2301: wav\2300-1.wav
2302: wav\2300-2.wav
2303: wav\2300-3.wav
2304: wav\2300-4.wav
2305: wav\2300-5.wav
2306: wav\2300-6.wav
2311: wav\2310-1.wav
2313: wav\2310-3.wav
2314: wav\2310-4.wav
2315: wav\2310-5.wav
2321: wav\2320-1.wav
2323: wav\2320-3.wav
2324: wav\2320-4.wav
2325: wav\2320-5.wav
2331: wav\2330-1.wav
2333: wav\2330-3.wav
2334: wav\2330-4.wav
2335: wav\2330-5.wav
2341: wav\2340-1.wav
2343: wav\2340-3.wav
2344: wav\2340-4.wav
2345: wav\2340-5.wav
2351: wav\2350-1.wav
2353: wav\2350-3.wav
2354: wav\2350-4.wav
2355: wav\2350-5.wav
2371: wav\2370-1.wav
2373: wav\2370-3.wav
2374: wav\2370-4.wav
2375: wav\2370-5.wav
2381: wav\2370-1.wav
2383: wav\2380-3.wav
2384: wav\2370-4.wav
2385: wav\2370-5.wav
2391: wav\2390-1.wav
2393: wav\2390-3.wav
2394: wav\2390-4.wav
2395: wav\2390-5.wav
2396: wav\2390-6.wav
2401: wav\2400-1.wav
2402: wav\2400-2.wav
2404: wav\2400-4.wav
2405: wav\2400-5.wav
wav\2400-6.wav
2411: wav\2410-1.wav
2412: wav\2410-2.wav
2414: wav\2410-4.wav
2415: wav\2410-5.wav
2416: wav\2410-6.wav
wav\2420-1.wav
wav\2420-2.wav
wav\2420-4.wav
wav\2420-5.wav
wav\2420-6.wav
wav\2430-1.wav
wav\2430-2.wav
wav\2430-4.wav
wav\2430-5.wav
wav\2430-6.wav
wav\2430-7.wav
2621: wav\210-1.wav
2622: wav\210-2.wav
2624: wav\210-4.wav
2625: wav\210-5.wav
wav\2700-1.wav
wav\2700-2.wav
wav\2700-4.wav
wav\2700-5.wav
wav\2700-6.wav
wav\2710-1.wav
wav\2710-2.wav
wav\2710-4.wav
wav\2710-5.wav
wav\2710-6.wav
wav\2720-1.wav
wav\2720-2.wav
wav\2720-4.wav
wav\2720-5.wav
wav\2750-1.wav
wav\2750-2.wav
wav\2750-4.wav
wav\2750-5.wav
wav\2750-6.wav
wav\2750-7.wav
wav\2760-1.wav
wav\2760-2.wav
wav\2760-4.wav
wav\2760-5.wav
wav\2760-6.wav
wav\2760-7.wav
wav\2780-1.wav
wav\460-3.wav
wav\2780-4.wav
wav\2780-5.wav
wav\2790-1.wav
wav\2790-2.wav
wav\2790-4.wav
wav\2790-5.wav
2801: wav\1100-1.wav
2802: wav\1100-2.wav
2804: wav\1100-4.wav
2805: wav\1100-5.wav
2811: wav\900-1.wav
2812: wav\900-2.wav
2814: wav\900-4.wav
2815: wav\900-5.wav
2821: wav\1200-1.wav
2822: wav\1200-2.wav
2824: wav\1200-4.wav
2825: wav\1200-5.wav
2831: wav\2790-1.wav
2832: wav\2790-2.wav
2834: wav\2790-4.wav
2835: wav\2790-5.wav
2841: wav\210-1.wav
2842: wav\210-2.wav
2844: wav\210-4.wav
2845: wav\210-5.wav
3101: wav\1200-1.wav
3102: wav\1200-2.wav
3104: wav\1200-4.wav
3105: wav\1200-5.wav
3111: wav\1200-1.wav
3112: wav\1200-2.wav
3114: wav\1200-4.wav
3115: wav\1200-5.wav
3121: wav\1200-1.wav
3122: wav\1200-2.wav
3124: wav\1200-4.wav
3125: wav\1200-5.wav
3131: wav\1200-1.wav
3132: wav\1200-2.wav
3134: wav\1200-4.wav
3135: wav\1200-5.wav
3401: wav\900-1.wav
3402: wav\3400-2.wav
3404: wav\3400-4.wav
3405: wav\900-5.wav
3406: wav\3400-att1.wav
3411: wav\3410-1.wav
3414: wav\3410-4.wav
3415: wav\900-5.wav
3416: wav\3410-att1.wav
3417: wav\3410-att2.wav
3421: wav\3420-1.wav
3422: wav\3420-2.wav
3424: wav\3420-4.wav
3425: wav\900-5.wav
3426: wav\3420-att1.wav
3427: wav\3420-att2.wav
3428: wav\3420-att3.wav
3431: wav\3430-1.wav
3432: wav\2130-2.wav
3433: wav\3430-3.wav
3434: wav\2130-4.wav
3435: wav\2130-5.wav
3441: wav\M47-0.wav
3446: wav\3440-att1.wav
3447: wav\3440-att2.wav
3451: wav\3450-1.wav
3452: wav\3450-2.wav
3454: wav\3450-4.wav
3455: wav\3450-5.wav
3461: wav\3460-1.wav
3462: wav\3460-2.wav
3464: wav\3460-4.wav
3465: wav\3460-5.wav
3471: wav\3470-1.wav
3474: wav\3470-4.wav
3475: wav\3470-5.wav
3476: wav\3470-att1.wav
3477: wav\3470-att2.wav
3478: wav\3470-att3.wav
3479: wav\3470-att4.wav
3481: wav\3480-1.wav
3482: wav\3480-2.wav
3484: wav\3480-4.wav
3485: wav\3480-5.wav
3491: wav\3490-1.wav
3492: wav\3490-2.wav
3494: wav\3490-4.wav
3495: wav\3490-5.wav
3601: wav\210-1.wav
3602: wav\210-2.wav
3604: wav\210-4.wav
3605: wav\210-5.wav
3611: wav\8200-1.wav
3612: wav\8200-2.wav
3613: wav\8200-3.wav
3614: wav\8200-4.wav
3616: wav\8200-6.wav
3617: wav\8200-7.wav
3618: wav\8200-8.wav
3621: wav\8200-1.wav
3622: wav\8200-2.wav
3623: wav\8200-3.wav
3624: wav\8200-4.wav
3626: wav\8200-6.wav
3627: wav\8200-7.wav
3628: wav\8200-8.wav
3701: wav\480-1.wav
3702: wav\480-2.wav
3704: wav\480-4.wav
3705: wav\480-5.wav
3710: wav\700-0.wav
3711: wav\490-1.wav
3712: wav\490-2.wav
3714: wav\490-4.wav
3715: wav\490-5.wav
3720: wav\700-0.wav
3721: wav\700-1.wav
3722: wav\700-2.wav
3724: wav\700-4.wav
3725: wav\700-5.wav
3731: wav\210-1.wav
3732: wav\210-2.wav
3734: wav\210-4.wav
3735: wav\210-5.wav
wav\2320-1.wav
wav\xsws_tsgj.wav
wav\xsws_injured.wav
wav\xsws_death.wav
3751: wav\530-1.wav
3752: wav\530-2.wav
3754: wav\530-4.wav
3755: wav\530-5.wav
3761: wav\720-1.wav
3762: wav\720-2.wav
3764: wav\720-4.wav
3765: wav\720-5.wav
3771: wav\510-1.wav
3772: wav\510-2.wav
3774: wav\510-4.wav
3775: wav\510-5.wav
3781: wav\610-1.wav
3782: wav\610-2.wav
3784: wav\610-4.wav
3785: wav\610-5.wav
3791: wav\600-1.wav
3792: wav\600-2.wav
3794: wav\600-4.wav
3795: wav\600-5.wav
8301: wav\2120-1.wav
8302: wav\2120-2.wav
8303: wav\2120-3.wav
8304: wav\2120-4.wav
8305: wav\2120-5.wav
8311: wav\2000-1.wav
8312: wav\2000-2.wav
8313: wav\2000-3.wav
8314: wav\2000-4.wav
8315: wav\2000-5.wav
8321: wav\1830-1.wav
8322: wav\1830-2.wav
8324: wav\1830-4.wav
8325: wav\1830-5.wav
8331: wav\3450-1.wav
8332: wav\3450-2.wav
8334: wav\3450-4.wav
8335: wav\3450-5.wav
8340: wav\700-0.wav
8341: wav\700-1.wav
8342: wav\700-2.wav
8344: wav\700-4.wav
8345: wav\700-5.wav
8361: wav\1200-1.wav
8362: wav\1200-2.wav
8364: wav\1200-4.wav
8365: wav\1200-5.wav
8371: wav\1020-1.wav
8372: wav\1020-2.wav
8374: wav\1020-4.wav
8375: wav\1020-5.wav
8381: wav\1020-1.wav
8382: wav\1020-2.wav
8384: wav\1020-4.wav
8385: wav\1020-5.wav
8391: wav\1810-1.wav
8392: wav\1810-2.wav
8394: wav\1810-4.wav
8395: wav\1810-5.wav
8401: wav\500-1.wav
8402: wav\500-2.wav
8404: wav\500-4.wav
8405: wav\500-5.wav
8411: wav\500-1.wav
8412: wav\500-2.wav
8414: wav\500-4.wav
8415: wav\500-5.wav
8421: wav\820-1.wav
8422: wav\820-2.wav
8424: wav\820-4.wav
8425: wav\820-5.wav
8431: wav\300-1.wav
8432: wav\300-2.wav
8434: wav\300-4.wav
8435: wav\300-5.wav
8441: wav\300-1.wav
8442: wav\300-2.wav
8444: wav\300-4.wav
8445: wav\300-5.wav
8451: wav\1520-1.wav
8452: wav\1520-2.wav
8454: wav\1520-4.wav
8455: wav\1520-5.wav
8461: wav\940-1.wav
8462: wav\670-2.wav
8464: wav\940-4.wav
8465: wav\940-5.wav
8471: wav\940-1.wav
8472: wav\940-2.wav
8474: wav\940-4.wav
8475: wav\940-5.wav
8481: wav\2320-1.wav
8482: wav\2320-2.wav
8484: wav\2320-4.wav
8485: wav\2320-5.wav
8201: wav\8200-1.wav
8202: wav\8200-2.wav
8203: wav\8200-3.wav
8204: wav\8200-4.wav
8206: wav\8200-6.wav
8207: wav\8200-7.wav
8208: wav\8200-8.wav
8222: wav\8220-6.wav
8301: wav\8300-1.wav
8302: wav\8300-2.wav
9200: wav\9200-0.wav
9202: wav\9200-2.wav
9204: wav\9200-4.wav
9205: wav\9200-5.wav
9210: wav\9210-0.wav
9214: wav\9210-4.wav
9215: wav\9210-5.wav
9220: wav\9210-0.wav
9224: wav\9220-4.wav
9225: wav\9210-5.wav
9230: wav\9210-0.wav
9234: wav\9220-4.wav
9235: wav\9210-5.wav
10010: wav\M1-1.wav
10011: wav\M1-2.wav
10012: wav\M1-3.wav
10020: wav\M2-1.wav
10022: wav\M2-3.wav
10050: wav\M5-1.wav
10051: wav\M5-2.wav
10052: wav\M5-3.wav
10060: wav\M6-1.wav
10061: wav\M6-2.wav
10062: wav\M6-3.wav
10080: wav\M8-2.wav
10090: wav\M9-1.wav
10092: wav\M9-3.wav
10100: wav\M10-1.wav
10110: wav\M11-1.wav
10111: wav\M11-1.wav
10112: wav\M11-2.wav
10120: wav\M12-1.wav
10130: wav\M13-1.wav
10131: wav\M13-2.wav
10132: wav\M13-3.wav
10141: wav\M14-2.wav
10142: wav\M14-3.wav
10151: wav\M15-2.wav
10152: wav\M15-3.wav
10160: wav\M16-1.wav
10162: wav\M16-3.wav
10170: wav\M17-1.wav
10180: wav\M18-1.wav
10191: wav\M19-2.wav
10192: wav\M19-3.wav
10200: wav\M20-1.wav
10202: wav\M20-3.wav
10210: wav\M21-1.wav
10220: wav\M22-1.wav
10221: wav\M22-2.wav
10222: wav\M22-3.wav
10230: wav\M23-1.wav
10232: wav\M23-3.wav
10240: wav\M24-1.wav
10241: wav\M24-2.wav
10260: wav\M24-2.wav
10280: wav\M28-1.wav
10282: wav\M28-3.wav
10290: wav\M29-1.wav
10292: wav\M29-3.wav
10300: wav\M30-1.wav
10310: wav\M31-1.wav
10320: wav\M32-1.wav
10322: wav\M32-3.wav
10330: wav\M33-1.wav
10332: wav\M33-3.wav
10350: wav\M35-1.wav
10352: wav\M35-1.wav
10360: wav\M36-1.wav
10370: wav\M37-1.wav
10380: wav\M44-0.wav
10390: wav\M39-0.wav
10391: wav\M39-1.wav
10392: wav\M39-2.wav
10393: wav\M39-3.wav
10400: wav\M40-0.wav
10401: wav\M40-1.wav
10410: wav\M43-0.wav
10420: wav\M48-0.wav
10422: wav\M48-2.wav
10430: wav\M43-0.wav
10440: wav\M39-0.wav
10441: wav\M39-1.wav
10442: wav\M39-2.wav
10443: wav\M39-3.wav
wav\M35-1.wav
10461: wav\M46-1.wav
10470: wav\M47-0.wav
10472: wav\M47-2.wav
10475: wav\M47-5.wav
10480: wav\M37-1.wav
10490: wav\M49-0.wav
10491: wav\M49-1.wav
10492: wav\M49-2.wav
10493: wav\newysound-mix.wav
10500: wav\M36-1.wav
10510: wav\M51-0.wav
10512: wav\M51-2.wav
10520: wav\M52-0.wav
10521: wav\M52-1.wav
10522: wav\M52-2.wav
10530: wav\M53-0.wav
10532: wav\M53-2.wav
10540: wav\M54-0.wav
10542: wav\M54-2.wav
10550: wav\M55-0.wav
10552: wav\M55-2.wav
10560: wav\M56-0.wav
10563: wav\M56-3.wav
10570: wav\M57-0.wav
10571: wav\M57-3.wav
10572: wav\M57-3.wav
10580: wav\M58-0.wav
10582: wav\M58-3.wav
10680: wav\M42-0.wav
10681: wav\M42-1.wav
10682: wav\M42-2.wav
10690: wav\M33-1.wav
10760: wav\M47-0.wav
10761: wav\M47-2.wav
10762: wav\2270.wav
10770: wav\M101-0.wav
10771: wav\warpower-up.wav
10772: wav\warpower-up.wav
10780: wav\M42-0.wav
10781: wav\M42-1.wav
10782: wav\M42-2.wav
10800: wav\M33-1.wav
10802: wav\cboFs4_start.wav
10820: wav\M28-1.wav
10822: wav\M28-3.wav
11000: wav\M100-0.wav
wav\M100-2.wav
11010: wav\M101-0.wav
wav\M101-2.wav
11040: wav\cboFs2_start.wav
wav\cboFs2_target.wav
11050: wav\cboFs3_start.wav
wav\cboFs3_target.wav
11060: wav\cboFs4_start.wav
wav\cboFs4_target.wav
11070: wav\cboFs1_start.wav
wav\cboFs1_target.wav
11080: wav\cboDs1_start.wav
wav\cboDs1_target.wav
11090: wav\cboDs2_start.wav
wav\cboDs2_target.wav
11100: wav\cboDs3_start.wav
wav\cboDs3_target.wav
11110: wav\cboDs4_start.wav
wav\cboDs4_target.wav
11120: wav\cboFs2_start.wav
11160: wav\cboFs1_start.wav
11170: wav\cboFs3_start.wav
11180: wav\M101-0.wav
11181: wav\warpower-up.wav
11182: wav\warpower-up.wav
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
0IdHTTPHeaderInfo
LMsgBox
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
frmChangePassword
Picture.Data
2007:02:07 02:59:30
urlTEXT
MsgeTEXT
HhXXp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x='adobe:ns:meta/' x:xaptk='XMP toolkit 2.8.2-33, framework 1.5'>
<rdf:RDF xmlns:rdf='hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='hXXp://ns.adobe.com/iX/1.0/'>
<rdf:Description about='uuid:a1975220-b60f-11db-b931-c8e8dfd9ba45'
xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:a197521e-b60f-11db-b931-c8e8dfd9ba45</xapMM:DocumentID>
EditPassword
EditNewPassword
Bitmaps.Down.Data
Bitmaps.Hot.Data
Bitmaps.TransparentColor
Bitmaps.Up.Data
frmGetBackPassword
2007:03:06 08:02:29
<rdf:Description about='uuid:ea54afb1-cb74-11db-9adb-a5021ffa588c'
<xapMM:DocumentID>adobe:docid:photoshop:ea54afaf-cb74-11db-9adb-a5021ffa588c</xapMM:DocumentID>
Bitmaps.Disabled.Data
btnChangePassword
WebBrowserDownloadComplete
TimerLoginFun
LabelHintMsg
2007:02:07 02:59:57
<rdf:Description about='uuid:3be681c9-b614-11db-b931-c8e8dfd9ba45'
<xapMM:DocumentID>adobe:docid:photoshop:2ef6df80-b614-11db-b931-c8e8dfd9ba45</xapMM:DocumentID>
%U}d4*hx
1980/03/12
0123456
Glyph.Data
TFRMCHANGEPASSWORD
TFRMGETBACKPASSWORD
1999-2007
Open a Zip File[Zip Files (*.ZIP)|*.zip|SFX Files (*.EXE)|*.exe|Jar Files (*.JAR)|*.jar|All Files (*.*)|*.*&User canceled Set Desination Directory
Index %d is out of range
User Aborted Operation
User canceled Zip operation%Select a new name for the fixed file.
Zip Files (*.ZIP)
Invalid seek origin (%d)
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Reply Code is not valid: %s
Unknown Protocol(Request method requires HTTP version 1.1DThis authentication method is already registered with class name %s.
JPEG error #%d
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
"%d: Circular links are not allowed
File "%s" not found
Object type not supported.
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
)UDP is not support in this SOCKS version.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Network is down.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
UTF-7"%s requires Windows Vista or later Invalid level (%d) for item "%s"
Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL
Indigo Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.,Multiselect mode must be on for this feature
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned
&Files: (*.*)
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
No help found for %s#No context-sensitive help installed
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Cannot open file "%s". %s
Unable to write to %s
Invalid file name - %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
_ChangePassword
:1980/01/01)

%original file name%.exe_1204_rwx_002A9000_00001000:

531380811
1211813858
537064555
C:\Windows\system32\Normaliz.dll
C:\Windows\system32\iertutil.dll

%original file name%.exe_1204_rwx_002E8000_00001000:

5C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\desktop.ini
5C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
5C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

%original file name%.exe_1204_rwx_00317000_00001000:

|127.0.0.1|8888|password
|127.0.0.1|8888|pa
ntdll.dll
KERNEL32.DLL
BlueWebHeader
sWebSite
C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\

%original file name%.exe_1204_rwx_00327000_00001000:

.pac;.jvs;.js
115.28.143.172
C:\Windows\system32\jsproxy.dll

%original file name%.exe_1204_rwx_0033F000_00001000:

dc.exe

%original file name%.exe_1204_rwx_00344000_00001000:

hXXp://127.0.0.1
hXXp://115.28.143.172:81/
115.28.143.172

%original file name%.exe_1204_rwx_00400000_00001000:

.text
`.itext
`.data
.idata
.rdata
.reloc
@.rsrc

%original file name%.exe_1204_rwx_00536000_00018000:

1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
1.0.4
inflate 1.0.4 Copyright 1995-1996 Mark Adler

%original file name%.exe_1204_rwx_005D5000_00178000:

UnhookWindowsHookEx
RegFlushKey
RegCloseKey
comdlg32.dll
RegCreateKeyExA
GetKeyNameTextA
SetViewportOrgEx
GetKeyboardState
kernel32.dll
comctl32.dll
mpr.dll
shell32.dll
GetKeyboardType
WinExec
wsock32.dll
user32.dll
gdi32.dll
EnumWindows
EnumChildWindows
MsgWaitForMultipleObjectsEx
RegCreateKeyA
EnumThreadWindows
MsgWaitForMultipleObjects
ShellExecuteA
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyState
MapVirtualKeyA
version.dll
ShellExecuteExA
ole32.dll
RegOpenKeyExA
LoadKeyboardLayoutA
GetKeyboardLayoutList
GetViewportOrgEx
oleaut32.dll
RegOpenKeyA
advapi32.dll
ActivateKeyboardLayout
SetWindowsHookExA
GetCPInfo

%original file name%.exe_1204_rwx_00BE0000_00318000:

.text
`.rdata
@.data
.vmp0
`.reloc
@.rsrc
kernel32.dll
ntdll.dll
shlwapi.dll
user32.dll
ws2_32.dll
kernel32.DLL
Kernel32.dll
advapi32.dll
Advapi32.dll
LoginDLL.dll
psapi.dll
version.dll
wsock32.dll
Ws2_32.dll
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
LoginTYFw
EnumChildWindows
hwdlq.bin
vkernel32.dll
KERNELBASE.dll
hXXp://127.0.0.1
?hfgste.bsp
z>hXXp://123.56.236.9:86/tz1.txt
qjdlq1.hwdlq.com
qjdlq2.hwdlq.com
qjdlq3.hwdlq.com
qjdlq4.hwdlq.com
2.lnk
hXXp://imgsrc.baidu.com/forum/pic/item/3801213fb80e7becb5e6a02e272eb9389a506bc5.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/b64543a98226cffc7c551c7db1014a90f703ea86.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/32fa828ba61ea8d3e972d7cb9f0a304e241f58a8.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/1b4c510fd9f9d72ad148b3d2dc2a2834359bbbd5.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/e61190ef76c6a7ef200a0be9f5faaf51f2de66d5.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/622762d0f703918f30819e05593d269758eec4a9.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/d8f9d72a6059252d6728becb3c9b033b5ab5b9c6.jpg
Protection.exe
e.exe
<@hXXp://VVV.xkdlq.net/Bluelist.txt
hXXp://bak.xkdlq.net/Bluelist.txt
hXXp://VVV.xkdlq.net/LoginTool/Upgrade/list.txt
hao959.com
\data\lsDefaultItemFilter.txt
link1.ini
link.ini
e:\BlueAnit
d:\BlueAnit
d:\BlueKEY.exe
e:\BlueKEY.exe
d:\GomKEY.exe
e:\GomKEY.exe
d:\BlueAnit.rar
e:\BlueAnit.rar
d:\SKT1.zip
e:\SKT1.zip
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
@\data\ItemDesc.dat
\data\lsDefaultItemFilte1.txt
\LoginDll.dll
1lb.txt
sj.txt
HTTP/1.1 200 OK
G|Z%d
/lb.txt
hXXp://127.0.0.1:
/sj.txt
LoginTool.exe
\data\prguse2.wil
\data\prguse2.wzl
t\lscfg.ini
20170718
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
blue.dll
.PAVCException@@
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
X-X-X-X-X-X
VVV.dywt.com.cn
x86 Family %s Model %s Stepping %s
X-X-X-X
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.0.6
\shell32.dll
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
NULL row buffer for row %ld, pass %d
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
%Sjko
.zg_5
%SPK?
BN%2X
.hcq\
.xZM5
H}.Fs
0.Ql?
%DViJ
.DfTf |
[.NX0
 .YVtX
/k.ncH
'.qC,H
C.oL!Ma
)D.RX
%c%s\
k.FE,
5kO.Yk
-w\.mT
Pf)%f
&6.Hs
%.Ho!
fsqL
L5%FQ7
MKk3[.pC
N0%F.
2.QB;
) -.kj
.HM&-
,L-.rc
;c%Dp
6Z.Yf
Hf>=-Y}
~.YAk
.tDa&
uu$s.ew6`5
|}.YU
0.Fa/
$Úx
%f%qn
X"Q%u!
5".mR
1[.CP
.ktq2
 -Yj}
.YTzB<
.hBl@
zM%Uq#
%cjz\
T[T.JN
%d(^c
3.SQ)
S;".az
.YkLb!
0.OOs?m
$L%f"k
.Oc{4
%C;Oh
.YMnn
?y\ÿ
N.aX.q2
c.cu9
2>Ÿ
'QI%D
C%s`^
5Q%.S
.buVY
!ÉW
L!gk.lcH
.fds&
m.yEf-
8%9U9
7&7 71767}7
6a6D6[6a6m6
4 4_5)909
1%2S2
2,313[3`3
2 2$2(2,2024282<2@273
8Œ8U8[8a8i8
4-646,7074787<7
0 0$0(0,0004080
2 2$2(2,2&4
;,;4;:;@;
1"1/141:1
:&:0:>:{:
9!9-9A9U9i9}9
=$=,=8=@=
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://sv.symcb.com/sv.crl0a
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0
(*.*)

%original file name%.exe_1204_rwx_01E10000_00346000:


%original file name%.exe_1204_rwx_04D15000_00001000:

c:\;.;C:\Windows\system32;C:\Windows\system;C:\Windows;C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files\Wireshark


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1804

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9fc68e852bc88a177b3af1cdff88fdd7.ini (177 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b017a0bca8761fbc515869ce9e27b79d.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3437ae35cad39e4b23c9354436b0c699.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\46a3c8721859e6dc1d677d4ab280b993.txt (124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\90a97eeb5f87017d403ecdc80857aff1.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\df6a85f8c92ab933352505d3e630eba0.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cd435625acca819a73643fd7e788a2b0.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\057559c246e70004170fb451f30200aa.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a9b081f301195d55ccac69db6197e79b.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\90c7c3f02beb266b0f1cac532cc195b1.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6e4c93455940e61684bfb6c357e2effb.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d46a24861ed2595397eb19d664ca24e8.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\acabd5f86d52491f9f52d049205000ee.txt (103 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e820eb161329035bf42ead5d7bf28adf.ini (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
