Trojan.Win32.FlyStudio_3b074de669

by malwarelabrobot on March 26th, 2018 in Malware Descriptions.

Gen:Variant.Zusy.264158 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Zusy.264158 (B) (Emsisoft), Artemis!3B074DE66998 (McAfee), SecurityRisk.gen1 (Symantec), Trojan-GameThief.Win32.Magania (Ikarus), Gen:Variant.Zusy.264158 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan-Banker.Win32.Banker.FD, Trojan-Banker.Win32.Brasil.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Banker, Trojan, Worm, EmailWorm, VirTool, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 3b074de669980861d4661b221f7be2f9
SHA1: 32b3687c4999812fa7003ce7dcc96504b451160e
SHA256: b3139149e788080657f23024759fd0bb6f2fe4b5d380c017e6fd53d955249d37
SSDeep: 24576:6Kc517C2bPuyAz/ZUlvtKxYgS9MRXIvjyV/sLKLe4rvQZ:6Kc51tjuyAzxM1OYgS9byq BDQZ
Size: 1356594 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2017-11-09 17:04:06
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2940
%original file name%.exe:3600

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6341cee27a1e54312fb488bb1e1e2f46.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1aa68468a225e8ad9b49edb1a946182e.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4d87324efef94ef67221f2912dc89ae9.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ba6e1b2e9f76da34a5d521a20d52e63e.txt (243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e06549067736b6d8b83ad1692e3dac04.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\680db6d335c551c4885c3046600e89d8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5573c0e0e4504d62ea432f4b5df3481a.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7e6dffff5b2a7eccc3fee5dcd53d0927.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a156b79569931e9cce44736b86f6e069.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b86ec984a069da4dfeaa3a16fc0ec2f2.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\257ebb26802bfc542d2d602fefb1ec6f.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\792574abec5d363f69be9bca3997483b.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a58fcef2b3da25a3a84fd37417c981e9.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\da3b879a31840d80746740e6e3a5490a.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8bc587ee979cdb3a96b82251a1c579e8.txt (410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

Registry activity

The process %original file name%.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3b074de669980861d4661b221f7be2f9_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 634880 274944 5.54465 63b923c3cbba8e8c112534b1dff18ac0
.rdata 638976 5279744 1040384 5.54176 e552088d330281d2d7c54e042ad48357
.data 5918720 286720 23040 5.51306 d3f344622d77f0f349cf5e76fd82ce3b
.rsrc 6205440 24576 8192 4.3906 71f16704cfffb648ac6e9b330b1dc211
.aspack 6230016 8192 8192 3.72011 fd330b7ff47ca7128c9597ae739b994e
.adata 6238208 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://imgsa.jomodns.com/forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/a50f4bfbfbedab644b5ed96bfc36afc379311e68.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/a6efce1b9d16fdfa4bae5345bf8f8c5495ee7b5f.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/c2cec3fdfc039245f7a375a48c94a4c27d1e2502.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/f11f3a292df5e0fe74da1caa576034a85fdf725f.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/9358d109b3de9c822da76c246781800a18d8435f.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/34fae6cd7b899e513698aebf49a7d933c8950d02.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/9e3df8dcd100baa1d511d3104c10b912c8fc2e5f.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/b8014a90f603738df3399889b81bb051f819ec2e.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/b21bb051f819861856347b2f41ed2e738bd4e62e.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/a5c27d1ed21b0ef433d50cf5d6c451da81cb3e5f.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/0df3d7ca7bcb0a46650e1f926063f6246b60af69.jpg
hxxp://imgsa.jomodns.com/forum/pic/item/b8389b504fc2d56226373e60ef1190ef76c66c04.jpg
imgsa.baidu.com 119.146.74.48
www.hc130.com 110.42.2.15


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /forum/pic/item/0df3d7ca7bcb0a46650e1f926063f6246b60af69.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:43 GMT
Content-Type: image/jpeg
Content-Length: 243245
Connection: close
ETag: "10215505918543956883"
Last-Modified: Wed, 22 Nov 2017 09:00:20 GMT
Expires: Mon, 25 Mar 2019 07:19:43 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 5 5 159 160
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ......./p....]Dg.e`.$...........A...%.....
....`a...:.pR....%......W.. .D..'..N..Ik....GA.,(O...xS...'0...1...$'.
..u..e.I...U..(....R5:nW......i_...../!.N__#;....6..........5.k}..
<<< skipped >>>


GET /forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:07 GMT
Content-Type: image/jpeg
Content-Length: 297656
Connection: close
ETag: "8194768310413110853"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Thu, 13 Dec 2018 12:19:32 GMT
Age: 8181814
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>


GET /forum/pic/item/9e3df8dcd100baa1d511d3104c10b912c8fc2e5f.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:30 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "3160509314556795232"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:30 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 5 5 244 244
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ........$.K.h..........l...?.....Q.G".z..?
.........)^....9.~C.y.S..d]..z....^h......./.........f/h.w...Xh.....N.
.z.....e.......4..&3"f..............X../1.^.].KFO.@..`..J....A...H
<<< skipped >>>


GET /forum/pic/item/34fae6cd7b899e513698aebf49a7d933c8950d02.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:26 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "2183998585425626014"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:26 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 6 7 134 134
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ..........3...f[/~.u*kN.kzl.V....ER.._E.U.
n.....4..uQZ...f.V.X."..$b...d<...t.../t8U..g->......s)t...[....
....}.N.tM...t..'...Z./.f...'[...5/W3....o......m.WK.bm..:.;g...a.
<<< skipped >>>


GET /forum/pic/item/a6efce1b9d16fdfa4bae5345bf8f8c5495ee7b5f.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:13 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "6686004409411070014"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:14 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 8 8 198 198
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ..............=...lE4e.e..5Ko%k.......}F.F
..56..]....P.j.0.d....x...^..R:m....,n.cE..........T...Z>.`k!......
9...`.T.e./.qM=....f..c.\.......Em.0.4..a......0.@.......6.Xm..mb.
<<< skipped >>>


GET /forum/pic/item/b21bb051f819861856347b2f41ed2e738bd4e62e.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:36 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "14337305329627786317"
Last-Modified: Wed, 22 Nov 2017 09:00:20 GMT
Expires: Mon, 25 Mar 2019 07:19:36 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 6 6 196 198
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ............}....G%...Q...1.v......O|..Y\C
...%eSb.b].[q.7.`OqU......,..z..u.q.`).]...m/.r....].k.:.~..[<.yYhw
.....^.....c.6-b.u4#N.k.g....6.[.{.....).V.| .g.X.Yq.....(. g.|H..
<<< skipped >>>


GET /forum/pic/item/b8014a90f603738df3399889b81bb051f819ec2e.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:33 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "2576645439184400800"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:33 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 9 9 179 272
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c .......bk..H8.....9....*j..D=..~F...&.u1.#
cr~n.j!J....C..i...~Z.........Rw^w.3...'{.}....>6....dO.`..}v9.....
:>..b..Y..K..>.-G.8.J..8... .....U....d..h...o.....?......%.
<<< skipped >>>


GET /forum/pic/item/9358d109b3de9c822da76c246781800a18d8435f.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:23 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "8643267872418547629"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:23 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 7 7 199 200
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c .......pc.....Iv;.b[".$A...S.gz&U.PZ.>.
....T..f.S:....K..8.6.!..Z....._V.m...|..g.#....ha]z.HL.y..K......T.Q.
{.w.........M........e..K...F.J.t-.K..X1u/d.n].G...t.G....1...b..w
<<< skipped >>>


GET /forum/pic/item/a50f4bfbfbedab644b5ed96bfc36afc379311e68.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:10 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "16294274713007680567"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:10 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 4 5 213 214
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c .........>.@eR.x...wT...?.DQ.!)  Q.....
.d....H(..qH.J..0... ...D. "I2.......g.....^..s....~....z..S....w.]...
......H@....G.76....J...}..A....;.....U4...&..>B8..N...B.....}.
<<< skipped >>>


GET /forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:18:58 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "7878501113830277673"
Last-Modified: Thu, 29 Sep 2016 09:44:50 GMT
Expires: Sun, 16 Sep 2018 08:33:19 GMT
Age: 16411539
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>


GET /forum/pic/item/c2cec3fdfc039245f7a375a48c94a4c27d1e2502.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:17 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "15360862637863710182"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:17 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 7 7 163 163
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c .......f/k.........;...Z...........$.....K
.S/D}...D..^W>."2.Ll...8..Q\...y.#....A.._O....W...p.c..Hm/.W..... 
a...r..%..N..X......_T....4t.v7.....ww.z......,9zy..i..8.~xP)....e
<<< skipped >>>


GET /forum/pic/item/a5c27d1ed21b0ef433d50cf5d6c451da81cb3e5f.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:40 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "1162579077072831296"
Last-Modified: Wed, 22 Nov 2017 09:00:20 GMT
Expires: Mon, 25 Mar 2019 07:19:40 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 5 5 168 168
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c ..........Z..D.H..T...J.~t51E..x.....D....
......? p.c.~ya1../.2A.U.IP.{...0.........@..0b....].V.=..........{...
.w....E.;.g58$..xZH....;......Mp^..".E;.`nmn%.<q.0..L....1..C.p
<<< skipped >>>


GET /forum/pic/item/b8389b504fc2d56226373e60ef1190ef76c66c04.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:46 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "13190613130288077330"
Last-Modified: Tue, 27 Sep 2016 08:32:15 GMT
Expires: Wed, 20 Mar 2019 01:11:34 GMT
Age: 449512
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>


GET /forum/pic/item/f11f3a292df5e0fe74da1caa576034a85fdf725f.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:20 GMT
Content-Type: image/jpeg
Content-Length: 410975
Connection: close
ETag: "6594573751140990132"
Last-Modified: Wed, 22 Nov 2017 09:00:19 GMT
Expires: Mon, 25 Mar 2019 07:19:20 GMT
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 7 7 167 168
......JFIF.....`.`.....C..............................................
......................C...............................................
........................(.@...........................................
....................}........!1A..Qa."q.2....#B...R..$3br........%&'()
*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................
......................................................................
..........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.
....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.......................
.............................................................?........
.f..8..M.......z.._W......?...q..1.......Q...\.<.P........g.o....m.
...;Z..6...oo..........`c.....v........&..?........kF......[L.(....4..
....f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o...
.m....;Z..6...oo..........`c.....v........&..?........kF......[L.(....
4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........g.o
....m....;Z..6...oo..........`c.....v........&..?........kF......[L.(.
...4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P........
g.o....m....;Z..6...oo..........`c.....v........&..?........kF......[L
.(....4......f..8..M....;.]..]}^......?...q..1.......Q...\.<.P.....
...g.o....m....;Z..6...oo..........`c.....v........&..?........kF.....
.[L.(....?.. .. .#C z....%c .........&^].$(...._t.....}Q.......<.Js
.T|a..p....P....\.....)......(f.\..........T......b...?..&...A..?...q.
K`b........O....K....k^R..z1....'....~.._O?b....8!-..D.O%..../....
<<< skipped >>>


GET /forum/pic/item/838ba61ea8d3fd1fb85125ca384e251f94ca5fe2.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:18:56 GMT
Content-Type: image/jpeg
Content-Length: 226769
Connection: close
ETag: "7130635741171976897"
Last-Modified: Thu, 29 Sep 2016 09:22:38 GMT
Expires: Sun, 16 Sep 2018 08:33:19 GMT
Age: 16411537
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>


GET /forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:04 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "2181626205514252865"
Last-Modified: Thu, 29 Sep 2016 09:44:52 GMT
Expires: Sun, 16 Sep 2018 08:33:20 GMT
Age: 16411544
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>


GET /forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: imgsa.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: JSP3/2.0.14
Date: Sun, 25 Mar 2018 07:19:01 GMT
Content-Type: image/jpeg
Content-Length: 420649
Connection: close
ETag: "17719340091593362697"
Last-Modified: Thu, 29 Sep 2016 09:44:51 GMT
Expires: Sun, 16 Sep 2018 08:33:20 GMT
Age: 16411541
Cache-Control: max-age=31536000
Accept-Ranges: bytes
Error-Message: OK
Ohc-Response-Time: 1 0 0 0 0 0
......JFIF.....H.H......Exif..MM.*.............................b......
.....j.(...........1.........r.2...........i....................'.....
..'.Adobe Photoshop CS3 Windows.2008:02:19 19:27:40...................
........./.......................................................&.(..
.......................................H.......H..........JFIF.....H.H
......Adobe_CM......Adobe.d...........................................
......................................................................
................................../.."................?...............
...........................................................3......!.1.
AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e.....u..F'.....
..........Vfv........7GWgw........................5.....!1..AQaq"..2..
...B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...............
Vfv........'7GWgw.................?..N.e..ck........p.X.....w.b..~.Qs.
.Z..I...k\.}./..m.3.*{.[.......1..Tc.i...<x......jn....H..#.]s.....
........}X../....s.;.^...Y.q.........r....E..X..2}f..jG..........X..;.
-s..r6VV{..b..............=%5-....hvd.`6..k^@...e.}Mw...c.........._.Q
....1.t...V....1]...^.e2...m..sV.L.2....@.....:.g_.U.e.........~.=...3
..................s.$...w..;.y..........N...r.....v..'.H|L~r.W_.Ov.n.5
..k..........e%#....p...2m....oh.z{]g.y.'~gO.y.........X...lK,u..-g..n
Z,....[..u.i.~..J..~A.....$......w.INf/...C...k.^C...|...l.G....c3....
.i,{.-.....47......r...k;*..W~m8..q>.....k./.u...[P.j.42.pF..lu^...
...IO..............\.[xh6...n...........?*.1.K.Mo.1.....Z..fE{...m
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_2940:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u$SShe
iu2.iu
ntdll.dll
kernel32.dll
Kernel32.dll
shlwapi.dll
wininet.dll
user32.dll
Msimg32.dll
InternetOpenUrlA
k.eX&h
pG.Le
.OKG'
k@v%D
.qjKb
.>;$>:$~
%.IiZ
h%C;BD
O.rlA
G  H~.Ou}*@6
*6%XS2
)Dz.Bc
%.IWi
^F%Fi
5S%U)
uLp|.aNS
%fTl&K
sE%u7^
IwEB
VCMpX?dkGraiUsInTnu^TRa`YNu_WrpkUbynYRpkXBa_GrapURpkJ?HtTb@rHRQ]JBLoUbLmUbDtIO@nIRI]Ho\pUODqHRTuIBI]IRUaH^ufXBYxH_DrIoTu[?Y]HoTlU_ToTRPqHrPuJR@pJOIaHoPuJRTsTODsJO=bimgsa.baidu.com
G|Z%d
c:\hwconfig
c:\hwconfig\
qjwyhe.ini
hXXp://101.200.152.202:86/
101.200.152.202
\*.qdat
Adobe Photoshop CS5 Windows
2016:12:24 15:53:35
urlTEXT
MsgeTEXT
#hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2016-12-24T14:33:14 08:00" xmp:ModifyDate="2016-12-24T15:53:35 08:00" xmp:MetadataDate="2016-12-24T15:53:35 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" xmpMM:DocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC" xmpMM:OriginalDocumentID="xmp.did:2D4DDB12AEC9E6118C34F98869735BFC"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:2D4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T14:33:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/gif to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:2E4DDB12AEC9E6118C34F98869735BFC" stEvt:when="2016-12-24T15:53:35 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.vk?HxG
2016:12:24 14:59:37
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:crs="hXXp://ns.adobe.com/camera-raw-settings/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" crs:AlreadyApplied="True" photoshop:LegacyIPTCDigest="7B3DBCF7478532F3D679AC0D72F73A63" photoshop:ColorMode="3" xmp:CreateDate="2016-01-12T17:12:27 08:00" xmp:ModifyDate="2016-12-24T14:59:37 08:00" xmp:MetadataDate="2016-12-24T14:59:37 08:00" xmp:CreatorTool="Adobe Photoshop CS5 Windows" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" xmpMM:DocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116" xmpMM:OriginalDocumentID="xmp.did:FCB80ACD0EB9E511A90D9B6CB514D116"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FCB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:FDB80ACD0EB9E511A90D9B6CB514D116" stEvt:when="2016-01-12T17:28:12 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:45161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:46161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:58:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:47161857A6C9E6118BA5E0E97935A33C" stEvt:when="2016-12-24T14:59:37 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:41078AF178C9E611BC89FA2214169575" xmpMM:DocumentID="xmp.did:FE8DACE1C9A111E6AD14C12F766AE3F3" xmpMM:InstanceID="xmp.iid:FE8DACE0C9A111E6AD14C12F766AE3F3" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:42078AF178C9E611BC89FA2214169575" stRef:documentID="xmp.did:41078AF178C9E611BC89FA2214169575"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
H'.XA0
~.nqQ
d90.hg
I#1.Rc]p
.bc76$
%\9%S
%UErM
` jgAKT.MA(
VP%u~
<CH%d
:.CI 
%cNP&l"
o8%UB
xCÝ
<.Nl8
&tCpFC
XB%DSr
%S&Z_H1r
*2y%Xa5
vFb%Xja
X,K%U
/kAB%D
8O6.Í
$@CN&fB
@.nP?
*~?K%D
 1.od8
,O.To_
;.VN.
b.xqTA
`.fH),#
.Lakt*
J%C`^
ea.nx
K.sAL
*<;!*<!<
.uB.T
]\ (B%D
@75.xH
8`%Di
PF)%F!
4.qIF
2%DvV@
.yBe4
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
233333333333331
(*.*)
1.0.0.0
(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2940_rwx_002E7000_0000C000:

/imgsrc.baidu.com/forum/pic/item/7e3e6709c93d70cfe7c54480f0dcd100baa12b04.jpg|420649|22c0f1ae6a3654cb673e92cb88ad5f5e
hXXp://imgsrc.baidu.com/forum/pic/item/9f510fb30f2442a7dc301328d943ad4bd1130204.jpg|420649|52d2925ece046155a3222e9b043d85ed
hXXp://imgsrc.baidu.com/forum/pic/item/b8389b504fc2d56221a23f60ef1190ef77c66c91.jpg|106655|58257954e6e8d6c2b6f4874c3959b9a0
This program is maDe by dtcser.thank
.MAMA~
.AND~~
P.YOURS
P.BABA
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
hXXp://imgsrc.baidu.com/forum/pic/item/810a19d8bc3eb135ddf43a4bae1ea8d3fd1f440b.jpg|420649|74caa486e032c9a95ff7ac69a6335657
hXXp://imgsrc.baidu.com/forum/pic/item/b3b7d0a20cf431ad79d1cec94336acaf2edd983b.jpg|420649|f8c4dfdc2d60a199afe37b7d72864b4e
hXXp://imgsrc.baidu.com/forum/pic/item/3b292df5e0fe9925650fe4a03ca85edf8db1713b.jpg|420649|5cf48fa3b58bed6c6c3be7dccd673d66
hXXp://imgsrc.baidu.com/forum/pic/item/4bed2e738bd4b31cd50e194b8fd6277f9e2ff814.jpg|297656|101037befd84a153d332d67e5aeb686b
hXXp://VVV.hc130.com:666/Upgrade/list.txt
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\
nternet Files\Content.IE5
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\
les\Content.IE5
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Feeds Cache\
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\IECompatCache\

%original file name%.exe_3600:

.text
`.itext
`.data
.idata
.rdata
.reloc
@.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.UA
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
.Owner
Uh.ZB
USER32.DLL
comctl32.dll
TaskDialogIndirect
EInvalidGraphicOperation
Uhc%C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
ole32.dll
uxtheme.dll
DWMAPI.DLL
shell32.dll
PasswordChar
OnKeyDown
OnKeyPressh E
OnKeyUp
ssHorizontal
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
msimg32.dll
Proportional
OnExecute<CD
{43826d1e-e718-42ee-bc55-a1e261c37bfe}
%s%s%s%s%s%s%s%s%s%s
AutoHotkeys
AutoHotkeysP
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
TKeyEvent
TKeyPressEvent
HelpKeyword`
crSQLWait
%s (%s)
imm32.dll
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview0)E
WindowState4
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
User32.dll
tsShadow
TRzRegKey
hkeyClassesRoot
hkeyCurrentUser
hkeyLocalMachine
hkeyUsers
hkeyPerformanceData
hkeyCurrentConfig
hkeyDynData
TRzRegAccessKey
keyQueryValue
keySetValue
keyCreateSubKey
keyEnumerateSubKeys
keyNotify
keyCreateLink
keyRead
keyWrite
keyExecute
keyAllAccess
RegKey
\Software\Microsoft\Windows\CurrentVersion
%u / %u
MAPI32.DLL
msShiftSelect
TComboBoxExEnumerator
TRzURLLabel
TRzURLLabel|
RunDLL32.exe Shell32.dll,OpenAs_RunDLL *.htm
BeepOnInvalidKey
%s, %.2d %s %.4d %s %s
EIdCanNotBindPortInRange
EIdInvalidPortRangetbJ
C:\Builds\TpAddons\IndyNet\System\IdStreamVCL.pas
C:\Builds\TpAddons\IndyNet\System\IdGlobal.pas
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
Wship6.dll
EIdIPVersionUnsupportedU
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
127.0.0.1
C:\builds\TpAddons\IndyNet\System\IdStack.pas
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
PortSVW
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
Port<
C:\builds\TpAddons\IndyNet\Core\IdIOHandler.pas
"EIdTransparentProxyUDPNotSupported
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
BoundPort<
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password<
Port@iJ
0.0.0.1
0.0.0.0
DefaultPort@iJ
TIdTCPConnection
IdTCPConnection
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
C:\builds\TpAddons\IndyNet\Protocols\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length exceeded (expected
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
CommentURL
Port
C:\builds\TpAddons\IndyNet\Protocols\IdZLibCompressorBase.pas
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
%d%s%d
TIdHTTPOption
IdHTTP
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP4|L
TIdHTTPOnRedirectEvent
TIdHTTPOnHeadersAvailable
TIdHTTPResponse
TIdHTTPResponse`~L
TIdHTTPRequest
TIdHTTPProtocol4
TIdCustomHTTP
TIdCustomHTTP4
TIdHTTP
TIdHTTPd
HTTPOptions
EIdHTTPProtocolException
C:\builds\TpAddons\IndyNet\Protocols\IdHTTP.pas
HTTPS
https
HTTP/1.0 200 OK
HTTP/
%s, ClassID: %s
%s: %s
%s:%s
user32.dll
Class <%s> not registered
Source Class <%s> not registered
tObject %s not in item list
srBadPassword
TBadPassword
NewPassword
OnBadPasswordh
1.2.3
.zip.
olepro32.dll
IWebBrowser
IWebBrowserAppP
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowser
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop`
OnWindowSetWidth
OnWindowSetHeight
MaxKeySize
Invalid key size
LabelHintMsgh
RzURLLabel1
MsgBox
EditPasswordt
720101-146720
1977/10/15
650101-1455111
EditPasswordl
EditNewPasswordp
TfrmChangePassword
LChgPassword
TfrmGetBackPassword
LGetBackPassword
.\Ftp.ini
.\lscfg.ini
Software\MicroSoft\Windows\CurrentVersion\Explorer
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; .NET CLR 2.0.50727)
LoginTool.bin
LoginTool.exe
LoginDLL.dll
.\LoginDLL.dll.bak
.\LoginDLL.dll
netapi32.dll
stoDefaultKeyHandling
TRzShellControlDefKeyRec
Software\Microsoft\Windows\CurrentVersion\Explorer
"%s" %s
x@.td
xB.tG
%UUUU
HttpGetEX
THTTPGetThread
THttpGetEX
1.0.4
btnChangePassword|
btnGetBackPassword
WebBrowser
TimerWebBroswer
btnChangePasswordClick
btnGetBackPasswordClick
TimerLoginFunTimer
WebBrowserDownloadComplete!
TimerWebBroswerTimer
.\Data\Prguse2.wil
.\Data\Prguse2.wzl
%s,%d,%d,%d,%d
%d X %d
Q.NYcJ!
LoginTool
.\Data\ui\blue.uib
.\Data\ui\ItemBag.uib
.\Data\ui\HeroItemBag1.uib
.\Data\ui\HeroItemBag2.uib
.\Data\ui\HeroItemBag3.uib
.\Data\ui\HeroItemBag4.uib
.\Data\ui\HeroItemBag5.uib
.\Data\ui\HeroStateWin.uib
.\Data\ui\StateWindowHumanB.uib
.\Data\ui\StateWindowHumanC.uib
.\Wav\sound2.lst
.\Data\ui\gcbkd.uib
.\Data\ui\gcpage1.uib
.\Data\ui\gcpage2.uib
.\Data\ui\gcclose1.uib
.\Data\ui\gcclose2.uib
.\Data\ui\gccheckbox1.uib
.\Data\ui\gccheckbox2.uib
.\Data\ui\WStall.uib
.\Data\ui\WStallPrice.uib
.\Data\ui\PStallPrice0.uib
.\Data\ui\PStallPrice1.uib
.\Data\ui\StallBot0.uib
.\Data\ui\StallBot1.uib
.\Data\ui\DscStart0.uib
.\Data\ui\DscStart1.uib
.\Data\lsDefaultItemFilte1.txt
%s:%d
.\bass.dll
.\CmdLine.txt
/contact.htm
/buy.htm
%s %dK/%dK
Data\cboweapon.wzl
Data\cboweapon.wis
s.hXpT
inflate 1.2.3 Copyright 1995-2005 Mark Adler
)4."1-2(
*5/#2.3)
",71@5  &
3'627-"(
1 '-7#&0
1&,#84 .'*
- 8!3(.%
7&-3!),6%
#5*0' 8$2 .
8'.4"*-7& 0#
("2%!&8-3*#
/5,%!)703
(03!,&6)%* 17.'# 
$/6 *25#.(8 ',"3
&18",47%0*
'2, / 0&7!4-)1#8
(3-!0,1'8"5.*2$
inflate 1.0.4 Copyright 1995-1996 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
iu2.iu
e.mu .
^8%sy
}.dJ@U6s
e.Zt?
l%.gP
<;<%D!
^~.Eo
XJ.fw
d9.CXm
ZR.%S;
<js.Kl
.GpI"k
U6L.WM
#.FEbH
]..sx@J
Lz=
SK6_%d
@a.tO
5 5$5(5,5|5
1"1-131;1@1 3
> >$>(>,>0>4>8><>
8ƒ8F8`8
0*1.121:1@1
=&>*>.>2>6>:>>>
2 2$2(2,202
4 4$4(464>4
84898\8|8
2 2$2>2`2
6"6)6@6]6
6074787<7@7
;$<(<,<0<4<
0	0u1
5(595=5\5
9"9&9*909
7 7$7(7,70747:7
6o6S6p6
5 5.5<5"6-6
3 3<3@3|3
UnhookWindowsHookEx
RegFlushKey
RegCloseKey
V%smKT
9*.aGn
qM!%s
!.ULbp
6.NJZ
%gPT.jf4
%x'u;
5j>`11(.iA
0%C}!mQ
g<t.jJ9F=
U%dW}
2r.BfF
*A.Bo
nZa.Ka
.Mc6:
.JMJ 
$>C.Ht
xHH%D
.nA4B
=Q%x&
.Tt;N
.Cf{j
I9M.NR
i-zE}
.jJ&{K
.Pjk`
@P910.vqf*
N.qz7B
.wA[U/
.mt-nh
05%s!
k.ls7z@
0.CTN
'&!  *m
Fo$.
C.!A%u
y%uBn5
%Fg_d
~.wA:
%xt>5!
VR.eG>6C
6 EWV.uC>J
.vZ6.RX
8P@Vj Z~.jQ*
p?9K%F
8.pz:{
~;&E%c
Bc.BDbqJ
oy.fi
m".JK
Z%XEv
2.nRQ
.pvtC:q
4Nc%s
{|%CL
n.Lz 
:!%Dn
#%UoT
n/.jG
1.gz]
.Yuxm
eJ%C=
q%uy?
.AKxf
.Pi4~xb
.bWN^
J.KJ6N
iui.VH
yR.nt{
.ln/yc
1v.Eg
{ME%x
B0.Cz
x0P:.LF
};.KM
_Aß62
.gf$D
q63n.IL
V.EZV
,k5.fv
vC.hs& "6d
F.KG:
1.FnF
!.CTf x
.wbAj2v
kF@.eC(
.iP~9
Wg.SF
.uD8}k)}r98
%Ur~4
=G).%F
0~)@.gB(@
0<J%s
@8%CoJ=
j0E.nk
=].ty
uZ!%f
EG_D:V.jA8
jM%x&E
6'&7n.UI$
G6v.tV
n~.Ad
=Q.HB
.rJBkA
comdlg32.dll
RegCreateKeyExA
GetKeyNameTextA
SetViewportOrgEx
~b.LT
GetKeyboardState
mpr.dll
GetKeyboardType
WinExec
wsock32.dll
gdi32.dll
EnumWindows
EnumChildWindows
.YFwQ
MsgWaitForMultipleObjectsEx
.tbo:
RegCreateKeyA
EnumThreadWindows
MsgWaitForMultipleObjects
ShellExecuteA
.YnNW
!@g2.Ms?
2&.gFP
.nMwH]
`?.HFk
6.bh f
5F%f`
1<%s'4
x.FOc
;%fp9
Q.NfA
Oh1%S
n%u1BU
%%uc~C*$F9
xÓC1l
;%x'T
%4Uu,
1!9%C
d%cuE
.fvNe
%2ubBfu3
%.sV.
(z.UX
X8Y.hJ
2B.ZDc
I%sUp
h%x"0
iLZ.LY
j:%Cx
f.xC04
&%Cnsf
`Ì\
B%d,RB!BZ
:%xBg
V.dR$
%fRvr6
Ec[&~.lU
.yo}.
%oM.Gl
ncr.sC
\lN%d
P=CcJ\v.Zj
F(>!;.DF
X%dmN%
.eHyY
o.En.
|.Txv
.aJD|*&
O1$~S
g8.Bd
RJ'.qHf
F%XrA.x;?
.pC>h0
.lYk6 c$~
L%So6a
.Zqi9
.wX7E
.oT7@
t$.ex
%FS3<
q[.FF<
RXF.CF
4W.eX_^
ÛQ$
l%S<q
%FPnn
Y]C?.GD
#.vwk
)u#.od
i#%S9W
:XD%f
;0xP%u>
.zTGu-<Zd
:uZ%U.
Lr?%s
SF<%f
sfW%D
j.d.NP
_>{
J.eEp
4?%xWj
.kKlOf;
.yr#G
b%cg[
}.QMd
_mø.
t.QR1@
;"-U6}
/%S,^
'RZ-F4}C
x.LC:G
2jF.Fk
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyState
MapVirtualKeyA
version.dll
ShellExecuteExA
RegOpenKeyExA
LoadKeyboardLayoutA
GetKeyboardLayoutList
e.gp)
GetViewportOrgEx
4/.)(%$9
RegOpenKeyA
advapi32.dll
ActivateKeyboardLayout
SetWindowsHookExA
GetCPInfo
<assemblyIdentity version="1.0.0.0" processorArchitecture="x86" name="lacebook.exe" type="win32"/>
<requestedExecutionLevel level="requireAdministrator"/>
.rsrc
KERNEL32.dll
USER32.dll
WINMM.dll
MSACM32.dll
MSVCRT.dll
BASS_GetCPU
BASS_StreamCreateURL
BASS.dll
:d%UZ
L*.up""~G
o=<lþx
-Yh}MX
MW.pwV
;|u~yWn.LnZ
%I`.IFao
#AH%c"
.Qb, 
$=/.Pr
ze|%Xm 
?.xMj1 
f-p}U
%x;^./
xP6%d
4444444
4444444444
444444444
VWeBIg
m~GTWeBB
44444444
%UlLLl
wav\1.wav
wav\2.wav
wav\3.wav
wav\4.wav
wav\5.wav
wav\6.wav
wav\7.wav
wav\8.wav
wav\9.wav
wav\10.wav
wav\11.wav
wav\12.wav
wav\13.wav
wav\14.wav
wav\15.wav
wav\16.wav
wav\17.wav
wav\18.wav
wav\19.wav
wav\20.wav
wav\21.wav
wav\22.wav
wav\23.wav
wav\24.wav
wav\25.wav
wav\26.wav
wav\27.wav
wav\28.wav
wav\29.wav
wav\30.wav
wav\31.wav
wav\32.wav
wav\M42-2.wav
wav\game-over2.wav
wav\50.wav
wav\51.wav
wav\52.wav
wav\53.wav
wav\54.wav
wav\55.wav
wav\56.wav
wav\57.wav
wav\60.wav
wav\61.wav
wav\62.wav
wav\63.wav
wav\64.wav
wav\65.wav
wav\70.wav
wav\71.wav
wav\72.wav
wav\73.wav
wav\80.wav
wav\81.wav
wav\82.wav
wav\83.wav
wav\91.wav
wav\92.wav
wav\100.wav
wav\101.wav
wav\102.wav
wav\103.wav
wav\104.wav
wav\105.wav
wav\106.wav
wav\107.wav
wav\108.wav
wav\109.wav
110: wav\110.wav
111: wav\111.wav
112: wav\112.wav
113: wav\113.wav
114: wav\114.wav
115: wav\115.wav
116: wav\116.wav
117: wav\117.wav
118: wav\118.wav
122: wav\122.wav
123: wav\123.wav
124: wav\124.wav
125: wav\125.wav
126: wav\126.wav
130: wav\M7-1.wav
131: wav\M7-2.wav
132: wav\M12-1.wav
133: wav\M25-1.wav
134: wav\M27-L.wav
135: wav\M27-R.wav
136: wav\M26-1.wav
137: wav\M26-3.wav
138: wav\138.wav
139: wav\139.wav
140: wav\M34-1.wav
141: wav\M38-0.wav
142: wav\M38-1.wav
144: wav\144.wav
145: wav\145.wav
;;160: wav\160-1.wav
;;161: wav\160-2.wav
;;162: wav\162.wav
;;163: wav\163.wav
;;164: wav\164.wav
;;165: wav\165.wav
;;166: wav\166.wav
;;167: wav\167.wav
;;168: wav\168.wav
;;169: wav\169-1.wav
;;170: wav\169-2.wav
;;171: wav\171.wav
;;172: wav\172.wav
;;173: wav\173.wav
180: wav\M56-0.wav
181: wav\M56-3.wav
211: wav\210-1.wav
212: wav\210-2.wav
214: wav\210-4.wav
215: wav\210-5.wav
291: wav\290-1.wav
292: wav\290-2.wav
294: wav\290-4.wav
295: wav\290-5.wav
300: wav\300-1.wav
301: wav\300-1.wav
302: wav\300-2.wav
304: wav\300-4.wav
305: wav\300-5.wav
401: wav\400-1.wav
402: wav\400-2.wav
403: wav\400-3.wav
404: wav\400-4.wav
405: wav\400-5.wav
411: wav\410-1.wav
412: wav\410-2.wav
414: wav\410-4.wav
415: wav\410-5.wav
421: wav\420-1.wav
422: wav\420-2.wav
424: wav\420-4.wav
425: wav\420-5.wav
431: wav\430-1.wav
432: wav\430-2.wav
433: wav\430-3.wav
434: wav\430-4.wav
435: wav\430-5.wav
441: wav\440-1.wav
442: wav\440-2.wav
444: wav\440-4.wav
445: wav\440-5.wav
451: wav\450-1.wav
452: wav\450-2.wav
453: wav\450-3.wav
454: wav\450-4.wav
455: wav\450-5.wav
461: wav\460-1.wav
462: wav\460-2.wav
463: wav\460-3.wav
464: wav\460-4.wav
465: wav\460-5.wav
471: wav\470-1.wav
472: wav\470-2.wav
474: wav\470-4.wav
475: wav\470-5.wav
481: wav\480-1.wav
482: wav\480-2.wav
484: wav\480-4.wav
485: wav\480-5.wav
491: wav\490-1.wav
492: wav\490-2.wav
494: wav\490-4.wav
495: wav\490-5.wav
501: wav\500-1.wav
502: wav\500-2.wav
504: wav\500-4.wav
505: wav\500-5.wav
511: wav\510-1.wav
512: wav\510-2.wav
514: wav\510-4.wav
515: wav\510-5.wav
521: wav\520-1.wav
522: wav\520-2.wav
524: wav\520-4.wav
525: wav\520-5.wav
531: wav\530-1.wav
532: wav\530-2.wav
534: wav\530-4.wav
535: wav\530-5.wav
541: wav\540-1.wav
542: wav\540-2.wav
543: wav\540-3.wav
544: wav\540-4.wav
545: wav\540-5.wav
561: wav\560-1.wav
562: wav\560-2.wav
564: wav\560-4.wav
565: wav\560-5.wav
570: wav\M17-3.wav
572: wav\54.wav
573: wav\64.wav
575: wav\570-5.wav
581: wav\580-1.wav
582: wav\580-2.wav
584: wav\580-4.wav
585: wav\580-5.wav
591: wav\590-1.wav
592: wav\590-2.wav
594: wav\590-4.wav
595: wav\590-5.wav
601: wav\600-1.wav
602: wav\600-2.wav
604: wav\600-4.wav
605: wav\600-5.wav
611: wav\610-1.wav
612: wav\610-2.wav
614: wav\610-4.wav
615: wav\610-5.wav
621: wav\620-1.wav
622: wav\620-2.wav
624: wav\620-4.wav
625: wav\620-5.wav
631: wav\630-1.wav
632: wav\630-2.wav
634: wav\630-4.wav
635: wav\630-5.wav
641: wav\640-1.wav
642: wav\640-2.wav
644: wav\640-4.wav
645: wav\640-5.wav
651: wav\650-1.wav
652: wav\650-2.wav
654: wav\650-4.wav
655: wav\650-5.wav
661: wav\660-1.wav
662: wav\660-2.wav
664: wav\660-4.wav
665: wav\660-5.wav
671: wav\670-1.wav
672: wav\670-2.wav
674: wav\670-4.wav
675: wav\670-5.wav
681: wav\680-1.wav
682: wav\680-2.wav
684: wav\680-4.wav
685: wav\680-5.wav
691: wav\680-1.wav
692: wav\680-2.wav
694: wav\680-4.wav
695: wav\680-5.wav
700: wav\700-0.wav
701: wav\700-1.wav
702: wav\700-2.wav
704: wav\700-4.wav
705: wav\700-5.wav
710: wav\710-0.wav
711: wav\710-1.wav
712: wav\710-2.wav
714: wav\710-4.wav
715: wav\710-5.wav
720: wav\710-0.wav
721: wav\720-1.wav
722: wav\720-2.wav
724: wav\720-4.wav
725: wav\720-5.wav
730: wav\710-0.wav
731: wav\730-1.wav
732: wav\730-2.wav
734: wav\730-4.wav
735: wav\730-5.wav
811: wav\810-1.wav
812: wav\810-2.wav
814: wav\810-4.wav
815: wav\810-5.wav
821: wav\820-1.wav
822: wav\820-2.wav
824: wav\820-4.wav
830: wav\830-0.wav
831: wav\830-1.wav
832: wav\830-2.wav
834: wav\830-4.wav
835: wav\830-5.wav
901: wav\900-1.wav
902: wav\900-2.wav
904: wav\900-4.wav
905: wav\900-5.wav
931: wav\930-1.wav
932: wav\930-2.wav
934: wav\930-4.wav
935: wav\930-5.wav
940: wav\940-0.wav
941: wav\940-1.wav
942: wav\940-2.wav
943: wav\940-3.wav
944: wav\940-4.wav
945: wav\940-5.wav
1002: wav\1000-2.wav
1005: wav\1000-5.wav
1006: wav\1000-6.wav
1011: wav\1010-1.wav
1012: wav\1010-2.wav
1014: wav\1010-4.wav
1015: wav\1010-5.wav
1021: wav\1020-1.wav
1022: wav\1020-2.wav
1024: wav\1020-4.wav
1025: wav\1020-5.wav
1032: wav\1030-2.wav
1035: wav\1030-5.wav
1101: wav\1100-1.wav
1102: wav\1100-2.wav
1104: wav\1100-4.wav
1105: wav\1100-5.wav
1111: wav\1110-1.wav
1112: wav\1110-2.wav
1114: wav\1110-4.wav
1115: wav\1110-5.wav
wav\1360-1.wav
wav\1360-2.wav
wav\1360-3.wav
wav\1360-4.wav
wav\1360-5.wav
1201: wav\1200-1.wav
1202: wav\1200-2.wav
1204: wav\1200-4.wav
1205: wav\1200-5.wav
1211: wav\1210-1.wav
1212: wav\1210-2.wav
1213: wav\1220-3.wav
1214: wav\1210-4.wav
1215: wav\1210-5.wav
1221: wav\1220-1.wav
1222: wav\1220-2.wav
1223: wav\1220-3.wav
1224: wav\1220-4.wav
1225: wav\1220-5.wav
1231: wav\1230-1.wav
1232: wav\1230-2.wav
1234: wav\1230-4.wav
1235: wav\1230-5.wav
1241: wav\1240-1.wav
1242: wav\1240-2.wav
1244: wav\1240-4.wav
1245: wav\1240-5.wav
1251: wav\1240-1.wav
1252: wav\1240-2.wav
1254: wav\1240-4.wav
1255: wav\1240-5.wav
1261: wav\1260-1.wav
1262: wav\1260-2.wav
1264: wav\1260-4.wav
1265: wav\1260-5.wav
1271: wav\1260-1.wav
1272: wav\1260-2.wav
1274: wav\1260-4.wav
1275: wav\1260-5.wav
1301: wav\1310-1.wav
1302: wav\1310-2.wav
1304: wav\1310-4.wav
1305: wav\1310-5.wav
1311: wav\1310-1.wav
1312: wav\1310-2.wav
1314: wav\1310-4.wav
1315: wav\1310-5.wav
1321: wav\1320-1.wav
1323: wav\1320-3.wav
1324: wav\1320-4.wav
1325: wav\1320-5.wav
wav\1330-1.wav
wav\1330-2.wav
wav\1330-3.wav
wav\1330-4.wav
wav\1330-5.wav
wav\1340-1.wav
wav\1340-2.wav
wav\1340-3.wav
wav\1340-4.wav
wav\1340-5.wav
wav\1350-1.wav
wav\1350-2.wav
wav\1350-4.wav
wav\1350-5.wav
wav\1370-1.wav
wav\1370-2.wav
wav\1370-3.wav
wav\1370-4.wav
wav\1370-5.wav
wav\1380-1.wav
wav\1380-2.wav
wav\1380-4.wav
wav\1380-5.wav
wav\1390-1.wav
wav\1390-2.wav
wav\1390-3.wav
wav\1390-4.wav
wav\1390-5.wav
1401: wav\1400-1.wav
1402: wav\1400-2.wav
1404: wav\1400-4.wav
1405: wav\1400-5.wav
1411: wav\1410-1.wav
1412: wav\1410-2.wav
1414: wav\1410-4.wav
1415: wav\1410-5.wav
1501: wav\1500-1.wav
1502: wav\1500-2.wav
wav\1500-3.wav
1504: wav\1500-4.wav
1505: wav\1500-5.wav
wav\1510-1.wav
wav\1510-2.wav
wav\1510-3.wav
wav\1510-4.wav
wav\1510-5.wav
wav\1520-1.wav
wav\1520-2.wav
wav\1520-4.wav
wav\1520-5.wav
wav\1530-1.wav
wav\1530-4.wav
wav\1530-5.wav
1600: wav\1600-0.wav
wav\1600-2.wav
wav\1600-4.wav
wav\1600-5.wav
1701: wav\1700-1.wav
1702: wav\1700-2.wav
1703: wav\1700-2.wav
1704: wav\1700-4.wav
1705: wav\1700-5.wav
1711: wav\1710-1.wav
1712: wav\1710-2.wav
1714: wav\1710-4.wav
1715: wav\1710-5.wav
1721: wav\1720-1.wav
1722: wav\1720-2.wav
1724: wav\1720-4.wav
1725: wav\1720-5.wav
1801: wav\1800-1.wav
1802: wav\1800-2.wav
1804: wav\1800-4.wav
1805: wav\1800-5.wav
1811: wav\1810-1.wav
1812: wav\1810-2.wav
1814: wav\1810-4.wav
1815: wav\1810-5.wav
1821: wav\1820-1.wav
1822: wav\1820-2.wav
1824: wav\1820-4.wav
1825: wav\1820-5.wav
1831: wav\1830-1.wav
1832: wav\1830-2.wav
1834: wav\1830-4.wav
1835: wav\1830-5.wav
1900: wav\M30-3.wav
1901: wav\1900-1.wav
1904: wav\1900-4.wav
1905: wav\1900-5.wav
1910: wav\1910-0.wav
1911: wav\1910-1.wav
1912: wav\1910-2.wav
1913: wav\1910-3.wav
1914: wav\1910-4.wav
1915: wav\1910-5.wav
1920: wav\1920-0.wav
1921: wav\1920-1.wav
1922: wav\M11-1.wav
1923: wav\M11-2.wav
1924: wav\1920-4.wav
1925: wav\1920-5.wav
2001: wav\2000-1.wav
2002: wav\2000-2.wav
2003: wav\2000-3.wav
2004: wav\2000-4.wav
2005: wav\2000-5.wav
2011: wav\2010-1.wav
2012: wav\2010-2.wav
2013: wav\2010-3.wav
2014: wav\2010-4.wav
2015: wav\2010-5.wav
2021: wav\2020-1.wav
2022: wav\2020-2.wav
2023: wav\2020-3.wav
2024: wav\2020-4.wav
2025: wav\2020-5.wav
2101: wav\2100-1.wav
2102: wav\2100-2.wav
2103: wav\2100-3.wav
2104: wav\2100-4.wav
2105: wav\2100-5.wav
2111: wav\2110-1.wav
2112: wav\2110-2.wav
2113: wav\2110-3.wav
2114: wav\2110-4.wav
2115: wav\2110-5.wav
2121: wav\2120-1.wav
2122: wav\2120-2.wav
2123: wav\2120-3.wav
2124: wav\2120-4.wav
2125: wav\2120-5.wav
2131: wav\2130-1.wav
2132: wav\2130-2.wav
2133: wav\2130-3.wav
2134: wav\2130-4.wav
2135: wav\2130-5.wav
2141: wav\2140-1.wav
2142: wav\2130-2.wav
2143: wav\2140-3.wav
2144: wav\2130-4.wav
2145: wav\2130-5.wav
2151: wav\2150-1.wav
2152: wav\2130-2.wav
2153: wav\2150-3.wav
2154: wav\2130-4.wav
2155: wav\2130-5.wav
2160: wav\2160-0.wav
2161: wav\2160-1.wav
2162: wav\2160-2.wav
2163: wav\2160-3.wav
2164: wav\2160-4.wav
2165: wav\2160-5.wav
2201: wav\2200-1.wav
2202: wav\2200-2.wav
2203: wav\2200-3.wav
2204: wav\2200-4.wav
2205: wav\2200-5.wav
2211: wav\2210-1.wav
2212: wav\2210-2.wav
2213: wav\2210-3.wav
2214: wav\2210-4.wav
2215: wav\2210-5.wav
2221: wav\2220-1.wav
2222: wav\2220-2.wav
2223: wav\2220-3.wav
2224: wav\2220-4.wav
2225: wav\2220-5.wav
2231: wav\2230-1.wav
2232: wav\2230-2.wav
2233: wav\2230-3.wav
2234: wav\2230-4.wav
2235: wav\2230-5.wav
2241: wav\2240-1.wav
2242: wav\2240-2.wav
2243: wav\2240-3.wav
2244: wav\2240-4.wav
2245: wav\2240-5.wav
2251: wav\2250-1.wav
2252: wav\2250-2.wav
2253: wav\2250-3.wav
2254: wav\2250-4.wav
2255: wav\2250-5.wav
2261: wav\2260-1.wav
2262: wav\2260-2.wav
2263: wav\2260-3.wav
2264: wav\2260-4.wav
2265: wav\2260-5.wav
2271: wav\2270-1.wav
2272: wav\2270-2.wav
2273: wav\2270-3.wav
2274: wav\2270-4.wav
2275: wav\2270-5.wav
2276: wav\2270.wav
2301: wav\2300-1.wav
2302: wav\2300-2.wav
2303: wav\2300-3.wav
2304: wav\2300-4.wav
2305: wav\2300-5.wav
2306: wav\2300-6.wav
2311: wav\2310-1.wav
2313: wav\2310-3.wav
2314: wav\2310-4.wav
2315: wav\2310-5.wav
2321: wav\2320-1.wav
2323: wav\2320-3.wav
2324: wav\2320-4.wav
2325: wav\2320-5.wav
2331: wav\2330-1.wav
2333: wav\2330-3.wav
2334: wav\2330-4.wav
2335: wav\2330-5.wav
2341: wav\2340-1.wav
2343: wav\2340-3.wav
2344: wav\2340-4.wav
2345: wav\2340-5.wav
2351: wav\2350-1.wav
2353: wav\2350-3.wav
2354: wav\2350-4.wav
2355: wav\2350-5.wav
2371: wav\2370-1.wav
2373: wav\2370-3.wav
2374: wav\2370-4.wav
2375: wav\2370-5.wav
2381: wav\2370-1.wav
2383: wav\2380-3.wav
2384: wav\2370-4.wav
2385: wav\2370-5.wav
2391: wav\2390-1.wav
2393: wav\2390-3.wav
2394: wav\2390-4.wav
2395: wav\2390-5.wav
2396: wav\2390-6.wav
2401: wav\2400-1.wav
2402: wav\2400-2.wav
2404: wav\2400-4.wav
2405: wav\2400-5.wav
wav\2400-6.wav
2411: wav\2410-1.wav
2412: wav\2410-2.wav
2414: wav\2410-4.wav
2415: wav\2410-5.wav
2416: wav\2410-6.wav
wav\2420-1.wav
wav\2420-2.wav
wav\2420-4.wav
wav\2420-5.wav
wav\2420-6.wav
wav\2430-1.wav
wav\2430-2.wav
wav\2430-4.wav
wav\2430-5.wav
wav\2430-6.wav
wav\2430-7.wav
2621: wav\210-1.wav
2622: wav\210-2.wav
2624: wav\210-4.wav
2625: wav\210-5.wav
wav\2700-1.wav
wav\2700-2.wav
wav\2700-4.wav
wav\2700-5.wav
wav\2700-6.wav
wav\2710-1.wav
wav\2710-2.wav
wav\2710-4.wav
wav\2710-5.wav
wav\2710-6.wav
wav\2720-1.wav
wav\2720-2.wav
wav\2720-4.wav
wav\2720-5.wav
wav\2750-1.wav
wav\2750-2.wav
wav\2750-4.wav
wav\2750-5.wav
wav\2750-6.wav
wav\2750-7.wav
wav\2760-1.wav
wav\2760-2.wav
wav\2760-4.wav
wav\2760-5.wav
wav\2760-6.wav
wav\2760-7.wav
wav\2780-1.wav
wav\460-3.wav
wav\2780-4.wav
wav\2780-5.wav
wav\2790-1.wav
wav\2790-2.wav
wav\2790-4.wav
wav\2790-5.wav
2801: wav\1100-1.wav
2802: wav\1100-2.wav
2804: wav\1100-4.wav
2805: wav\1100-5.wav
2811: wav\900-1.wav
2812: wav\900-2.wav
2814: wav\900-4.wav
2815: wav\900-5.wav
2821: wav\1200-1.wav
2822: wav\1200-2.wav
2824: wav\1200-4.wav
2825: wav\1200-5.wav
2831: wav\2790-1.wav
2832: wav\2790-2.wav
2834: wav\2790-4.wav
2835: wav\2790-5.wav
2841: wav\210-1.wav
2842: wav\210-2.wav
2844: wav\210-4.wav
2845: wav\210-5.wav
3101: wav\1200-1.wav
3102: wav\1200-2.wav
3104: wav\1200-4.wav
3105: wav\1200-5.wav
3111: wav\1200-1.wav
3112: wav\1200-2.wav
3114: wav\1200-4.wav
3115: wav\1200-5.wav
3121: wav\1200-1.wav
3122: wav\1200-2.wav
3124: wav\1200-4.wav
3125: wav\1200-5.wav
3131: wav\1200-1.wav
3132: wav\1200-2.wav
3134: wav\1200-4.wav
3135: wav\1200-5.wav
3401: wav\900-1.wav
3402: wav\3400-2.wav
3404: wav\3400-4.wav
3405: wav\900-5.wav
3406: wav\3400-att1.wav
3411: wav\3410-1.wav
3414: wav\3410-4.wav
3415: wav\900-5.wav
3416: wav\3410-att1.wav
3417: wav\3410-att2.wav
3421: wav\3420-1.wav
3422: wav\3420-2.wav
3424: wav\3420-4.wav
3425: wav\900-5.wav
3426: wav\3420-att1.wav
3427: wav\3420-att2.wav
3428: wav\3420-att3.wav
3431: wav\3430-1.wav
3432: wav\2130-2.wav
3433: wav\3430-3.wav
3434: wav\2130-4.wav
3435: wav\2130-5.wav
3441: wav\M47-0.wav
3446: wav\3440-att1.wav
3447: wav\3440-att2.wav
3451: wav\3450-1.wav
3452: wav\3450-2.wav
3454: wav\3450-4.wav
3455: wav\3450-5.wav
3461: wav\3460-1.wav
3462: wav\3460-2.wav
3464: wav\3460-4.wav
3465: wav\3460-5.wav
3471: wav\3470-1.wav
3474: wav\3470-4.wav
3475: wav\3470-5.wav
3476: wav\3470-att1.wav
3477: wav\3470-att2.wav
3478: wav\3470-att3.wav
3479: wav\3470-att4.wav
3481: wav\3480-1.wav
3482: wav\3480-2.wav
3484: wav\3480-4.wav
3485: wav\3480-5.wav
3491: wav\3490-1.wav
3492: wav\3490-2.wav
3494: wav\3490-4.wav
3495: wav\3490-5.wav
3601: wav\210-1.wav
3602: wav\210-2.wav
3604: wav\210-4.wav
3605: wav\210-5.wav
3611: wav\8200-1.wav
3612: wav\8200-2.wav
3613: wav\8200-3.wav
3614: wav\8200-4.wav
3616: wav\8200-6.wav
3617: wav\8200-7.wav
3618: wav\8200-8.wav
3621: wav\8200-1.wav
3622: wav\8200-2.wav
3623: wav\8200-3.wav
3624: wav\8200-4.wav
3626: wav\8200-6.wav
3627: wav\8200-7.wav
3628: wav\8200-8.wav
3701: wav\480-1.wav
3702: wav\480-2.wav
3704: wav\480-4.wav
3705: wav\480-5.wav
3710: wav\700-0.wav
3711: wav\490-1.wav
3712: wav\490-2.wav
3714: wav\490-4.wav
3715: wav\490-5.wav
3720: wav\700-0.wav
3721: wav\700-1.wav
3722: wav\700-2.wav
3724: wav\700-4.wav
3725: wav\700-5.wav
3731: wav\210-1.wav
3732: wav\210-2.wav
3734: wav\210-4.wav
3735: wav\210-5.wav
wav\2320-1.wav
wav\xsws_tsgj.wav
wav\xsws_injured.wav
wav\xsws_death.wav
3751: wav\530-1.wav
3752: wav\530-2.wav
3754: wav\530-4.wav
3755: wav\530-5.wav
3761: wav\720-1.wav
3762: wav\720-2.wav
3764: wav\720-4.wav
3765: wav\720-5.wav
3771: wav\510-1.wav
3772: wav\510-2.wav
3774: wav\510-4.wav
3775: wav\510-5.wav
3781: wav\610-1.wav
3782: wav\610-2.wav
3784: wav\610-4.wav
3785: wav\610-5.wav
3791: wav\600-1.wav
3792: wav\600-2.wav
3794: wav\600-4.wav
3795: wav\600-5.wav
8301: wav\2120-1.wav
8302: wav\2120-2.wav
8303: wav\2120-3.wav
8304: wav\2120-4.wav
8305: wav\2120-5.wav
8311: wav\2000-1.wav
8312: wav\2000-2.wav
8313: wav\2000-3.wav
8314: wav\2000-4.wav
8315: wav\2000-5.wav
8321: wav\1830-1.wav
8322: wav\1830-2.wav
8324: wav\1830-4.wav
8325: wav\1830-5.wav
8331: wav\3450-1.wav
8332: wav\3450-2.wav
8334: wav\3450-4.wav
8335: wav\3450-5.wav
8340: wav\700-0.wav
8341: wav\700-1.wav
8342: wav\700-2.wav
8344: wav\700-4.wav
8345: wav\700-5.wav
8361: wav\1200-1.wav
8362: wav\1200-2.wav
8364: wav\1200-4.wav
8365: wav\1200-5.wav
8371: wav\1020-1.wav
8372: wav\1020-2.wav
8374: wav\1020-4.wav
8375: wav\1020-5.wav
8381: wav\1020-1.wav
8382: wav\1020-2.wav
8384: wav\1020-4.wav
8385: wav\1020-5.wav
8391: wav\1810-1.wav
8392: wav\1810-2.wav
8394: wav\1810-4.wav
8395: wav\1810-5.wav
8401: wav\500-1.wav
8402: wav\500-2.wav
8404: wav\500-4.wav
8405: wav\500-5.wav
8411: wav\500-1.wav
8412: wav\500-2.wav
8414: wav\500-4.wav
8415: wav\500-5.wav
8421: wav\820-1.wav
8422: wav\820-2.wav
8424: wav\820-4.wav
8425: wav\820-5.wav
8431: wav\300-1.wav
8432: wav\300-2.wav
8434: wav\300-4.wav
8435: wav\300-5.wav
8441: wav\300-1.wav
8442: wav\300-2.wav
8444: wav\300-4.wav
8445: wav\300-5.wav
8451: wav\1520-1.wav
8452: wav\1520-2.wav
8454: wav\1520-4.wav
8455: wav\1520-5.wav
8461: wav\940-1.wav
8462: wav\670-2.wav
8464: wav\940-4.wav
8465: wav\940-5.wav
8471: wav\940-1.wav
8472: wav\940-2.wav
8474: wav\940-4.wav
8475: wav\940-5.wav
8481: wav\2320-1.wav
8482: wav\2320-2.wav
8484: wav\2320-4.wav
8485: wav\2320-5.wav
8201: wav\8200-1.wav
8202: wav\8200-2.wav
8203: wav\8200-3.wav
8204: wav\8200-4.wav
8206: wav\8200-6.wav
8207: wav\8200-7.wav
8208: wav\8200-8.wav
8222: wav\8220-6.wav
8301: wav\8300-1.wav
8302: wav\8300-2.wav
9200: wav\9200-0.wav
9202: wav\9200-2.wav
9204: wav\9200-4.wav
9205: wav\9200-5.wav
9210: wav\9210-0.wav
9214: wav\9210-4.wav
9215: wav\9210-5.wav
9220: wav\9210-0.wav
9224: wav\9220-4.wav
9225: wav\9210-5.wav
9230: wav\9210-0.wav
9234: wav\9220-4.wav
9235: wav\9210-5.wav
10010: wav\M1-1.wav
10011: wav\M1-2.wav
10012: wav\M1-3.wav
10020: wav\M2-1.wav
10022: wav\M2-3.wav
10050: wav\M5-1.wav
10051: wav\M5-2.wav
10052: wav\M5-3.wav
10060: wav\M6-1.wav
10061: wav\M6-2.wav
10062: wav\M6-3.wav
10080: wav\M8-2.wav
10090: wav\M9-1.wav
10092: wav\M9-3.wav
10100: wav\M10-1.wav
10110: wav\M11-1.wav
10111: wav\M11-1.wav
10112: wav\M11-2.wav
10120: wav\M12-1.wav
10130: wav\M13-1.wav
10131: wav\M13-2.wav
10132: wav\M13-3.wav
10141: wav\M14-2.wav
10142: wav\M14-3.wav
10151: wav\M15-2.wav
10152: wav\M15-3.wav
10160: wav\M16-1.wav
10162: wav\M16-3.wav
10170: wav\M17-1.wav
10180: wav\M18-1.wav
10191: wav\M19-2.wav
10192: wav\M19-3.wav
10200: wav\M20-1.wav
10202: wav\M20-3.wav
10210: wav\M21-1.wav
10220: wav\M22-1.wav
10221: wav\M22-2.wav
10222: wav\M22-3.wav
10230: wav\M23-1.wav
10232: wav\M23-3.wav
10240: wav\M24-1.wav
10241: wav\M24-2.wav
10260: wav\M24-2.wav
10280: wav\M28-1.wav
10282: wav\M28-3.wav
10290: wav\M29-1.wav
10292: wav\M29-3.wav
10300: wav\M30-1.wav
10310: wav\M31-1.wav
10320: wav\M32-1.wav
10322: wav\M32-3.wav
10330: wav\M33-1.wav
10332: wav\M33-3.wav
10350: wav\M35-1.wav
10352: wav\M35-1.wav
10360: wav\M36-1.wav
10370: wav\M37-1.wav
10380: wav\M44-0.wav
10390: wav\M39-0.wav
10391: wav\M39-1.wav
10392: wav\M39-2.wav
10393: wav\M39-3.wav
10400: wav\M40-0.wav
10401: wav\M40-1.wav
10410: wav\M43-0.wav
10420: wav\M48-0.wav
10422: wav\M48-2.wav
10430: wav\M43-0.wav
10440: wav\M39-0.wav
10441: wav\M39-1.wav
10442: wav\M39-2.wav
10443: wav\M39-3.wav
wav\M35-1.wav
10461: wav\M46-1.wav
10470: wav\M47-0.wav
10472: wav\M47-2.wav
10475: wav\M47-5.wav
10480: wav\M37-1.wav
10490: wav\M49-0.wav
10491: wav\M49-1.wav
10492: wav\M49-2.wav
10493: wav\newysound-mix.wav
10500: wav\M36-1.wav
10510: wav\M51-0.wav
10512: wav\M51-2.wav
10520: wav\M52-0.wav
10521: wav\M52-1.wav
10522: wav\M52-2.wav
10530: wav\M53-0.wav
10532: wav\M53-2.wav
10540: wav\M54-0.wav
10542: wav\M54-2.wav
10550: wav\M55-0.wav
10552: wav\M55-2.wav
10560: wav\M56-0.wav
10563: wav\M56-3.wav
10570: wav\M57-0.wav
10571: wav\M57-3.wav
10572: wav\M57-3.wav
10580: wav\M58-0.wav
10582: wav\M58-3.wav
10680: wav\M42-0.wav
10681: wav\M42-1.wav
10682: wav\M42-2.wav
10690: wav\M33-1.wav
10760: wav\M47-0.wav
10761: wav\M47-2.wav
10762: wav\2270.wav
10770: wav\M101-0.wav
10771: wav\warpower-up.wav
10772: wav\warpower-up.wav
10780: wav\M42-0.wav
10781: wav\M42-1.wav
10782: wav\M42-2.wav
10800: wav\M33-1.wav
10802: wav\cboFs4_start.wav
10820: wav\M28-1.wav
10822: wav\M28-3.wav
11000: wav\M100-0.wav
wav\M100-2.wav
11010: wav\M101-0.wav
wav\M101-2.wav
11040: wav\cboFs2_start.wav
wav\cboFs2_target.wav
11050: wav\cboFs3_start.wav
wav\cboFs3_target.wav
11060: wav\cboFs4_start.wav
wav\cboFs4_target.wav
11070: wav\cboFs1_start.wav
wav\cboFs1_target.wav
11080: wav\cboDs1_start.wav
wav\cboDs1_target.wav
11090: wav\cboDs2_start.wav
wav\cboDs2_target.wav
11100: wav\cboDs3_start.wav
wav\cboDs3_target.wav
11110: wav\cboDs4_start.wav
wav\cboDs4_target.wav
11120: wav\cboFs2_start.wav
11160: wav\cboFs1_start.wav
11170: wav\cboFs3_start.wav
11180: wav\M101-0.wav
11181: wav\warpower-up.wav
11182: wav\warpower-up.wav
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
0IdHTTPHeaderInfo
LMsgBox
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
frmChangePassword
Picture.Data
2007:02:07 02:59:30
urlTEXT
MsgeTEXT
HhXXp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x='adobe:ns:meta/' x:xaptk='XMP toolkit 2.8.2-33, framework 1.5'>
<rdf:RDF xmlns:rdf='hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='hXXp://ns.adobe.com/iX/1.0/'>
<rdf:Description about='uuid:a1975220-b60f-11db-b931-c8e8dfd9ba45'
xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:a197521e-b60f-11db-b931-c8e8dfd9ba45</xapMM:DocumentID>
EditPassword
EditNewPassword
Bitmaps.Down.Data
Bitmaps.Hot.Data
Bitmaps.TransparentColor
Bitmaps.Up.Data
frmGetBackPassword
2007:03:06 08:02:29
<rdf:Description about='uuid:ea54afb1-cb74-11db-9adb-a5021ffa588c'
<xapMM:DocumentID>adobe:docid:photoshop:ea54afaf-cb74-11db-9adb-a5021ffa588c</xapMM:DocumentID>
Bitmaps.Disabled.Data
111:1Ìcccccccccccccccccccccccccccccccccccccccj
:%1:11::
OOOOOk.QOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
.keeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee*9
66666666
55555555
.s.ssssssss..s..sss.sss.
.sss.
s.<<<<<.sss
s$$.ss
s$$$$.sssss
4111111111
5555555500
5555055
::::@@:::
:::44::::4:
11111111
.AAAA
btnChangePassword
.s..sss.
.ssssssss.
.ssss
s?.sss
s.%%%%s
5111111111
4000000000
[.gaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaggL
:::33::::3:
@~~~~~~~~%%Cq
;;;>>;;;
;(((;;;;
;;;?-?;;;
;;;;#<<#;
.sssssssss.
.ssss.
.sssssss.
s.?.ssss
&&&.ss
s&&.ss
p%%%DmmmD%%%%%%%%%%%%%%%%%%^s
s^%%%%%%s
s%%%%%%s
.tPoIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII':.ACu!!8
6666666611
6666166
WebBrowserDownloadComplete
TimerLoginFun
LabelHintMsg
2007:02:07 02:59:57
<rdf:Description about='uuid:3be681c9-b614-11db-b931-c8e8dfd9ba45'
<xapMM:DocumentID>adobe:docid:photoshop:2ef6df80-b614-11db-b931-c8e8dfd9ba45</xapMM:DocumentID>
%U}d4*hx
1980/03/12
0123456
Glyph.Data
TFRMCHANGEPASSWORD
TFRMGETBACKPASSWORD
1999-2007
Open a Zip File[Zip Files (*.ZIP)|*.zip|SFX Files (*.EXE)|*.exe|Jar Files (*.JAR)|*.jar|All Files (*.*)|*.*&User canceled Set Desination Directory
Index %d is out of range
User Aborted Operation
User canceled Zip operation%Select a new name for the fixed file.
Zip Files (*.ZIP)
Invalid seek origin (%d)
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Reply Code is not valid: %s
Unknown Protocol(Request method requires HTTP version 1.1DThis authentication method is already registered with class name %s.
JPEG error #%d
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
"%d: Circular links are not allowed
File "%s" not found
Object type not supported.
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
)UDP is not support in this SOCKS version.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Network is down.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
UTF-7"%s requires Windows Vista or later Invalid level (%d) for item "%s"
Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL
Indigo Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.,Multiselect mode must be on for this feature
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned
&Files: (*.*)
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
No help found for %s#No context-sensitive help installed
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Cannot open file "%s". %s
Unable to write to %s
Invalid file name - %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
_ChangePassword
:1980/01/01)

%original file name%.exe_2940_rwx_009F1000_00003000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
comdlg32.dll
RegCreateKeyExA
ShellExecuteA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
233333333333331
1.0.0.0
(hXXp://VVV.dywt.com.cn)

%original file name%.exe_2940_rwx_02150000_0006D000:

.text
`.itext
`.data
.idata
.edata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
uxtheme.dll
USER32.DLL
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
User32.dll
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
SHELL_EXE
ntdll.dll
Kernel32.dll
iu2.iu
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
GetCPInfo
RegFlushKey
Project1.dll
MemExecute1
2 2$2(2,2
6#6'6 687\7
9!9˜9X9`9d9h9l9p9t9x9|9
; ;$;(;,;0;4;<;
5$5*565>5
0-1W1c1}1
4"5 51568
2%2x2
9-:1:5:9:@:
>#?5?@?|?
6o6N6_6}6
7 7$7(7,707
KWindows
UrlMon
version="11.0.2902.10471"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d."Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Write$Error creating variant or safe array!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

%original file name%.exe_2940_rwx_02D60000_00064000:

.text
`.itext
`.data
.idata
.edata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
uxtheme.dll
USER32.DLL
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.TC
User32.dll
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
TMarginsX%D
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
SHELL_EXE
ntdll.dll
Kernel32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
GetCPInfo
RegFlushKey
Project1.dll
MemExecute1
2 2$2(2,2
6#6'6 687\7
9!9˜9X9`9d9h9l9p9t9x9|9
; ;$;(;,;0;4;<;
5$5*565>5
0-1W1c1}1
4"5 51568
2%2x2
9-:1:5:9:@:
>#?5?@?|?
6o6N6_6}6
7 7$7(7,707
KWindows
UrlMon
version="11.0.2902.10471"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d."Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Write$Error creating variant or safe array!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

%original file name%.exe_3600_rwx_00259000_00001000:

@%SystemRoot%\system32\nlasvc.dll,-1000
%SystemRoot%\system32\napinsp.dll
@%SystemRoot%\system32\napinsp.dll,-1000
%SystemRoot%\system32\pnrpnsp.dll
@%SystemRoot%\system32\pnrpnsp.dll,-1000
@%SystemRoot%\system32\pnrpnsp.dll,-1001
%SystemRoot%\System32\mswsock.dll
@%SystemRoot%\system32\wshtcpip.dll,-601

%original file name%.exe_3600_rwx_00289000_00001000:

\\?\STORAGE#Volume#{f80abb41-5224-11e3-bc81-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\\?\STORAGE#Volume#{904f7812-51e3-11e3-bf61-806e6f6e6963}#0000000000010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

%original file name%.exe_3600_rwx_0028D000_00001000:

C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\
95b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comc
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

%original file name%.exe_3600_rwx_002A6000_00002000:

69980861
VVV.922my.com
(20171121)
hXXp://127.0.0.1:11382/lb.txt
hXXp://127.0.0.1:11382/sj.txt
f9.exe
shell32.dll
1980/03/12
,C:\Users\Public\Music\desktop.ini
,C:\Users\"%CurrentUserName%"\Pictures\desktop.ini
,C:\Users\"%CurrentUserName%"\Desktop\desktop.ini
,C:\Users\"%CurrentUserName%"\Music\desktop.ini
C:\Windows\system32\WindowsCodecs.dll
c:\%original file name%.exe
C:\Windows\system32\EhStorShell.dll
C:\Windows\system32\ReinstallBackups

%original file name%.exe_3600_rwx_002B3000_00001000:

|8.8.8.8.8|188|password
w.ly024.com
VVV.lyL
VVV.ly024.comQ
VVV.ly024.com
8.8.8.8.8|188|password
.8|188|password
|8.8.8
password
|60.191.143.
|60.191.143.1
|60.191.1
4|password
|8.8.8.8.8
|60.191.143.138|
VVV.922my.com
0|password
|60.191.143.138|7060|password
VVV.922my
2my.com
|60.191.143.138|7010|password
|60.191.143.138|7064|password
.8.8.8
ntdll.dll
KERNEL32.DLL
BlueWebHeader
sWebSite

%original file name%.exe_3600_rwx_00400000_00001000:

.text
`.itext
`.data
.idata
.rdata
.reloc
@.rsrc

%original file name%.exe_3600_rwx_00536000_00018000:

1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
)4."1-2(
*5/#2.3)
",71@5  &
3'627-"(
1 '-7#&0
1&,#84 .'*
- 8!3(.%
7&-3!),6%
#5*0' 8$2 .
8'.4"*-7& 0#
("2%!&8-3*#
/5,%!)703
(03!,&6)%* 17.'# 
$/6 *25#.(8 ',"3
&18",47%0*
'2, / 0&7!4-)1#8
(3-!0,1'8"5.*2$
1.0.4
inflate 1.0.4 Copyright 1995-1996 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
iu2.iu

%original file name%.exe_3600_rwx_005D5000_00178000:

UnhookWindowsHookEx
RegFlushKey
RegCloseKey
V%smKT
9*.aGn
qM!%s
!.ULbp
6.NJZ
%gPT.jf4
%x'u;
5j>`11(.iA
0%C}!mQ
g<t.jJ9F=
U%dW}
2r.BfF
*A.Bo
nZa.Ka
.Mc6:
.JMJ 
$>C.Ht
xHH%D
.nA4B
=Q%x&
.Tt;N
.Cf{j
I9M.NR
i-zE}
.jJ&{K
.Pjk`
@P910.vqf*
N.qz7B
.wA[U/
.mt-nh
05%s!
k.ls7z@
0.CTN
'&!  *m
Fo$.
C.!A%u
y%uBn5
%Fg_d
~.wA:
%xt>5!
VR.eG>6C
6 EWV.uC>J
.vZ6.RX
8P@Vj Z~.jQ*
p?9K%F
8.pz:{
~;&E%c
Bc.BDbqJ
oy.fi
m".JK
Z%XEv
2.nRQ
.pvtC:q
4Nc%s
{|%CL
n.Lz 
:!%Dn
#%UoT
n/.jG
1.gz]
.Yuxm
eJ%C=
q%uy?
.AKxf
.Pi4~xb
.bWN^
J.KJ6N
iui.VH
yR.nt{
.ln/yc
1v.Eg
{ME%x
B0.Cz
x0P:.LF
};.KM
_Aß62
.gf$D
q63n.IL
V.EZV
,k5.fv
vC.hs& "6d
F.KG:
1.FnF
!.CTf x
.wbAj2v
kF@.eC(
.iP~9
Wg.SF
.uD8}k)}r98
%Ur~4
=G).%F
0~)@.gB(@
0<J%s
@8%CoJ=
j0E.nk
=].ty
uZ!%f
EG_D:V.jA8
jM%x&E
6'&7n.UI$
G6v.tV
n~.Ad
=Q.HB
.rJBkA
comdlg32.dll
RegCreateKeyExA
GetKeyNameTextA
SetViewportOrgEx
~b.LT
GetKeyboardState
kernel32.dll
comctl32.dll
mpr.dll
shell32.dll
GetKeyboardType
WinExec
wsock32.dll
iu2.iu
user32.dll
gdi32.dll
EnumWindows
EnumChildWindows
.YFwQ
MsgWaitForMultipleObjectsEx
.tbo:
RegCreateKeyA
EnumThreadWindows
MsgWaitForMultipleObjects
ShellExecuteA
.YnNW
!@g2.Ms?
2&.gFP
.nMwH]
`?.HFk
6.bh f
5F%f`
1<%s'4
x.FOc
;%fp9
Q.NfA
Oh1%S
n%u1BU
%%uc~C*$F9
xÓC1l
;%x'T
%4Uu,
1!9%C
d%cuE
.fvNe
%2ubBfu3
%.sV.
(z.UX
X8Y.hJ
2B.ZDc
I%sUp
h%x"0
iLZ.LY
j:%Cx
f.xC04
&%Cnsf
`Ì\
B%d,RB!BZ
:%xBg
V.dR$
%fRvr6
Ec[&~.lU
.yo}.
%oM.Gl
ncr.sC
\lN%d
P=CcJ\v.Zj
F(>!;.DF
X%dmN%
.eHyY
o.En.
|.Txv
.aJD|*&
O1$~S
g8.Bd
RJ'.qHf
F%XrA.x;?
.pC>h0
.lYk6 c$~
L%So6a
.Zqi9
.wX7E
.oT7@
t$.ex
%FS3<
q[.FF<
RXF.CF
4W.eX_^
ÛQ$
l%S<q
%FPnn
Y]C?.GD
#.vwk
)u#.od
i#%S9W
:XD%f
;0xP%u>
.zTGu-<Zd
:uZ%U.
Lr?%s
SF<%f
sfW%D
j.d.NP
_>{
J.eEp
4?%xWj
.kKlOf;
.yr#G
b%cg[
}.QMd
_mø.
t.QR1@
;"-U6}
/%S,^
'RZ-F4}C
x.LC:G
2jF.Fk
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyState
MapVirtualKeyA
version.dll
ShellExecuteExA
ole32.dll
RegOpenKeyExA
LoadKeyboardLayoutA
GetKeyboardLayoutList
e.gp)
GetViewportOrgEx
oleaut32.dll
4/.)(%$9
RegOpenKeyA
advapi32.dll
ActivateKeyboardLayout
SetWindowsHookExA
GetCPInfo

%original file name%.exe_3600_rwx_00A00000_00528000:

.text
`.rdata
@.data
.vmp0
`.reloc
@.rsrc
]owEBR
.wh;r
.pFi\
t$(SSh
~%UVW
u$SShe
kernel32.dll
ntdll.dll
shlwapi.dll
user32.dll
kernel32.DLL
Kernel32.dll
gdi32.dll
advapi32.dll
Advapi32.dll
LoginDLL.dll
LoginGen.dll
psapi.dll
version.dll
wsock32.dll
Ws2_32.dll
ws2_32.dll
iphlpapi.dll
GetProcessHeap
EnumChildWindows
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
LoginTYFw
LoginGen
GetExtendedTcpTable
hwdlq.bin
vkernel32.dll
KERNELBASE.dll
@ntdll.dll
hXXp://127.0.0.1
.vmp0.rdata
hfgste1.bsp
0-0-0-0-0-0
z>\hwerror.txt
hXXp://116.211.143.120:8899/s.txt
@qjdlq1.hwdlq.com
qjdlq2.hwdlq.com
qjdlq3.hwdlq.com
qjdlq4.hwdlq.com
imgsrc.baidu.com
c:\hwconfig
c:\hwconfig\
hXXp://101.200.152.202:86/
101.200.152.202
G|Z%d
2.lnk
188002905
hXXp://imgsrc.baidu.com/forum/pic/item/8435e5dde71190ef5247fb65c41b9d16fcfa60cf.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/42a98226cffc1e171107e58b4090f603728de9d4.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/279759ee3d6d55fb7d551f9c67224f4a21a4ddfd.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/d833c895d143ad4b574a2f7a88025aafa40f0627.jpg
Protection.exe
e.exe
<@hXXp://VVV.xkdlq.net/Bluelist.txt
hXXp://bak.xkdlq.net/Bluelist.txt
hXXp://VVV.xkdlq.net/LoginTool/Upgrade/list.txt
hao959.com
\data\lsDefaultItemFilter.txt
link1.ini
link.ini
e:\BlueAnit
d:\BlueAnit
d:\BlueKEY.exe
e:\BlueKEY.exe
d:\GomKEY.exe
e:\GomKEY.exe
d:\BlueAnit.rar
e:\BlueAnit.rar
d:\SKT1.zip
e:\SKT1.zip
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
@\data\ItemDesc.dat
\data\lsDefaultItemFilte1.txt
\LoginDll.dll
\LoginGen.dll
1V2016.08.28_0508 4
V2017.02.18_0508 4
lb.txt
sj.txt
HTTP/1.1 200 OK
/lb.txt
hXXp://127.0.0.1:
/sj.txt
LoginTool.exe
\data\prguse2.wil
\data\prguse2.wzl
\lscfg.ini
20171122
66666666
H% SggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggM%%U4.X
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.0.6
\shell32.dll
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
e%1S^
.LGQ L
C.vj}
q.hdL
cQ%fH
.yY@hT
Vu|%c
c.nv0r
Ik&.JFf
.ei*k
-QL};
%fRqT
-ym}r
5%j%D
S1}%F
h.SJ>
~{q%Sx
yIZ.uy
.gJ`<
urltO
iaJ.yR
cmDdp
.pP(/
.LpQ`
f.zvH
:.UkE
`..QP
8R.HZ
a`S.bV
r}%FHs
74.Ka ,
f`5%C
%x-zJ
y@.HB
%Dy>_5
iQ.EK5U
.au`<$
Y.Qph
_.rN,
]O`%c
MW^#%C
m.Cn{;
F<".rB
W%FL`
f<6f
.rxs'
Ib-%C
*[.bt;
crTS
Z.Us2
!.Pb3*
.cJ|/
.Rpcq
E.LQw
Cu.yl,
.%xER1
N`.nPD
.dw` 69
d%sK-A
(dj-.jb 
`j.jP
i.ijp
%C`s1
u;r`@.Xg
".Ff;
F.lj-Sy
:`.bET
.cRLM
`.rfs
,.PRp
yj.lmy_
g[\.jW
`%spR
qVuRL
3?S.lp
.Sg-[tR
te.TR
.Kwp4
.Plxj
`h.xw>
(%D-I
`%sOO
F4ö
cMdJ'
p.Zo`f
.VU,S
G.Jy,
v<.fsLM
'.aqI
)P%C,
]%D|{
Bx`%s
K<.Yt|
Ã8p
J;-.xnJ
N.Cl0
=|L.oz
p{2.Vl
h[%C>
`n.Un
8g8.XY
.ZE~_ 8
$O.wh
OUL%D
p.VFi
.rDS8
.Hx@<
g.rOD
93E%X
a%d`*
%x`hU?L>
Ls-%S@
%P7.ff
vH%X`
<.ZZyn$A
T.KY<
.Jt\xwa(wR
b`.tCr
f%F:4
W`L.CG
%s`3m?
s%x^`
>}.Wn
.kf&K
.dII\
.SLg9
r 0%D
S%cpb
pMSg
?.aq?
"s~.ZT
p%c\M
p:\CZ
5.cl6
p%U\`
D.ArY
.LbDy
My.nq{y
.Kryv
.NbM!8W
3!,""%1:
.le2L
[.gP3
.DC!`
-1}N#T>
!`.ni
il.oi
Keyf
y%S]}
P%s'wh
vR.drrQ
-1E}{
%d-rH
d\l.MS
huC%X
.MG'r
]Z~Ëf
(;.eF
IN.le
h.Tlj
-J}UUR
jL.Vi
K.rg8
.RHr#r
%s!'P
b.GuR
-&A%cR
r:\/e
.jye$
cE.zB
;%sn,xf
%fn~A3
HB}.oQ
-N.oR
-g}^f
s%SPL
m.jyvN9
@[Z.iK
`4.Zl
km-k}
`.nf@
f%dIf
3%3S3c3
2!2.2@2\2
;$;(;,;0;4;8;<;\;
2 2$2(2,2024282
5 5$5(5,505
%0X0\0`0d0h0l0p0t0x0|0
0x0-2}2
< <$<(<,<0<4<
<$<*<0<6<<<
2 2$2(2,2
1(1,1014181<1@1 2'2
(0,0004080<0@0
: :$:(:,:0:4:
<#<1<7<{=
< <$<(<,<0<4<8<<<@<
5$5,585@5
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://sv.symcb.com/sv.crl0a
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0
(*.*)

%original file name%.exe_3600_rwx_01E10000_00556000:

.text
`.rdata
@.data
.vmp0
`.reloc
@.rsrc
]owEBR
.wh;r
.pFi\
t$(SSh
~%UVW
u$SShe
ku2.iu
1wK(.wE
kernel32.dll
ntdll.dll
shlwapi.dll
user32.dll
kernel32.DLL
Kernel32.dll
gdi32.dll
advapi32.dll
Advapi32.dll
LoginDLL.dll
LoginGen.dll
psapi.dll
version.dll
wsock32.dll
Ws2_32.dll
ws2_32.dll
iphlpapi.dll
GetProcessHeap
EnumChildWindows
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
LoginTYFw
LoginGen
GetExtendedTcpTable
hwdlq.bin
vkernel32.dll
KERNELBASE.dll
@ntdll.dll
hXXp://127.0.0.1
.vmp0.rdata
hfgste1.bsp
0-0-0-0-0-0
z>\hwerror.txt
hXXp://116.211.143.120:8899/s.txt
@qjdlq1.hwdlq.com
qjdlq2.hwdlq.com
qjdlq3.hwdlq.com
qjdlq4.hwdlq.com
imgsrc.baidu.com
c:\hwconfig
c:\hwconfig\
hXXp://101.200.152.202:86/
101.200.152.202
G|Z%d
2.lnk
188002905
hXXp://imgsrc.baidu.com/forum/pic/item/8435e5dde71190ef5247fb65c41b9d16fcfa60cf.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/42a98226cffc1e171107e58b4090f603728de9d4.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/279759ee3d6d55fb7d551f9c67224f4a21a4ddfd.jpg
hXXp://imgsrc.baidu.com/forum/pic/item/d833c895d143ad4b574a2f7a88025aafa40f0627.jpg
Protection.exe
e.exe
<@hXXp://VVV.xkdlq.net/Bluelist.txt
hXXp://bak.xkdlq.net/Bluelist.txt
hXXp://VVV.xkdlq.net/LoginTool/Upgrade/list.txt
hao959.com
\data\lsDefaultItemFilter.txt
link1.ini
link.ini
e:\BlueAnit
d:\BlueAnit
d:\BlueKEY.exe
e:\BlueKEY.exe
d:\GomKEY.exe
e:\GomKEY.exe
d:\BlueAnit.rar
e:\BlueAnit.rar
d:\SKT1.zip
e:\SKT1.zip
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
@\data\ItemDesc.dat
\data\lsDefaultItemFilte1.txt
\LoginDll.dll
\LoginGen.dll
1V2016.08.28_0508 4
V2017.02.18_0508 4
lb.txt
sj.txt
HTTP/1.1 200 OK
/lb.txt
hXXp://127.0.0.1:
/sj.txt
LoginTool.exe
\data\prguse2.wil
\data\prguse2.wzl
\lscfg.ini
20171122
66666666
H% SggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggM%%U4.X
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.0.6
\shell32.dll
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
e%1S^
.LGQ L
C.vj}
q.hdL
cQ%fH
.yY@hT
Vu|%c
c.nv0r
Ik&.JFf
.ei*k
-QL};
%fRqT
-ym}r
5%j%D
S1}%F
h.SJ>
~{q%Sx
yIZ.uy
.gJ`<
urltO
iaJ.yR
cmDdp
.pP(/
.LpQ`
f.zvH
:.UkE
`..QP
8R.HZ
a`S.bV
r}%FHs
74.Ka ,
f`5%C
%x-zJ
y@.HB
%Dy>_5
iQ.EK5U
.au`<$
Y.Qph
_.rN,
]O`%c
MW^#%C
m.Cn{;
F<".rB
W%FL`
f<6f
.rxs'
Ib-%C
*[.bt;
crTS
Z.Us2
!.Pb3*
.cJ|/
.Rpcq
E.LQw
Cu.yl,
.%xER1
N`.nPD
.dw` 69
d%sK-A
(dj-.jb 
`j.jP
i.ijp
%C`s1
u;r`@.Xg
".Ff;
F.lj-Sy
:`.bET
.cRLM
`.rfs
,.PRp
yj.lmy_
g[\.jW
`%spR
qVuRL
3?S.lp
.Sg-[tR
te.TR
.Kwp4
.Plxj
`h.xw>
(%D-I
`%sOO
F4ö
cMdJ'
p.Zo`f
.VU,S
G.Jy,
v<.fsLM
'.aqI
)P%C,
]%D|{
Bx`%s
K<.Yt|
Ã8p
J;-.xnJ
N.Cl0
=|L.oz
p{2.Vl
h[%C>
`n.Un
8g8.XY
.ZE~_ 8
$O.wh
OUL%D
p.VFi
.rDS8
.Hx@<
g.rOD
93E%X
a%d`*
%x`hU?L>
Ls-%S@
%P7.ff
vH%X`
<.ZZyn$A
T.KY<
.Jt\xwa(wR
b`.tCr
f%F:4
W`L.CG
%s`3m?
s%x^`
>}.Wn
.kf&K
.dII\
.SLg9
r 0%D
S%cpb
pMSg
?.aq?
"s~.ZT
p%c\M
p:\CZ
5.cl6
p%U\`
D.ArY
.LbDy
My.nq{y
.Kryv
.NbM!8W
3!,""%1:
.le2L
[.gP3
.DC!`
-1}N#T>
!`.ni
il.oi
Keyf
y%S]}
P%s'wh
vR.drrQ
-1E}{
%d-rH
d\l.MS
huC%X
.MG'r
]Z~Ëf
(;.eF
IN.le
h.Tlj
-J}UUR
jL.Vi
K.rg8
.RHr#r
%s!'P
b.GuR
-&A%cR
r:\/e
.jye$
cE.zB
;%sn,xf
%fn~A3
HB}.oQ
-N.oR
-g}^f
s%SPL
m.jyvN9
@[Z.iK
`4.Zl
km-k}
`.nf@
f%dIf
3%3S3c3
2!2.2@2\2
;$;(;,;0;4;8;<;\;
2 2$2(2,2024282
5 5$5(5,505
%0X0\0`0d0h0l0p0t0x0|0
0x0-2}2
< <$<(<,<0<4<
<$<*<0<6<<<
2 2$2(2,2
1(1,1014181<1@1 2'2
(0,0004080<0@0
: :$:(:,:0:4:
<#<1<7<{=
< <$<(<,<0<4<8<<<@<
5$5,585@5
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
(*.*)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6341cee27a1e54312fb488bb1e1e2f46.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1aa68468a225e8ad9b49edb1a946182e.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4d87324efef94ef67221f2912dc89ae9.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ba6e1b2e9f76da34a5d521a20d52e63e.txt (243 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e06549067736b6d8b83ad1692e3dac04.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\680db6d335c551c4885c3046600e89d8.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5573c0e0e4504d62ea432f4b5df3481a.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ea81016697da3e03d2125f1b020a8d96.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7e6dffff5b2a7eccc3fee5dcd53d0927.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a156b79569931e9cce44736b86f6e069.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\96490dc4bc985859888d970e8fd9b954.txt (297 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b86ec984a069da4dfeaa3a16fc0ec2f2.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\212b0fa0fa111459cc3edae1d50ba7f8.txt (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8df8373986d2124c43b3d42c81e8f3df.txt (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\257ebb26802bfc542d2d602fefb1ec6f.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\792574abec5d363f69be9bca3997483b.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a58fcef2b3da25a3a84fd37417c981e9.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\da3b879a31840d80746740e6e3a5490a.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8bc587ee979cdb3a96b82251a1c579e8.txt (410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c811cdec13b869980d35d80854d6ee98.txt (420 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now